
Patch Tuesday June 2024

June 11, 2024

By Mike Walters

Patch Tuesday June 2024 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, watch the recorded June 2024 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

In this issue, you will learn about patches for:

Microsoft Vulnerabilities

This Patch Tuesday, Microsoft has addressed 51 vulnerabilities, a decrease from last month. Among these, only one is categorized as critical: CVE-2024-30080, which pertains to Microsoft Message Queuing. Notably, there are no zero-day vulnerabilities this time, and one of the vulnerabilities, an older Denial of Service (DoS) DNS bug identified by MITRE in February (CVE-2023-50868), has a proof of concept (PoC) available. Below are the details of the most significant updates provided this month.

Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (CVE-2024-30080)

A critical vulnerability has been identified in Microsoft Message Queuing (MSMQ), which could permit remote code execution. This issue stems from a Use After Free (CWE-416) flaw and is assigned a CVSS score of 9.8, indicating an extremely high severity level.

The vulnerability is accessible through the network with low attack complexity, requires no privileges, and no user interaction, with the scope of the vulnerability remaining unchanged. However, it carries high impacts on confidentiality, integrity, and availability.

An attacker could exploit this vulnerability by sending a specially crafted malicious MSMQ packet to a server, potentially resulting in remote code execution on that server. While no exploit code or proof of concept (PoC) for this vulnerability has been verified, the likelihood of exploitation is considered high.

The affected component, the Windows Message Queuing service, must be enabled for the vulnerability to be exploitable. This service can be added via the Control Panel. To check whether a system is exposed, confirm whether the ‘Message Queuing’ service is running and whether TCP port 1801 is open on the system.

This vulnerability impacts all versions of Windows starting from Windows Server 2008 and Windows 10.
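The digest's two-part check for CVE-2024-30080 exposure (is the Message Queuing service running, is TCP 1801 open) as an added PowerShell inventory script; this is not code from the Action1 post. It assumes the service name `MSMQ`, an elevated session on Windows 8 / Server 2012 or later (for the `NetTCPIP` and `NetSecurity` cmdlets), and makes no changes to the host.

```powershell
# Added example: report whether this host meets the conditions the digest names
# for CVE-2024-30080 exposure. Read-only; run elevated so process owners and
# firewall rules are visible.

function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801   # MSMQ's TCP port, as named in the digest
    )

    # 1. Is the Message Queuing service installed, and is it running?
    #    'MSMQ' is the service name assumed here for "Message Queuing".
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $serviceInstalled = $null -ne $svc
    $serviceRunning   = $serviceInstalled -and ($svc.Status -eq 'Running')

    # 2. Is anything listening on TCP 1801? Record the owning process for triage.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    $portListening = $listeners.Count -gt 0
    $owners = $listeners | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Sort-Object -Unique

    # 3. Do any enabled inbound Allow rules open that port? Port filters with
    #    explicit port lists are matched; 'Any' and ranges are not expanded here.
    $rules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains "$Port") } |
        Get-NetFirewallRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServiceInstalled  = $serviceInstalled
        ServiceRunning    = $serviceRunning
        PortListening     = $portListening
        ListeningProcess  = ($owners -join ',')
        InboundAllowRules = @($rules).Count
        # Exposed per the digest's check: service running AND port open.
        Exposed           = ($serviceRunning -and $portListening)
    }
}

Get-MsmqExposure | Format-List
```

A host that reports `Exposed : True` still needs the June update; a host where the service is absent is not affected by this CVE, so the script also doubles as a quick way to find unneeded MSMQ installations to remove.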


This Patch Tuesday also highlights a series of important Microsoft Office Remote Code Execution (RCE) vulnerabilities starting with Microsoft Office 2016:

Microsoft Office Remote Code Execution Vulnerability (CVE-2024-30101)

This important vulnerability in Microsoft Office permits remote code execution and is associated with a Use After Free (CWE-416) flaw, earning a CVSS score of 7.5, which is considerably high.

It presents a network attack vector and high attack complexity, requires no privileges but necessitates user interaction. The vulnerability’s scope remains unchanged, yet it poses high impacts on confidentiality, integrity, and availability.

An attacker could exploit this by sending a malicious email to a user with an affected version of Microsoft Outlook. To trigger the vulnerability, the user must open the email and engage in specific actions. While no exploit code or proof of concept (PoC) is verified and the likelihood of exploitation is considered low, successful exploitation depends on the attacker winning a race condition. The Preview Pane is a potential attack vector, though further user interaction is needed.

Microsoft Office Remote Code Execution Vulnerability (CVE-2024-30104)

CVE-2024-30104 is another important vulnerability, characterized by Improper Link Resolution Before File Access (CWE-59) and holding a CVSS score of 7.8.

This vulnerability requires a local attack vector and low attack complexity, with no need for privileges but necessitating user interaction. It also poses high risks to confidentiality, integrity, and availability.

An attacker could exploit this vulnerability by sending a malicious file to a user and persuading them to open it. There is no verified exploit code or PoC available, and the likelihood of exploitation remains low.

In both cases, the term “remote” refers to the attacker’s location relative to the target. Because exploitation itself happens locally, meaning the attacker or victim must run code on the local machine, these vulnerabilities are sometimes referred to as Arbitrary Code Execution (ACE). Notably, the Preview Pane is not an attack vector for CVE-2024-30104.

Microsoft Office Remote Code Execution Vulnerability (CVE-2024-30102)

A similar vulnerability has been identified in Microsoft 365 applications, designated as CVE-2024-30102. This issue stems from a Use After Free (CWE-416) flaw and carries a CVSS rating of 7.3, highlighting a high risk.

The vulnerability features a local attack vector and low attack complexity, requires low privileges, and necessitates user interaction. Its scope remains unchanged, yet it significantly impacts confidentiality, integrity, and availability.

An attacker could exploit this vulnerability by employing social engineering tactics to persuade a user to download and open a specially crafted file. Currently, there is no verified exploit code or proof of concept (PoC) available, and the likelihood of exploitation is considered low.

Microsoft Outlook Remote Code Execution Vulnerability (CVE-2024-30103)

Continuing with the Office RCE vulnerability group, CVE-2024-30103 represents an important vulnerability in Microsoft Outlook that could enable remote code execution. This issue is classified as an Incomplete List of Disallowed Inputs (CWE-184) and has received a CVSS rating of 8.8, indicating a high level of risk.

The vulnerability is accessible through a network attack vector with low attack complexity, requires low privileges, and does not necessitate user interaction. It maintains an unchanged scope but poses high risks to confidentiality, integrity, and availability.

An attacker could exploit this vulnerability by circumventing Outlook registry block lists, which could enable the creation of malicious DLL files. Currently, no exploit code has been detected, and no proof of concept (PoC) is available, keeping the probability of exploitation low. However, the Preview Pane does serve as an attack vector in this scenario, where the attacker must possess valid Exchange user credentials to initiate the attack.

Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability (CVE-2024-30072)

Concluding today’s discussion of important vulnerabilities, we have CVE-2024-30072, a significant issue found in Microsoft Event Trace Log File Parsing that could facilitate remote code execution. This vulnerability is caused by an integer overflow or wraparound (CWE-190) and carries a CVSS rating of 7.8, reflecting a high risk level.

This vulnerability possesses a local attack vector and low attack complexity, does not require elevated privileges, but it does require user interaction. The scope of the vulnerability remains unchanged, and it impacts confidentiality, integrity, and availability significantly.

An attacker could exploit this vulnerability by sending a malicious file to a user and persuading the user to open it. Currently, there is no verified exploit code or proof of concept (PoC) available, and the likelihood of exploitation is considered low. Despite the use of “remote” in the title, which refers to the attacker’s location, this type of exploit is sometimes termed Arbitrary Code Execution (ACE). The attack is executed locally, meaning that either an attacker or victim must execute code on the local machine to exploit the vulnerability.

This vulnerability specifically affects Windows Server 2022 and Windows 11.

Google Chrome

Google has released Chrome 125, which includes a fix for a zero-day vulnerability among eight other security issues.

The most critical vulnerability addressed is CVE-2024-4947, a type confusion flaw in the JavaScript V8 engine, already exploited in the wild. This vulnerability allows a remote attacker to execute arbitrary code within a sandbox through a specially crafted HTML page. Google credited Vasily Berdnikov and Boris Larin from Kaspersky Lab for reporting the vulnerability but did not provide details about its exploitation.

Another significant issue resolved in Chrome 125 is CVE-2024-4948, a severe use-after-free vulnerability in Dawn, an open-source, cross-platform implementation of the WebGPU standard in Chromium. Additionally, a moderate use-after-free vulnerability in the V8 engine and a low-severity inappropriate implementation issue in the Downloads component were addressed.

In a separate update, Google patched another zero-day vulnerability, marking the eighth actively exploited zero-day in Chrome this year with an emergency security update.

This issue, discovered by Google researcher Clément Lecigne and tracked as CVE-2024-5274, involves a serious type confusion in V8, Chrome’s JavaScript engine. This vulnerability can lead to crashes, data corruption, and remote code execution (RCE). Type confusion occurs when a program allocates memory for one type but then interprets it as another, causing undefined behavior. Such vulnerabilities, which are a subset of memory corruption issues, can cause a program to perform operations not valid for the actual data type, leading to crashes and data corruption. RCE, a particularly severe outcome, allows attackers to execute arbitrary code on a victim’s machine, potentially taking full control of the affected system.

While Google has not disclosed the technical details, it acknowledges the existence of a working exploit for CVE-2024-5274 and attempts to exploit it in the wild.

Updates for Chrome version 125.0.6422.112/.113 are now available for Windows and Mac users, with Linux users set to receive the update in the coming weeks.

Mozilla Firefox

Mozilla Firefox 126 addresses 21 security vulnerabilities, including two rated as critical.

The first critical vulnerability, CVE-2024-4764, involves accessing a previously freed memory area during the processing of multiple WebRTC streams with audio. This issue poses significant risks to system stability and data integrity.

The second critical vulnerability, CVE-2024-4367, enables the execution of JavaScript code through the handling of custom fonts within Firefox’s built-in PDF viewer. This flaw could allow malicious scripts to run, potentially compromising user data and system security.

Additionally, nine other vulnerabilities stem from various memory-related issues, such as buffer overflows and access to freed memory areas. These vulnerabilities could potentially enable the execution of malicious code when users open specially crafted web pages, thereby posing a serious security threat.

PHP

DEVCORE has identified a critical vulnerability, CVE-2024-4577, affecting all versions of PHP on Windows systems. This vulnerability enables remote code execution attacks against web servers utilizing PHP CGI. It notably circumvents protections set by the 2012 security patch for CVE-2012-1823, which was intended to prevent attacks arising from the parsing of certain query string parameters in PHP CGI.

The vulnerability emerged because the implementation team overlooked the best-fit encoding conversion feature of Windows, which permitted unauthenticated attackers to bypass security measures using specific character strings. This allowed for arbitrary code execution on remote PHP servers through an argument injection attack.

Recognizing the severity of this issue, PHP developers were promptly informed on May 7. They addressed the vulnerability by releasing updated versions 8.3.8, 8.2.20, and 8.1.29 on June 6. Researchers from watchTowr, who reproduced and closely analyzed the vulnerability, described it as a nasty bug with a very simple exploit.

Azure

Tenable researchers have uncovered a high-severity vulnerability in Azure service tags that could potentially expose customers’ personal information. This vulnerability allows attackers to forge malicious web requests that mimic trusted Azure services, effectively bypassing the tag-based firewall. These firewalls often lack authentication checks, making them vulnerable to Server-Side Request Forgery (SSRF)-like attacks.

The issue arises during the use of the Availability Test feature in either the Classic Test or Standard Test functionality within the Application Insights Availability service. This feature, which allows for the customization of HTTP requests including headers and methods, can inadvertently provide access to internal services and potentially expose internal APIs hosted on ports 80 and 443.

In their detailed report, the researchers outlined how Azure’s custom headers and tags could be misused to access internal APIs. However, Microsoft developers do not acknowledge these concerns as vulnerabilities and thus have no plans for remedial patches. They maintain that service tags should be employed solely as a routing mechanism, supplemented by validation controls.

This vulnerability affects not only Azure Application Insights but also extends to ten other services, including Azure DevOps, Machine Learning, Logic Apps, Container Registry, Load Testing, API Management, Data Factory, Action Group, AI Video Indexer, and Chaos Studio. Despite Microsoft’s stance, Tenable advises Azure customers to implement additional authentication and authorization layers on top of service tag-based network controls to safeguard their assets. When configuring network rules for Azure services, it is important to understand that service tags alone do not guarantee security against traffic to private services.

Check Point

A critical zero-day vulnerability in VPNs has been linked to attacks as early as April 2024, in which attackers targeted Active Directory data to move laterally across victims’ networks. On Monday, Check Point issued a warning to customers that their security gateways, specifically those using outdated local VPN accounts with insecure password-only authentication, would be vulnerable to attacks starting May 24.

Subsequently, Check Point discovered that these attacks were exploiting an information disclosure vulnerability, identified as CVE-2024-24919, prompting the release of urgent patches for their CloudGuard, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark networks. However, Mnemonic researchers observed that exploitation attempts of CVE-2024-24919 in some customer environments had commenced as early as April 30. This vulnerability is considered especially critical due to its ease of remote exploitation without requiring user interaction or special privileges on compromised Check Point security gateways that have remote access VPN and mobile access enabled.

This vulnerability allows attackers to recompute and extract password hashes for all local accounts, including those used to connect to Active Directory. Compromised systems have been observed to allow extraction of the ntds.dit file—storing Active Directory data including users, groups, security descriptors, and password hashes—within 2-3 hours of a local user logging on. Furthermore, the vulnerability has been used to extract data enabling attackers to maneuver within the victim’s network and use Visual Studio Code to channel malicious traffic.

Mnemonic advises Check Point customers to immediately upgrade to fixed versions and eliminate all local users on vulnerable security gateways. It is also recommended that administrators change passwords for LDAP connections from the gateway to Active Directory, conduct a post-remediation audit of logs for any signs of compromise, and, if possible, update the Check Point IPS signature to detect further exploitation attempts.

Additionally, researchers have highlighted the emergence of a proof of concept (PoC) for an actively exploited zero-day vulnerability in Check Point VPNs. This vulnerability, discovered on May 27 and cataloged as CVE-2024-24919 with a CVSS score of 8.6, involves an arbitrary file reading issue in gateways equipped with IPSec VPN or Mobile Access blades. The affected models include the CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. Exploitation of this vulnerability could provide access to sensitive information and, in some cases, allow attackers to obtain domain administrator privileges.

As of May 31, Censys reported over 13,800 Check Point gateways exposed on the internet, not all of which may be vulnerable to CVE-2024-24919. However, given the early start of the exploitation and the timing of the alert issuance, the potential for attacks remains significant. The ongoing attacks, the ease of their execution, and the presence of numerous vulnerable, outdated Check Point gateway versions underscore the urgency of implementing the recommended security measures as swiftly as possible.

GitHub

GitHub has issued a patch for a critical vulnerability in GitHub Enterprise Server that could allow an unauthenticated attacker to obtain administrative privileges. The vulnerability, identified as CVE-2024-4985, has received the highest CVSS rating of 10/10 and impacts all versions of Enterprise Server up to 3.13.0 that utilize SAML single sign-on (SSO) authentication with the optional encrypted assertions feature enabled.

The vulnerability permits unauthorized server access with administrator privileges without requiring pre-authentication by exploiting a spoofed SAML response. However, GitHub notes that instances employing SAML SSO authentication without the encrypted assertions feature are not susceptible to this vulnerability, as encrypted assertions are not enabled by default.

In response to this critical issue, GitHub has urgently released updated versions of Enterprise Server, including 3.9.15, 3.10.12, 3.11.10, and 3.12.4. While there are no known instances of the vulnerability being exploited in the wild, the severity of CVE-2024-4985 necessitates that users upgrade their GitHub Enterprise Server to one of these patched versions immediately. Given the vulnerability’s maximum severity rating, users operating unpatched versions face a significant risk of network compromise by potential attackers.

Rockwell

Leading ICS vendor Rockwell Automation has urgently requested customers to “IMMEDIATELY” unplug their ICS devices. The company attributes this drastic measure to the escalation of malicious cyber activities targeting ICS amid intensifying geopolitical tensions.

The vendor has advised that ICS devices not specifically designed for connection to the public internet be isolated promptly to prevent potential compromises, particularly those devices that may not yet be patched against known vulnerabilities. Although the specific devices affected are not disclosed in the vendor’s advisory, Rockwell has emphasized the importance of implementing mitigations to protect against several critical vulnerabilities: CVE-2021-22681, CVE-2022-1159, CVE-2023-3595, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915, and CVE-2024-21917.

Highlighting the severity of the situation, even the Cybersecurity and Infrastructure Security Agency (CISA) has echoed Rockwell Automation’s call by reposting their advisory on disabling ICS devices.

Veeam

Backup solution provider Veeam has issued a warning to customers about a critical vulnerability in Backup Enterprise Manager that permits an unauthenticated attacker to log into the VBEM web interface as any user. Identified as CVE-2024-29849, this vulnerability carries a high CVSS rating of 9.8/10. It’s important to note that not all environments are affected, as VBEM is not enabled by default.

This issue has been resolved with the release of VBEM version 12.1.2.172. Nevertheless, administrators are advised to temporarily disable the VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API) services as a precaution before applying the update. Additionally, Veeam has addressed two other high-severity vulnerabilities within VBEM: CVE-2024-29850 and CVE-2024-29851. The first allows for account hijacking through an NTLM relay attack, while the second enables users with high privileges to capture the NTLM hash of a Veeam Backup Enterprise Manager service account.
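The precaution described above (stop and disable the two VBEM services until version 12.1.2.172 is in place) as an added PowerShell helper; this is not code from Veeam or from the Action1 post. It assumes the service names `VeeamEnterpriseManagerSvc` and `VeeamRESTSvc` from the advisory text, an elevated session on the VBEM host, and an assumed state file under `$env:ProgramData` so the original startup types can be restored after the update.

```powershell
# Added example: temporarily disable the Veeam Backup Enterprise Manager services
# named in the advisory, recording their original state so that Restore-VbemServices
# can put them back once VBEM 12.1.2.172 or later is installed.

$VbemServices = @('VeeamEnterpriseManagerSvc', 'VeeamRESTSvc')   # names from the advisory

function Disable-VbemServices {
    param(
        # Assumed location for the saved state; adjust to local conventions.
        [string]$StatePath = "$env:ProgramData\vbem-service-state.json"
    )

    $saved = foreach ($name in $VbemServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "Service $name not found; VBEM may not be installed on this host."
            continue
        }

        # Record the original state before changing anything (StartType needs PS 5.0+).
        $original = [pscustomobject]@{
            Name       = $name
            StartType  = $svc.StartType.ToString()
            WasRunning = ($svc.Status -eq 'Running')
        }

        if ($original.WasRunning) { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        $original
    }

    if (-not $saved) { Write-Warning 'No VBEM services found; nothing saved.'; return }
    $saved | ConvertTo-Json | Set-Content -Path $StatePath
    return $saved
}

function Restore-VbemServices {
    param(
        [string]$StatePath = "$env:ProgramData\vbem-service-state.json"
    )

    # Wrap in @() because a single saved entry deserializes as an object, not an array.
    $saved = @(Get-Content -Path $StatePath -Raw | ConvertFrom-Json)
    foreach ($entry in $saved) {
        Set-Service -Name $entry.Name -StartupType $entry.StartType
        if ($entry.WasRunning) { Start-Service -Name $entry.Name }
    }
}

# Before applying the update:
#   Disable-VbemServices
# After VBEM 12.1.2.172 or later is installed:
#   Restore-VbemServices
```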

Given the historical context of March 2023, when ransomware exploited similar vulnerabilities to hijack backup infrastructure hosts, it is crucial for customers to apply these patches without delay to avoid potential compromises.

Fluent Bit

Tenable researchers have identified a critical vulnerability in Fluent Bit, a widely used logging and metrics solution that affects nearly all major cloud providers. Fluent Bit is integrated into leading Kubernetes distributions, including those from Amazon AWS, Google GCP, and Microsoft Azure. As of March 2024, Fluent Bit has been downloaded and deployed over 13 billion times and is utilized by prominent infosec vendors such as CrowdStrike and Trend Micro, as well as major technology companies like Cisco, VMware, Intel, Adobe, and Dell.

The vulnerability, known as Linguistic Lumberjack and tracked as CVE-2024-4323, was introduced in version 2.0.7 due to a heap buffer overflow issue when the embedded HTTP server in Fluent Bit processes trace requests. This flaw allows unauthenticated attackers to potentially cause a denial of service (DoS) or remotely capture sensitive information. Under certain conditions, it could also be exploited for remote code execution (RCE).

Given these risks, Tenable highlighted that the most pressing threats include the possibility of a readily executable DoS and significant information leakage. The vulnerability was reported to the vendor on April 30, and a fix was merged into the main branch of Fluent Bit on May 15. Official releases containing the patch are expected in Fluent Bit version 3.0.4. Moreover, Microsoft, Amazon, and Google have also issued advisories regarding this issue.

Until patches are available for all affected platforms, customers are advised to mitigate the risk by restricting access to the Fluent Bit monitoring API to only authorized users and services, or by disabling the vulnerable API endpoint altogether.

QNAP

Researchers from watchTowr Labs have delivered unsettling news for owners of QNAP NAS devices, which are known targets for ransomware gangs and Advanced Persistent Threats (APTs). They have uncovered 15 vulnerabilities in the NAS firmware, with several posing risks for remote code execution attacks that do not require user authentication.

The report highlights a particularly concerning vulnerability, CVE-2024-27130, an unauthenticated stack overflow issue that permits remote code execution. Unfortunately, of the 15 vulnerabilities found, the vendor has only addressed the first four, excluding CVE-2024-27130. Patched versions, QTS 5.1.6.2722 build 20240402 and QuTS Hero h5.1.6.2734 build 20240414, are available, but they do not cover this specific vulnerability.

Despite granting several extensions to the vendor as part of a coordinated disclosure effort, watchTowr Labs has released a proof of concept (PoC) for one of the most critical vulnerabilities in this group. They advise all affected users to consider disabling their systems or severely restricting access until patches are issued.

However, patches may not be forthcoming soon. watchTowr notes that QNAP’s codebase is complex, written in the hackers’ favored C language, and contains many outdated components. Despite these challenges, the researchers are continuing their work, with new reports on the remaining issues expected shortly. These findings are likely to be closely monitored by operators of ransomware like DeadBolt, Checkmate, and Qlocker.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Setup in minutes to reduce your cyber risks and costs:

Webinar Recording: June 2024 Vulnerability Digest from Action1
