valerybrozhinsky - stock.adobe.c

Critical SharePoint, Qakbot-linked flaws focus of May Patch Tuesday

A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malware that is drawing attention

A critical vulnerability affecting Microsoft SharePoint Server, and two zero-day flaws in Windows MSHTML Platform and Windows Desktop Window Manager (DWM) Core Library should be top-of-mind for administrators, as Microsoft releases its monthly Patch Tuesday update addressing over 60 bugs and issues.

The SharePoint Server flaw – which stands as the only critical vulnerability in the May 2024 drop – is a remote code execution (RCE) vulnerability tracked as CVE-2024-30044. Details of it have not yet been made public, and nor does it appear to have been exploited in the wild.

Microsoft said that if an authenticated attacker has obtained site owner permissions, they could exploit CVE-2024-30044 to upload a specially crafted file to the victim server and create specialised application programming interface (API) requests to trigger the deserialisation of the file’s parameters. In this way, they could then achieve RCE in the context of the compromised server.

The fact that CVE-2024-30044 stems from an untrusted data deserialisation issue makes it particularly problematic, explained Mike Walters, president and co-founder of Action1, because it allows attackers to inject and execute arbitrary code during the deserialisation process.

“An attacker with basic Site Viewer permissions could leverage this vulnerability to execute code remotely, enabling activities such as deploying web shells, installing malware or extracting sensitive data,” said Walters. “If an attacker gains initial access through other means, such as phishing or another vulnerability, they could use CVE-2024-30044 to establish a more persistent and powerful foothold within the network.

“Combining this vulnerability with another that allows privilege escalation could enable attackers to transition from initial access to full administrative control,” he said.

“This can facilitate persistence within the network and make detection more challenging. Upon establishing control, attackers could use further tools to exfiltrate sensitive data from the SharePoint Server, potentially leading to significant data breaches. Additionally, once remote code execution is achieved, threat actors might deploy ransomware to encrypt critical files on the SharePoint Server, demanding a ransom for the decryption keys.”

Object linking and embedding

The two zero-day flaws this month are CVE-2024-30040, a security feature bypass vulnerability in Windows MSHTML Platform, and CVE-2024-30051, an elevation of privilege (EoP) vulnerability in Windows DWM Core Library.

On the first of these, Microsoft revealed how it essentially lets a malicious actor bypass object linking and embedding (OLE) protections in Microsoft 365 and Microsoft Office by getting a user to load a tainted file onto a vulnerable system via a phishing email or instant message and convincing them to manipulate it, though not necessarily to click on or open it. This would give the unauthenticated attacker the ability to execute arbitrary code presenting as the victim.

Quackers for Qakbot

On the Windows DWM Core Library vulnerability, Microsoft said it would enable an attacker to gain system-level privileges on the victim’s system, but provided little additional context or detail. It’s known to stem from a heap-based buffer overflow, which makes it potentially severe, and is also exploitable by a local user with relatively low privileges.

Of the two zero-days, it’s CVE-2024-30051 that has generated significant interest among cyber experts, due to an historic connection to an infamous threat.

Tyler Reguly, senior manager of security research and development at Fortra, explained: “This month everyone is going to be talking about CVE-2024-30051 since it is known that it is being used in QakBot and other malware. This is an update that should be applied as soon as possible given the nature of the vulnerability and the fact that real-world exploitation has been confirmed.”

Qakbot is a venerable banking malware dating back over a decade. It latterly became popular among cyber criminals as a remote access trojan (RAT) used to great effect by ransomware gangs such as LockBit and REvil.

Its infrastructure was taken down in August 2023 in an FBI-led operation dubbed Operation Duck Hunt, but as of February 2024, researchers from the Sophos X-Ops team reported that someone with access to Qakbot’s source code appeared to be testing out new builds and making concerted efforts to harden the malware’s encryption, meaning the new variant can more effectively defy analysis.

Read more about Patch Tuesday

The vulnerability was found by Kaspersky researchers at the beginning of April, when a suspicious document found on VirusTotal drew their attention. Written in broken English and missing crucial details, the document hinted at a potential Windows OS vulnerability, but the exploit chain seemed identical to that used to activate a previous zero-day, CVE-2023-36033.

Suspecting the flaw to be either fictional or unexploitable nonsense, the Kaspersky team chose to probe it further, and quickly found and reported the fact CVE-2023-30051 was genuine. The team has since been monitoring for its use, and said today that an exploit has been circulating since mid-April.

“We found the document on VirusTotal intriguing due to its descriptive nature, and decided to investigate further, which led us to discover this critical zero-day vulnerability,” said Boris Larin, principal security researcher at Kaspersky GReAT. “The speed with which threat actors are integrating this exploit into their arsenal underscores the importance of timely updates and vigilance in cyber security.”

Kaspersky said it plans to release more technical details of CVE-2024-30051 once enough time has passed for vulnerable users to update.

Action1’s Walters added: “Given its critical nature and the low complexity of the exploit, CVE-2024-30051 poses a significant risk, particularly in environments with numerous and diverse local users, such as corporate networks and academic institutions.

“The existence of functional exploit code and confirmed exploitation reports suggests that attackers are well-acquainted with this vulnerability and are actively exploiting it in campaigns,” he said. “In light of the high level of privilege attainable through this exploit, it is crucial for organisations to prioritise deploying Microsoft’s official patch to mitigate potential damage.”

Read more on Application security and coding requirements