August Patch Tuesday proves busy with six zero-days to fix

IT administrators and security teams hoping for a quiet summer have been left disappointed after Microsoft patched six actively exploited zero-day vulnerabilities and four additional issues that have been made public, in its latest Patch Tuesday update.

Also in the crosshairs of malicious actors this month are no fewer than nine flaws, two of them third-party issues coming from Red Hat, that carry critical severity ratings.

None of these critical flaws make the list of zero-days, but coming amid one of the larger Patch Tuesday updates so far this year, comprising over 100 fixes once third-party issues are accounted for, they will doubtless occupy a lot of time over the next few days.

“Microsoft has evidence of in-the-wild exploitation … or public disclosure for 10 of the vulnerabilities published today, which is significantly more than usual,” said Rapid7 lead software engineer, Adam Barnett.

“At time of writing, all six of the known exploited vulnerabilities patched today are listed on [the] CISA KEV [database]. Microsoft is also patching five critical remote code execution (RCE) vulnerabilities today.

“Patch Tuesday watchers will know that today’s haul of four publicly-disclosed vulnerabilities and six further exploited-in-the-wild vulnerabilities is a much larger batch than usual,” he said.

Barnett added: “As something of an olive branch for defenders who may now be eyeing their to-do list with concern, Microsoft has not published any SharePoint or Exchange vulnerabilities this month.”

The six zero-days – for which no public exploit code is yet circulating – comprise the following bugs:

• CVE-2024-38106, an elevation of privilege (EoP) vulnerability in Windows Kernel;
• CVE-2024-38107, an EoP vulnerability in Windows Power Dependency Coordinator;
• CVE-2024-38178, a remote code execution vulnerability in Scripting Engine;
• CVE-2024-38189, an RCE vulnerability in Microsoft Project;
• CVE-2024-38193, an EoP vulnerability in Windows Ancillary Function Driver for WinSock;
• CVE-2024-38213, a security feature bypass vulnerability in Windows Mark-of-the-Web.

The good news, as Chris Goettl, Ivanti vice president of security products was quick to observe, is that updating the Windows operating system and Office will “knock out most of the risk pretty quick”.

Running the rule over the list of zero-days, Goettl said CVE-2024-38189 was likely to be the most impactful as it allows an attacker to socially engineer their way into executing arbitrary code on their victim’s system. But, he added, there were mitigating factors, such as policies to block macros from running in Office files from the internet, and VBA macro notification settings.

“If these are enabled, the attack could be thwarted. Somewhere out there these policy settings were obviously disabled allowing an attacker to exploit the CVE in the wild. Risk-based guidance would be to get your Office installs update this month. If you have limited control over the mitigating policy settings or have an open BYOD [bring your own device] policy then updating Office could be more urgent to reduce your exposure,” he said. 

For CVE-2024-38107, Goettl observed that although the exploit requires an attacker to win a race condition, given it has been detected in attacks already this should not be cause to defer remediating it.

He urged users to consider risk-based guidance and treat this update as of higher severity than Microsoft says it is, adding that the same goes for all of the four other zero-days listed.

The flaws that have been made public, but are not yet seen as exploited in the wild, are as follows:

• CVE-2024-21302, an EoP flaw in Windows Secure Kernel Mode;
• CVE-2024-38199, an RCE flaw in Windows line Printer Daemon Service;
• CVE-2024-38200, a spoofing flaw in Microsoft Office;
• CVE-2024-38202, an EoP flaw in Windows Update Stack.

Reviewing these four issues, Scott Caveza, staff research engineer at Tenable, said CVE-2024-38202 and CVE-2024-21302 warranted particular attention.

“Both of [these] were disclosed by SafeBreach Labs researcher Alon Leviev. If chained together, an attacker could downgrade or roll back software updates without the need for interaction from a victim with elevated privileges,” said Caveza.

“As a result, previous remediation efforts are essentially erased as target devices could be made susceptible to previously patched vulnerabilities, thus increasing the attack surface of the device.”

CVE-2024-38200 also warrants close attention, said Caveza. “An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email. Successful exploitation of the vulnerability could result in the victim exposing New Technology Lan Manager (NTLM) hashes to a remote attacker,” he explained.

“NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to further an attacker's foothold into an organisation. NTLM relay attacks have been observed by a Russian-based threat actor, APT28 [Fancy Bear], who leveraged a similar vulnerability to carry out attacks – CVE-2023-23397, an EoP vulnerability in Microsoft Outlook patched in March 2023.”