National Cyber Warfare Foundation (NCWF) Forums


Patch Tuesday - June 2024


0 user ratings
2024-06-11 19:51:31
milo
Red Team (CNA)
MSMQ RCE again. Office malicious file RCEs. SharePoint RCE. DNSSEC NSEC3 DoS.

Patch Tuesday - June 2024

It’s June 2024 Patch Tuesday. Microsoft is addressing 51 vulnerabilities today, and has evidence of public disclosure for just a single one of those. At time of writing, none of the vulnerabilities published today are listed on CISA KEV, although this is always subject to change. Microsoft is patching a single critical remote code execution (RCE) vulnerability today. Seven browser vulnerabilities were published separately this month, and are not included in the total.

MSMQ: critical RCE

The sole critical RCE patched today is CVE-2024-30080 for all current versions of Windows. Exploitation requires that an attacker send a specially crafted malicious packet to an MSMQ server, which Patch Tuesday watchers will know as a perennial source of vulnerabilities. As usual, Microsoft points out that the Windows message queuing service is not enabled by default; as usual, Rapid7 notes that a number of applications – including Microsoft Exchange – quietly introduce MSMQ as part of their own installation routine. As is typical of MSMQ RCE vulnerabilities, CVE-2024-30080 receives a high CVSSv3 base score due to the network attack vector, low attack complexity, and lack of required privileges. Code execution is presumably in a SYSTEM context, although the advisory does not specify.

Office: malicious file RCEs

Microsoft Office receives patches for a pair of RCE-via-malicious-file vulnerabilities. CVE-2024-30101 is a vulnerability in Outlook; although the Preview Pane is a vector, the user must subsequently perform unspecified specific actions to trigger the vulnerability and the attacker must win a race condition. On the other hand, CVE-2024-30104 does not have the Preview Pane as a vector, but nevertheless ends up with a slightly higher CVSS base score of 7.8, since exploitation relies solely on the user opening a malicious file.

SharePoint: RCE

This month also brings a patch for SharePoint RCE CVE-2024-30100. The advisory is sparing on details, and the context of code exploitation is not clear. The weakness is described as CWE-426: Untrusted Search Path; many (but not all) vulnerabilities associated with CWE-426 lead to elevation of privilege.

DNSSEC NSEC3: CPU exhaustion DoS

And now for something completely different: ​​CVE-2023-50868, which describes a denial of service vulnerability in DNSSEC. This vulnerability is present in the DNSSEC spec itself, and the CVE was assigned by MITRE on behalf of DNSSEC. Microsoft’s implementation of DNSSEC is thus subject to the same attack as other implementations. An attacker can exhaust CPU resources on a DNSSEC-validating DNS resolver by demanding responses from a DNSSEC-signed zone, if the resolver uses NSEC3 to respond to the request. NSEC3 is designed to provide a safe way for a DNSSEC-validating DNS resolver to indicate that a requested resource does not exist. Under certain circumstances, the DNS resolver must perform thousands of iterations of a hash function to calculate an NSEC3 response, and this is the foundation on which this DoS exploit rests. All current versions of Windows Server receive a patch today.

Typically, when Microsoft publishes a security advisory and describes the vulnerability as publicly disclosed, that public disclosure will have been recent. However, in the case of CVE-2023-50868, the flaw in DNSSEC was first publicly disclosed on 2024-02-13. The advisory acknowledges four academics from the German National Research Centre for Applied Cybersecurity (ATHENE), which is perhaps of interest since these same researchers are authors on a March 2024 academic paper that downplays the DoS potential of CVE-2024-50868. Those same researchers published another DNSSEC flaw CVE-2023-50387 (also known as KeyTrap) in January 2024, which they describe as having potentially serious implications; Microsoft patched that one at the next scheduled opportunity in February. The CVE-2023-50868 advisory published today does not provide further insight as to why this vulnerability wasn’t patched sooner; a reasonable assumption might be that Microsoft assesses CVE-2023-50868 as less urgent/critical than CVE-2023-50387, although both receive a rating of Important on Microsoft’s proprietary severity ranking scale. It’s also possible that Microsoft does not wish to be the only major server OS vendor without a patch.

Lifecycle update

There are no significant changes to the lifecycle phase of Microsoft products this month. In July, Microsoft SQL Server 2014 will move past the end of extended support. From August onwards, Microsoft only guarantees to provide SQL Server 2014 security updates to customers who choose to participate in the paid Extended Security Updates program.

Summary Charts

Patch Tuesday - June 2024
Patch Tuesday - June 2024
What goes up must come down and/or is an attacker's privilege level.
Patch Tuesday - June 2024
No spoofing. No security feature bypass. Plenty of elevation of privilege though.


Summary Tables

Azure vulnerabilities

















































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-37325Azure Science Virtual Machine (DSVM) Elevation of Privilege VulnerabilityNoNo8.1
CVE-2024-35252Azure Storage Movement Client Library Denial of Service VulnerabilityNoNo7.5
CVE-2024-35254Azure Monitor Agent Elevation of Privilege VulnerabilityNoNo7.1
CVE-2024-35255Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege VulnerabilityNoNo5.5
CVE-2024-35253Microsoft Azure File Sync Elevation of Privilege VulnerabilityNoNo4.4

Browser vulnerabilities































































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-5499Chromium: CVE-2024-5499 Out of bounds write in Streams APINoNoN/A
CVE-2024-5498Chromium: CVE-2024-5498 Use after free in Presentation APINoNoN/A
CVE-2024-5497Chromium: CVE-2024-5497 Out of bounds memory access in Keyboard InputsNoNoN/A
CVE-2024-5496Chromium: CVE-2024-5496 Use after free in Media SessionNoNoN/A
CVE-2024-5495Chromium: CVE-2024-5495 Use after free in DawnNoNoN/A
CVE-2024-5494Chromium: CVE-2024-5494 Use after free in DawnNoNoN/A
CVE-2024-5493Chromium: CVE-2024-5493 Heap buffer overflow in WebRTCNoNoN/A

Developer Tools vulnerabilities



































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-29187GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEMNoNo7.3
CVE-2024-29060Visual Studio Elevation of Privilege VulnerabilityNoNo6.7
CVE-2024-30052Visual Studio Remote Code Execution VulnerabilityNoNo4.7

ESU vulnerabilities




























CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-30074Windows Link Layer Topology Discovery Protocol Remote Code Execution VulnerabilityNoNo8
CVE-2024-30075Windows Link Layer Topology Discovery Protocol Remote Code Execution VulnerabilityNoNo8

Microsoft Dynamics vulnerabilities



































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-35249Microsoft Dynamics 365 Business Central Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-35248Microsoft Dynamics 365 Business Central Elevation of Privilege VulnerabilityNoNo7.3
CVE-2024-35263Microsoft Dynamics 365 (On-Premises) Information Disclosure VulnerabilityNoNo5.7

Microsoft Office vulnerabilities

















































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-30103Microsoft Outlook Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-30100Microsoft SharePoint Server Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-30104Microsoft Office Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-30101Microsoft Office Remote Code Execution VulnerabilityNoNo7.5
CVE-2024-30102Microsoft Office Remote Code Execution VulnerabilityNoNo7.3

Windows vulnerabilities


































































































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-30064Windows Kernel Elevation of Privilege VulnerabilityNoNo8.8
CVE-2024-30068Windows Kernel Elevation of Privilege VulnerabilityNoNo8.8
CVE-2024-30097Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-30085Windows Cloud Files Mini Filter Driver Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-30089Microsoft Streaming Service Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-30072Microsoft Event Trace Log File Parsing Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-35265Windows Perception Service Elevation of Privilege VulnerabilityNoNo7
CVE-2024-30088Windows Kernel Elevation of Privilege VulnerabilityNoNo7
CVE-2024-30099Windows Kernel Elevation of Privilege VulnerabilityNoNo7
CVE-2024-30076Windows Container Manager Service Elevation of Privilege VulnerabilityNoNo6.8
CVE-2024-30096Windows Cryptographic Services Information Disclosure VulnerabilityNoNo5.5
CVE-2024-30069Windows Remote Access Connection Manager Information Disclosure VulnerabilityNoNo4.7

Windows ESU vulnerabilities

































































































































































CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2024-30080Microsoft Message Queuing (MSMQ) Remote Code Execution VulnerabilityNoNo9.8
CVE-2024-30078Windows Wi-Fi Driver Remote Code Execution VulnerabilityNoNo8.8
CVE-2024-30077Windows OLE Remote Code Execution VulnerabilityNoNo8
CVE-2024-30086Windows Win32 Kernel Subsystem Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-30062Windows Standards-Based Storage Management Service Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-30094Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-30095Windows Routing and Remote Access Service (RRAS) Remote Code Execution VulnerabilityNoNo7.8
CVE-2024-35250Windows Kernel-Mode Driver Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-30082Win32k Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-30087Win32k Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-30091Win32k Elevation of Privilege VulnerabilityNoNo7.8
CVE-2024-30083Windows Standards-Based Storage Management Service Denial of Service VulnerabilityNoNo7.5
CVE-2023-50868MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPUNoYes7.5
CVE-2024-30070DHCP Server Service Denial of Service VulnerabilityNoNo7.5
CVE-2024-30093Windows Storage Elevation of Privilege VulnerabilityNoNo7.3
CVE-2024-30084Windows Kernel-Mode Driver Elevation of Privilege VulnerabilityNoNo7
CVE-2024-30090Microsoft Streaming Service Elevation of Privilege VulnerabilityNoNo7
CVE-2024-30063Windows Distributed File System (DFS) Remote Code Execution VulnerabilityNoNo6.7
CVE-2024-30066Winlogon Elevation of Privilege VulnerabilityNoNo5.5
CVE-2024-30067Winlogon Elevation of Privilege VulnerabilityNoNo5.5
CVE-2024-30065Windows Themes Denial of Service VulnerabilityNoNo5.5



Source: Rapid7
Source Link: https://blog.rapid7.com/2024/06/11/patch-tuesday-june-2024/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



© Copyright 2012 through 2024 - National Cyber War Foundation - All rights reserved worldwide.