October Patch Tuesday roundup: One Windows hole has a score of 9.8
This month’s Patch Tuesday fixes include a plug for a critical vulnerability with a CVSS score of 9.8.
It’s one of 117 security holes identified by Microsoft in yesterday’s releases.
The critical hole, CVE-2024-43468, is in Microsoft Configuration Manager, used by Windows administrators to manage large groups of computers and servers.
Microsoft describes the vulnerability as an improper neutralization of special elements used in an SQL command – otherwise known as SQL injection.
An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner, says Microsoft, enabling the attacker to execute commands on the server and/or underlying database.
But plugging this hole involves more than installing a patch. Admins running a version of Configuration Manager listed in the security updates table for this CVE need to install an update from their Configuration Manager console, selecting the individual updates that they want to install.
Tyler Reguly, associate director of security R&D at Fortra, notes this process does not update secondary sites and there is a manual process that administrators must perform in order to update secondary sites that is detailed in the KB Article. “It is situations like this that are often overlooked,” he said in a blog, “resulting in the existence of vulnerable environments within the enterprise.”
Given the widespread use of Windows-based systems in corporate and government settings, CVE-2024-43572 “poses a considerable risk,” said Mike Walters, president of Action1. “It’s estimated that millions of endpoints, particularly those in organizations using MMC for administrative tasks and policy enforcement, are vulnerable—especially those that have not installed the necessary security update to block execution from untrusted MSC files. This threat is especially acute in environments with less technically aware end-users or extensive digital footprints.”
So far there is no evidence that this vulnerability has been disclosed or exploited publicly.
Of the other fixes released by Microsoft yesterday, Reguly notes that five are for vulnerabilities that have been publicly disclosed, two of which have also seen active exploitation. They include CVE-2024-43573, a vulnerability in MSHTML Platform that allows spoofing, and CVE-2024-43572, a vulnerability in Microsoft Management Console that allows for code execution when opening untrusted, malicious Microsoft Saved Console (MSC) files.
The vulnerability in MSHTML is the fourth zero-day hole in this component found this year, the SANS Institute notes.
The other vulnerabilities publicly disclosed Tuesday that are not yet seeing active exploitation include CVE-2024-6197, a vulnerability in curl; CVE-2024-20659, a security feature bypass in Hyper-V; and CVE-2024-43583, a privilege escalation in winlogon.
“Thankfully,” writes Reguly, “for the Hyper-V vulnerability there are a number of criteria that make it less likely that we’ll see this vulnerability exploited. Microsoft indicates that only certain hardware is impacted, which could allow the bypass of UEFI (Unified Extensible Firmware Interface, code that connects firmware to Windows) and lead to a compromise of the hypervisor; this would require that the system first be rebooted and that the attacker have access to the local network, as Microsoft has marked the attack vector in the CVSS score with the rarely seen adjacent value, meaning the attack must originate from the same physical or logical network.”
Walters also drew attention to a fix for Remote Desktop Protocol Server, a service frequently abused by threat actors to break into systems. It plugs a remote code execution vulnerability, CVE-2024-43582, which enables attackers to manipulate memory in a way that could allow them to run arbitrary code.
Also on Tuesday Adobe released nine patches addressing 52 vulnerabilities in Adobe Substance 3D Painter, Commerce, Dimension, Animate, Lightroom, InCopy, InDesign, Substance 3D Stager, and Adobe FrameMaker.
The Zero Day Initiative says the largest and most urgent of these patches covers 22 CVEs in Adobe Commerce, which includes fixes for critical-rated code execution bugs. Although not listed as public or under attack, Adobe lists this as Priority 2.