Microsoft revealed on Tuesday that two security flaws affecting Windows NT LAN Manager (NTLM) and Task Scheduler have come under active exploitation in the wild.
The flaws are among the 90 security bugs the tech giant addressed as part of its November 2024 Patch Tuesday update. Of the 90 flaws, four are rated Critical, 85 are rated Important, and one is rated Moderate. Fifty-two of the patched vulnerabilities are remote code execution flaws.
The fixes are in addition to 31 vulnerabilities Microsoft resolved in its Chromium-based Edge browser since the release of the October 2024 Patch Tuesday update. The two vulnerabilities that have been flagged as actively exploited are listed below –
- CVE-2024-43451 (CVSS Score: 6.5) – Windows NTLM Hash Disclosure Spoofing Vulnerability
- CVE-2024-49039 (CVSS Score: 8.8) – Windows Task Scheduler Elevation of Privilege Vulnerability
“This vulnerability exposes the user’s NTLMv2 hash to an attacker who could use this to authenticate as the user,” Microsoft said in an advisory for CVE-2024-43451, crediting ClearSky researcher Israel Yeshurun for discovering and reporting the flaw.
It is worth noting that CVE-2024-43451 is the third flaw this year, after CVE-2024-21410 (patched in February) and CVE-2024-38021 (patched in July), that can be used to disclose a user’s NTLMv2 hash and that has been exploited in the wild.
“Attackers continue to aggressively identify and exploit zero-day vulnerabilities that can expose NTLMv2 hashes, as these can be used to authenticate to systems and potentially travel across the network to access other systems,” Satnam Narang, senior staff research engineer at Tenable, said in a statement.
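The NTLMv2 disclosure class Narang describes only pays off for an attacker if the victim's Windows host actually sends its NTLM authentication to an attacker-controlled server, which in practice means an outbound SMB session or a WebDAV request to an internet host. The practitioner's check is therefore an egress one: flag Windows clients talking SMB or WebDAV to addresses outside the enterprise. The following is an added example, not code from the article or from Microsoft; the firewall and proxy log shapes, field names and sample lines are constructed for the illustration, and the internal address list is an assumption a real deployment would replace with its own ranges.

```python
"""Flag flows on which a Windows host could hand an NTLMv2 response to an internet host.

Added example. Assumes two constructed log shapes: a key=value firewall line and a
proxy line carrying the client User-Agent. Field names are illustrative, not any
vendor's schema.
"""
import ipaddress
import re

# Address space treated as internal: RFC 1918, loopback and link-local (assumption;
# a real deployment adds its own public ranges). An explicit list is used instead of
# ipaddress.is_private so that documentation ranges such as 203.0.113.0/24, used
# below as stand-ins for attacker hosts, are classified as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# TCP ports on which Windows speaks SMB. An outbound SMB session negotiates NTLM
# before any share access, so the NTLMv2 response leaves the host immediately.
SMB_PORTS = {139, 445}

# User-Agent of the Windows WebDAV redirector (mini-redirector), the usual fallback
# path when SMB egress is already blocked at the perimeter.
WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"

FW_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)
PROXY_RE = re.compile(r'src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+.*?ua="(?P<ua>[^"]*)"')

# Constructed sample lines, not taken from any real environment.
SAMPLE_LOGS = [
    "2024-11-12T10:01:03Z fw src=10.20.1.15 dst=10.20.1.5 dport=445 proto=tcp action=allow",
    "2024-11-12T10:01:09Z fw src=10.20.1.15 dst=203.0.113.44 dport=445 proto=tcp action=allow",
    "2024-11-12T10:01:11Z fw src=10.20.1.15 dst=203.0.113.44 dport=443 proto=tcp action=allow",
    '2024-11-12T10:02:30Z proxy src=10.20.1.15 dst=203.0.113.44 method=PROPFIND ua="Microsoft-WebDAV-MiniRedir/10.0.22631"',
    '2024-11-12T10:02:31Z proxy src=10.20.1.15 dst=198.51.100.7 method=GET ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    "2024-11-12T10:03:00Z fw src=10.20.1.16 dst=192.168.50.9 dport=139 proto=tcp action=allow",
]


def is_external(addr: str) -> bool:
    """True when addr parses as an IP address that lies outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def ntlm_egress_findings(lines):
    """Return one finding per log line that shows an NTLM-capable flow to an external host."""
    findings = []
    for line in lines:
        m = FW_RE.search(line)
        if m and m["proto"].lower() == "tcp" and int(m["dport"]) in SMB_PORTS and is_external(m["dst"]):
            findings.append({"src": m["src"], "dst": m["dst"], "reason": "smb-to-external"})
            continue
        m = PROXY_RE.search(line)
        if m and WEBDAV_UA in m["ua"] and is_external(m["dst"]):
            findings.append({"src": m["src"], "dst": m["dst"], "reason": "webdav-to-external"})
    return findings


if __name__ == "__main__":
    for f in ntlm_egress_findings(SAMPLE_LOGS):
        print(f"{f['reason']:20} {f['src']} -> {f['dst']}")
```

Run against the constructed lines, the internal SMB session and the plain HTTPS connection pass, while the SMB session to 203.0.113.44 and the PROPFIND from the WebDAV mini-redirector to the same host are reported. Blocking TCP 139/445 outbound at the perimeter removes the first path; the second needs proxy-level attention because it rides on ordinary HTTP.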
CVE-2024-49039, on the other hand, could be exploited to execute RPC functions that are otherwise restricted to privileged accounts. That said, Microsoft notes that successful exploitation requires an authenticated attacker to run a specially crafted application on the target system to first elevate their privileges to a medium integrity level.
Vlad Stolyarov and Bahare Sabouri of the Google Threat Analysis Group (TAG) and an anonymous researcher have been credited with reporting the vulnerability. This raises the possibility that exploitation of the zero-day is linked to a nation-state group or an advanced persistent threat (APT) actor.
There is currently no information on how the flaws are being exploited in the wild or how widespread these attacks are, but their exploitation has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to its Known Exploited Vulnerabilities (KEV) catalog.
Also worth noting is a publicly disclosed but not yet exploited zero-day, CVE-2024-49019 (CVSS score: 7.8), a privilege escalation vulnerability in Active Directory Certificate Services (AD CS) that could be exploited to gain domain administrator privileges. Details of the vulnerability, dubbed EKUwu, were documented by TrustedSec last month.
Another vulnerability of note is CVE-2024-43498 (CVSS score: 9.8), a critical remote code execution flaw in .NET and Visual Studio that could be exploited by a remote, unauthenticated attacker by sending specially crafted requests to a vulnerable .NET web application or by loading a specially crafted file into a vulnerable desktop application.
The update also fixes a critical cryptographic protocol flaw affecting Windows Kerberos (CVE-2024-43639, CVSS score: 9.8) that could be abused by an unauthenticated attacker to achieve remote code execution.
The highest-rated vulnerability in this month’s release is a remote code execution bug in Azure CycleCloud (CVE-2024-43602, CVSS score: 9.9), which allows an attacker with basic user permissions to gain root-level privileges.
“Exploitation was as simple as sending a request to a vulnerable AzureCloud CycleCloud cluster to modify its configuration,” said Narang. “As organizations continue to move to the cloud, the attack surface is expanding as a result.”
Finally, a non-Microsoft CVE addressed by Redmond is a remote code execution flaw in OpenSSL (CVE-2024-5535, CVSS score: 9.1). It was originally patched by the OpenSSL maintainers in June 2024.
“Exploitation of this vulnerability requires that an attacker send a malicious link to the victim via email, or convince the user to click the link, typically by way of an enticement in an email or Instant Messenger message,” Microsoft said.
“In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without requiring the victim to open, read, or click on the link. This could result in the attacker executing remote code on the victim’s machine.”
In conjunction with the November security update, Microsoft also announced the adoption of the Common Security Advisory Framework (CSAF), an OASIS standard for machine-readable disclosure of vulnerabilities, for all CVEs to speed up response and remediation.
“CSAF files are meant to be consumed by computers more than by humans, so we are adding CSAF files as an additional data feed to our existing CVE data feeds, not as a replacement,” the company said in a statement. “This is the start of a journey to further increase the transparency of our supply chain and the vulnerabilities we are examining and addressing throughout our supply chain, including the open source software embedded in our products.”
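What "consumed by computers" means in practice is that a CSAF document is one JSON object with three parts: `document` (metadata and tracking), `product_tree` (product identifiers and their display names) and `vulnerabilities` (one entry per CVE with `product_status`, `scores`, `threats` and `remediations`), so a patch-triage script can rank a whole release without scraping advisory pages. The following is an added example, not Microsoft's tooling or feed: `SAMPLE_CSAF` is a constructed document that follows the CSAF 2.0 layout and reuses the CVE IDs and base scores quoted in this article, while the product IDs, URLs, CVSS vector strings and the `Exploited:Yes` wording inside `exploit_status` are made up for the example and should be checked against the real feed.

```python
"""Rank the CVEs in a CSAF 2.0 advisory for patch triage.

Added example, not Microsoft's tooling. SAMPLE_CSAF is constructed: CVE IDs and base
scores match the article, everything else (product IDs, URLs, vector strings, the
exploit_status wording) is invented for the illustration.
"""
import json

SAMPLE_CSAF = """
{
  "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
    "title": "Constructed sample: November 2024 security updates",
    "publisher": {"category": "vendor", "name": "Example Vendor", "namespace": "https://example.invalid"},
    "tracking": {"id": "EXAMPLE-2024-11", "status": "final", "version": "1",
      "initial_release_date": "2024-11-12T00:00:00Z", "current_release_date": "2024-11-12T00:00:00Z"}},
  "product_tree": {
    "branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
      {"category": "product_name", "name": "Windows 11 23H2",
       "product": {"product_id": "W11-23H2", "name": "Windows 11 Version 23H2 for x64-based Systems"}},
      {"category": "product_name", "name": "Windows Server 2022",
       "product": {"product_id": "WS2022", "name": "Windows Server 2022"}}]}],
    "full_product_names": [{"product_id": "CYCLECLOUD", "name": "Azure CycleCloud"}]},
  "vulnerabilities": [
    {"cve": "CVE-2024-43451", "title": "NTLM Hash Disclosure Spoofing Vulnerability",
     "product_status": {"fixed": ["W11-23H2", "WS2022"]},
     "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM",
       "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "products": ["W11-23H2", "WS2022"]}],
     "threats": [{"category": "exploit_status", "details": "Exploited:Yes;Publicly Disclosed:No"}],
     "remediations": [{"category": "vendor_fix", "details": "Security Update",
       "product_ids": ["W11-23H2", "WS2022"], "url": "https://example.invalid/updates/2024-11/windows"}]},
    {"cve": "CVE-2024-49039", "title": "Windows Task Scheduler Elevation of Privilege Vulnerability",
     "product_status": {"fixed": ["W11-23H2", "WS2022"]},
     "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH",
       "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "products": ["W11-23H2", "WS2022"]}],
     "threats": [{"category": "exploit_status", "details": "Exploited:Yes;Publicly Disclosed:No"}],
     "remediations": [{"category": "vendor_fix", "details": "Security Update",
       "product_ids": ["W11-23H2", "WS2022"], "url": "https://example.invalid/updates/2024-11/windows"}]},
    {"cve": "CVE-2024-43602", "title": "Azure CycleCloud Remote Code Execution Vulnerability",
     "product_status": {"fixed": ["CYCLECLOUD"]},
     "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 9.9, "baseSeverity": "CRITICAL",
       "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "products": ["CYCLECLOUD"]}],
     "threats": [{"category": "exploit_status", "details": "Exploited:No;Publicly Disclosed:No"}],
     "remediations": [{"category": "vendor_fix", "details": "Upgrade CycleCloud",
       "product_ids": ["CYCLECLOUD"], "url": "https://example.invalid/updates/2024-11/cyclecloud"}]}
  ]
}
"""


def product_names(product_tree):
    """Map product_id -> display name from the nested branches and full_product_names."""
    names = {}

    def walk(branch):
        prod = branch.get("product")
        if prod:
            names[prod["product_id"]] = prod["name"]
        for child in branch.get("branches", []):
            walk(child)

    for branch in product_tree.get("branches", []):
        walk(branch)
    for fpn in product_tree.get("full_product_names", []):
        names[fpn["product_id"]] = fpn["name"]
    return names


def is_exploited(vuln):
    """Exploit status lives in threats[category=exploit_status]; the 'Exploited:Yes'
    token is this example's convention (assumption), so match your feed's actual wording."""
    return any(t.get("category") == "exploit_status" and "Exploited:Yes" in t.get("details", "")
               for t in vuln.get("threats", []))


def max_base_score(vuln):
    """Highest CVSS v3 base score across the per-product score entries (0.0 if none)."""
    return max((s["cvss_v3"]["baseScore"] for s in vuln.get("scores", []) if "cvss_v3" in s), default=0.0)


def triage(doc, exploited_only=False, min_score=0.0):
    """One row per CVE (cve, score, exploited, fixed_in, fix_urls), highest score first."""
    names = product_names(doc.get("product_tree", {}))
    rows = []
    for v in doc.get("vulnerabilities", []):
        score, exploited = max_base_score(v), is_exploited(v)
        if (exploited_only and not exploited) or score < min_score:
            continue
        fixed = v.get("product_status", {}).get("fixed", [])
        urls = sorted({r["url"] for r in v.get("remediations", [])
                       if r.get("category") == "vendor_fix" and "url" in r})
        rows.append({"cve": v.get("cve"), "score": score, "exploited": exploited,
                     "fixed_in": [names.get(p, p) for p in fixed], "fix_urls": urls})
    return sorted(rows, key=lambda r: (-r["score"], r["cve"]))


def load_sample():
    return json.loads(SAMPLE_CSAF)


if __name__ == "__main__":
    for r in triage(load_sample()):
        flag = "EXPLOITED" if r["exploited"] else "         "
        print(f"{r['cve']}  {r['score']:>4}  {flag}  fixed in: {', '.join(r['fixed_in'])}")
```

Product identifiers are resolved through `product_tree` rather than read from the vulnerability entry, because CSAF only ever references products by ID there; a triage script that prints the raw IDs is of little use to whoever applies the update. `exploited_only=True` reproduces the "actively exploited" cut this article leads with, and `min_score` gives the severity cut.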
Third-party software patches
Apart from Microsoft, other vendors have also released security updates over the past few weeks to address several vulnerabilities, including –