Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Microsoft patched 88 CVEs in its August 2024 Patch Tuesday release, with seven rated critical, 80 rated as important, and one rated as moderate.
This month’s update includes patches for:
Elevation of Privilege (EoP) vulnerabilities accounted for 41% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) at 33%.
CVE-2024-38206 is a critical severity information disclosure vulnerability affecting Microsoft’s Copilot Studio, an AI-powered chatbot. This vulnerability received a CVSSv3 score of 8.5 and could be abused by an authenticated attacker to bypass server-side request forgery (SSRF) protections in order to leak potentially sensitive information. The vulnerability was released by Microsoft on August 6, with the advisory noting that no user action is required as the issue has been patched by Microsoft. This vulnerability was discovered and reported to Microsoft by Tenable researcher Evan Grant.
CVE-2024-38109 is a critical severity EoP vulnerability affecting Azure Health Bot. This vulnerability received a CVSSv3 score of 9.1 and is the result of a SSRF vulnerability in Azure Health Bot that can be abused to escalate privileges. This vulnerability was discovered by Tenable researcher Jimi Sebree and responsibly disclosed to Microsoft. The issue has been patched by Microsoft and no action is required for users of the Health Bot service. For more information on this vulnerability, please refer to Tenable Research Advisories TRA-2024-27 and TRA-2024-28, as well as our blog post.
CVE-2024-38106, CVE-2024-38133 and CVE-2024-38153 are EoP vulnerabilities affecting the Windows Kernel. CVE-2024-38133 and CVE-2024-38153 received CVSSv3 scores of 7.8, while CVE-2024-38106 was scored as a 7. Despite the lower severity and the exploitability requirements of the attacker needing to win a race condition for successful exploitation, CVE-2024-38106 was reportedly exploited in the wild as a zero-day. CVE-2024-38133 and CVE-2024-38153 were not listed as being exploited, however CVE-2024-38133 was rated as “Exploitation More Likely” according to the Microsoft Exploitability Index. Successful exploitation of these vulnerabilities could allow the attacker to elevate privileges to SYSTEM.
CVE-2024-38107 is an EoP Vulnerability affecting Windows Power Dependency Coordinator (pdc.sys), a driver responsible for power management on a Windows system. This vulnerability was exploited in the wild as a zero-day, though no specific details about exploitation were available at the time this blog was published. Microsoft provided a CVSSv3 score of 7.8 for this vulnerability and patches are available for all supported versions of Windows and Windows Server.
CVE-2024-38178 is a Scripting Engine memory corruption vulnerability in Windows Scripting. This vulnerability was assigned a CVSSv3 score of 7.5 and Microsoft notes that exploitation has been observed. According to Microsoft, an authenticated victim must have Edge in Internet Explorer Mode as a prerequisite for exploitation prior to an unauthenticated attacker convincing the victim to click a specially crafted URL to obtain RCE.
CVE-2024-38189 is a RCE vulnerability affecting Microsoft Project, a project management tool. This vulnerability received a CVSSv3 score of 8.8 and was exploited in the wild. According to the advisory, exploitation requires an unsuspecting victim to open a crafted Microsoft Office Project file. Additionally, the system must be configured to have the “Block macros from running in Office files from the Internet policy” disabled as well as have the VBA Macro Notification Settings disabled in order for a successful attack. Micsoft’s advisory does clarify that the Preview Pane is not an attack vector for this vulnerability and offers mitigation options to protect systems if immediate patching cannot be immediately performed.
CVE-2024-38141 and CVE-2024-38193 are EoP vulnerabilities affecting the Windows Ancillary Function Driver for Winsock (afd.sys). Both of these vulnerabilities were given CVSSv3 scores of 7.8 and can allow an attacker to escalate privileges to SYSTEM. CVE-2024-38141 is rated as “Exploitation More Likely” and CVE-2024-38193 was reported to have been exploited in the wild as a zero-day vulnerability.
CVE-2024-38213 is a security feature bypass vulnerability with an assigned CVSSv3 score of 6.5. Exploitation of this vulnerability requires a user to open a specially crafted file, which could be hosted on a file server, website or sent via a phishing email. If the attacker is successful in convincing a victim to open this file, they could bypass the Windows SmartScreen user experience. Microsoft has flagged this as “Exploitation Detected” as they are aware of an instance of this vulnerability being exploited.
CVE-2024-38163 and CVE-2024-38202 are both EoP vulnerabilities in Windows Update Stack and were assigned CVSSv3 scores of 7.8 and 7.3 respectively. CVE-2024-38163, if successfully exploited could result in gaining SYSTEM privileges. Microsoft has noted that users don’t need to take any action for this vulnerability as it is only exploitable at run time and the impacted version of WinRE has been superseded by a new version.
CVE-2024-38202 was disclosed and presented at BlackHat USA 2024 and DEF CON 32 by SafeBreach Labs researcher Alon Leviev prior to the August 2024 Patch Tuesday release. The vulnerability which exists in Windows Backup, allows a user with basic privileges to “reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)”. Leviev identified the vulnerability in the Windows Update mechanism that could allow unauthorized elevation of privileges by enforcing the downgrade of system components. This vulnerability exposes systems to previously patched exploits, making them susceptible to attacks that could leverage these old vulnerabilities. Microsoft has noted that “an attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful.” Microsoft issued an advisory in coordination with this disclosure at Black Hat.
Source: Leviev's SafeBreach Blog
CVE-2024-21302 and CVE-2024-38142 are both elevation of privilege vulnerabilities in Windows Secure Kernel with an exploitability assessment by Microsoft as “Exploitation Less Likely”. CVE-2024-21302 carries a CVSSv3 score of 6.7 and CVE-2024-38142 a score of 7.8 with successful exploitation of either of these vulnerabilities resulting in an attacker gaining SYSTEM privileges.
CVE-2024-21302 was disclosed at Black Hat USA 2024 by the previously mentioned security researcher, Alon Leviev. Leviev demonstrated that CVE-2024-21302 could be chained with CVE-2024-38202 to downgrade or roll back software versions without the need for interaction from a victim with elevated privileges. The result of this chained attack is the target device could be made susceptible to previously patched vulnerabilities, increasing the attack surface of the device. CVE-2024-21302 was also included in the previously mentioned Microsoft advisory released in coordination with the disclosure at Black Hat.
CVE-2024-38199 is a RCE vulnerability in Windows Line Printer Daemon (LPD) Service. The flaw was assigned a CVSSv3 score of 9.8 and rated “Exploitation Less Likely” by Microsoft. A remote attacker could exploit this across a network by dispatching a specially crafted print task to Windows LPD Service, if successful it would result in RCE on the server. Microsoft has also noted that it was publicly disclosed prior to a patch being available.
CVE-2024-38200 is a spoofing vulnerability affecting Microsoft Office with a CVSSv3 score of 6.5 and rated by Microsoft as “Exploitation Less Likely”. An attacker could leverage this vulnerability with a specially crafted file that a victim would need to interact with. This could be achieved by hosting it on a file server or website and convincing the victim to click on the file or similarly it could be included in a phishing email. Successful exploitation of the vulnerability could result in the victim exposing NTLM (New Technology Lan Manager) hashes to a remote attacker.
CVE-2024-38200 was publicly disclosed on August 8 at DEF CON 32 by Jim Rush and Tomais Williamson, both Senior Security Consultants at PrivSec Consulting. Patches for this vulnerability were released today as part of the August 2024 Patch Tuesday released, however on August 10, Microsoft provided mitigations in coordination with this disclosure prior to the patch being released.
CVE-2024-38063 is a critical RCE vulnerability affecting Windows TCP/IP. It received a CVSSv3 score of 9.8 and is rated as “Exploitation More Likely.” An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host. Microsoft’s mitigation suggestions suggest disabling IPv6 as only IPv6 packets can be abused to exploit this vulnerability. Microsoft has released patches for all supported versions of Windows and Windows Server, including Server Core installations.
A list of all the plugins released for Microsoft’s August 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about https://www.tenable.com/products/tenable-one">Tenable One, the Exposure Management Platform for the modern attack surface.
The Tenable Security Response Team (SRT) tracks threat and vulnerability intelligence feeds to ensure our research teams can deliver sensor coverage to our products as quickly as possible. The SRT also works to analyze and assess technical details and writes white papers, blogs and additional communications to ensure stakeholders are fully informed of the latest risks and threats. The SRT provides breakdowns for the latest vulnerabilities on the Tenable blog.
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Tenable Vulnerability Management trials created everywhere except UAE will also include Tenable Lumin and Tenable Web App Scanning.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose your subscription option:
Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Tenable Vulnerability Management trials created everywhere except UAE will also include Tenable Lumin and Tenable Web App Scanning.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose your subscription option:
Thank you for your interest in Tenable.io. A representative will be in touch soon.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Tenable Vulnerability Management trials created everywhere except UAE will also include Tenable Lumin and Tenable Web App Scanning.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose your subscription option:
Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.
Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.
Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.
Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.
Contact a sales representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.
Thank you for your interest in Tenable Lumin. A representative will be in touch soon.
Please fill out this form with your contact information.
A sales representative will contact you shortly to schedule a demo.
* Field is required
Get the Operational Technology security you need.
Reduce the risk you don’t.
Continuously detect and respond to Active Directory attacks. No agents. No privileges.
On-prem and in the cloud.
Exceptional unified cloud security awaits you!
We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.
Exposure management for the modern attack surface.
Know the exposure of every asset on any platform.
Free for 7 days
Tenable Nessus is the most comprehensive vulnerability scanner on the market today.
Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.
Fill out the form below to continue with a Nessus Pro trial.
Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.
Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.
Free for 7 days.
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.