CVE-2024-43572 is a RCE vulnerability in Microsoft Management Console (MMC). It was assigned a CVSSv3 score of 7.8 and is rated as important. An attacker could exploit this vulnerability by convincing a vulnerable target through the use of social engineering tactics to open a specially crafted file. Successful exploitation would allow the attacker to execute arbitrary code. According to Microsoft, CVE-2024-43572 was exploited in the wild as a zero-day. This is the second month in a row that Microsoft patched a RCE vulnerability in the MMC, as Microsoft addressed CVE-2024-38259 in its September 2024 Patch Tuesday release.

As part of its patch for CVE-2024-43572, Microsoft has altered the behavior for Microsoft Saved Console (MSC) files, preventing untrusted MSC files from being opened on a system.

CVE-2024-43573 is a spoofing vulnerability in the Windows MSHTML Platform. It was assigned a CVSSv3 score of 6.5 and is rated as moderate. An unauthenticated, remote attacker could exploit this vulnerability by convincing a potential target to open a malicious file. According to Microsoft, CVE-2024-43573 was exploited in the wild as a zero-day.

This is the fourth zero-day vulnerability in the Windows MSHTML Platform that was exploited in the wild in 2024, which include CVE-2024-30040, a security feature bypass flaw that was patched in May 2024, CVE-2024-38112, a spoofing vulnerability that was patched in July 2024 and CVE-2024-43461, a spoofing vulnerability that was patched on September 10, 2024, though details about in-the-wild exploitation was not known until September 13, 2024. Both CVE-2024-38112 and CVE-2024-43461 were used as part of an exploit chain by an advanced persistent threat (APT) actor known as Void Banshee.

CVE-2024-20659 is a security feature bypass vulnerability in Windows Hyper-V. It was assigned a CVSSv3 score of 7.1, is rated as important and assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index. This is likely due to the fact that there are multiple conditions that need to be met in order for exploitation to be feasible, such as a user rebooting their machine and application specific behavior among other user-required actions. Successful exploitation would allow an attacker to bypass a Virtual Machine’s Unified Extensible Firmware Interface (UEFI) on the host machine, resulting in both the hypervisor and secure kernel being compromised. According to Microsoft, CVE-2024-20659 was publicly disclosed prior to a patch being made available.

In addition to CVE-2024-20659, Microsoft also addressed three denial of service (DoS) vulnerabilities and one RCE in Windows Hyper-V:

CVE-2024-43583 is an EoP vulnerability in Winlogon. It was assigned a CVSSv3 score of 7.8 and is rated as important. A local, authenticated attacker could exploit this vulnerability to gain SYSTEM privileges. According to Microsoft, CVE-2024-43583 was publicly disclosed prior to a patch being made available.

In addition to applying the available patch for CVE-2024-43583, Microsoft recommends enabling Microsoft first-party Input Method Editor (IME) in order to thwart vulnerabilities within third-party IMEs. For more information on enabling first-party IME, please refer to the knowledge base article KB5046254.

CVE-2024-43468 is a RCE in Microsoft Configuration Manager listed as “Exploitation Less Likely” by Micorosft despite having a critical CVSSv3 score of 9.8, the highest in October's Patch Tuesday update. An attacker can leverage this vulnerability without prior authentication by sending a specially crafted request to a vulnerable machine resulting in RCE on the machine or its underlying database.

Microsoft has advised impacted users to install an in-console update as the only mitigation path, but has listed a workaround for users who cannot immediately implement the updates. The workaround suggested by Microsoft is to use an alternate service account for the Management point connection account in place of the default “Computer” account.

CVE-2024-38124 is a EoP vulnerability in Windows Netlogon assessed as “Exploitation Less Likely” with a CVSSv3 score of 9, the second highest in the October Patch Tuesday update. An attacker would need authenticated access to the same network as a vulnerable device and rename their machine to match the domain controller in order to establish a secure channel. If these prerequisites are met, the attacker would then need to rename their machine back to its original name and “once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller and potentially compromise the entire domain.”

There are no workarounds listed for this vulnerability, but if immediate patching is not an option, Microsoft has listed a handful of mitigating factors to consider:

• Avoid using predictable naming conventions on Domain Controllers
• Ensure Secure Channel validation requires more than just a matching computer name.
• Monitoring for the renaming of computers within the network.
• Consider enhanced authentication mechanisms.