In its November 2024 Patch Tuesday update, Microsoft addressed 90 security vulnerabilities, including two critical zero-day exploits currently being actively exploited in the wild (CVE-2024-49039 and CVE-2024-49039). This also update includes fixes for issues impacting Windows NT LAN Manager (NTLM) and Task Scheduler.
Overview of the November 2024 Patch Tuesday
Out of the 90 vulnerabilities fixed this Patch Tuesday, four are categorized as Critical, 85 as Important, and one as Moderate. This month’s update focuses on remote code execution (RCE) vulnerabilities, with 52 RCE issues patched. Key vulnerabilities include:
- CVE-2024-43451 – An NTLM Hash Disclosure Vulnerability
- CVE-2024-49039 – A Task Scheduler privilege escalation vulnerability.
These updates are essential, given the active exploitation of two specific vulnerabilities, raising significant concerns for enterprises worldwide.
Actively Exploited Vulnerabilities
1. CVE-2024-43451 (Windows NTLM Hash Disclosure Spoofing Vulnerability)
- CVSS Score: 6.5
- Description: This vulnerability exposes a user’s NTLMv2 hash to an attacker, enabling the attacker to potentially impersonate the user.
- Discovery: Credited to Israel Yeshurun from ClearSky, this flaw represents the third NTLM hash disclosure issue this year, following similar vulnerabilities patched in February and July.
- Implications: Disclosed NTLMv2 hashes allow attackers to gain unauthorized access and move laterally within a network, heightening the risk of broader breaches.
2. CVE-2024-49039 (Windows Task Scheduler Elevation of Privilege Vulnerability)
- CVSS Score: 8.8
- Description: By exploiting this vulnerability, an attacker could execute restricted RPC functions, gaining escalated privileges.
- Requirements for Exploitation: An authenticated attacker would need to run a crafted application on a target system, elevating their privileges to a Medium Integrity Level.
- Contributors: This flaw was reported by members of Google’s Threat Analysis Group and suggests possible exploitation by advanced persistent threat (APT) groups, possibly aligned with nation-state actors.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these severe vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
Additional Notable Vulnerabilities
CVE-2024-49019 – Active Directory Certificate Services Privilege Escalation
- CVSS Score: 7.8
- Nickname: EKUwu
- Risk: This zero-day vulnerability, while not actively exploited, can grant attackers domain admin privileges through privilege escalation.
CVE-2024-43498 – Critical RCE in .NET and Visual Studio
- CVSS Score: 9.8
- Risk: This RCE vulnerability could be triggered by a specially crafted request to a vulnerable .NET web app or file, allowing remote code execution without authentication.
CVE-2024-43639 – Windows Kerberos Cryptographic Protocol Flaw
- CVSS Score: 9.8
- Description: A cryptographic protocol vulnerability in Windows Kerberos that enables RCE attacks, making it one of the most critical patches this month for network security.
CVE-2024-43602 – Azure CycleCloud RCE
- CVSS Score: 9.9
- Risk: This vulnerability allows attackers with basic permissions to escalate privileges to root level, making it a high-priority patch for organizations using Azure CycleCloud for cloud management.
In addition to these vulnerabilities, Microsoft has patched a remote code execution flaw in OpenSSL (CVE-2024-5535) originally patched by OpenSSL in June 2024. This highlights the ongoing collaboration between tech vendors to address vulnerabilities across ecosystems.
Common Security Advisory Framework (CSAF) Also Announced
Microsoft has also announced its commitment to adopting the Common Security Advisory Framework (CSAF). As an OASIS standard, CSAF allows for machine-readable advisories that can improve response times and simplify automated vulnerability management for enterprises. While traditional CVE advisories remain, CSAF files add another layer of transparency, especially important for organizations managing a large-scale software ecosystem, including open-source components.
Final Thoughts
Microsoft’s November 2024 Patch Tuesday underscores the critical nature of regular software updates to protect against emerging threats. The vulnerabilities addressed this month, particularly the two zero-day exploits, emphasize the importance of rapid deployment of security patches across all Microsoft systems and applications.