Application Management and Patching
November 2024 Patch Tuesday: Key Security Updates and Vulnerabilities
The November 2024 Patch Tuesday release addresses several high-severity vulnerabilities that pose significant risks to organizations. With four zero-day vulnerabilities—two of which are actively exploited—it is crucial for IT administrators and security teams to act swiftly. By applying these updates and following best practices, organizations can strengthen their security posture.
Two Actively Exploited Zero-Day Vulnerabilities
Windows Task Scheduler Elevation of Privilege Vulnerability (CVE-2024-49039)
This “Important” vulnerability (CVSS score of 8.8) allows attackers to exploit the Windows Task Scheduler to escalate privileges on a Windows machine. A specially crafted application can grant access to resources or execute code at a higher integrity level than intended, potentially leading to full system compromise. Google’s Threat Analysis Group discovered this flaw, but the specific methods of its exploitation remain unknown.
NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451)
Ranked “Important” with a CVSS score of 6.5, this vulnerability exposes users’ NTLMv2 hashes to attackers. What makes this especially concerning is the minimal user interaction needed for exploitation: simply selecting, inspecting (right-clicking), or performing any action other than opening or executing a malicious file can trigger the vulnerability. Attackers can then use the stolen hashes to authenticate as legitimate users, opening the door for “pass-the-hash” attacks that allow them to move laterally within a network. This vulnerability marks the third NTLM zero-day discovered this year, highlighting its attractiveness to attackers.
Publicly Disclosed Vulnerabilities
Two additional zero-day vulnerabilities, though not yet observed being actively exploited, were publicly disclosed:
Microsoft Exchange Server Spoofing Vulnerability (CVE-2024-49040)
This flaw allows attackers to spoof the sender’s email address in emails sent to local recipients. The vulnerability stems from the implementation of the “P2 FROM” header verification in transport. While not an immediate crisis, the potential for phishing and social engineering attacks makes this a significant concern.
Active Directory Certificate Services Elevation of Privilege Vulnerability (CVE-2024-49019)
Attackers can exploit this vulnerability to gain domain administrator privileges by taking advantage of built-in default version 1 certificate templates. The vulnerability lies in the ability to craft a Certificate Signing Request (CSR) to include application policies that supersede the configured Extended Key Usage attributes specified in the template.
Other Critical Vulnerabilities Addressed
.NET and Visual Studio Remote Code Execution Vulnerability (CVE-2024-43498)
- Severity: Critical
- Description: A type confusion error allows attackers to execute remote code by sending specially crafted requests to a .NET web or desktop application.
- Impact: Potential for attackers to install malware or execute arbitrary code on affected systems.
- Recommendation: Apply the updates for .NET and Visual Studio immediately.
Windows Kerberos Remote Code Execution Vulnerability (CVE-2024-43639)
- Severity: Critical
- Description: An unauthenticated attacker can exploit a vulnerability in Windows Kerberos to execute remote code.
- Impact: Could lead to unauthorized access and control over network resources.
- Recommendation: Prioritize patching to secure authentication protocols within your network.
Windows VMSwitch Elevation of Privilege Vulnerability (CVE-2024-43625)
- Severity: Critical
- Description: Exploitation allows a Hyper-V guest to execute code on the Hyper-V host, potentially compromising the entire virtual environment.
- Impact: Breach of virtualization boundaries, leading to host-level attacks.
- Recommendation: Update Hyper-V hosts and review security configurations for virtual environments.
Airlift.microsoft.com Elevation of Privilege Vulnerability (CVE-2024-49056)
- Severity: Critical
- Description: Unauthorized users can elevate privileges due to an authentication bypass on airlift.microsoft.com.
- Impact: Could lead to unauthorized access and control over certain Microsoft services.
- Recommendation: Microsoft has mitigated this vulnerability; ensure all services are updated and monitor for any unusual activity.
Final Noteworthy Vulnerabilities
Multiple SQL Server Remote Code Execution Vulnerabilities: At least 29 vulnerabilities (each with a CVSS score of 8.8) have been addressed, which could allow attackers to execute code if an authenticated user connects to a malicious SQL database server. Organizations using SQL Server should apply these patches promptly.
Windows Telephony Service Vulnerabilities: Several remote code execution vulnerabilities affecting the Windows Telephony Service have been fixed. These could allow attackers to execute code remotely, necessitating immediate updates.
Recommendations for Administrators
- Prioritize Zero-Day Patches: Immediately apply patches for the actively exploited zero-day vulnerabilities, especially CVE-2024-49039 and CVE-2024-43451.
- Update Critical Systems: Focus on updating systems affected by critical vulnerabilities, including those in .NET, Visual Studio, Windows Kerberos, and SQL Server.
- Review Exchange Server Configurations: Ensure Microsoft Exchange Servers are updated and review email security policies to mitigate spoofing risks.
- Assess Certificate Services: Examine Active Directory Certificate Services for any weak configurations or overly permissive templates.
- Monitor Networks: Implement monitoring to detect any unusual activities that might indicate exploitation attempts.
Stay Protected with Recast Software
We’re committed to helping you navigate these challenges. Our solutions, including Application Manager and Application Workspace, can streamline your app management processes, ensuring that your systems are up-to-date and secure.
For a detailed list of all the updates released this month, you can visit Microsoft’s official November 2024 Security Updates page.
Stay vigilant and keep your systems protected.
