Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws

1 week ago 32
BOOK THIS SPACE FOR AD
ARTICLE AD

Patch Tuesday

Today is Microsoft's November 2024 Patch Tuesday, which includes security updates for 91 flaws, including four zero-days, two of which are actively exploited.

This Patch Tuesday fixed four critical vulnerabilities, which include two remote code execution and two elevation of privileges flaws.

The number of bugs in each vulnerability category is listed below:

26 Elevation of Privilege vulnerabilities 2 Security Feature Bypass vulnerabilities 52 Remote Code Execution vulnerabilities 1 Information Disclosure vulnerability 4 Denial of Service vulnerabilities 3 Spoofing vulnerabilities

This count does not include two Edge flaws that were previously fixed on November 7th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5046617 and KB5046633 cumulative updates.

Four zero-days disclosed

This month's Patch Tuesday fixes four zero-days, two of which were actively exploited in attacks, and three were publicly disclosed.

Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no official fix is available.

The two actively exploited zero-day vulnerabilities in today's updates are:

CVE-2024-43451 - NTLM Hash Disclosure Spoofing Vulnerability

Microsoft has fixed a vulnerability that exposes NTLM hashes to remote attackers with minimal interaction with a malicious file.

"This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user," explained Microsoft.

"Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability," continued Microsoft.

Microsoft says Israel Yeshurun of ClearSky Cyber Security discovered this vulnerability and that it was publicly disclosed, but did not share any further details.

CVE-2024-49039 - Windows Task Scheduler Elevation of Privilege Vulnerability

A specially crafted application could be executed that elevates privilege to Medium Integrity level.

"In this case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment," explained Microsoft.

Microsoft says that exploiting this vulnerability would allow attackers to execute RPC functions that are normally restricted to privileged accounts.

The flaw was discovered by Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group.

It is not known how the flaw was exploited in attacks.

The other three vulnerabilities that were publicly disclosed but not exploited in attacks are:

CVE-2024-49040 - Microsoft Exchange Server Spoofing Vulnerability

Microsoft has fixed a Microsoft Exchange vulnerability that allows threat actors to spoof the sender's email address in emails to local recipients.

"Microsoft is aware of a vulnerability (CVE-2024-49040) that allows attackers to run spoofing attacks against Microsoft Exchange Server," explains a related advisory by Microsoft.

"The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport."

Starting with this month's Microsoft Exchange security updates, Microsoft is now detecting and flagging spoofed emails with an alert prepended to the email body that states, "Notice: This email appears to be suspicious. Do not trust the information, links, or attachments in this email without verifying the source through a trusted method."

Microsoft says the flaw was discovered by Slonser at Solidlab, who publicly disclosed the flaw in this article.

CVE-2024-49019 - Active Directory Certificate Services Elevation of Privilege Vulnerability

Microsoft fixed a flaw that allows attackers to gain domain administrator privileges by abusing built-in default version 1 certificate templates.

"Check if you have published any certificates created using a version 1 certificate template where the Source of subject name is set to "Supplied in the request" and the Enroll permissions are granted to a broader set of accounts, such as domain users or domain computers," explains Microsoft.

"An example is the built-in Web Server template, but it is not vulnerable by default due to its restricted Enroll permissions."

The flaw was discovered by Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec, who disclosed the "EKUwu" vulnerability in October.

"Using built-in default version 1 certificate templates, an attacker can craft a CSR to include application policies that are preferred over the configured Extended Key Usage attributes specified in the template," reads TrustedSec's report.

"The only requirement is enrollment rights, and it can be used to generate client authentication, certificate request agent, and codesigning certificates using the WebServer template."

As explained above, CVE-2024-43451 was also publicly disclosed.

Recent updates from other companies

Other vendors who released updates or advisories in November 2024 include:

Adobe released security updates for numerous applications, including Photoshop, Illustrator, and Commerce. Cisco releases security updates for multiple products, including Cisco Phones, Nexus Dashboard, Identity Services Engine, and more. Citrix releases security updates for NetScaler ADC and NetScaler Gateway vulnerabilities. They also released an update for the Citrix Virtual Apps and Desktops reported by Watchtowr. Dell releases security updates for code execution and security bypass flaws in SONiC OS. D-Link releases a security update for a critical DSL6740C flaw that allows modification of account passwords. Ivanti releases security updates for twenty-five vulnerabilities in Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Secure Access Client (ISAC). SAP releases security updates for multiple products as part of November Patch Day. Schneider Electric releases security updates for flaws in Modicon M340, Momentum, and MC80 products. Siemens released a security update for a critical 10/10 flaw in TeleControl Server Basic tracked as CVE-2024-44102.

The November 2024 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the November 2024 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Tag CVE ID CVE Title Severity
.NET and Visual Studio CVE-2024-43499 .NET and Visual Studio Denial of Service Vulnerability Important
.NET and Visual Studio CVE-2024-43498 .NET and Visual Studio Remote Code Execution Vulnerability Critical
Airlift.microsoft.com CVE-2024-49056 Airlift.microsoft.com Elevation of Privilege Vulnerability Critical
Azure CycleCloud CVE-2024-43602 Azure CycleCloud Remote Code Execution Vulnerability Important
LightGBM CVE-2024-43598 LightGBM Remote Code Execution Vulnerability Important
Microsoft Defender for Endpoint CVE-2024-5535 OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread Important
Microsoft Edge (Chromium-based) CVE-2024-10826 Chromium: CVE-2024-10826 Use after free in Family Experiences Unknown
Microsoft Edge (Chromium-based) CVE-2024-10827 Chromium: CVE-2024-10827 Use after free in Serial Unknown
Microsoft Exchange Server CVE-2024-49040 Microsoft Exchange Server Spoofing Vulnerability Important
Microsoft Graphics Component CVE-2024-49031 Microsoft Office Graphics Remote Code Execution Vulnerability Important
Microsoft Graphics Component CVE-2024-49032 Microsoft Office Graphics Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2024-49029 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2024-49026 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2024-49027 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2024-49028 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2024-49030 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office SharePoint ADV240001 Microsoft SharePoint Server Defense in Depth Update None
Microsoft Office Word CVE-2024-49033 Microsoft Word Security Feature Bypass Vulnerability Important
Microsoft PC Manager CVE-2024-49051 Microsoft PC Manager Elevation of Privilege Vulnerability Important
Microsoft Virtual Hard Drive CVE-2024-38264 Microsoft Virtual Hard Disk (VHDX) Denial of Service Vulnerability Important
Microsoft Windows DNS CVE-2024-43450 Windows DNS Spoofing Vulnerability Important
Role: Windows Active Directory Certificate Services CVE-2024-49019 Active Directory Certificate Services Elevation of Privilege Vulnerability Important
Role: Windows Hyper-V CVE-2024-43633 Windows Hyper-V Denial of Service Vulnerability Important
Role: Windows Hyper-V CVE-2024-43624 Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability Important
SQL Server CVE-2024-48998 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-48997 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-48993 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49001 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49000 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-48999 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49043 Microsoft.SqlServer.XEvent.Configuration.dll Remote Code Execution Vulnerability Important
SQL Server CVE-2024-43462 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-48995 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-48994 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-38255 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-48996 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-43459 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49002 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49013 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49014 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49011 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49012 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49015 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49018 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49021 Microsoft SQL Server Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49016 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49017 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49010 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49005 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49007 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49003 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49004 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49006 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49009 SQL Server Native Client Remote Code Execution Vulnerability Important
SQL Server CVE-2024-49008 SQL Server Native Client Remote Code Execution Vulnerability Important
TorchGeo CVE-2024-49048 TorchGeo Remote Code Execution Vulnerability Important
Visual Studio CVE-2024-49044 Visual Studio Elevation of Privilege Vulnerability Important
Visual Studio Code CVE-2024-49050 Visual Studio Code Python Extension Remote Code Execution Vulnerability Important
Visual Studio Code CVE-2024-49049 Visual Studio Code Remote Extension Elevation of Privilege Vulnerability Moderate
Windows CSC Service CVE-2024-43644 Windows Client-Side Caching Elevation of Privilege Vulnerability Important
Windows Defender Application Control (WDAC) CVE-2024-43645 Windows Defender Application Control (WDAC) Security Feature Bypass Vulnerability Important
Windows DWM Core Library CVE-2024-43636 Win32k Elevation of Privilege Vulnerability Important
Windows DWM Core Library CVE-2024-43629 Windows DWM Core Library Elevation of Privilege Vulnerability Important
Windows Kerberos CVE-2024-43639 Windows Kerberos Remote Code Execution Vulnerability Critical
Windows Kernel CVE-2024-43630 Windows Kernel Elevation of Privilege Vulnerability Important
Windows NT OS Kernel CVE-2024-43623 Windows NT OS Kernel Elevation of Privilege Vulnerability Important
Windows NTLM CVE-2024-43451 NTLM Hash Disclosure Spoofing Vulnerability Important
Windows Package Library Manager CVE-2024-38203 Windows Package Library Manager Information Disclosure Vulnerability Important
Windows Registry CVE-2024-43641 Windows Registry Elevation of Privilege Vulnerability Important
Windows Registry CVE-2024-43452 Windows Registry Elevation of Privilege Vulnerability Important
Windows Secure Kernel Mode CVE-2024-43631 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Important
Windows Secure Kernel Mode CVE-2024-43646 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Important
Windows Secure Kernel Mode CVE-2024-43640 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important
Windows SMB CVE-2024-43642 Windows SMB Denial of Service Vulnerability Important
Windows SMBv3 Client/Server CVE-2024-43447 Windows SMBv3 Server Remote Code Execution Vulnerability Important
Windows Task Scheduler CVE-2024-49039 Windows Task Scheduler Elevation of Privilege Vulnerability Important
Windows Telephony Service CVE-2024-43628 Windows Telephony Service Remote Code Execution Vulnerability Important
Windows Telephony Service CVE-2024-43621 Windows Telephony Service Remote Code Execution Vulnerability Important
Windows Telephony Service CVE-2024-43620 Windows Telephony Service Remote Code Execution Vulnerability Important
Windows Telephony Service CVE-2024-43627 Windows Telephony Service Remote Code Execution Vulnerability Important
Windows Telephony Service CVE-2024-43635 Windows Telephony Service Remote Code Execution Vulnerability Important
Windows Telephony Service CVE-2024-43622 Windows Telephony Service Remote Code Execution Vulnerability Important
Windows Telephony Service CVE-2024-43626 Windows Telephony Service Elevation of Privilege Vulnerability Important
Windows Update Stack CVE-2024-43530 Windows Update Stack Elevation of Privilege Vulnerability Important
Windows USB Video Driver CVE-2024-43643 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important
Windows USB Video Driver CVE-2024-43449 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important
Windows USB Video Driver CVE-2024-43637 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important
Windows USB Video Driver CVE-2024-43634 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important
Windows USB Video Driver CVE-2024-43638 Windows USB Video Class System Driver Elevation of Privilege Vulnerability Important
Windows VMSwitch CVE-2024-43625 Microsoft Windows VMSwitch Elevation of Privilege Vulnerability Critical
Windows Win32 Kernel Subsystem CVE-2024-49046 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability Important

Update 9/11/24: Updated to explain that only three flaws were actively exploited and why CVE-2024-43491 was marked as exploited.

Read Entire Article