Microsoft Windows Hyper-V EoP bug under active exploit

Patch Tuesday Clear your Microsoft system administrator’s diary: The bundle of fixes in Redmond’s July Patch Tuesday is a doozy, with at least two bugs under active exploitation.

Tuesday’s software updates address more than 130 Microsoft CVEs.

The first of two vulnerabilities for sure under active exploit – CVE-2024-38080 – is a Windows Hyper-V elevation of privilege flaw with a 7.8-out-of-10 CVSS rating, which Microsoft deemed “important.”

We don’t know how widespread exploitation is of this one, though Microsoft does note “an attacker who successfully exploited this vulnerability could gain system privileges.” Plus, as Zero Day Initiative’s Dustin Childs pointed out, this exploit would prove quite useful for ransomware. If you’re running Hyper-V, test and deploy this update.

The second bug listed as having been found and exploited by miscreants before Redmond pushed a patch is a Windows MSHTML platform spoofing vulnerability tracked as CVE-2024-38112. MSHTML (aka Trident) is Microsoft’s proprietary browser engine for Internet Explorer, and this one received a 7.5 CVSS severity score.

It does require user interaction to exploit. As Redmond explained: “An attacker would have to send the victim a malicious file that the victim would have to execute.” Haifei Li with Check Point Research discovered and reported the flaw to Microsoft.

The outcome of its exploitation is vague, though it appears it causes something like information or resources to be exposed to the wrong person. Given the prevalence of successful social engineering attacks of late – and the fact that Microsoft has already detected exploitation of this CVE – we’ve seen time and again that getting users to click malicious links is pretty darn easy. Thus, patch this before your next bad click triggers CVE-2024-38112.

The first of two CVE bugs listed as publicly disclosed but not publicly exploited is CVE-2024-35264 – a remote code execution vulnerability in .NET and Visual Studio. To exploit this one, an attacker would need to induce a race condition to allow inappropriate data access. But they could use it to achieve remote code execution (RCE).

According to Redmond: “An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition.” Microsoft’s own Radek Zikmund found this flaw.

The second known but not exploited bug – CVE-2024-37985 – affects Arm-based Redmond operating systems and it garnered a 5.9 CVSS rating. It’s a side-channel attack from 2023 dubbed FetchBench that can be abused to leak secret information.

Five critical Microsoft CVEs

Of the remaining Microsoft CVEs, five are critical severity and three of those – CVE-2024-38074, CVE-2024-38076 and CVE-2024-38077 – are 9.8-rated RCE bugs in Windows Remote Desktop Licensing Service. Redmond described all three as “exploitation less likely.”

Zero Day Initiative’s Childs’s advice regarding CVE-2024-38077 is that “exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server.”

He recommended making sure these servers aren’t accessible over the internet. “If a bunch of these servers are internet-connected, I would expect exploitation soon,” Childs warned. “Now is also a good time to audit your servers to ensure they aren’t running any unnecessary services.”

The other two critical Microsoft bugs include CVE-2024-38060 – an 8.8-rated RCE in Windows Imaging Component that could be exploited by any authenticated user uploading a malicious TIFF file to a server.

Also of note is CVE-2024-38023 – a 7.2-rated flaw in Microsoft SharePoint Server that can also lead to RCE. “An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server,” Redmond explained.

Adobe lightens up

Adobe’s monthly patch dump addresses a mere three products and seven CVEs – none of which appear to have been found and exploited by criminals.

That’s the good news. The bad news is that six of the seven are critical bugs can lead to arbitrary code execution.

Today’s updates address one critical vulnerability – CVE-2024-34123 – in Adobe Premiere Pro, and four other critical flaws – CVE-2024-20781, CVE-2024-20782, CVE-2024-20783, CVE-2024-20785 – in InDesign. The patches for Adobe Bridge fix two vulnerabilities – one of which (CVE-2024-34139) is rated critical and the other (CVE-2024-34140) important as it can allow memory leakage.

SAP security notes

SAP released 18 new and updated patches, two of which are high-priority fixes.

Security note #3483344 is the most critical of the bunch. It’s a missing authorization check vulnerability in SAP Product Design Cost Estimating (PDCE) that earned a 7.7 CVSS score.

“A remote-enabled function module in SAP PDCE allows a remote attacker to read generic table data and thus poses the system’s confidentiality at high risk,” Onapsis Research Labs SAP security researcher Thomas Fritsch warned. “The patch disables the vulnerable function module.”

Fortinet fixes flaws

Fortinet fixed a cross-site scripting vulnerability tracked as CVE-2024-26006 in FortiOS and FortiProxy’s web SSL VPN UI. It “may allow a remote unauthenticated attacker to perform a Cross-Site Scripting attack via social engineering the targeted user into bookmarking a malicious samba server, then opening the bookmark,” the vendor warned.

The infosec outfit also patched CVE-2024-26015 in the FortiOS and FortiProxy IP address validation feature. It’s a bug that could be abused by an unauthenticated attacker to bypass the IP blocklist using specially crafted requests.

Citrix joins the party

Citrix addressed a CVE-2024-6151 and CVE-2024-6286 – both 8.5-rated privilege-escalation flaws in Windows Virtual Delivery Agent and the Citrix Workspace app – that could allow a low-privileged user to gain system privileges.

Citrix Workspace app is the client for virtual desktops and apps and is deployed on many not-very-strictly managed endpoints, making this a bug worthy of your attention.

And…Android

Rounding out the July patch party, Google released patches for 27 CVEs in Android. The worst of the bunch is CVE-2024-31320 – a critical security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. ®