www.belgium.be Logo of the federal government

WARNING: MICROSOFT JULY 2024 PATCH TUESDAY - 138 VULNERABILITIES ADDRESSED (5 CRITICAL, 132 IMPORTANT, 1 MODERATE), INCLUDING 5 ZERO-DAYS OF WHICH 2 ACTIVELY EXPLOITED - IMMEDIATE ACTION REQUIRED!

Reference: 
Advisory #2024-106
Version: 
1.1
Affected software: 
Microsoft software and hardware
Type: 
Several types, from Information Disclosure to Remote Code Execution and Privilege Escalation.
CVE/CVSS: 

Microsoft patched 138 vulnerabilities in its July 2024 Patch Tuesday release, 5 rated as critical, 132 rated important, and 1 moderate, including 5 0-day vulnerabilities with 2 actively exploited.

Number of CVEs by type:

  • 59 Remote Code Execution vulnerabilities
  • 24 Elevation of Privilege vulnerabilities
  • 8 Information Disclosure vulnerabilities
  • 5 Spoofing vulnerabilities
  • 17 Denial of Service vulnerabilities 
  • 24 Security Feature Bypass vulnerabilities

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2024-jul

Risks

Microsoft’s July 2024 Patch Tuesday includes 138 vulnerabilities (5 critical, 132 important, 1 moderate) for a wide range of Microsoft products, impacting Microsoft Server and Workstations. This Patch Tuesday includes 2 actively exploited vulnerabilities and 5 0-day vulnerabilities. Some vulnerabilities are rated as more likely to be exploited soon, urgent patching is advised.

(CVE-2024-38077) Additionally, proof-of-concept (PoC) exploit code has recently been published, making this vulnerability even easier to exploit for attackers.

Description

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases, called “Patch Tuesday” contain security fixes for Microsoft devices and software.

CVE-2024-38080: Windows Hyper-V (Actively exploited 0-Day)
CVSS Score: 7.8 rated as Important
Technology: Virtualization

Elevation of Privilege Vulnerability: A local, authenticated threat actor can exploit CVE-2024-38080 to gain SYSTEM privileges. Microsoft reports that attackers have actively exploited this vulnerability in the wild as a zero-day. Threat actors find virtualization technology particularly attractive because vulnerabilities can provide complete control over the virtual environment, potentially affecting all virtual machines hosted on the system in the worst-case scenario.

CVE-2024-38112: Windows MSHTML (Actively exploited 0-Day)
CVSS Score: 7.5, rated as important.
Technology: Web Browser Engine

Spoofing Vulnerability: CVE-2024-38112 is a Spoofing Vulnerability where an unauthenticated, remote threat actor can exploit it by convincing a victim to open a malicious file. Microsoft highlights that successfully exploiting this flaw requires the threat actor to take additional actions to prepare the target environment. This vulnerability has been actively exploited in the wild as a zero-day, emphasizing its immediate risk and the need for prompt mitigation measures.

CVE-2024-35264: .NET and Visual Studio (exploitation less likely 0-Day)
CVSS Score: 8.1, rated as important.
Technology: Development Platform

Remote Code Execution Vulnerability: CVE-2024-35264 is a Remote Code Execution (RCE) vulnerability affecting .NET and Visual Studio. Despite being the third zero-day vulnerability patched by Microsoft this month, it has not been observed as exploited in the wild. Details were disclosed publicly before the patch release. Exploiting this vulnerability requires a threat actor to win a race condition, which is why it is rated as "Exploitation Less Likely" based on its exploitability assessment.

CVE-2024-38060: Windows Imaging Component (exploitation more likely)
CVSS Score: 8.8, rated as critical.
Technology: Image Processing Framework

Remote Code Execution Vulnerability: CVE-2024-38060 is a Remote Code Execution (RCE) vulnerability affecting the Windows Imaging Component, which processes images. An authenticated threat actor can exploit this vulnerability by uploading a malicious Tag Image File Format (TIFF). Microsoft deems it more likely for attackers to exploit this vulnerability.

CVE-2024-38059 and CVE-2024-38066: Windows Win32k (exploitation more likely) 
CVSS Score: 7.8, rated as important. 
Technology: Kernel-Mode Driver 

Elevation of Privilege Vulnerability (EOP): CVE-2024-38059 and CVE-2024-38066 are Elevation of Privilege (Epos) vulnerabilities affecting Windows Win32k, a critical kernel-side driver in Windows.

CVE-2024-38059 and CVE-2024-38066 enable a threat actor to escalate privileges to SYSTEM after compromising a system. Exploiting CVE-2024-38059 and CVE-2024-38066 allows attackers significant control over the affected system, potentially leading to complete compromise and unauthorized access.

CVE-2024-38021: Microsoft Office (exploitation more likely)
CVSS Score
: 8.8, rated as Important.
Technology: Office Suite

Remote Code Execution Vulnerability: CVE-2024-38021 affects Microsoft Office 2016. Successful exploitation would enable a threat actor to attain elevated privileges, including the ability to read, write, and delete data. Attackers target this vulnerability due to the widespread use of Microsoft Office in enterprises, making it a lucrative target for potential data breaches and system compromises, often initiated through phishing attacks.

A threat actor exploits this vulnerability by crafting a malicious link to bypass the Protected View Proto- col. By luring a user to click on this maliciously crafted link, the threat actor gains access to local NTLM credential information, which can be leveraged to escalate privileges and achieve Remote Code Exe- cution, compromising the affected system.

CVE-2024-38077 – Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability (exploitation less likely)
CVSS Score:
9.8 rated as critical
Technology: Remote Desktop Services

Remote Code Execution Vulnerability: CVE-2024-38077 is one of three Remote Desktop Licensing Remote Code Execution (RCE) vulnerabilities being addressed this month, all rated at CVSS 9.8. An unauthenticated user can execute malicious code by sending a crafted message to an affected server. Disabling the Licensing Service is advised but unrealistic because this typically requires the licensing functionality. Ensuring these servers are inaccessible from the public Internet is crucial to mitigate im- mediate exploitation risks.

CVE-2024-38023 – Microsoft SharePoint Server Remote Code Execution Vulnerability (exploitation more likely)
CVSS Score: 7.2 (more likely to be 8.8 based on hypotheses)
Technology: Microsoft SharePoint Server

Remote Code Execution Vulnerability: CVE-2024-38023 requires authentication and can be ex- ploited by any SharePoint user with Site Owner permissions. SharePoint's default configuration allows authenticated users to create sites, which challenges Microsoft's CVSS rating of "Privileges Required" as high. Hypothetically, adjusting this to low could elevate the CVSS score from 7.2 to a potentially more accurate 8.8.

According to the zero-day initiative, similar vulnerabilities have been exploited in the past.If your organization uses SharePoint, it is crucial to implement this fix.

38 CVEs: Microsoft OLE DB Driver and SQL Server Native Client OLE DB Provider (exploitation less likely)
CVSS Score:
8.8, rated as Important.
Technology: Database Connectivity

Remote Code Execution Vulnerability: Microsoft's Patch Tuesday release included 38 CVEs for RCEs affecting SQL Server Native Client OLE DB Provider and the OLE DB Driver for SQL Server. Successful exploitation can be achieved by convincing an authenticated user to connect to a malicious SQL server database using an affected driver.

CVE-2024-38094 – Microsoft SharePoint Server Remote Code Execution Vulnerability - Known exploited and added to CISA KEV on 22/10/2024
CVSS Score: 7.2
Technology: Microsoft SharePoint Server
 
Remote Code Execution Vulnerability: CVE-2024-38094 requires authentication and can be exploited by any SharePoint user with Site Owner permissions. SharePoint's default configuration allows authenticated users to create sites. If exploited, arbitrary code can be injected to the SharePoint Server.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://www.theregister.com/2024/07/10/july_2024_patch_tuesday/
https://www.zerodayinitiative.com/blog/2024/7/9/the-july-2024-security-update-review
https://www.tenable.com/blog/microsofts-july-2024-patch-tuesday-addresses-138-cves-cve-2024-38080-cve-2024-38112