www.belgium.be Logo of the federal government

WARNING: MICROSOFT PATCH TUESDAY JUNE 2024 PATCHES 49 VULNERABILITIES (1 CRITICAL, 48 IMPORTANT), PATCH IMMEDIATELY!!

Reference: 
Advisory #2024-86
Version: 
1.0
Affected software: 
Multiple Microsoft software
Type: 
Several types, ranging from Information Disclosure to Remote Code Execution and Privilege Escalation.
CVE/CVSS: 

Microsoft patched 49 vulnerabilities in its June 2024 Patch Tuesday release, 1 rated as critical and 48 rated important. This Patch Tuesday update does not contain any actively exploited or zero-day vulnerabilities. This count omitted two CVEs that were not issued by Microsoft; CVE-2023-50868 (issued by MITRE) and CVE-2024-29187 (issued by GitHub).

Number of CVE by type:

  • 24 Elevation of Privilege vulnerabilities
  • 18 Remote Code Execution vulnerabilities
  • 4   Denial of Service vulnerabilities
  • 3   Information Disclosure vulnerabilities

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2024-Jun

Risks

Microsoft’s June 2024 Patch Tuesday includes 49 vulnerabilities (1 critical and 48 important), for a wide range of Microsoft products, impacting Microsoft Server and Workstations. This Patch Tuesday update does not contain any actively exploited or zero-day vulnerabilities. Microsoft has categorized several vulnerabilities as 'Exploitation More Likely’; therefore, urgent patching is advised. This count omitted two CVEs that were not issued by Microsoft; CVE-2023-50868 (issued by MITRE) and CVE-2024-29187 (issued by GitHub).

Description

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.

The CCB would like to point your attention to following vulnerabilities:

CVE-2024-30080: Microsoft Message Queuing (MSMQ) - Critical

Remote Code Execution Vulnerability. CVE-2024-30080 is a critical remote code execution (RCE) vulnerability in the Microsoft Message Queuing (MSMQ) component of Windows operating systems. The vulnerability was assigned a CVSSv3 score of 9.8. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted MSMQ packets to a vulnerable MSMQ server. This could result in remote code execution on the server side. Microsoft has classified this vulnerability as ‘Exploitation More Likely’.

For a system to be vulnerable, the MSMQ service must be added and enabled. If the service is enabled on a Windows installation, a service named "Message Queuing" will be running on TCP port 1801.

CVE-2024-30080 is the fourth RCE vulnerability affecting MSMQ patched in 2024, with two addressed in the April Patch Tuesday release (CVE-2024-26232, CVE-2024-26208) and one in February’s Patch Tuesday release (CVE-2024-21363).

CVE-2024-30082, CVE-2024-30087 and CVE-2024-30091: Win32k – Important

Elevation of Privilege Vulnerabilities. CVE-2024-30082, CVE-2024-30087 and CVE-2024-30091 are vulnerabilities in Microsoft’s Win32k, which is a core kernel-side driver used in Windows. All three vulnerabilities were assigned a CVSSv3 score of 7.8 and classified as ‘Exploitation More Likely’.

An attacker can exploit these vulnerabilities to gain the same rights as the user running the affected application, or SYSTEM rights in the case of CVE-2024-30082.

Microsoft fixed several EoP flaws in Win32k over the last years. Several of these vulnerabilities have been actively exploited in the wild. Urgent patching is advised!

CVE-2024-30085: Windows Cloud Files Mini Filter Driver – Important

Elevation of Privilege Vulnerability. This vulnerability affects the Microsoft Windows Cloud Files Mini Filter Driver. It was assigned a CVSSv3 score of 7.8 and classified as ‘Exploitation More Likely’. An attacker could exploit this vulnerability to elevate privileges to SYSTEM.

CVE-2024-30089: Microsoft Streaming Service – Important

Elevation of Privilege Vulnerability. CVE-2024-30089 is a vulnerability in Microsoft Streaming Service. It was assigned a CVSSv3 score of 7.8 and classified as ‘Exploitation More Likely’. An attacker could exploit this vulnerability to elevate privileges to SYSTEM.

CVE-2024-30103: Microsoft Outlook – Important

Remote Code Execution Vulnerability. CVE-2024-30103 is a Remote Code Execution (RCE) vulnerability in Microsoft Outlook. This vulnerability was assigned a CVSSv3 score of 8.8 but is categorized as ‘Exploitation less likely’. To exploit this vulnerability an attacker must be authenticated using valid Exchange user credentials and according to Microsoft: “An attacker who successfully exploited this vulnerability could bypass Outlook registry block lists and enable the creation of malicious DLL files.” The Cybersecurity firm Morphisec, which discovered the vulnerability said that the flaw could be used to trigger code execution without requiring users to click or interact with the email content.

CVE-2024-30078: Windows Wi-Fi driver – Important

Remote Code Execution Vulnerability. CVE-2024-30078 is a vulnerability in the Windows Wi-Fi driver. This vulnerability was assigned a CVSSv3 score of 8.8 and classified as ‘Exploitation Less Likely’. An unauthenticated attacker can exploit this vulnerability to execute code on an affected system by sending the target a specially crafted network packet. The target would need to be in Wi-Fi range of the attacker and using a Wi-Fi adapter.

CVE-2023-50868: MITRE -  DNSSEC validation process – Important

Denial of Service Vulnerability. CVE-2023-50868 is a denial-of-service issue impacting the DNSSEC validation process that could cause CPU exhaustion on a DNSSEC-validating resolver. This vulnerability was issued by Mitre and is not included in our Microsoft Patch Tuesday statistics. For more information, please see our previous advisory for this vulnerability, named KeyTrap on our website.                                          

 

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://www.theregister.com/2024/06/12/june_patch_tuesday/
https://securityaffairs.com/164442/security/microsoft-patch-tuesday-june-2024.html
https://thehackernews.com/2024/06/microsoft-issues-patches-for-51-flaws.html
https://www.tenable.com/blog/microsofts-june-2024-patch-tuesday-addresses-49-cves
https://www.zerodayinitiative.com/blog/2024/6/11/the-june-2024-security-update-review
https://www.securityweek.com/patch-tuesday-remote-code-execution-flaw-in-microsoft-message-queuing/
https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2024-patch-tuesday-fixes-51-flaws-18-rces/