Talos discovers Microsoft kernel mode driver vulnerabilities that could lead to SYSTEM privileges; Seven other critical issues disclosed
The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP.
Tuesday, August 13, 2024 15:12
Microsoft disclosed six security vulnerabilities that are actively being exploited across its products as part of the company’s regular Patch Tuesday security update.
In all, August’s monthly round of patches from Microsoft included 87 vulnerabilities, seven of which are considered critical. In addition to the zero-days disclosed Tuesday, Microsoft also addressed security issues that had already been publicly disclosed. One is CVE-2024-38200, a spoofing vulnerability in Microsoft Office that could result in unauthorized disclosure of sensitive information to malicious actors; Microsoft published an advisory for it last week, ahead of the patch. The other is CVE-2024-21302, an elevation of privilege vulnerability in Windows Secure Kernel Mode that Microsoft warned about last week after researchers showed it could be used in downgrade attacks, rolling patched operating system files back to older versions and re-opening past vulnerabilities.
Cisco Talos’ Vulnerability Research team discovered four of the vulnerabilities Microsoft patched this week: CVE-2024-38184, CVE-2024-38185, CVE-2024-38186 and CVE-2024-38187. These are elevation of privilege vulnerabilities in the Microsoft Windows kernel-mode driver that could allow an attacker to gain SYSTEM-level privileges.
The most serious of the issues included in August’s Patch Tuesday is CVE-2024-38063, a remote code execution vulnerability in Windows TCP/IP. An unauthenticated attacker could exploit this vulnerability by repeatedly sending specially crafted IPv6 packets to a targeted Windows machine that could enable remote code execution. Systems that have IPv6 disabled are not susceptible to this vulnerability.
CVE-2024-38063 has a severity score of 9.8 out of 10 and is listed as “more likely” to be exploited.
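Microsoft’s advisory states that hosts with IPv6 disabled are not affected, so the first thing a defender wants is a fast way to tell which hosts are actually exposed. The following PowerShell script is an added example, not code from the Talos post or from Microsoft. It reports whether the IPv6 stack (ms_tcpip6) is bound to any adapter, the system-wide DisabledComponents registry value, and the installed OS build including its update build revision (UBR), so the build can be compared against the fixed build in Microsoft’s release notes for that Windows version. Fixed build numbers are deliberately not hard-coded; the thresholds vary per Windows release and should be taken from the vendor’s release notes.

```powershell
# Added example (not from the original post): assess a host's exposure to
# CVE-2024-38063. Per Microsoft, systems with IPv6 disabled are not affected,
# so we check the two ways IPv6 is commonly disabled on Windows plus the OS build.
# Run in an elevated PowerShell session; wrap in Invoke-Command for a fleet.

# 1. Per-adapter binding of the IPv6 stack (component ID ms_tcpip6).
$ipv6Bindings  = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction SilentlyContinue
$boundAdapters = @($ipv6Bindings | Where-Object { $_.Enabled })

# 2. System-wide switch. DisabledComponents = 0xFF disables IPv6 on all
#    non-tunnel and tunnel interfaces (loopback remains). Other bit patterns,
#    e.g. 0x20 "prefer IPv4", leave the stack active and do NOT mitigate.
$tcpip6Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$disabled  = (Get-ItemProperty -Path $tcpip6Key -Name 'DisabledComponents' `
                -ErrorAction SilentlyContinue).DisabledComponents
$fullyDisabledByRegistry = ($null -ne $disabled) -and (($disabled -band 0xFF) -eq 0xFF)

# 3. OS build with UBR; the UBR changes with each cumulative update, so this is
#    the value to compare against the fixed build in Microsoft's release notes.
$nt    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = '{0}.{1}' -f $nt.CurrentBuildNumber, $nt.UBR

# IPv6 counts as disabled only if the registry switch is set to 0xFF or no
# adapter has the IPv6 stack bound. Anything else means: patch this host.
$ipv6Disabled = $fullyDisabledByRegistry -or ($boundAdapters.Count -eq 0)

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OSBuild            = $build
    IPv6BoundAdapters  = (($boundAdapters | ForEach-Object { $_.Name }) -join ', ')
    DisabledComponents = if ($null -eq $disabled) { 'not set (IPv6 enabled by default)' }
                         else { '0x{0:X}' -f $disabled }
    IPv6Disabled       = $ipv6Disabled
    Assessment         = if ($ipv6Disabled) { 'Not affected per advisory (IPv6 disabled)' }
                         else { 'Exposed until the August 2024 update is installed' }
}
```

Two caveats worth stating when using this: unchecking IPv6 on an adapter in the GUI only clears the per-adapter binding, and Microsoft’s own guidance is that disabling IPv6 can break features that assume it is present, so the check is a triage aid for prioritising patch deployment rather than a substitute for installing the update.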
Two other remote code execution vulnerabilities, CVE-2024-38159 and CVE-2024-38160, exist in Windows Network Virtualization, and another, CVE-2024-38140, exists in the Windows Reliable Multicast Transport Driver. All three are considered critical.
Two of the vulnerabilities already being exploited in the wild are CVE-2024-38178, a memory corruption vulnerability in the Microsoft Scripting Engine, and CVE-2024-38193, an elevation of privilege vulnerability in the Windows Ancillary Function Driver. Though they are both zero-days, Microsoft only lists them as being “important.”
Lastly, we’d also like to highlight two vulnerabilities in the Secure Boot security feature, CVE-2024-38090 and CVE-2024-28918, which are rated critical and important, respectively.
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63858 – 63861 and 63864 – 63878. There are also Snort 3 rules 300980 – 300988.
Related news
Windows 11 machines remain open to downgrade attacks, where attackers can abuse the Windows Update process to revive a patched driver signature enforcement (DSE) bypass.
A new attack technique could be used to bypass Microsoft's Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks. "This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more," SafeBreach
The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.
The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT. The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode.
Talos researchers have disclosed three vulnerabilities in OpenPLC, a popular open-source programmable logic controller.
A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit. The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.
A proof-of-concept Python script for checking the Microsoft Windows IPv6 vulnerability (CVE-2024-38063); the script causes a denial of service rather than code execution. Windows 10 and 11 versions under 10.0.26100.1457 and Server 2016, 2019 and 2022 versions under 10.0.17763.6189 are affected.
It’s not unusual for a threat actor to exaggerate the extent of a hack or breach to drum up interest, and hopefully, the eventual purchase or ransom price.
A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea. The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. "An attacker who successfully exploited this
Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.”
A researcher used two Windows vulnerabilities to perform downgrade attacks. These flaws have now been patched by Microsoft.
Eight of the vulnerabilities affect the license update feature for CLIPSP.SYS, a driver used to implement Client License System Policy on Windows 10 and 11.
Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild. Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month. The Patch Tuesday
Microsoft today released updates to fix at least 90 security vulnerabilities in Windows and related software, including a whopping six zero-day flaws that are already being actively exploited by attackers.
Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors. The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office - Microsoft Office 2016 for 32-bit edition and 64-bit editions Microsoft
Microsoft said it is developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions. The vulnerabilities are listed below - CVE-2024-38202 (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability CVE-2024-21302