Aggregator
Self Destruction To Use After Free In Kernel:CVE-2024-38059分析记录
【补丁日速递】2024年7月微软补丁日安全风险通告
注意喚起: 2024年7月マイクロソフトセキュリティ更新プログラムに関する注意喚起 (公開)
微软7月补丁日多个产品安全漏洞风险通告:2个在野利用、5个紧急漏洞
再创佳绩 | 复旦白泽漏洞治理团队研究成果获软件工程顶会 FSE 杰出论文奖
在APT32的分析报告里学习与吸收
【数据跨境流动治理模式概览】
王燃 | 电子数据真实性判断的时间审查
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
by Haifei Li Introduction and Background Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the […]
The post Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112) appeared first on Check Point Research.
Как CISO не сесть в тюрьму?!
Microsoft Patch Tuesday, July 2024 Edition
July Patch Tuesday Unleashes a Torrent of Updates
How Network Visibility Gaps Challenge IT in Assuring Business Continuity
The July 2024 Security Update Review
We’re just past the halfway point of 2024, and as expected, Microsoft and Adobe have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for July 2024
For July, Adobe released three patches addressing seven CVEs in Adobe Premiere Pro, InDesign, and Adobe Bridge. The patch for InDesign is the largest, fixing four Critical-rated CVEs. All four could lead to arbitrary code execution. The fix for Premiere Pro fixes a single CVE that could lead to arbitrary code execution. Finally, the fix for Bridge fixes one Critical rated and one Important rated bug. The Critical-rated bug could lead to code execution while the other bug is a memory leak. After such a huge Adobe release last month, it’s nice to see a smaller one this month.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for July 2024
This month, Microsoft released a gargantuan 139 new CVEs in Windows and Windows Components; Office and Office Components; .NET and Visual Studio; Azure; Defender for IoT; SQL Server; Windows Hyper-V; Bitlocker and Secure(?) Boot; Remote Desktop; and Xbox (yes Xbox!). If you include the third-party CVEs being documented this month, the CVE count comes to 142. One of these cases came through the ZDI program.
Of the patches being today, five are rated Critical, 133 are rated Important, and three are rated Moderate in severity. This release is another huge bunch of fixes from Redmond, just shy of the record 147 CVEs from back in April this year.
Two of these CVEs are listed as publicly known, with one of those being a third-party update that’s now being integrated into Microsoft products. Two other bugs are listed as being under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerabilities currently being exploited:
- CVE-2024-38080 – Windows Hyper-V Elevation of Privilege Vulnerability
This vulnerability could allow an authenticated threat actor to execute code with SYSTEM privileges. While not specifically stated by Microsoft, let’s assume the worst-case scenario and say that an authorized user could be on a guest OS. Microsoft also does not state how widespread the exploitation is, but this exploit would prove quite useful for ransomware. If you’re running Hyper-V, test and deploy this update quickly.
- CVE-2024-38112 – Windows MSHTML Platform Spoofing Vulnerability
This bug is listed as “Spoofing” for the impact, but it’s not clear exactly what is being spoofed. Microsoft has used this wording in the past for NTLM relay attacks, but that seems unlikely here. Given the researcher who reported this to Microsoft, we’ll likely see additional analysis from them soon. The good news is that a user would need to click a link to be affected. The bad news is that users click anything.
- CVE-2024-38077 – Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
This is one of three Remote Desktop Licensing RCEs getting fixed this month, and all have a CVSS rating of 9.8. Exploitation of this should be straightforward, as any unauthenticated user could execute their code simply by sending a malicious message to an affected server. As a temporary workaround, you could disable the Licensing Service, but if you’re running it, you likely need it. I would also ensure these servers are not addressable to the Internet. If a bunch of these servers are Internet-connected, I would expect exploitation soon. Now is also a good time to audit your servers to ensure they aren’t running any unnecessary services.
- CVE-2024-38060 – Microsoft Windows Codecs Library Remote Code Execution Vulnerability
This bug does require the attacker to be authenticated, but any authenticated user could abuse it. It simply requires an authenticated user to upload a specially crafted TIFF image to an affected system. This would be a nifty method for lateral movement once an initial foothold has been achieved. There are no workarounds either, so test and deploy the patch quickly.
- CVE-2024-38023 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This vulnerability also requires authentication, but any SharePoint user with Site Owner permissions can hit it. However, the default configuration of SharePoint allows authenticated users to create sites. That’s why I disagree with Microsoft’s CVSS rating here. By changing “Privileges Required” to low instead of high, it takes it from a 7.2 to (IMHO) more accurate 8.8. We blogged about this type of bug in the past. These types of bugs have been exploited in the past, so if you’re running SharePoint, don’t disregard or delay implementing this fix.
Here’s the full list of CVEs released by Microsoft for July 2024:
CVE Title Severity CVSS Public Exploited Type CVE-2024-38080 Windows Hyper-V Elevation of Privilege Vulnerability Important 7.8 No Yes EoP CVE-2024-38112 Windows MSHTML Platform Spoofing Vulnerability Important 7.5 No Yes Spoofing CVE-2024-37985 * Arm: CVE-2024-37985 Systematic Identification and Characterization of Proprietary Prefetchers Important 5.9 Yes No Info CVE-2024-35264 .NET and Visual Studio Remote Code Execution Vulnerability Important 8.1 Yes No RCE CVE-2024-38023 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical 7.2 No No RCE CVE-2024-38060 Microsoft Windows Codecs Library Remote Code Execution Vulnerability Critical 8.8 No No RCE CVE-2024-38074 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability Critical 9.8 No No RCE CVE-2024-38076 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability Critical 9.8 No No RCE CVE-2024-38077 Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability Critical 9.8 No No RCE CVE-2024-38095 .NET and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-30105 .NET Core and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-38091 Microsoft WS-Discovery Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-35270 Windows iSCSI Service Denial of Service Vulnerability Important 5.3 No No DoS CVE-2024-38101 Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability Important 6.5 No No DoS CVE-2024-38102 Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability Important 6.5 No No DoS CVE-2024-38105 Windows Layer-2 Bridge Network Driver Denial of Service Vulnerability Important 6.5 No No DoS CVE-2024-38027 Windows Line Printer Daemon Service Denial of Service Vulnerability Important 6.5 No No DoS CVE-2024-38048 Windows Network Driver Interface Specification (NDIS) Denial of Service Vulnerability Important 6.5 No No DoS CVE-2024-38031 Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-38067 Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-38068 Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-38015 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-38071 Windows Remote Desktop Licensing Service Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-38072 Windows Remote Desktop Licensing Service Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-38073 Windows Remote Desktop Licensing Service Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-38099 † Windows Remote Desktop Licensing Service Denial of Service Vulnerability Important 5.9 No No DoS CVE-2024-38081 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability Important 7.3 No No EoP CVE-2024-38092 † Azure CycleCloud Elevation of Privilege Vulnerability Important 8.8 No No EoP CVE-2024-35261 Azure Network Watcher VM Extension Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38061 DCOM Remote Cross-Session Activation Elevation of Privilege Vulnerability Important 7.5 No No EoP CVE-2024-38052 Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38054 Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38057 Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38089 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 9.1 No No EoP CVE-2024-38013 Microsoft Windows Server Backup Elevation of Privilege Vulnerability Important 6.7 No No EoP CVE-2024-38033 PowerShell Elevation of Privilege Vulnerability Important 7.3 No No EoP CVE-2024-38043 PowerShell Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38047 PowerShell Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38059 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38100 Windows File Explorer Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38034 Windows Filtering Platform Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38079 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38085 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38022 Windows Image Acquisition Elevation of Privilege Vulnerability Important 7 No No EoP CVE-2024-38062 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-30079 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-21417 Windows Text Services Framework Elevation of Privilege Vulnerability Important 8.8 No No EoP CVE-2024-38066 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38050 Windows Workstation Service Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-38017 Microsoft Message Queuing Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-32987 Microsoft SharePoint Server Information Disclosure Vulnerability Important 7.5 No No Info CVE-2024-38055 Microsoft Windows Codecs Library Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-30061 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability Important 7.3 No No Info CVE-2024-38056 Microsoft Windows Codecs Library Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-38041 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-30071 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 4.7 No No Info CVE-2024-38064 Windows TCP/IP Information Disclosure Vulnerability Important 7.5 No No Info CVE-2024-38086 Azure Kinect SDK Remote Code Execution Vulnerability Important 6.4 No No RCE CVE-2024-38044 DHCP Server Service Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-38021 † Microsoft Office Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37334 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-38094 Microsoft SharePoint Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-38024 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-38019 Microsoft Windows Performance Data Helper Library Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-38025 Microsoft Windows Performance Data Helper Library Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-38028 Microsoft Windows Performance Data Helper Library Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-38032 Microsoft Xbox Remote Code Execution Vulnerability Important 7.1 No No RCE CVE-2024-20701 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21303 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21308 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21317 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21331 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21332 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21333 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21335 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21373 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21398 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21414 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21415 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21425 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21428 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-21449 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28928 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-35256 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-35271 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-35272 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37318 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37319 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37320 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37321 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37322 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37323 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37324 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37326 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37327 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37328 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37329 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37330 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37331 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37332 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37333 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-37336 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-38087 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-38088 SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-38049 Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability Important 6.6 No No RCE CVE-2024-38104 Windows Fax Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-38051 Windows Graphics Component Remote Code Execution Vulnerability Important 7.8 No No RCE CVE-2024-38053 Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-30013 Windows MultiPoint Services Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-38078 Xbox Wireless Adapter Remote Code Execution Vulnerability Important 7.5 No No RCE CVE-2024-38058 BitLocker Security Feature Bypass Vulnerability Important 6.8 No No SFB CVE-2024-26184 Secure Boot Security Feature Bypass Vulnerability Important 6.8 No No SFB CVE-2024-28899 Secure Boot Security Feature Bypass Vulnerability Important 8.8 No No SFB CVE-2024-37969 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37970 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37971 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37972 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37973 Secure Boot Security Feature Bypass Vulnerability Important 8.4 No No SFB CVE-2024-37974 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37975 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37977 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37978 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37981 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37984 Secure Boot Security Feature Bypass Vulnerability Important 8.4 No No SFB CVE-2024-37986 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37987 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37988 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-37989 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-38010 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-38011 Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-38065 Secure Boot Security Feature Bypass Vulnerability Important 6.8 No No SFB CVE-2024-30098 Windows Cryptographic Services Security Feature Bypass Vulnerability Important 7.5 No No SFB CVE-2024-38069 Windows Enroll Engine Security Feature Bypass Vulnerability Important 7 No No SFB CVE-2024-38070 Windows LockDown Policy (WLDP) Security Feature Bypass Vulnerability Important 7.8 No No SFB CVE-2024-35266 Azure DevOps Server Spoofing Vulnerability Important 7.6 No No Spoofing CVE-2024-35267 Azure DevOps Server Spoofing Vulnerability Important 7.6 No No Spoofing CVE-2024-3596 * CERT/CC: CVE-2024-3596 RADIUS Protocol Spoofing Vulnerability Important 7.5 No No Spoofing CVE-2024-30081 Windows NTLM Spoofing Vulnerability Important 7.1 No No Spoofing CVE-2024-38030 Windows Themes Spoofing Vulnerability Important 6.5 No No Spoofing CVE-2024-38517 * Github: CVE-2024-38517 TenCent RapidJSON Elevation of Privilege Vulnerability Moderate 7.8 No No EoP CVE-2024-39684 * Github: CVE-2024-39684 TenCent RapidJSON Elevation of Privilege Vulnerability Moderate 7.8 No No EoP CVE-2024-38020 Microsoft Outlook Spoofing Vulnerability Moderate 6.5 No No Spoofing* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
† Indicates further administrative actions are required to fully address the vulnerability.
There are a total of 59 code execution bugs in this release, which is more CVEs than the entire June release. However, 38 of these are related to SQL Server and require a user to connect to a malicious SQL server database. That does seem unlikely, but it could be used as a post-exploitation technique for lateral movement. There’s an interesting bug in the Windows Multipoint Service, but it requires the service to be restarted for an attack to succeed. The one, new publicly known bug this month is in .NET Framework and Visual Studio. It’s an interesting race condition, but it seems unlikely to be exploited. There are the standard open-and-own Office bugs, including one that requires multiple security updates to fully address the vulnerability. Be sure to check for the “†” in the above table. There are some authenticated RCEs in the Performance Data Helper Library, but these require elevated permissions. There are additional SharePoint fixes, but it’s not clear why these are rated Important instead of Critical. There’s a scary-sounding bug in the DHCP server, but it also requires high privileges. That’s the same for the bug in Windows DTC. There’s a bug for adjacent attackers to use in the Layer-2 Bridge Network Driver. It’s not often you see exploits that low on the OSI model, but this one doesn’t require authentication. The final RCE fixes for this month happen in components you don’t expect to see patches for. The first is in the Azure Kinect SDK. Yes – that Kinect. It requires someone actually plug in a malicious USB drive to an affected system. The Kinect SDK is available for Windows and Linux, but it’s not clear if the fix covers both. Then there are fixes for the Xbox and Xbox Wireless Controller. For the Xbox, an unauthenticated attacker could get code execution by sending a malicious networking packet to an adjacent console that employs a Wi-Fi networking adapter. That’s the same scenario for the controller. Obviously, an attacker would need to be in close proximity to achieve this exploit.
There are a couple dozen fixes for Elevation of Privilege (EoP) bugs in this release, but most of these either lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. The bug in the Text Services Framework could be used as a sandbox or AppContainer escape. The bug in Defender for IoT could also be used as an AppContainer escape. Two of the PowerShell bugs allow a threat actor to go from a restrained user to an unrestrained WDAC user. PowerShell is often used for post-exploitation for lateral movement, so this technique would be handy for those living off the land. The bug is the Workstation Service could allow an attacker to overwrite critical structures of the service, leading to arbitrary memory writing or control flow hijacking. Not exactly a common technique, but it does lead to a privilege escalation. Finally, the bug in Azure CycleCloud could allow an authenticated user to escalate to the Administrator role on affected Azure CycleCloud instances. If you’re using this component, you need to update your CycleCloud VMs. If you aren’t familiar with that process, Microsoft provides some guidance here.
There are also two dozen fixes for security feature bypass (SFB) bugs, although I think we need to rename a component. Between 23 fixes in April and 20 more this month, I don’t think we can really call it Secure Boot anymore. Even worse, all but two of these could be exploited by an Adjacent attacker with LAN access to the target. Oof. I’m calling this feature “Protected Boot” rather than “Secure Boot”. The SFB bug in BitLocker requires physical access, but BitLocker is specifically designed to prevent this sort of attack, so…er…not good. The SFB in cryptographic services requires a SHA1 hash collision. The bug in the Windows Enroll Engine could allow a threat actor to avoid certificate validation during the enrollment process, but the exploitation would be complicated.
There are only nine information disclosure bugs receiving fixes this month and most only result in info leaks consisting of unspecified memory contents. There are only two exception. The bug in the on prem version of Dynamics 365 discloses data stored in the underlying datasets in Dataverse. This could include Personal Identifiable Information (PII). The bug in SharePoint could disclose data from the targeted website including IDs, tokens, cryptographic nonces, or other sensitive information.
There are quite a few Denial-of-Service (DoS) bugs in the July release, but Microsoft provides very little information about the details. It would be nice to know if these are blue screens or just a service-level DoS. We do know that the bugs in the iSCSI service and the Layer-2 Bridge Network driver require the attacker to be adjacent. The same goes for the bug in the Line Printer Daemon Service and the Network Driver Interface Specification. Lastly, one of the DoS bugs in the Remote Desktop Licensing Service requires some extra steps beyond the patch. According to Microsoft, “If your RD session hosts and RD licensing servers are joined to a workgroup, you need to ensure that your RD session hosts have the necessary credentials to access your RD licensing servers.” You can find additional information about that here.
The July release is rounded out by a few spoofing bugs. Probably the most important of these is the bug in Outlook that could result in NTLM relaying. Fortunately, the Preview Pane is not an attack vector. Although not specifically stated, one would assume the same for the NTLM spoofing bug. And while not as clear, one would assume the same for the spoofing bug in Themes as Microsoft lists disabling NTLM as a workaround. Finally, the bugs in Azure DevOps Server are listed as spoofing, but they could also be used for DoS or Information Disclosure.
There are no new advisories in this month’s release.
Looking Ahead
The next Patch Tuesday of 2024 will be on August 13, and I’ll return with details and patch analysis then. I’ll also be at Black Hat and DEFCON, so if you’re there, I’d love to chat about all things patches and bug bounties. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
Finding hidden API parameters
Learn how to use Param Miner to find hidden parameters that may help manipulate an API in unintended ways, revealing potential security flaws.
The post Finding hidden API parameters appeared first on Dana Epp's Blog.