Scheduled updates fix 89 Microsoft vulnerabilities, including two zero-day vulnerabilities

Threat ID:CC-4573

Threat Severity:Medium

Published:13 November 2024 3:33 PM

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Windows Server

.NET and Visual Studio

Microsoft Exchange Server

The following platforms are also known to be affected:

Airlift.microsoft.com
Azure CycleCloud
Azure Database for PostgreSQL
LightGBM
Microsoft Graphics Component
Microsoft Office Excel
Microsoft Office Word
Microsoft PC Manager
Microsoft Virtual Hard Drive
Microsoft Windows DNS
Role: Windows Hyper-V
SQL Server
TorchGeo
Visual Studio
Visual Studio Code
Windows Active Directory Certificate Services
Windows CSC Service
Windows Defender Application Control (WDAC)
Windows DWM Core Library
Windows Kerberos
Windows Kernel
Windows NT OS Kernel
Windows NTLM
Windows Package Library Manager
Windows Registry
Windows Secure Kernel Mode
Windows SMB
Windows SMBv3 Client/Server
Windows Task Scheduler
Windows Telephony Service
Windows Update Stack
Windows USB Video Driver
Windows VMSwitch
Windows Win32 Kernel Subsystem

Threat details

Active exploitation of CVE-2024-43451 and CVE-2024-49039

Microsoft has reported two vulnerabilities are under active exploitation. NHS England National CSOC urges organisations to apply relevant security updates to affected versions of Windows and Windows Server as soon as practicable.

Introduction

Microsoft has released security updates to address 89 vulnerabilities in Microsoft products. The security updates include four critical vulnerabilities, two vulnerabilities that are under zero-day exploitation, and four vulnerabilities that are publicly disclosed.

Vulnerability details

CVE-2024-43451 - NTLM Hash Disclosure Spoofing Vulnerability

CVE-2024-43451 is an 'external control of file name or path’ vulnerability in Windows and Windows Server and has a CVSSv3 score of 6.5. Successful exploitation discloses a user's NTLMv2 hash to the attacker, who could use the hash to authenticate as the user. This vulnerability is publicly known and is under active exploitation.

CVE-2024-49039 - Windows Task Scheduler Elevation of Privilege Vulnerability

CVE-2024-49039 is a ‘improper authentication’ vulnerability in .NET and Visual Studio 2022 with a CVSSv3 score of 8.8. An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only. This vulnerability is under active exploitation.

CVE-2024-43498 - .NET and Visual Studio Remote Code Execution Vulnerability

CVE-2024-49039 is a critical ‘type confusion’ vulnerability in .NET and Visual Studio 2022 with a CVSSv3 score of 9.8. An unauthenticated attacker could exploit this vulnerability leading to remote code execution.

CVE-2024-49019 - Active Directory Certificate Services Elevation of Privilege Vulnerability

CVE-2024-49019 is a ‘weak authentication’ vulnerability in Windows Server with a CVSSv3 score of 7.8. An attacker who successfully exploited this vulnerability could escalate privileges to gain domain administrator privileges. This vulnerability is publicly disclosed.

CVE-2024-49040 - Microsoft Exchange Server Spoofing Vulnerability

CVE-2024-49040 is a ‘user interface (UI) misrepresentation of critical information’ vulnerability in Microsoft Exchange Server with a CVSSv3 score of 7.5. This vulnerability is publicly known and Microsoft has a blog post that provides additional information and explains how this vulnerability could lead to the email client (for example, Microsoft Outlook) displaying a forged sender as if it were legitimate.

CVE-2024-43625 - Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

CVE-2024-43625 is a critical ‘use after free’ vulnerability with a CVSSv3 score of 8.1 that affects Windows and Windows Server. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges or lead to a scope change, which would mean that the attacker could traverse the guest's security boundary to execute arbitrary code on the Hyper-V host execution environment.

CVE-2024-43639 - Windows Kerberos Remote Code Execution Vulnerability

CVE-2024-43639 is a critical ‘numeric truncation error’ vulnerability with a CVSSv3 score of 9.8 that affects Windows Server. An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.

Threat updates


28 Nov 2024	Updates for Exchange Server Released Microsoft has re-released the security updates for Exchange server that were paused after resolving issues impacting transport rules: Re-release of November 2024 Exchange Server Security Update packages \| Microsoft Community Hub
15 Nov 2024	Update issues with Exchange Server Microsoft has paused updates for Exchange server, citing the known issues section of this blog: Released: November 2024 Exchange Server Security Updates \| Microsoft Community Hub We are aware of customers having an issue with the Transport rules stopping periodically after this update is installed. Based on our initial investigation, this can happen to customers who use their own transport or DLP rules. If you are seeing this problem, you might have to uninstall the November SU until it is re-released. We are continuing the investigation and are working on a permanent fix to address this issue. We will release it when ready. We have also paused the rollout of November 2024 SU to Windows / Microsoft Update. Customers who might not use Transport or DLP rules and did not run into the issue with rules, can continue using the November SU update.

28 Nov 2024

Updates for Exchange Server Released

Microsoft has re-released the security updates for Exchange server that were paused after resolving issues impacting transport rules: Re-release of November 2024 Exchange Server Security Update packages | Microsoft Community Hub

15 Nov 2024

Update issues with Exchange Server

Microsoft has paused updates for Exchange server, citing the known issues section of this blog: Released: November 2024 Exchange Server Security Updates | Microsoft Community Hub

We are aware of customers having an issue with the Transport rules stopping periodically after this update is installed. Based on our initial investigation, this can happen to customers who use their own transport or DLP rules. If you are seeing this problem, you might have to uninstall the November SU until it is re-released.
We are continuing the investigation and are working on a permanent fix to address this issue. We will release it when ready. We have also paused the rollout of November 2024 SU to Windows / Microsoft Update. Customers who might not use Transport or DLP rules and did not run into the issue with rules, can continue using the November SU update.

Remediation advice

Affected organisations are encouraged to review Microsoft's November 2024 Security Updates Summary and apply the relevant updates as soon as practicable.