VULNERA Pulse

SolarWinds — Web Help Desk

CVE-2024-28986 / Added: Aug. 15, 2024

CRITICAL CVSS 9.80 EPSS Score 1.87 EPSS Percentile 88.66

SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution.

Headlines

• Aug. 16, 2024 - CISA warns critical SolarWinds RCE bug is exploited in attacks
• Aug. 16, 2024 - CISA Warns of Active Exploitation in SolarWinds Web Help Desk Vulnerability
• Aug. 15, 2024 - SolarWinds: Critical RCE Bug Requires Urgent Patch
• Aug. 15, 2024 - SolarWinds Releases Patch for Critical Flaw in Web Help Desk Software
• Aug. 15, 2024 - Critical RCE bug in SolarWinds Web Help Desk fixed (CVE-2024-28986)
• Aug. 15, 2024 - SolarWinds Urges Upgrade After Revealing Critical RCE Bug
• Aug. 14, 2024 - SolarWinds addressed a critical RCE in all Web Help Desk versions
• Aug. 14, 2024 - SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
• Aug. 14, 2024 - CVE-2024-28986 (CVSS 9.8): SolarWinds Web Help Desk Users Must Patch Now!

Back to top ↑

Microsoft — Project

CVE-2024-38189 / Added: Aug. 13, 2024

HIGH CVSS 8.80 EPSS Score 0.52 EPSS Percentile 77.14

Microsoft Project contains an unspecified vulnerability that allows for remote code execution via a malicious file.

Headlines

• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

Back to top ↑

Microsoft — Windows

CVE-2024-38193 / Added: Aug. 13, 2024

HIGH CVSS 7.80 EPSS Score 0.04 EPSS Percentile 10.04

Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges.

Headlines

• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Talos discovers Microsoft kernel mode driver vulnerabilities that could lead to SYSTEM privileges; Seven other critical issues disclosed
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

Back to top ↑

Microsoft — Windows

CVE-2024-38107 / Added: Aug. 13, 2024

HIGH CVSS 7.80 EPSS Score 0.04 EPSS Percentile 10.04

Microsoft Windows Power Dependency Coordinator contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to obtain SYSTEM privileges.

Headlines

• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

Back to top ↑

Microsoft — Windows

CVE-2024-38178 / Added: Aug. 13, 2024

HIGH CVSS 7.50 EPSS Score 2.30 EPSS Percentile 89.88

Microsoft Windows Scripting Engine contains a memory corruption vulnerability that allows unauthenticated attacker to initiate remote code execution via a specially crafted URL.

Headlines

• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Talos discovers Microsoft kernel mode driver vulnerabilities that could lead to SYSTEM privileges; Seven other critical issues disclosed
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

Back to top ↑

Microsoft — Windows

CVE-2024-38106 / Added: Aug. 13, 2024

HIGH CVSS 7.00 EPSS Score 0.04 EPSS Percentile 10.04

Microsoft Windows Kernel contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. Successful exploitation of this vulnerability requires an attacker to win a race condition.

Headlines

• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

Back to top ↑

Microsoft — Windows

CVE-2024-38213 / Added: Aug. 13, 2024

MEDIUM CVSS 6.50 EPSS Score 1.42 EPSS Percentile 86.75

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience via a malicious file.

Headlines

• Aug. 16, 2024 - ZDI Details Copy2Pwn: Zero-Day CVE-2024-38213 Evades Windows Security Measures
• Aug. 15, 2024 - August Patch Tuesday goes big
• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Microsoft Fixes Nine Zero-Days on Patch Tuesday
• Aug. 14, 2024 - Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 13, 2024 - New Windows SmartScreen bypass exploited as zero-day since March
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

Back to top ↑

CVE-2024-38063

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 39.62

Actively Exploited Remote Code Execution Public Exploits Available

Published: Aug. 13, 2024

Windows TCP/IP Remote Code Execution Vulnerability

Quotes

• Consistently exploit the flaw in attacks
• The bug triggers before fw handling the packet. Considering its harm, I will not disclose more details in the short term
• An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution
• Moving on to the other code execution bugs, we’re greeted with three different CVSS 9.8 bugs right off the top. The worst is likely the bug in TCP/IP that would allow a remote, unauthenticated attacker to get elevated code execution just by sending specially crafted IPv6 packets to an affected target. That means it’s wormable

Headlines

• Aug. 16, 2024 - Microsoft urges customers to fix Windows RCE in the TCP/IP stack
• Aug. 15, 2024 - August Patch Tuesday goes big
• Aug. 15, 2024 - Windows TCP/IP Vulnerability CVE-2024-38063: Researchers Hold Back Exploit Details Due to High Risk
• Aug. 14, 2024 - Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
• Aug. 14, 2024 - Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled
• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Microsoft Patch Tuesday security updates for August 2024 six actively exploited bugs
• Aug. 14, 2024 - CVE-2024-38063 (CVSS 9.8): 0-Click RCE Affects All Windows Systems
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 13, 2024 - Talos discovers Microsoft kernel mode driver vulnerabilities that could lead to SYSTEM privileges; Seven other critical issues disclosed

CVE-2024-28986

CRITICAL CVSS 9.80 EPSS Score 1.87 EPSS Percentile 88.66

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Aug. 13, 2024

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.   However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

Vendor Impacted: Solarwinds

Product Impacted: Web Help Desk

Quotes

• SolarWinds Web Help Desk was found to be susceptible to a Java deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine
• While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available
• SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing

Headlines

• Aug. 16, 2024 - CISA warns critical SolarWinds RCE bug is exploited in attacks
• Aug. 16, 2024 - CISA Warns of Active Exploitation in SolarWinds Web Help Desk Vulnerability
• Aug. 15, 2024 - SolarWinds: Critical RCE Bug Requires Urgent Patch
• Aug. 15, 2024 - SolarWinds Releases Patch for Critical Flaw in Web Help Desk Software
• Aug. 15, 2024 - Critical RCE bug in SolarWinds Web Help Desk fixed (CVE-2024-28986)
• Aug. 15, 2024 - SolarWinds Urges Upgrade After Revealing Critical RCE Bug
• Aug. 14, 2024 - SolarWinds addressed a critical RCE in all Web Help Desk versions
• Aug. 14, 2024 - SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
• Aug. 14, 2024 - CVE-2024-28986 (CVSS 9.8): SolarWinds Web Help Desk Users Must Patch Now!

CVE-2024-38193

HIGH CVSS 7.80 EPSS Score 0.04 EPSS Percentile 10.04

CISA Known Exploited

Published: Aug. 13, 2024

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 11 22h2, Windows Server 2019, Windows Server 2012, Windows, Windows 11 21h2, Windows 10 21h2, Windows 10 1607, Windows 11 23h2, Windows 10 1507, Windows 11 24h2, Windows 10 22h2, Windows Server 2022 23h2, Windows Server 2008, Windows Server 2022, Windows Server 2016, Windows 10 1809

Quotes

• Successful exploitation of this vulnerability requires an attacker to win a race condition
• Microsoft lists exploit complexity as high due to the attacker needing to win a race condition
• Basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)
• An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution
• These types of bugs are typically paired with a code execution bug to take over a target. Microsoft doesn't provide any indication of how broadly this is being exploited, but considering the source, if it's not in ransomware already, it likely will be soon
• While [Microsoft Edge in Internet Explorer Mode] is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration

Headlines

• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Talos discovers Microsoft kernel mode driver vulnerabilities that could lead to SYSTEM privileges; Seven other critical issues disclosed
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

CVE-2024-38107

HIGH CVSS 7.80 EPSS Score 0.04 EPSS Percentile 10.04

CISA Known Exploited

Published: Aug. 13, 2024

Windows Power Dependency Coordinator Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 11 22h2, Windows Server 2019, Windows Server 2012, Windows, Windows 11 21h2, Windows 10 21h2, Windows 10 1607, Windows 11 23h2, Windows 10 1507, Windows 11 24h2, Windows 10 22h2, Windows Server 2022 23h2, Windows Server 2022, Windows Server 2016, Windows 10 1809

Quotes

• Successful exploitation of this vulnerability requires an attacker to win a race condition
• Microsoft lists exploit complexity as high due to the attacker needing to win a race condition
• Basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)
• An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution
• These types of bugs are typically paired with a code execution bug to take over a target. Microsoft doesn't provide any indication of how broadly this is being exploited, but considering the source, if it's not in ransomware already, it likely will be soon
• While [Microsoft Edge in Internet Explorer Mode] is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration

Headlines

• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

CVE-2024-38178

HIGH CVSS 7.50 EPSS Score 2.30 EPSS Percentile 89.88

CISA Known Exploited

Published: Aug. 13, 2024

Scripting Engine Memory Corruption Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 11 22h2, Windows Server 2019, Windows Server 2012, Windows, Windows 11 21h2, Windows 10 21h2, Windows 10 1607, Windows 11 23h2, Windows 10 1507, Windows 11 24h2, Windows 10 22h2, Windows Server 2022 23h2, Windows Server 2022, Windows Server 2016, Windows 10 1809

Quotes

• Successful exploitation of this vulnerability requires an attacker to win a race condition
• Microsoft lists exploit complexity as high due to the attacker needing to win a race condition
• Basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)
• An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution
• These types of bugs are typically paired with a code execution bug to take over a target. Microsoft doesn't provide any indication of how broadly this is being exploited, but considering the source, if it's not in ransomware already, it likely will be soon
• While [Microsoft Edge in Internet Explorer Mode] is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration

Headlines

• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Talos discovers Microsoft kernel mode driver vulnerabilities that could lead to SYSTEM privileges; Seven other critical issues disclosed
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

CVE-2024-38202

HIGH CVSS 7.30 EPSS Score 0.04 EPSS Percentile 9.51

Risk Context N/A

Published: Aug. 8, 2024

Summary Microsoft was notified that an elevation of privilege vulnerability exists in Windows Update, potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). However, an attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful. Microsoft is developing a security update to mitigate this threat, but it is not yet available. Guidance to help customers reduce the risks associated with this vulnerability and to protect their systems until the mitigation is available in a Windows security update is provided in the Recommended Actions section of this CVE. This CVE will be updated, and customers will be notified when the official mitigation is available in a Windows security update. We highly encourage customers to subscribe to Security Update Guide notifications to receive an alert when this update occurs. Details A security researcher informed Microsoft of an elevation of privilege vulnerability in Windows Update potentially enabling an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of VBS. For exploitation to succeed, an attacker must trick or convince an Administrator or a user with delegated permissions into performing a system restore which inadvertently triggers the vulnerability. Microsoft is developing a security update that will mitigate this vulnerability, but it is not yet available. This CVE will be updated with new information and links to the security updates once available. We highly encourage customers subscribe to Security Update Guide notifications to be a...
Please see the NVD entry for the full description.

Quotes

• Successful exploitation of this vulnerability requires an attacker to win a race condition
• An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email
• Basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)
• An attacker who convinces a user to open a malicious file could bypass SmartScreen, which would normally warn the user about files downloaded from the internet, which Windows would otherwise have tagged with MotW
• While [Microsoft Edge in Internet Explorer Mode] is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration

Headlines

• Aug. 15, 2024 - August Patch Tuesday goes big
• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Microsoft Fixes Nine Zero-Days on Patch Tuesday
• Aug. 14, 2024 - Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits
• Aug. 14, 2024 - CISA & Microsoft Warn of 6 Actively Exploited Zero-Day Vulnerabilities
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited
• Aug. 12, 2024 - Dark Skippy: New Threat Steals Secret Keys from Signing Devices

CVE-2024-38106

HIGH CVSS 7.00 EPSS Score 0.04 EPSS Percentile 10.04

CISA Known Exploited

Published: Aug. 13, 2024

Windows Kernel Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 11 22h2, Windows Server 2019, Windows, Windows 11 21h2, Windows 10 21h2, Windows 10 1607, Windows 11 23h2, Windows 10 1507, Windows 11 24h2, Windows 10 22h2, Windows Server 2022 23h2, Windows Server 2022, Windows Server 2016, Windows 10 1809

Quotes

• Successful exploitation of this vulnerability requires an attacker to win a race condition
• Microsoft lists exploit complexity as high due to the attacker needing to win a race condition
• Basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)
• An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution
• These types of bugs are typically paired with a code execution bug to take over a target. Microsoft doesn't provide any indication of how broadly this is being exploited, but considering the source, if it's not in ransomware already, it likely will be soon
• While [Microsoft Edge in Internet Explorer Mode] is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration

Headlines

• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

CVE-2024-21302

MEDIUM CVSS 6.70 EPSS Score 0.04 EPSS Percentile 9.51

Risk Context N/A

Published: Aug. 8, 2024

Summary: Microsoft was notified that an elevation of privilege vulnerability exists in Windows based systems supporting Virtualization Based Security (VBS), including a subset of Azure Virtual Machine SKUS. This vulnerability enables an attacker with administrator privileges to replace current versions of Windows system files with outdated versions. By exploiting this vulnerability, an attacker could reintroduce previously mitigated vulnerabilities, circumvent some features of VBS, and exfiltrate data protected by VBS. Microsoft is developing a security update to mitigate this threat, but it is not yet available. Guidance to help customers reduce the risks associated with this vulnerability and to protect their systems until the mitigation is available in a Windows security update is provided in the Recommended Actions section of this CVE. This CVE will be updated when the mitigation is available in a Windows security update. We highly encourage customers to subscribe to Security Update Guide notifications to receive an alert when this update occurs. Update: August 13, 2024 Microsoft has released the August 2024 security updates that include an opt-in revocation policy mitigation to address this vulnerability. Customers running affected versions of Windows are encouraged to review KB5042562: Guidance for blocking rollback of virtualization-based security related updates to assess if this opt-in policy meets the needs of their environment before implementing this mitigation. There are risks associated with this mitigation that should be understood prior to applying it to your systems. Detailed information about these risks is also available in KB5042562. Details: A security researcher informed Microsoft of an elevation...
Please see the NVD entry for the full description.

Quotes

• Successful exploitation of this vulnerability requires an attacker to win a race condition
• An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email
• Basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)
• An attacker who convinces a user to open a malicious file could bypass SmartScreen, which would normally warn the user about files downloaded from the internet, which Windows would otherwise have tagged with MotW
• While [Microsoft Edge in Internet Explorer Mode] is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration

Headlines

• Aug. 15, 2024 - August Patch Tuesday goes big
• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Microsoft Fixes Nine Zero-Days on Patch Tuesday
• Aug. 14, 2024 - Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits
• Aug. 14, 2024 - CISA & Microsoft Warn of 6 Actively Exploited Zero-Day Vulnerabilities
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Talos discovers Microsoft kernel mode driver vulnerabilities that could lead to SYSTEM privileges; Seven other critical issues disclosed
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited
• Aug. 12, 2024 - Dark Skippy: New Threat Steals Secret Keys from Signing Devices

CVE-2024-38213

MEDIUM CVSS 6.50 EPSS Score 1.42 EPSS Percentile 86.75

CISA Known Exploited

Published: Aug. 13, 2024

Windows Mark of the Web Security Feature Bypass Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 11 22h2, Windows Server 2019, Windows Server 2012, Windows, Windows 11 21h2, Windows 10 21h2, Windows 10 1607, Windows 11 23h2, Windows 10 1507, Windows 10 22h2, Windows Server 2022 23h2, Windows Server 2022, Windows Server 2016, Windows 10 1809

Quotes

• Successful exploitation of this vulnerability requires an attacker to win a race condition
• Microsoft lists exploit complexity as high due to the attacker needing to win a race condition
• An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email
• Basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)
• An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution
• An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. An attacker must send the user a malicious file and convince them to open it
• An attacker who convinces a user to open a malicious file could bypass SmartScreen, which would normally warn the user about files downloaded from the internet, which Windows would otherwise have tagged with MotW
• These types of bugs are typically paired with a code execution bug to take over a target. Microsoft doesn't provide any indication of how broadly this is being exploited, but considering the source, if it's not in ransomware already, it likely will be soon
• While [Microsoft Edge in Internet Explorer Mode] is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration

Headlines

• Aug. 16, 2024 - ZDI Details Copy2Pwn: Zero-Day CVE-2024-38213 Evades Windows Security Measures
• Aug. 15, 2024 - August Patch Tuesday goes big
• Aug. 14, 2024 - August 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• Aug. 14, 2024 - Microsoft Fixes Nine Zero-Days on Patch Tuesday
• Aug. 14, 2024 - Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits
• Aug. 14, 2024 - Microsoft patches CVE-2024-38063 IPv6 RCE vulnerability
• Aug. 14, 2024 - Patch Tuesday: 6 Microsoft fixes for flaws already exploited
• Aug. 13, 2024 - New Windows SmartScreen bypass exploited as zero-day since March
• Aug. 13, 2024 - Six 0-Days Lead Microsoft’s August 2024 Patch Push –
• Aug. 13, 2024 - Microsoft Discloses 10 Zero-Day Bugs in Patch Tuesday Update
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

CVE-2024-38200

MEDIUM CVSS 6.50 EPSS Score 0.32 EPSS Percentile 70.82

Remote Code Execution

Published: Aug. 12, 2024

Microsoft Office Spoofing Vulnerability

Vendor Impacted: Microsoft

Products Impacted: 365 Apps, Office, Office Long Term Servicing Channel

Quotes

• Not as a result of any technical issues on our side or action taken by us
• Successful exploitation of this vulnerability requires an attacker to win a race condition
• An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email
• An attacker who convinces a user to open a malicious file could bypass SmartScreen, which would normally warn the user about files downloaded from the internet, which Windows would otherwise have tagged with MotW
• In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability
• While [Microsoft Edge in Internet Explorer Mode] is not the default mode for most users, this exploit being actively exploited suggests that there are occasions in which the attacker can set this or has identified an organization (or user) that has this configuration

Headlines

• Aug. 15, 2024 - AI, election security headline discussions at Black Hat and DEF CON
• Aug. 14, 2024 - Microsoft Fixes Nine Zero-Days on Patch Tuesday
• Aug. 14, 2024 - Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits
• Aug. 14, 2024 - CISA & Microsoft Warn of 6 Actively Exploited Zero-Day Vulnerabilities
• Aug. 13, 2024 - Microsoft fixes 6 zero-days under active attack
• Aug. 13, 2024 - Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited
• Aug. 12, 2024 - Unpatched MS Office flaw may leak NTLM hashes to attackers (CVE-2024-38200)
• Aug. 11, 2024 - CVE-2024-38200: Zero-Day Vulnerability in Microsoft Office: A Call for Urgent Action
• Aug. 10, 2024 - Microsoft reveals Office security flaw that has not yet been patched