VULNERA Pulse

Palo Alto Networks — Expedition

CVE-2024-9465 / Added: Nov. 14, 2024

CRITICAL CVSS 9.10 EPSS Score 94.77 EPSS Percentile 99.35

Palo Alto Networks Expedition contains a SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Headlines

• Nov. 15, 2024 - Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465)
• Nov. 15, 2024 - U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
• Nov. 15, 2024 - CISA Flags Critical Palo Alto Network Flaws Actively Exploited in the Wild
• Nov. 15, 2024 - CISA Flags Critical Exploits in Palo Alto Networks' Expedition with Public PoC Code
• Nov. 14, 2024 - CISA warns of more Palo Alto Networks bugs exploited in attacks
• Nov. 14, 2024 - PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover
• Oct. 11, 2024 - CVE-2024-9465 (CVSS 9.2) SQLi Flaw in Palo Alto Expedition Revealed: Full Exploit & PoC Published
• Oct. 10, 2024 - CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches
• Oct. 10, 2024 - Palo Alto fixed critical flaws in PAN-OS firewalls that allow for full compromise of the devices
• Oct. 9, 2024 - Palo Alto Networks Issues Fix for Critical Vulnerabilities, Including CVE-2024-9463 (CVSS 9.9)

Back to top ↑

Palo Alto Networks — Expedition

CVE-2024-9463 / Added: Nov. 14, 2024

HIGH CVSS 7.50 EPSS Score 96.23 EPSS Percentile 99.58

Palo Alto Networks Expedition contains an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Headlines

• Nov. 15, 2024 - Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465)
• Nov. 15, 2024 - CISA Flags Critical Palo Alto Network Flaws Actively Exploited in the Wild
• Nov. 15, 2024 - CISA Flags Critical Exploits in Palo Alto Networks' Expedition with Public PoC Code
• Nov. 14, 2024 - CISA warns of more Palo Alto Networks bugs exploited in attacks
• Oct. 10, 2024 - CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches

Back to top ↑

Microsoft — Windows

CVE-2024-49039 / Added: Nov. 12, 2024

HIGH CVSS 8.80 EPSS Score 0.13 EPSS Percentile 48.53

Microsoft Windows Task Scheduler contains a privilege escalation vulnerability that can allow an attacker-provided, local application to escalate privileges outside of its AppContainer, and access privileged RPC functions.

Headlines

• Nov. 13, 2024 - November Patch Tuesday loads up everyone’s plate
• Nov. 13, 2024 - Microsoft Fixes Four More Zero-Days in November Patch Tuesday
• Nov. 13, 2024 - Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
• Nov. 13, 2024 - CISA Adds Five Actively Exploited Vulnerabilities to KEV Catalog
• Nov. 13, 2024 - November delivers a heap of Microsoft patches for admins
• Nov. 13, 2024 - Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days
• Nov. 12, 2024 - 2 Zero-Day Bugs in Microsoft's Nov. Update Under Exploit
• Nov. 12, 2024 - Microsoft Patch Tuesday, November 2024 Edition –
• Nov. 12, 2024 - Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws

Back to top ↑

Metabase — Metabase

CVE-2021-41277 / Added: Nov. 12, 2024

HIGH CVSS 7.50 EPSS Score 97.29 EPSS Percentile 99.90

Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.

Headlines

• Nov. 13, 2024 - CISA Adds Five Actively Exploited Vulnerabilities to KEV Catalog

Back to top ↑

Microsoft — Windows

CVE-2024-43451 / Added: Nov. 12, 2024

MEDIUM CVSS 6.50 EPSS Score 0.47 EPSS Percentile 76.18

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a file open operation. The attacker could then leverage this hash to impersonate that user.

Headlines

• Nov. 14, 2024 - How a Windows zero-day was exploited in the wild for months (CVE-2024-43451)
• Nov. 14, 2024 - Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
• Nov. 14, 2024 - Right-Click to Hack: Zero-Day CVE-2024-43451 Vulnerability Targets Windows Users
• Nov. 13, 2024 - Microsoft patches Windows zero-day exploited in attacks on Ukraine
• Nov. 13, 2024 - November Patch Tuesday loads up everyone’s plate
• Nov. 13, 2024 - Microsoft Fixes Four More Zero-Days in November Patch Tuesday
• Nov. 13, 2024 - Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
• Nov. 13, 2024 - CISA Adds Five Actively Exploited Vulnerabilities to KEV Catalog
• Nov. 13, 2024 - November delivers a heap of Microsoft patches for admins
• Nov. 13, 2024 - Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days
• Nov. 12, 2024 - 2 Zero-Day Bugs in Microsoft's Nov. Update Under Exploit
• Nov. 12, 2024 - Microsoft Patch Tuesday, November 2024 Edition –
• Nov. 12, 2024 - Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws

Back to top ↑

Cisco — Adaptive Security Appliance (ASA)

CVE-2014-2120 / Added: Nov. 12, 2024

MEDIUM CVSS 6.10 EPSS Score 0.25 EPSS Percentile 65.21

Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.

Headlines

• Nov. 13, 2024 - CISA Adds Five Actively Exploited Vulnerabilities to KEV Catalog

Back to top ↑

Atlassian — Jira Server and Data Center

CVE-2021-26086 / Added: Nov. 12, 2024

MEDIUM CVSS 5.30 EPSS Score 97.11 EPSS Percentile 99.83

Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint.

Headlines

• Nov. 13, 2024 - CISA Adds Five Actively Exploited Vulnerabilities to KEV Catalog

Back to top ↑

CVE-2024-43602

CRITICAL CVSS 9.90 EPSS Score 0.05 EPSS Percentile 20.56

Remote Code Execution

Published: Nov. 12, 2024

Azure CycleCloud Remote Code Execution Vulnerability

Quotes

• This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user
• Microsoft lists three of these CVEs as publicly known, but I disagree and put the count at five (more on that later)
• An attacker must first gain access to the system, subsequently running a specifically crafted application to exploit the vulnerability
• Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems

Headlines

• Nov. 13, 2024 - Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
• Nov. 13, 2024 - November delivers a heap of Microsoft patches for admins
• Nov. 13, 2024 - Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days
• Nov. 12, 2024 - November Patch Tuesday release contains three critical remote code execution vulnerabilities
• Nov. 12, 2024 - Microsoft Patch Tuesday, November 2024 Edition –

CVE-2024-43498

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 40.25

Remote Code Execution

Published: Nov. 12, 2024

.NET and Visual Studio Remote Code Execution Vulnerability

Quotes

• CSAF files are meant to be consumed by computers more so than by humans
• This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user
• Microsoft lists three of these CVEs as publicly known, but I disagree and put the count at five (more on that later)
• To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024
• An attacker must first gain access to the system, subsequently running a specifically crafted application to exploit the vulnerability
• Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems

Headlines

• Nov. 13, 2024 - Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
• Nov. 13, 2024 - November delivers a heap of Microsoft patches for admins
• Nov. 13, 2024 - Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days
• Nov. 12, 2024 - November Patch Tuesday release contains three critical remote code execution vulnerabilities
• Nov. 12, 2024 - 2 Zero-Day Bugs in Microsoft's Nov. Update Under Exploit
• Nov. 12, 2024 - Microsoft Patch Tuesday, November 2024 Edition –
• Nov. 12, 2024 - Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)

CVE-2024-5910

CRITICAL CVSS 9.80 EPSS Score 97.10 EPSS Percentile 99.83

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: July 10, 2024

Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.

Vendors Impacted: Paloaltonetworks, Palo Alto Networks

Product Impacted: Expedition

Quotes

• May be under limited, targeted exploitation
• If the management interface access is restricted to IPs, the risk of exploitation is greatly limited, as any potential attack would first require privileged access to those IPs. CVSS for this scenario is 7.5 High
• Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system
• Although [Binding Operational Directive (BOD) 22-01] only applies to [Federal Civilian Executive Branch] agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice

Headlines

• Nov. 15, 2024 - Palo Alto Networks Confirms New Zero-Day Being Exploited by Threat Act
• Nov. 15, 2024 - Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465)
• Nov. 15, 2024 - U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
• Nov. 15, 2024 - CISA Flags Critical Palo Alto Network Flaws Actively Exploited in the Wild
• Nov. 14, 2024 - CISA warns of more Palo Alto Networks bugs exploited in attacks
• Nov. 11, 2024 - THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 - Nov 10)
• Nov. 10, 2024 - Week in review: Zero-click flaw in Synology NAS devices, Google fixes exploited Android vulnerability

CVE-2024-43639

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 40.25

Remote Code Execution

Published: Nov. 12, 2024

Windows KDC Proxy Remote Code Execution Vulnerability

Quotes

• CSAF files are meant to be consumed by computers more so than by humans
• This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user
• To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024
• An attacker must first gain access to the system, subsequently running a specifically crafted application to exploit the vulnerability

Headlines

• Nov. 13, 2024 - Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
• Nov. 13, 2024 - November delivers a heap of Microsoft patches for admins
• Nov. 12, 2024 - November Patch Tuesday release contains three critical remote code execution vulnerabilities
• Nov. 12, 2024 - 2 Zero-Day Bugs in Microsoft's Nov. Update Under Exploit
• Nov. 12, 2024 - Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)

CVE-2024-9465

CRITICAL CVSS 9.10 EPSS Score 94.77 EPSS Percentile 99.35

CISA Known Exploited Public Exploits Available

Published: Oct. 9, 2024

An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Vendors Impacted: Paloaltonetworks, Palo Alto Networks

Product Impacted: Expedition

Quotes

• Aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465
• Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, as well as write arbitrary files to temporary storage locations on the Expedition system
• Although [Binding Operational Directive (BOD) 22-01] only applies to [Federal Civilian Executive Branch] agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice

Headlines

• Nov. 15, 2024 - Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465)
• Nov. 15, 2024 - U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
• Nov. 15, 2024 - CISA Flags Critical Palo Alto Network Flaws Actively Exploited in the Wild
• Nov. 15, 2024 - CISA Flags Critical Exploits in Palo Alto Networks' Expedition with Public PoC Code
• Nov. 14, 2024 - CISA warns of more Palo Alto Networks bugs exploited in attacks
• Nov. 14, 2024 - PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover

CVE-2024-49039

HIGH CVSS 8.80 EPSS Score 0.13 EPSS Percentile 48.53

CISA Known Exploited

Published: Nov. 12, 2024

Windows Task Scheduler Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1809, Windows 10 1507, Windows 11 23h2, Windows Server 2022, Windows Server 2022 23h2, Windows 10 1607, Windows 10 21h2, Windows Server 2019, Windows 11 22h2, Windows 10 22h2, Windows 11 24h2, Windows Server 2016, Windows, Windows Server 2025

Quotes

• CSAF files are meant to be consumed by computers more so than by humans
• This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user
• Microsoft lists three of these CVEs as publicly known, but I disagree and put the count at five (more on that later)
• To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024
• An attacker must first gain access to the system, subsequently running a specifically crafted application to exploit the vulnerability
• Authentication bypass by assumed-immutable data on airlift.microsoft.com allow[ed] an authorized attacker to elevate privileges over a network
• Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems
• This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems

Headlines

• Nov. 13, 2024 - November Patch Tuesday loads up everyone’s plate
• Nov. 13, 2024 - Microsoft Fixes Four More Zero-Days in November Patch Tuesday
• Nov. 13, 2024 - Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
• Nov. 13, 2024 - CISA Adds Five Actively Exploited Vulnerabilities to KEV Catalog
• Nov. 13, 2024 - November delivers a heap of Microsoft patches for admins
• Nov. 13, 2024 - Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days
• Nov. 12, 2024 - 2 Zero-Day Bugs in Microsoft's Nov. Update Under Exploit
• Nov. 12, 2024 - Microsoft Patch Tuesday, November 2024 Edition –
• Nov. 12, 2024 - Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws

CVE-2024-49019

HIGH CVSS 7.80 EPSS Score 0.04 EPSS Percentile 10.16

Risk Context N/A

Published: Nov. 12, 2024

Active Directory Certificate Services Elevation of Privilege Vulnerability

Quotes

• CSAF files are meant to be consumed by computers more so than by humans
• This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user
• To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024
• Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems
• This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems

Headlines

• Nov. 13, 2024 - Microsoft Fixes Four More Zero-Days in November Patch Tuesday
• Nov. 13, 2024 - Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
• Nov. 12, 2024 - 2 Zero-Day Bugs in Microsoft's Nov. Update Under Exploit
• Nov. 12, 2024 - Microsoft Patch Tuesday, November 2024 Edition –
• Nov. 12, 2024 - Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws

CVE-2017-0199

HIGH CVSS 7.80 EPSS Score 97.50 EPSS Percentile 99.99

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: April 12, 2017

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

Vendors Impacted: Philips, Microsoft

Products Impacted: Office And Wordpad, Windows Vista, Intellispace Portal, Windows Server 2012, Office, Windows Server 2008, Windows 7

Quotes

• Provides purchases with a wide range of advanced features to remotely control computers belonging to the buyer
• Remcos is a commercial RAT… however, threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious acts
• Its code is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, to protect itself from detection and analysis
• The malicious code performs process hollowing to put itself into a newly created Vaccinerende.exe process (copied from dllhost.exe). To do this, it calls the API CreateProcessInternalW() with CreatFlags of CREATE_SUSPENDED (0x4), which will suspend the new process after it is created. It then calls some related APIs to transfer all the malicious code to the new process and run it

Headlines

• Nov. 11, 2024 - Revamped Remcos RAT Deployed Against Microsoft Users
• Nov. 11, 2024 - New Remcos RAT Variant Targets Windows Users Via Phishing
• Nov. 11, 2024 - A new fileless variant of Remcos RAT observed in the wild
• Nov. 11, 2024 - A new fileless variant of Remcos RAT observed in the wild –
• Nov. 11, 2024 - Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware
• Nov. 11, 2024 - Researcher Uncovers New Phishing Campaign Deploying Remcos RAT with Advanced Evasion Techniques

CVE-2024-49040

HIGH CVSS 7.50 EPSS Score 0.05 EPSS Percentile 19.09

Actively Exploited Remote Code Execution

Published: Nov. 12, 2024

Microsoft Exchange Server Spoofing Vulnerability

Quotes

• CSAF files are meant to be consumed by computers more so than by humans
• The problem is that SMTP servers parse the recipient address differently, which leads to email spoofing
• This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user
• Authentication bypass by assumed-immutable data on airlift.microsoft.com allow[ed] an authorized attacker to elevate privileges over a network
• We are continuing the investigation and are working on a permanent fix to address this issue. We will release it when ready. We have also paused the rollout of November 2024 SU to Windows / Microsoft Update
• Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems
• This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems

Headlines

• Nov. 15, 2024 - Microsoft pulls Exchange security updates over mail delivery issues
• Nov. 13, 2024 - November Patch Tuesday loads up everyone’s plate
• Nov. 13, 2024 - Microsoft Fixes Four More Zero-Days in November Patch Tuesday
• Nov. 12, 2024 - 2 Zero-Day Bugs in Microsoft's Nov. Update Under Exploit
• Nov. 12, 2024 - Microsoft Patch Tuesday, November 2024 Edition –
• Nov. 12, 2024 - Microsoft Exchange adds warning to emails abusing spoofing flaw
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws

CVE-2024-43451

MEDIUM CVSS 6.50 EPSS Score 0.47 EPSS Percentile 76.18

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Nov. 12, 2024

NTLM Hash Disclosure Spoofing Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1809, Windows Server 2016, Windows 10 1507, Windows 11 23h2, Windows Server 2022, Windows Server 2022 23h2, Windows 10 1607, Windows Server 2012, Windows 10 21h2, Windows Server 2019, Windows 11 22h2, Windows 10 22h2, Windows 11 24h2, Windows Server 2008, Windows, Windows Server 2025

Quotes

• CSAF files are meant to be consumed by computers more so than by humans
• The malicious files were downloaded from an official Ukrainian government site
• This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user
• When the user interacts with the URL file by right-clicking, deleting, or moving it, the vulnerability is triggered
• Microsoft lists three of these CVEs as publicly known, but I disagree and put the count at five (more on that later)
• To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024
• An attacker must first gain access to the system, subsequently running a specifically crafted application to exploit the vulnerability
• Authentication bypass by assumed-immutable data on airlift.microsoft.com allow[ed] an authorized attacker to elevate privileges over a network
• Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability
• On Windows 7, 8, and 8.1, the file did not initiate communication when dragged or deleted, unless the target folder was open at the time of dragging (this did not happen on the first attempt but was observed only after 2-3 attempts)
• Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems
• This vulnerability is particularly effective in phishing scenarios, where users might be deceived into interacting with malicious files. Once NTLM hashes are obtained, attackers can combine them with other network vulnerabilities to extend their access and compromise additional systems

Headlines

• Nov. 14, 2024 - How a Windows zero-day was exploited in the wild for months (CVE-2024-43451)
• Nov. 14, 2024 - Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
• Nov. 14, 2024 - Right-Click to Hack: Zero-Day CVE-2024-43451 Vulnerability Targets Windows Users
• Nov. 13, 2024 - Microsoft patches Windows zero-day exploited in attacks on Ukraine
• Nov. 13, 2024 - November Patch Tuesday loads up everyone’s plate
• Nov. 13, 2024 - Microsoft Fixes Four More Zero-Days in November Patch Tuesday
• Nov. 13, 2024 - Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs
• Nov. 13, 2024 - CISA Adds Five Actively Exploited Vulnerabilities to KEV Catalog
• Nov. 13, 2024 - November delivers a heap of Microsoft patches for admins
• Nov. 13, 2024 - Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days
• Nov. 12, 2024 - 2 Zero-Day Bugs in Microsoft's Nov. Update Under Exploit
• Nov. 12, 2024 - Microsoft Patch Tuesday, November 2024 Edition –
• Nov. 12, 2024 - Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws
• Nov. 12, 2024 - Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws