Expert Analysis: Satnam Narang from Tenable Discusses November 2024 Patch Tuesday
“CVE-2024-43451 is a spoofing vulnerability in all supported versions of Microsoft Windows that was exploited in the wild. When exploited, it reveals a user’s NTLMv2 hash, which an attacker can use to authenticate to a system using a technique called pass-the-hash. To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024. In February, Microsoft patched CVE-2024-21410 in Microsoft Exchange Server and CVE-2024-38021 in Microsoft Office in July. Both of these flaws were higher in severity (based on CVSS scores) compared to CVE-2024-43451. While we don’t have insight into the in-the-wild exploitation of CVE-2024-43451 at this time, one thing is certain: attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems.
“CVE-2024-49039 is a vulnerability in the Windows Task Scheduler. This vulnerability is only exploitable when an authenticated attacker on a vulnerable system opens a malicious application. Once exploited, an attacker can elevate their privileges and gain access to resources that would otherwise be unavailable to them as well as execute code, such as remote procedure call (RPC) functions. Whenever I see a zero-day privilege escalation vulnerability that was exploited in the wild, I typically conclude that it’s likely part of a targeted attack of some sort. Once again, we don’t have much insight into the in-the-wild exploitation of this flaw, though we know that this flaw is attributed to multiple individuals, including members of Google’s Threat Analysis Group (TAG). Based on this attribution, we can infer that there is some advanced persistent threat (APT) or nation-state aligned activity associated with the zero-day exploitation of this flaw.
“There were two other zero-day vulnerabilities patched this month – CVE-2024-49019, an elevation of privilege flaw in Active Directory Certificate Services (AD CS), and CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server. CVE-2024-49019 is considered more likely to be exploited and has to do with the configuration of version 1 certificate templates being overly permissive. We don’t have much insight into CVE-2024-49040, but we do know that there’s potential for spoofing attacks against Microsoft Exchange Server due to the implementation of email header verification of P2 FROM.
“The highest rated vulnerability in this month’s release is CVE-2024-43602, a remote code execution flaw in Microsoft’s Azure CycleCloud, which is a tool that helps in managing and orchestrating the High Performance Computing (HPC) environments in Azure. A user with the most basic permission could exploit CVE-2024-43602 to gain root level privileges. Ease of exploitation was as simple as sending a request to a vulnerable AzureCloud CycleCloud cluster that would modify its configuration. As organizations continue to shift into utilizing cloud resources, the attack surface widens as a result. Therefore, it’s extremely valuable when there is a way to gain insight into what that attack surface looks like, so assigning CVEs to cloud vulnerabilities is extremely valuable.” — Satnam Narang, Sr. Staff Research Engineer, Tenable