The three CVSS 9.8 vulnerabilities in this month's patch drop are likely to be the first thing that catches anyone's attention. All three are remote, unauthenticated code execution, the type of vulnerability we would previously have described as "wormable."
All three only apply to specific configurations, so each has a mitigation available if you are unable to patch immediately: the affected component can be disabled on hosts that do not need it.
CVE-2024-38063 allows an unauthenticated attacker to send IPv6 packets that could lead to code execution. A system that is not running IPv6 is not vulnerable, so disabling IPv6 on hosts that do not need it is the mitigation. Because IPv6 is enabled by default on Windows, this vulnerability likely presents the most risk to enterprises of the three CVSS 9.8 issues.
CVE-2024-38140 allows an unauthenticated attacker to send packets to a program listening on a Pragmatic General Multicast (PGM) port. PGM must be installed, enabled, and a program that listens on a PGM port must be installed and listening to be vulnerable. This should minimize the risk of exploitation for most enterprises.
CVE-2024-38199 is the third vulnerability that allows an unauthenticated attacker to execute code remotely. In this case, the deprecated Line Printer Daemon (LPD) service must be enabled. Most organizations should not have this running, although it is worth reviewing legacy servers to ensure they don’t have the service enabled. This vulnerability has been publicly disclosed, so there are likely already details floating around for attackers to review.
In total, 10 of the vulnerabilities patched today have already been exploited or publicly disclosed. According to Microsoft the split is 6 exploited and 4 publicly disclosed, so 6 of today's CVEs are 0-days that should be dealt with as soon as possible. They affect the Scripting Engine, WinSock, SmartScreen, the Windows Kernel, the Windows Power Dependency Coordinator, and Microsoft Project.
Between the number of 0-days and the number of remote, unauthenticated code execution vulnerabilities, this is a month where patching should take a little bit more priority than it usually does. I think that it is critical that cumulative updates are applied as quickly as possible and that mitigations are reviewed and implemented wherever that isn’t possible.
There are a large number of standards, benchmarks, and frameworks that recommend limiting your network footprint and reducing / removing unused services and features. Today’s mitigations for the three CVSS 9.8 remote, unauthenticated code execution vulnerabilities are a good reminder of why that step is so important in the world of compliance.
If you do not use IPv6, LPD, or PGM but have them enabled within your environment, this would be a great time to plan a project that reviews the network footprint of all devices and ensures that unused services and features are disabled to limit risk within your organization.
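As a starting point for that footprint review, and for applying the three mitigations described above, here is an added PowerShell example (not code from the original post or from Microsoft) that audits a single Windows host for the configurations that make CVE-2024-38063, CVE-2024-38140 and CVE-2024-38199 reachable, and can optionally disable them. The feature and service names it checks are assumptions to verify in your own environment: the PGM provider (RMCAST) is taken to ship with the optional feature "MSMQ-Multicasting" and to register "MSAFD Pgm" entries in the Winsock catalog, and LPD is taken to be the optional feature "Printing-LPDPrintService" running as the service "LPDSVC".

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Audits one host for the three
# exposures behind CVE-2024-38063 (IPv6), CVE-2024-38140 (PGM) and
# CVE-2024-38199 (LPD). Feature/service names below are assumptions to verify.

function Get-IPv6Exposure {
    # CVE-2024-38063: the host processes IPv6 when the ms_tcpip6 binding is
    # enabled on any adapter (the default on Windows).
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object Enabled |
        ForEach-Object {
            [pscustomobject]@{ CVE = 'CVE-2024-38063'; Finding = "IPv6 bound on adapter '$($_.Name)'" }
        }
}

function Get-PgmExposure {
    # CVE-2024-38140: PGM is only reachable if the RMCAST provider is installed.
    # Assumption: it appears in the Winsock catalog as "MSAFD Pgm ...".
    $catalog = netsh winsock show catalog 2>$null
    if ($catalog -match 'Pgm') {
        [pscustomobject]@{ CVE = 'CVE-2024-38140'; Finding = 'PGM provider present in Winsock catalog' }
    }
    # Assumption: the feature that installs it is MSMQ-Multicasting.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicasting -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        [pscustomobject]@{ CVE = 'CVE-2024-38140'; Finding = 'Windows feature MSMQ-Multicasting enabled' }
    }
    # PGM sockets are neither TCP nor UDP, so Get-NetTCPConnection cannot show a
    # listener. Treat an installed provider as exposure and confirm with the app owner.
}

function Get-LpdExposure {
    # CVE-2024-38199: the deprecated LPD service. Assumption: service name LPDSVC.
    $svc = Get-Service -Name LPDSVC -ErrorAction SilentlyContinue
    if ($svc) {
        [pscustomobject]@{ CVE = 'CVE-2024-38199'; Finding = "LPDSVC service present (status: $($svc.Status))" }
    }
    # LPD listens on TCP/515; a listener there is exposure whatever the service name.
    if (Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ CVE = 'CVE-2024-38199'; Finding = 'TCP/515 is listening' }
    }
}

function Get-PatchTuesdayExposure {
    param(
        # Only use -Remediate on hosts confirmed not to need IPv6, PGM or LPD.
        [switch]$Remediate
    )
    $findings = @(Get-IPv6Exposure) + @(Get-PgmExposure) + @(Get-LpdExposure)
    if (-not $Remediate) { return $findings }

    foreach ($f in $findings | Sort-Object CVE -Unique) {
        switch ($f.CVE) {
            'CVE-2024-38063' {
                # Unbind IPv6 per adapter; this is a stopgap until the update is applied
                # and can break features that rely on IPv6 (for example DirectAccess).
                Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled |
                    ForEach-Object { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }
            }
            'CVE-2024-38140' {
                Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicasting -NoRestart | Out-Null
            }
            'CVE-2024-38199' {
                if (Get-Service -Name LPDSVC -ErrorAction SilentlyContinue) {
                    Stop-Service -Name LPDSVC -Force
                    Set-Service -Name LPDSVC -StartupType Disabled
                }
                Disable-WindowsOptionalFeature -Online -FeatureName Printing-LPDPrintService -NoRestart | Out-Null
            }
        }
    }
    # Re-audit so the caller sees what is still exposed after remediation.
    @(Get-IPv6Exposure) + @(Get-PgmExposure) + @(Get-LpdExposure)
}

# Report only; add -Remediate to disable what was found.
Get-PatchTuesdayExposure | Format-Table -AutoSize
```

Run it elevated. Without `-Remediate` it only reports, which is the mode to use across a fleet first; the IPv6 unbinding in particular is a temporary measure with side effects, so it belongs only on hosts that have been confirmed not to use IPv6, and the cumulative update remains the real fix. On Windows Server the optional feature names may differ from the client names assumed here, so check them with `Get-WindowsOptionalFeature -Online` before relying on the PGM and LPD checks.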