This month everyone is going to be talking about CVE-2024-30051, since it is known to be exploited by QakBot and other malware. This is an update that should be applied as soon as possible, given the nature of the vulnerability and the fact that real-world exploitation has been confirmed.
Given this information, it was surprising to me that Microsoft’s announcement only indicated that the monthly SharePoint patch was Critical due to CVE-2024-30044, and everything else, including CVE-2024-30051, was considered Important.
It is worth talking about the SharePoint vulnerability since it is on Microsoft’s Critical list this month. The vulnerability requires an attacker with Site Owner permissions. Someone who holds Site Owner permissions is likely already in a position of trust, as that role grants a significant amount of access, including the ability to edit the site, add users, edit both site and user settings, and delete the entire site. This trusted user could upload a malicious file to the SharePoint server and use an API call to trigger a deserialization attack, executing code in the context of the server.
Something that I found interesting this month was the lack of vulnerabilities with a CVSSv3.1 score of 9.0 or higher. There were 7 vulnerabilities this month with a score of 8.8, but nothing above that. Under the CVSS qualitative severity rating scale, an 8.8 would be a High, yet Microsoft has rated one of these as Critical and the rest as Important. Note: Important severity for Microsoft is equivalent to CVSS’s High severity.
Given Microsoft’s own definitions, I’m surprised to see that the QakBot exploited vulnerability only rated an Important, while the SharePoint vulnerability was deemed Critical. I would love to see more of an explanation of that difference, but it seems unlikely that we’ll ever get one.