We’re looking at a relatively large patch drop this month, with 118 vulnerabilities addressed in the October Patch Tuesday release. Of those, 117 CVEs were issued by Microsoft, and one, affecting curl, was issued by HackerOne. The one most likely to catch everyone’s attention is the vulnerability in Microsoft Configuration Manager, CVE-2024-43468, since Microsoft rates it Critical and it carries a CVSS 3.1 base score of 9.8.
According to Microsoft, an unauthenticated attacker could send crafted, malicious requests to execute commands on the server and/or the underlying database. Thankfully, Microsoft assesses exploitation as less likely, and there is no evidence that this vulnerability has been publicly disclosed or exploited. Unfortunately, remediating it is not as simple as installing a patch.
Remediation requires installing an in-console update: administrators sign in to the Configuration Manager console and select the individual updates they want to install from the Updates and Servicing node. That process does not update secondary sites; a separate manual procedure, detailed in the KB article, must be performed for each secondary site. Steps like this are easy to overlook, and that is exactly how vulnerable systems linger inside an enterprise.
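A practical way to catch the overlooked step is to compare every secondary site's version against its parent after the in-console update has finished. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes the ConfigurationManager module that ships with the console is present, and the site code and SMS Provider host name are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): flag secondary sites whose version
# lags their parent after an in-console update has been applied.
# Assumptions: ConfigurationManager module installed with the console, and the
# $SiteCode / $ProviderMachineName values below are replaced with your own.
param(
    [string]$SiteCode            = 'PS1',                # assumption: your primary site code
    [string]$ProviderMachineName = 'cm01.corp.example'   # assumption: your SMS Provider host
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName | Out-Null
}
Set-Location "$($SiteCode):\"

# Get-CMSite returns SMS_Site objects for the whole hierarchy.
# SMS_Site.Type: 1 = secondary, 2 = primary, 4 = central administration site.
$sites   = Get-CMSite
$bySite  = @{}
foreach ($s in $sites) { $bySite[$s.SiteCode] = $s }

$report = foreach ($s in $sites | Where-Object { $_.Type -eq 1 }) {
    # ReportingSiteCode is the parent (primary) site of a secondary site.
    $parent = $bySite[$s.ReportingSiteCode]
    [pscustomobject]@{
        SiteCode      = $s.SiteCode
        ServerName    = $s.ServerName
        Version       = $s.Version
        BuildNumber   = $s.BuildNumber
        ParentSite    = $parent.SiteCode
        ParentVersion = $parent.Version
        # A secondary still on an older version than its parent has not been upgraded.
        NeedsUpgrade  = ([version]$s.Version -lt [version]$parent.Version)
    }
}

$report | Sort-Object NeedsUpgrade -Descending | Format-Table -AutoSize
```

Run it from a console host after the in-console update has completed on the primary (or CAS). Any row with NeedsUpgrade set to True is a secondary site the update did not touch; the upgrade itself is then started with the manual procedure the KB describes (the Upgrade action on that secondary site in the console). Comparing against the parent's version rather than a hard-coded build number keeps the check valid for future in-console updates as well.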
Microsoft is also patching five publicly disclosed vulnerabilities today, two of which have seen active exploitation: CVE-2024-43573, a spoofing vulnerability in the MSHTML platform, and CVE-2024-43572, a remote code execution vulnerability in Microsoft Management Console that is triggered by opening an untrusted, malicious Microsoft Saved Console (.msc) file. The remaining three are publicly disclosed but not yet known to be exploited: CVE-2024-6197, a vulnerability in curl; CVE-2024-20659, a security feature bypass in Hyper-V; and CVE-2024-43583, an elevation of privilege in Winlogon.
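Since the MMC bug is triggered by a user opening an .msc file that came from outside the organization, a quick hunt across endpoints is to look for .msc files carrying a Mark-of-the-Web (the Zone.Identifier alternate data stream with ZoneId 3 for Internet or 4 for Restricted Sites) in the places downloads and mail attachments land. The PowerShell below is an added example, not code from the original post or from Microsoft; the set of directories searched is an assumption you would tune to your environment.

```powershell
# Added example (not from the original post): hunt for Microsoft Saved Console
# (.msc) files that arrived from the Internet, judged by their Mark-of-the-Web.
# Assumption: the per-user folders below are where downloads and attachments land
# in your environment; adjust as needed. Run elevated to read every profile.
$profileRoots = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue
$searchDirs = foreach ($p in $profileRoots) {
    Join-Path $p.FullName 'Downloads'
    Join-Path $p.FullName 'Desktop'
    Join-Path $p.FullName 'AppData\Local\Temp'
}

$hits = foreach ($dir in $searchDirs | Where-Object { Test-Path -LiteralPath $_ }) {
    Get-ChildItem -LiteralPath $dir -Filter '*.msc' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The Zone.Identifier stream is only present on files that were tagged
        # by the browser/mail client that wrote them.
        $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $ads) { return }

        $zone = $null; $source = @()
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d+)')            { $zone = [int]$Matches[1] }
            if ($line -match '^(HostUrl|ReferrerUrl)=')  { $source += $line }
        }
        [pscustomobject]@{
            Path      = $_.FullName
            ZoneId    = $zone            # 3 = Internet, 4 = Restricted Sites
            Source    = ($source -join '; ')
            LastWrite = $_.LastWriteTime
        }
    }
}

# Only zones 3 and 4 are interesting; zones 0-2 are local or intranet sources.
$hits | Where-Object { $_.ZoneId -ge 3 } |
    Sort-Object LastWrite -Descending |
    Format-Table -AutoSize
```

Two caveats a responder should keep in mind. First, a clean result is not proof of safety: the Mark-of-the-Web is applied only by software that chooses to write it, and some archive tools do not propagate it to extracted files, so an .msc pulled out of a zip may carry no zone at all. Second, this is a hunt for exposure, not a mitigation; the fix for CVE-2024-43572 is the October update itself.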
The Winlogon vulnerability concerns the use of third-party Input Method Editors (IMEs) at the Windows sign-in screen. Microsoft has released a detailed KB describing what has changed and how it affects sign-in, which should be reviewed if a third-party IME is in use at the Windows logon screen.
Thankfully, for the Hyper-V vulnerability, several conditions make exploitation less likely. Microsoft indicates that only certain hardware is affected; on that hardware the flaw could allow a UEFI bypass leading to a compromise of the hypervisor, but exploiting it requires the system to be rebooted and the attacker to already have access to the local network. Microsoft has set the CVSS Attack Vector to the rarely seen Adjacent value, meaning the attack must originate from the same physical or logical network segment as the target.