August 2024 – Microsoft Patch Tuesday Highlights


Background

Microsoft’s August 2024 Patch Tuesday release includes security patches for 85 vulnerabilities. These include six actively exploited zero-day vulnerabilities (CVE-2024-38213, CVE-2024-38193, CVE-2024-38189, CVE-2024-38178, CVE-2024-38107, and CVE-2024-38106). Among the updates is a remedy for one of the vulnerabilities associated with a ‘downgrade’ attack (CVE-2024-21302). Six vulnerabilities are classified as Critical, with the remaining 79 rated Important or Moderate.

The Microsoft vulnerabilities of August 2024 are categorized as follows:

Vulnerability Category                   Quantity  Severities
Spoofing Vulnerability                   5         Important: 5
Denial of Service Vulnerability          6         Important: 6
Elevation of Privilege Vulnerability     34        Critical: 1, Important: 33
Information Disclosure Vulnerability     7         Critical: 1, Important: 6
Remote Code Execution Vulnerability      28        Critical: 4, Important: 24
Security Feature Bypass Vulnerability    4         Important: 2
Cross-site Scripting Vulnerability       1         Critical: 1

Critical vulnerabilities:

  • CVE-2024-38159 & CVE-2024-38160 (Windows Network Virtualization RCE):

Developers can send on-demand policy requests to an orchestrator or data center management server using Windows Network Virtualization (WNV). These requests can address events in the virtual machine life cycle, like provisioning and live migration.

The wnv.sys component of Windows Server 2016 contains an unchecked return value that an attacker could exploit. By altering the Memory Descriptor List (MDL) information, an attacker can release a legitimate block that is currently in use or induce unauthorized memory writes. Successful exploitation could result in a critical guest-to-host escape.


  • CVE-2023-40547 (Shim RCE):

A vulnerability exists in the Linux Shim boot loader. Under certain conditions, successful exploitation could expose sensitive data, cause a crash or denial of service, or lead to remote code execution.


  • CVE-2024-38063 (Windows TCP/IP RCE):

The industry-standard protocol suite known as Transmission Control Protocol/Internet Protocol (TCP/IP) was created for large networks made up of network segments connected by routers. The primary set of protocols used on the Internet is TCP/IP.

Remote code execution may result from an unauthenticated attacker sending specially crafted IPv6 packets to a Windows computer.


  • CVE-2024-38140 (RMCAST RCE):

A computer networking technique called reliable multicast transport makes sure that all intended recipients receive messages precisely and in the right order when they are sent from one sender to several receivers in a distributed system.

An unauthenticated attacker could exploit the vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast (PGM) open socket on the server. No user interaction is required.


  • CVE-2024-38166 (Microsoft Dynamics 365 XSS):

Microsoft Dynamics 365 is an integrated suite of customer relationship management and enterprise resource planning software. On a single platform, it integrates several different services, including project service automation, operations, finance, field service, sales, and customer support.


Improper input neutralization during web page generation in Microsoft Dynamics 365 allows an unauthenticated attacker to perform spoofing over a network. To exploit the vulnerability, the attacker needs to persuade a victim to click on a link.


  • CVE-2024-38206 (Microsoft Copilot Studio Information Disclosure Vulnerability):

A graphical low-code tool for building and managing copilots is Microsoft Copilot Studio. An AI-powered conversational interface called a copilot is built using large language models (LLMs) and additional information sources.

An authorized attacker can bypass Microsoft Copilot Studio’s Server-Side Request Forgery (SSRF) protection to leak sensitive information over a network.


  • CVE-2024-38109 (Azure Health Bot EoP):

Microsoft Azure Health Bot contains a Server-Side Request Forgery (SSRF) vulnerability that an authorized attacker could exploit. Successful exploitation could allow the attacker to gain elevated privileges over a network.


Severity  CVSS  CVE             Title
Critical  9.8   CVE-2024-38063  Windows TCP/IP Remote Code Execution Vulnerability
Critical  9.8   CVE-2024-38140  Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
Critical  9.1   CVE-2024-38109  Azure Health Bot Elevation of Privilege Vulnerability
Critical  9.1   CVE-2024-38159  Windows Network Virtualization Remote Code Execution Vulnerability
Critical  9.1   CVE-2024-38160  Windows Network Virtualization Remote Code Execution Vulnerability
Critical  8.8   CVE-2023-40547  Redhat: CVE-2023-40547 Shim – RCE in HTTP boot support may lead to secure boot bypass
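The two critical RCEs above that are reachable over the network without user interaction (CVE-2024-38063 via IPv6 packets and CVE-2024-38140 via an open PGM socket) lend themselves to a quick exposure check before the update is rolled out. The following PowerShell is an added example written for this page, not code from the HawkEye post or from Microsoft. It assumes the Reliable Multicast Protocol driver is registered under the name RMCAST, and because the page does not name the cumulative update KB that carries the August fixes, $AugustKB is a placeholder to replace with the KB id for your Windows build.

```powershell
# Added example (not from the HawkEye post): exposure checks for the two
# network-reachable critical RCEs in the August 2024 release. Run in an
# elevated PowerShell session on the host being assessed.
#
# Assumptions:
#   - $AugustKB is a PLACEHOLDER; substitute the KB id of the August 2024
#     cumulative update for this Windows build (not named on the page).
#   - The PGM / Reliable Multicast Protocol kernel driver is registered as
#     'RMCAST' (assumed driver name).

$AugustKB = 'KB0000000'   # PLACEHOLDER: replace with the real KB for this build

function Get-IPv6Exposure {
    # CVE-2024-38063 is reached by sending IPv6 packets, so an adapter with
    # the ms_tcpip6 binding enabled is reachable until the host is patched.
    Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
        Select-Object Name, Enabled
}

function Get-RmcastExposure {
    # CVE-2024-38140 requires an open PGM socket, and PGM is an optional
    # component. If the driver is not even present, the host is not exposed.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'"
    if ($null -eq $drv) {
        return [pscustomobject]@{ Installed = $false; State = 'absent' }
    }
    [pscustomobject]@{ Installed = $true; State = $drv.State }
}

function Test-AugustUpdateInstalled {
    param([string]$KB = $AugustKB)
    # Get-HotFix returns nothing for an unknown KB id.
    $null -ne (Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

# Summarise the three checks into a single object suitable for export.
$patched = Test-AugustUpdateInstalled
$ipv6    = @(Get-IPv6Exposure | Where-Object Enabled)
$rmcast  = Get-RmcastExposure

[pscustomobject]@{
    AugustUpdateInstalled = $patched
    IPv6EnabledAdapters   = ($ipv6 | ForEach-Object Name) -join ', '
    RmcastDriverPresent   = $rmcast.Installed
    RmcastDriverState     = $rmcast.State
    # Exposed only while unpatched AND at least one attack surface is present.
    NeedsAttention        = (-not $patched) -and (($ipv6.Count -gt 0) -or $rmcast.Installed)
}
```

The result object can be piped to Export-Csv across a fleet to rank hosts: an unpatched host with IPv6 enabled on a routed interface should be patched first, while a host with no RMCAST driver and IPv6 bindings disabled carries no exposure to these two bugs until it is patched in the normal cycle.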

Zero-day vulnerabilities:

  • CVE-2024-38178 (Scripting Engine Memory Corruption Vulnerability):

An attacker can exploit the vulnerability by tricking an authenticated user into visiting a specially crafted URL.

CISA confirmed that the vulnerability is being exploited by adding CVE-2024-38178 to its list of known exploited vulnerabilities and advising users to fix it by September 3, 2024.


  • CVE-2024-38193 (Windows Ancillary Function Driver for WinSock EoP):

The Winsock API’s kernel entry point is the Windows Ancillary Function Driver (AFD) for WinSock (afd.sys).

If the vulnerability is properly exploited, the attacker may be able to obtain SYSTEM privileges.

CISA added CVE-2024-38193 to its list of known exploited vulnerabilities and asked users to fix the vulnerability by September 3, 2024, in recognition of the vulnerability’s ongoing exploitation.


  • CVE-2024-38213 (Windows SmartScreen Security Feature Bypass Vulnerability):

Microsoft Defender SmartScreen, sometimes referred to as SmartScreen Filter or Windows SmartScreen, is a cloud-based service that guards against harmful downloads, websites, and programs.

An attacker must send the user a malicious file and persuade them to open it. Successful exploitation allows the attacker to bypass the SmartScreen user experience.

To notify users of the ongoing exploitation of CVE-2024-38213, CISA added the vulnerability to its list of known exploited vulnerabilities and asked that users fix it by September 3, 2024.
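Because CVE-2024-38213 turns on a file that the user opens, the defender-side question is whether SmartScreen is actually enforced and which recently downloaded files would have been subject to it. SmartScreen evaluates files that carry the Mark of the Web, stored as a Zone.Identifier alternate data stream with ZoneId 3 (Internet) or 4 (Restricted). The following PowerShell is an added example written for this page, not code from the HawkEye post or from Microsoft; the download folder and the seven-day window are arbitrary choices, and the registry values read are the standard Windows policy locations for SmartScreen.

```powershell
# Added example (not from the HawkEye post): hardening and triage check around
# the SmartScreen bypass (CVE-2024-38213). Reports whether SmartScreen is
# enforced by policy and lists recent downloads with their Mark-of-the-Web
# ZoneId so that files that arrived without the mark can be reviewed.
#
# Assumptions: $DownloadDir and $Days are arbitrary choices; the registry
# values below are the standard Windows policy locations for SmartScreen.

$DownloadDir = Join-Path $env:USERPROFILE 'Downloads'
$Days        = 7

function Get-SmartScreenPolicy {
    # Both values live under the Windows System policy key when set by GPO/Intune.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableSmartScreen     = $p.EnableSmartScreen      # 1 = enforced; absent = user-configurable
        ShellSmartScreenLevel = $p.ShellSmartScreenLevel  # 'Block' or 'Warn'
    }
}

function Get-ZoneId {
    param([string]$Path)
    # The Zone.Identifier stream is INI-style text; return the ZoneId, or
    # $null when the file carries no Mark of the Web.
    $content = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $content) { return $null }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-RecentDownloads {
    param([string]$Dir, [int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $zone = Get-ZoneId -Path $_.FullName
            [pscustomobject]@{
                File     = $_.Name
                Modified = $_.LastWriteTime
                ZoneId   = $zone
                HasMotW  = ($null -ne $zone -and $zone -ge 3)   # files SmartScreen would evaluate
            }
        }
}

Get-SmartScreenPolicy
Get-RecentDownloads -Dir $DownloadDir -Days $Days |
    Sort-Object HasMotW, Modified |
    Format-Table -AutoSize
```

Files listed with HasMotW set to False never reached SmartScreen at all (for example because they were extracted from an archive or copied from a share), which is the class of file an analyst wants to look at first when hunting for abuse of this bypass; the policy object shows whether a user could have simply turned the check off.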


  • CVE-2024-38106 (Windows Kernel EoP):

The Windows kernel is the central component of the Windows operating system (OS). It performs crucial low-level tasks for the operating system, such as thread scheduling, hardware interrupt routing, and more.

To properly exploit the vulnerability, an attacker needs to win a race condition. If the vulnerability is properly exploited, the attacker may be able to obtain SYSTEM privileges.

To notify users of the ongoing exploitation of CVE-2024-38106, CISA added the vulnerability to its list of known exploited vulnerabilities and asked that users fix it by September 3, 2024.


  • CVE-2024-38189 (Microsoft Project RCE):

Project managers can use Microsoft Project, a project management tool, to help with scheduling, allocating resources to tasks, monitoring progress, controlling costs, and workload analysis.


Two different attack techniques can make use of the vulnerability:

  • Email attack scenario: In this attack, the attacker has to persuade the target user to open a malicious attachment sent to them by email.
  • Web-based attack scenario: In this kind of attack, the attacker designs a malicious file and hosts it on a website.


CISA added CVE-2024-38189 to its list of known exploited vulnerabilities and asked users to fix the vulnerability by September 3, 2024, in recognition of the vulnerability’s ongoing exploitation.


  • CVE-2024-38107 (Windows Power Dependency Coordinator EoP):

Modern Standby has a component called the Power Dependency Coordinator (PDC).

If the exploit is effective, the attacker might be able to obtain SYSTEM privileges.

By adding CVE-2024-38107 to its list of known exploited vulnerabilities and advising users to fix the vulnerability by September 3, 2024, CISA confirmed that the vulnerability was being exploited.

Other vulnerabilities:

  • An elevation of privilege vulnerability in the Windows Common Log File System Driver is identified as CVE-2024-38196. If the exploit is effective, the attacker might be able to obtain SYSTEM privileges.
  • An elevation of privilege vulnerability in Windows Print Spooler is identified as CVE-2024-38198. To take advantage of the vulnerability, an attacker needs to satisfy a race condition. If the vulnerability is successfully exploited, an attacker might be able to obtain SYSTEM rights.
  • An elevation of privilege vulnerability in the Kernel Streaming WOW Thunk Service Driver is identified as CVE-2024-38125. If the vulnerability is successfully exploited, an attacker might be able to obtain SYSTEM rights.
  • A Windows Kernel elevation of privilege vulnerability is identified as CVE-2024-38133. An attacker could exploit the vulnerability by persuading a user to submit a request to a hostile server. If this vulnerability is properly exploited, the attacker may obtain SYSTEM rights.
  • An elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock is identified as CVE-2024-38141. If the vulnerability is successfully exploited, an attacker might be able to obtain SYSTEM rights.
  • An elevation of privilege vulnerability in the Kernel Streaming WOW Thunk Service Driver is identified as CVE-2024-38144. If this vulnerability is properly exploited, the attacker may obtain SYSTEM rights.
  • An elevation of privilege vulnerability in the Microsoft DWM Core Library is identified as CVE-2024-38147. If this vulnerability is properly exploited, the attacker may obtain SYSTEM rights. An attacker has to log into the system in order to take advantage of this vulnerability.
  • A denial-of-service vulnerability in Windows Secure Channel is identified as CVE-2024-38148.
  • An elevation of privilege vulnerability in the Windows DWM Core Library is identified as CVE-2024-38150. If the vulnerability is successfully exploited, an attacker might be able to obtain SYSTEM rights.
  • An elevation of privilege vulnerability in the Windows Update Stack is identified as CVE-2024-38163. If the vulnerability is successfully exploited, an attacker might be able to obtain SYSTEM rights.

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai


© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.