Microsoft Patch Tuesday December 2024


As part of this month's Patch Tuesday, Microsoft addresses 70 CVEs, 16 of them rated critical, including one zero-day that was exploited in the wild.

The number of bugs in each vulnerability category is listed below:

  • 27 Elevation of Privilege Vulnerabilities
  • 30 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 1 Spoofing Vulnerability

Windows LDAP Remote Code Execution

The most severe flaw addressed by Microsoft is a Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability tracked as CVE-2024-49112 (CVSS score of 9.8).

A remote, unauthenticated attacker could exploit the flaw by sending a specially crafted set of LDAP calls. Successful exploitation gives the attacker arbitrary code execution within the context of the LDAP service.

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2024-49138, with a CVSS score of 7.8, is an Elevation of Privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) Driver. Notably, it was exploited in the wild as a zero-day, though detailed information about the specific nature of this exploitation was not available at the time of reporting.

In addition to CVE-2024-49138, Microsoft addressed two other EoP vulnerabilities in the CLFS driver: CVE-2024-49090 and CVE-2024-49088. Both of these vulnerabilities also received a CVSSv3 score of 7.8 and were assessed as “Exploitation More Likely.”

This marks the ninth vulnerability in the Windows CLFS driver to be patched in 2024 and the first to be exploited as a zero-day this year. The previous year, 2023, saw ten CLFS vulnerabilities patched, including two zero-day vulnerabilities that were actively exploited (CVE-2023-28252 and CVE-2023-23376).

The CLFS driver has become a popular target for attackers, particularly ransomware operators, who have exploited these vulnerabilities to gain elevated privileges and control over affected systems. This trend underscores the critical importance of maintaining up-to-date security patches and monitoring systems for signs of potential exploitation.

Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2024-49070, with a CVSSv3 score of 7.4, is a Remote Code Execution (RCE) vulnerability in Microsoft SharePoint. According to Microsoft’s advisory, the complexity of exploiting this vulnerability is high, requiring the attacker to prepare the target environment to improve the reliability of an exploit. Despite the lack of detailed information, Microsoft has assessed this vulnerability as “Exploitation More Likely.”

In addition to CVE-2024-49070, Microsoft has addressed several other vulnerabilities in Microsoft SharePoint:

  1. CVE-2024-49062: An Information Disclosure vulnerability with a CVSSv3 score of 6.5. This vulnerability could potentially expose sensitive information to unauthorized users.
  2. CVE-2024-49064: Another Information Disclosure vulnerability, also with a CVSSv3 score of 6.5, posing similar risks.
  3. CVE-2024-49068: An Elevation of Privilege (EoP) vulnerability, which could allow attackers to gain higher privileges on the affected system. This vulnerability has also been rated as important and assessed as “Exploitation More Likely.”

Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

CVE-2024-49118 and CVE-2024-49122 are Remote Code Execution (RCE) vulnerabilities identified in Microsoft Message Queuing (MSMQ). Both vulnerabilities have been assigned a CVSSv3 score of 8.1. Successful exploitation of these vulnerabilities requires the attacker to win a race condition. Despite this requirement, Microsoft has assessed CVE-2024-49122 as “Exploitation More Likely,” while CVE-2024-49118 was assessed as “Exploitation Less Likely.” The distinction arises from the fact that for CVE-2024-49118, the race condition must occur “during the execution of a specific operation that recurs infrequently on the target system.”

For a system to be vulnerable, the MSMQ service must be added and enabled. If the service is enabled on a Windows installation, the “Message Queuing” service will be running on TCP port 1801.
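To check this condition on a given host, the following PowerShell function reports whether the Message Queuing service is installed, running, and listening on TCP port 1801. It is an added example, not code from the original article or from Microsoft; the function name `Get-MsmqExposure` and its output fields are made up for illustration, and it assumes the service name `MSMQ` and the built-in `Get-Service` and `Get-NetTCPConnection` cmdlets.

```powershell
# Added example: local check for the MSMQ condition described above.
# Function name and output fields are made up for this illustration.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801  # TCP port the article gives for the service
    )

    # Assumption: 'MSMQ' is the service name behind "Message Queuing".
    # No such service means the feature was never added to this host.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Sockets in LISTEN state on the port, whichever process owns them.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    # A wildcard bind (0.0.0.0 or ::) accepts connections on every interface.
    $wildcard = @($listeners | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' })

    # Resolve owning process names so an unexpected listener stands out.
    $owners = @($listeners | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Sort-Object -Unique)

    $running = $svc -and $svc.Status -eq 'Running'
    $verdict = if (-not $svc) {
        'MSMQ not installed'
    } elseif ($running -and $listeners.Count -gt 0) {
        'MSMQ enabled and listening on the port'
    } elseif ($running) {
        'MSMQ running but no listener found on the port'
    } else {
        'MSMQ installed but not running'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ServiceStatus  = if ($svc) { $svc.Status } else { 'NotInstalled' }
        StartType      = if ($svc) { $svc.StartType } else { $null }
        Port           = $Port
        Listening      = $listeners.Count -gt 0
        AllInterfaces  = $wildcard.Count -gt 0
        OwningProcess  = $owners -join ', '
        Verdict        = $verdict
    }
}

Get-MsmqExposure | Format-List
```

Hosts that report the service as enabled and listening are the ones where the MSMQ fixes in this release apply; where the service is not needed, removing the feature takes the host out of scope for this vulnerability class.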

In 2024 alone, there have been six RCE vulnerabilities affecting MSMQ that were patched. This includes one addressed in the June Patch Tuesday (CVE-2024-30080), two addressed in the April Patch Tuesday (CVE-2024-26232 and CVE-2024-26208), and one addressed in the February Patch Tuesday (CVE-2024-21363).

Windows Remote Desktop Services Remote Code Execution Vulnerability

CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, and CVE-2024-49132 are Remote Code Execution (RCE) vulnerabilities affecting Windows Remote Desktop Services. Each of these vulnerabilities has been rated as critical and assigned a CVSSv3 score of 8.1. The complexity of successful exploitation is high, as it requires an attacker to trigger a race condition to create a use-after-free scenario, which could potentially lead to arbitrary code execution. Due to the high complexity involved in the exploitation, Microsoft has assessed these vulnerabilities as “Exploitation Less Likely.”

In addition to these nine critical RCE vulnerabilities, Microsoft has also addressed CVE-2024-49075, a Denial of Service (DoS) vulnerability affecting Remote Desktop Services. While not rated as critical, this DoS vulnerability still poses a significant threat by potentially disrupting service availability.
