Crowdstrike Holdings Inc.

11/12/2024 | News release | Distributed by Public on 11/12/2024 19:11

November 2024 Patch Tuesday: Four Critical and Three Zero-Days Among 158 Vulnerabilities Patched

Microsoft Discloses Vulnerability within Airlift.microsoft.com

In an effort to provide additional transparency for Microsoft-hosted services, Microsoft has disclosed a Criticalprivilege escalation vulnerability within airlift.microsoft.com (CVE-2024-49056). This vulnerability has been fully mitigated by Microsoft and requires no customer interaction. Microsoft has stated that it is committed to transparency and has created a new classification of vulnerability that requires no customer interaction. More information about this commitment can be found here.

Two Zero-Days in Microsoft Windows

CVE-2024-49019 is an Importantprivilege escalation vulnerability within the Active Directory certificate services platform. This platform is responsible for issuing and managing Public Key Infrastructure (PKI). More information about this service can be found here. This vulnerability can allow an attacker to gain domain administrator privileges. This is one of the highest levels of privilege available in Active Directory. Only certificates generated using a version 1 template with a source of subject name field set to "Supplied in the request" are usable for this attack. In addition, the victim site must have overly broad Enroll permissions. Microsoft recommends removing Autoenroll permissions and auditing sites to ensure least privilege.

CVE-2024-43451 is an Importantspoofing vulnerability within the NTLM handling system in Windows. This vulnerability exposes the victim's NTLM hash to adversaries, allowing them to impersonate the victim. This vulnerability can be exploited by the user selecting (single-clicking), inspecting (right-clicking) or performing some other non-opening action on the malicious file.

Severity CVSS Score CVE Description
Important 7.8 CVE-2024-49019 Active Directory Certificate Services Elevation of Privilege Vulnerability
Important 6.5 CVE-2024-43451 NTLM Hash Disclosure Spoofing Vulnerability

One Zero-Day in Microsoft Exchange Server

CVE-2024-49040 is an Importantspoofing vulnerability in which an attacker can bypass current spoofing protections within Exchange through use of a non-compliant header. This header is responsible for ensuring the integrity of the sender of an email. Once updated, the Exchange server will flag any non-compliant headers as suspicious. Additional information on this vulnerability can be found here.

Severity CVSS Score CVE Description
Important 7.5 CVE-2024-49040 Microsoft Exchange Server Spoofing Vulnerability

Two Critical Vulnerabilities in Microsoft Windows

CVE-2024-43639 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Windows Kerberos and has a CVSS score of 9.8. Successful exploitation of this vulnerability would allow an unauthenticated, remote attacker to use a specially crafted packet to leverage a cryptographic protocol within Windows Kerberos to allow for RCE. Due to the severe nature of this vulnerability, patching should be a high priority.

CVE-2024-43625 is a Criticalprivilege escalation vulnerability within the VMSwitch functionality of Hyper-V with a CVSS score of 8.1. This vulnerability could allow an unprivileged attacker within a low-privileged Hyper-V host to traverse the security boundary to execute code within the Hyper-V execution environment. Notably, Microsoft states that this vulnerability is not within the System Center Virtual Machine Manager. This vulnerability has a high complexity requirement, requiring a significant amount of information about the operating environment of the victim Hyper-V host.

Severity CVSS Score CVE Description
Critical 9.8 CVE-2024-43639 Windows Kerberos Remote Code Execution Vulnerability
Critical 8.1 CVE-2024-43625 Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

One Critical Vulnerability in .Net and Visual Studio Code

CVE-2024-43498 is a Critical remote code execution (RCE) vulnerability affecting Microsoft .Net and Visual Studio Code and has a CVSS score of 9.8. Successful exploitation of this vulnerability would allow an unauthenticated, remote attacker to use a specially crafted request to a vulnerable .Net web app or by loading a specially crafted file into a vulnerable desktop application (Visual Studio Code).

Severity CVSS Score CVE Description
Critical 9.8 CVE-2024-43498 .NET and Visual Studio Remote Code Execution Vulnerability

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it's critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities' severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources