11/12/2024 | News release | Distributed by Public on 11/12/2024 19:11
Microsoft Discloses Vulnerability within Airlift.microsoft.com
In an effort to provide additional transparency for Microsoft-hosted services, Microsoft has disclosed a Critical privilege escalation vulnerability within airlift.microsoft.com (CVE-2024-49056). This vulnerability has been fully mitigated by Microsoft on the service side and requires no customer action; there is nothing for customers to patch. Microsoft has stated that it is committed to transparency and has begun assigning CVEs to vulnerabilities in its own cloud services even when, as here, remediation is entirely Microsoft's responsibility. More information about this commitment can be found here.
Two Zero-Days in Microsoft Windows
CVE-2024-49019 is an Important privilege escalation vulnerability in Active Directory Certificate Services (AD CS), the Windows role that issues and manages certificates for an organization's public key infrastructure (PKI). More information about this service can be found here. Successful exploitation can give an attacker domain administrator privileges, one of the highest levels of privilege in Active Directory. The attack is only possible against certificates issued from a version 1 template whose subject name source is set to "Supplied in the request" (so the requester, not AD, chooses the subject), and only when the template grants Enroll permissions to an overly broad set of principals such as all domain users or domain computers. Microsoft recommends removing overly broad Enroll and Autoenroll permissions from such templates, removing unused templates from certification authorities, and auditing templates to ensure least privilege.
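As an added example (not code from the original article or from Microsoft), the following PowerShell audit enumerates certificate templates that match the preconditions above: schema version 1, subject name supplied in the request, and Enroll or Autoenroll granted to a broad principal. It assumes the ActiveDirectory RSAT module on a domain-joined host; the list of "broad" principals and the output format are the example's own choices, not Microsoft's.

```powershell
# Added example: find AD CS templates matching the CVE-2024-49019 preconditions.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Extended-right GUIDs for certificate templates (from the AD schema).
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$AllRightsGuid  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to all extended rights

# Bit in msPKI-Certificate-Name-Flag meaning "subject name is supplied in the request".
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1

# Principals treated as "overly broad" (assumption for this example; extend as needed).
$BroadPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateContainer -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'

foreach ($t in $templates) {
    $isV1 = ($t.'msPKI-Template-Schema-Version' -eq 1)
    $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'
    $subjectFromRequest = (($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0)
    if (-not ($isV1 -and $subjectFromRequest)) { continue }

    # ACEs that grant Enroll/AutoEnroll directly, or GenericAll / all extended rights.
    $broadAces = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ObjectType -in @($EnrollGuid, $AutoEnrollGuid)) -or
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
                [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($_.ObjectType -eq $AllRightsGuid -and
                (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0))
        )
    } | Where-Object {
        # Keep only ACEs whose trustee is one of the broad principals (DOMAIN\Name or bare Name).
        $id = $_.IdentityReference.Value
        $BroadPrincipals | Where-Object { $id -like "*\$_" -or $id -eq $_ }
    }

    if ($broadAces) {
        [pscustomobject]@{
            Template             = $t.Name
            SchemaVersion        = $t.'msPKI-Template-Schema-Version'
            SubjectFromRequest   = $subjectFromRequest
            BroadEnrollGrantedTo = (($broadAces.IdentityReference.Value | Sort-Object -Unique) -join '; ')
        }
    }
}
```

Each row the script emits is a template to remediate: either remove the Enroll/Autoenroll entry for the broad principal in the template's security tab, or change the subject name source so it is built from Active Directory rather than supplied by the requester. The script only reports; it changes nothing.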
CVE-2024-43451 is an Important spoofing vulnerability in Windows NTLM authentication that has been exploited in the wild. It discloses the victim's NTLMv2 hash to an attacker, who can then use it to authenticate as the victim (for example, by relaying it to another service or cracking it offline). Exploitation requires only minimal interaction with a malicious file: selecting it (single-click), inspecting it (right-click) or performing some other action short of opening or executing it is enough.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability |
| Important | 6.5 | CVE-2024-43451 | NTLM Hash Disclosure Spoofing Vulnerability |
One Zero-Day in Microsoft Exchange Server
CVE-2024-49040 is an Important spoofing vulnerability in Exchange Server: an attacker can bypass Exchange's existing sender-spoofing protections by crafting a P2 From header (the From address displayed to the recipient) that does not comply with RFC 5322. Once updated, Exchange Server detects such non-compliant headers and flags the message as suspicious rather than silently delivering it. Additional information on this vulnerability can be found here.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.5 | CVE-2024-49040 | Microsoft Exchange Server Spoofing Vulnerability |
Two Critical Vulnerabilities in Microsoft Windows
CVE-2024-43639 is a Critical remote code execution (RCE) vulnerability in Windows Kerberos with a CVSS score of 9.8. An unauthenticated, remote attacker could send a specially crafted packet that abuses a cryptographic protocol weakness in Windows Kerberos to achieve RCE. Microsoft notes that only Windows Servers configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server are affected; given the severity, patching those servers should be a high priority.
CVE-2024-43625 is a Critical privilege escalation vulnerability in the VMSwitch component of Hyper-V with a CVSS score of 8.1. An unprivileged attacker could cross the virtualization security boundary and execute code within the Hyper-V execution environment (VMSwitch runs in the host's parent partition). Microsoft notes that System Center Virtual Machine Manager is not affected. The vulnerability has a high attack complexity: the attacker needs significant knowledge of the victim Hyper-V host's operating environment to exploit it.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2024-43639 | Windows Kerberos Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2024-43625 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability |
One Critical Vulnerability in .NET and Visual Studio
CVE-2024-43498 is a Critical remote code execution (RCE) vulnerability affecting .NET (the .NET 9 runtime) and Visual Studio, with a CVSS score of 9.8. An unauthenticated, remote attacker could exploit it either by sending a specially crafted request to a vulnerable .NET web application or by convincing a user to load a specially crafted file into a vulnerable desktop application built on the affected runtime.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2024-43498 | .NET and Visual Studio Remote Code Execution Vulnerability |
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned from other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be patched quickly. As was the case with the ProxyNotShell vulnerabilities in Exchange, it is critically important to have a response plan for defending your environments when no patch is yet available.
Regular review of your patching strategy should remain part of your program, but you should also look more holistically at your organization's security practices and improve your overall security posture.
The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) maps score ranges to qualitative severity ratings (Low, Medium, High and Critical). Learn more about vulnerability scoring in this article.
Additional Resources