Recently, Microsoft disclosed two security vulnerabilities in Windows NT LAN Manager (NTLM) and Task Scheduler that are being actively exploited in the wild.
These vulnerabilities are part of a total of 90 security flaws that the technology giant addressed in the November 2024 Patch Tuesday update. Among these, four vulnerabilities are classified as Critical, 85 as Important, and one as Medium. Notably, 52 vulnerabilities allow for remote code execution.
The two actively exploited vulnerabilities are as follows:
– CVE-2024-43451 (CVSS Score: 6.5): This vulnerability allows attackers to steal a user's NTLMv2 hash.
– CVE-2024-49039 (CVSS Score: 8.8): This vulnerability may allow attackers to escalate privileges within Windows Task Scheduler.
According to Microsoft, CVE-2024-43451 discloses a user's NTLMv2 hash to the attacker, who could then use it to authenticate as that user. This is the third vulnerability this year to expose NTLMv2 hashes, following flaws patched in February and July.
Satnam Narang, an engineer at Tenable, noted that attackers are actively seeking vulnerabilities that may expose NTLMv2 Hashes, as these can be used to gain access to systems and move laterally within networks.
The CVE-2024-49039 vulnerability allows attackers to perform RPC functions that are normally restricted to privileged accounts. However, Microsoft emphasizes that successful exploitation requires the attacker to have authenticated access and to run a specifically designed application on the target system to elevate their privileges.
Currently, there is no specific information regarding how these vulnerabilities are being exploited in practice or the extent of these attacks, but the Cybersecurity and Infrastructure Security Agency (CISA) has included them in its list of known exploited vulnerabilities.
Additionally, another vulnerability, CVE-2024-49019 (CVSS Score: 7.8), has been disclosed; however, this vulnerability has not yet been exploited in the wild. It could allow an attacker to achieve domain administrative privileges within Active Directory Certificate Services.
Another significant vulnerability is CVE-2024-43498 (CVSS Score: 9.8), which is a critical remote code execution vulnerability in .NET and Visual Studio. An attacker could exploit this vulnerability by sending specially crafted requests to a vulnerable web application.
The update also addresses a critical encryption protocol vulnerability affecting Windows Kerberos (CVE-2024-43639, CVSS Score: 9.8) that could potentially be exploited by unauthenticated attackers to execute remote code.
The highest-rated vulnerability in this month’s release is a remote code execution flaw in Azure CycleCloud (CVE-2024-43602, CVSS Score: 9.9), which allows an attacker with basic user rights to gain root privileges.
Finally, the update also addresses a non-Microsoft CVE: a remote code execution vulnerability in OpenSSL (CVE-2024-5535, CVSS Score: 9.1), which was initially patched in June 2024.
Alongside this update, Microsoft has also announced the adoption of the Common Security Advisory Framework (CSAF) to provide machine-readable information about vulnerabilities. This initiative aims to enhance transparency in the handling and remediation of vulnerabilities while improving organizations’ response capabilities to security threats.
In addition to Microsoft, several other vendors have recently released security updates to address vulnerabilities, including:
– Adobe
– Amazon Web Services
– AMD
– Apple
– ASUS
– Atlassian
– Bosch
– Broadcom (including VMware)
– Cisco
– Citrix
– CODESYS
– D-Link
– Dell
– Drupal
– F5
– Fortinet
– Fortra
– GitLab
– Google (Android, Pixel, Chrome, Cloud, Wear OS)
– Hikvision
– Hitachi Energy
– HMS Networks
– HP
– HP Enterprise (including Aruba Networking)
– IBM
– Intel
– Ivanti
– Juniper Networks
– Lenovo
– Linux distributions (Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, Ubuntu)
– MediaTek
– Mitel
– Mitsubishi Electric
– Mozilla (Firefox, Firefox ESR, Thunderbird)
– NETGEAR
– NVIDIA
– Okta
– Palo Alto Networks
– Progress Software
– QNAP
– Qualcomm
– Rockwell Automation
– Samsung
– SAP
– Schneider Electric
– Siemens
– SolarWinds
– Splunk
– Spring Framework
– Synology
– TP-Link
– Trend Micro
– Veeam
– Veritas
– Zimbra
– Zoom
– Zyxel
Source: The Hacker News