Microsoft’s November Patch Tuesday addresses 92 vulnerabilities, four of which are rated critical, and includes four zero-day vulnerabilities, two of which are being actively exploited. Microsoft classifies a vulnerability as a zero-day if it has been made public or is being actively exploited while no official fix is yet available. Below is a brief summary of the most important vulnerabilities. For the full list, please visit Microsoft Security Updates.
CVE-2024-43451 | NTLM Hash Disclosure Spoofing Vulnerability
CVE-2024-43451 is an NTLM hash disclosure spoofing vulnerability in Microsoft Windows. This vulnerability received a CVSSv3 score of 6.5. An attacker could exploit this vulnerability by convincing a user to open a specially crafted file. Successful exploitation would disclose the user’s NTLMv2 hash to the attacker, who could then use it to authenticate to the system as that user. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.
CVE-2024-49039 | Windows Task Scheduler Elevation of Privilege Vulnerability
CVE-2024-49039 is an EoP vulnerability in the Microsoft Windows Task Scheduler. This vulnerability received a CVSSv3 score of 8.8. An attacker with local access to a vulnerable system could exploit this vulnerability by running a specially crafted application. Successful exploitation allows the attacker to execute code, such as remote procedure call (RPC) functions, and access resources that would not otherwise be available to them.
According to Microsoft, this vulnerability was exploited in the wild as a zero-day. The vulnerability was reported to Microsoft by an anonymous researcher along with Vlad Stolyarov and Bahare Sabouri of Google’s Threat Analysis Group. At the moment, no further details on the in-the-wild exploitation are available.
CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability
CVE-2024-49019 is an EoP vulnerability affecting Active Directory Certificate Services. This vulnerability received a CVSSv3 score of 7.8. This vulnerability was made public before a patch was available. According to Microsoft, successful exploitation would allow an attacker to gain administrative privileges. The advisory states that “certificates created using a version 1 certificate template with Source of subject name set to ‘Supplied in the request’” may be affected if the template is not secured according to best practices. Microsoft’s advisory also includes several mitigating steps to secure certificate templates.
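To find out whether any templates in a forest match the condition quoted from the advisory, an administrator can enumerate the certificate template objects in the configuration partition. The script below is an added audit example and is not part of Microsoft’s advisory or its mitigation steps; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and the session is domain-joined with read access to the configuration naming context. It relies on two documented template attributes: msPKI-Template-Schema-Version (1 for version 1 templates) and the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit (0x1) of msPKI-Certificate-Name-Flag, which is what the “Supplied in the request” setting maps to. For each match it also lists which principals hold the Certificate-Enrollment extended right, so the reviewer can see how widely the template is exposed before applying the advisory’s hardening guidance.

```powershell
# Added audit example (not Microsoft's code). Lists AD CS templates that are
# schema version 1 AND let the enrollee supply the subject name, then shows
# who can enroll in each one. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Bit 0x1 of msPKI-Certificate-Name-Flag = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
# i.e. "Source of subject name: Supplied in the request".
$EnrolleeSuppliesSubject = 0x1

# Extended-right GUID for Certificate-Enrollment; an all-zero ObjectType on an
# ExtendedRight ACE means "all extended rights" and therefore also grants enroll.
$EnrollRightGuid = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
$AllRightsGuid   = [guid]::Empty

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, 'msPKI-Template-Schema-Version',
                'msPKI-Certificate-Name-Flag', nTSecurityDescriptor

function Get-EnrollPrincipals {
    # Returns the identities that are allowed to enroll in the given template.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)

    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # Full control implies enroll.
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            # Explicit Certificate-Enrollment (or "all extended rights").
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq $AllRightsGuid))
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

$findings = foreach ($t in $templates) {
    $schemaVersion = [int]$t.'msPKI-Template-Schema-Version'
    $nameFlags     = [int]$t.'msPKI-Certificate-Name-Flag'

    if ($schemaVersion -eq 1 -and ($nameFlags -band $EnrolleeSuppliesSubject)) {
        [pscustomobject]@{
            Template          = $t.displayName
            SchemaVersion     = $schemaVersion
            SubjectFromRequest = $true
            CanEnroll         = (Get-EnrollPrincipals -Acl $t.nTSecurityDescriptor) -join '; '
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No version 1 templates with "Supplied in the request" subject names found.'
}
```

Run it from an elevated PowerShell session on a domain-joined host; it only reads directory objects and changes nothing. Templates that appear in the output with broad enroll groups (for example Domain Users or Authenticated Users) are the ones to review first against the mitigations in Microsoft’s advisory. Note that this lists templates as defined in AD; whether a template is actually published on a CA is a separate check.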
CVE-2024-49040 | Microsoft Exchange Server Spoofing Vulnerability
CVE-2024-49040 is a spoofing vulnerability affecting Microsoft Exchange Server 2016 and 2019. This vulnerability received a CVSSv3 score of 7.5. According to Microsoft, this vulnerability was made public before a patch was available. After applying the update, administrators should review the support article Exchange Server non-RFC compliant P2 FROM header detection. The supplementary guide states that the Exchange Server update for November, as part of a “secure by default” approach, will flag suspicious emails that may contain “malicious patterns in the P2 FROM header”. While this feature can be disabled, Microsoft strongly recommends leaving it enabled for added protection against phishing attempts and malicious emails.
CVE-2024-43639 | Windows Kerberos Remote Code Execution Vulnerability
CVE-2024-43639 is a critical RCE vulnerability that affects Windows Kerberos, an authentication protocol designed to verify the identity of users or hosts. This vulnerability received a CVSSv3 score of 9.8 and is rated “Exploitation Less Likely.” To exploit this vulnerability, an unauthenticated attacker must exploit a vulnerability in the cryptographic protocol to reach RCE. Microsoft has not provided further details on this vulnerability at this time.
CVE-2024-43602 | Azure CycleCloud Remote Code Execution Vulnerability
CVE-2024-43602 is an RCE vulnerability in Microsoft’s Azure CycleCloud, a tool for managing and orchestrating High Performance Computing (HPC) environments in Azure. This vulnerability received the highest CVSSv3 score of the month, 9.9, and is rated as important. A user with basic privileges could exploit CVE-2024-43602 by sending specially crafted requests to a vulnerable Azure CycleCloud cluster to change its configuration. Successful exploitation would give the user root privileges, allowing them to execute commands on any Azure CycleCloud cluster and steal administrator credentials.
Solution
Microsoft has released updates to fix the aforementioned vulnerabilities. It is important that organisations apply these updates in a timely manner to mitigate the risks of these vulnerabilities. For organisations unable to install the patches immediately, Microsoft offers temporary fixes and mitigations, as described under the specific vulnerabilities.