142 Major Vulnerabilities Uncovered in July's Patch Tuesday

July often sees an increased release of CVEs due to the timing of the Black Hat and DEF CON conferences. That means security researchers prioritize releasing patches before presenting their findings to address vulnerabilities promptly. So, be on the lookout for some interesting, and possibly familiar-looking vulnerabilities being discussed during hacker summer camp season. 

As always, be sure to listen to the Automox Patch [Fix] Tuesday podcast here, on YouTube, or wherever you normally get your podcasts.

One interesting thing to note about this July’s Patch Tuesday is that it highlights 38 CVEs related to Microsoft SQL Server, all rated with an 8.8/10 on the CVSS scale (that’s pretty high), revealing vulnerabilities that need immediate attention. 

These vulnerabilities have the potential to expose systems to remote code execution (RCE) attacks, potentially allowing attackers to gain unauthorized access to your databases. Understanding and promptly addressing these issues is crucial for maintaining the integrity of your data.

If you manage a Microsoft SQL Server, apply these patches immediately. It’s essential. Unpatched systems can become easy targets for exploitation, leading to data breaches and other significant consequences. The sheer number of similar CVEs for one product from an anonymous source means that someone thinks this is valuable enough to invest significant research time. If you believe your Microsoft SQL Servers are not exposed and don’t need immediate patching, consider the fact that an unknown party with significant technical capabilities appears to disagree.

– Jason Kikta, CISO / SVP of Product, Automox

This month's Patch Tuesday also brings attention to 3 CVEs (CVE-2024-38077, CVE-2024-38074, and CVE-2024-38076) in the Windows Remote Desktop Licensing Service. If exploited, these vulnerabilities allow attackers to execute arbitrary code on affected systems, posing a significant threat to your internal network security.

Immediate action is required to address these vulnerabilities. Also, we recommend making sure your licensing server is not exposed to the internet and the setup follows best practices. 

Often, these features are enabled by default within Windows Server, so it’s worth taking the time to check.

Note: School districts, government infrastructure, and SLED-type Windows environments are particularly vulnerable due to their widespread use of Remote Desktop services. Ensuring these systems are patched promptly will help protect against potential attacks that could disrupt critical operations.

– Tom Bowyer, Director IT Security, Automox

Windows Layer Two Bridge Network RCE

With a CVSS score of 8.8/10, CVE 2024-38053 presents a significant risk with its RCE capabilities within the Windows Layer Two Bridge Network. This vulnerability allows attackers to execute arbitrary code on Windows systems, simply by sending a malicious packet over Ethernet from the local network.

To address this flaw, prompt patching is necessary. Ensure your security teams are aware of this vulnerability and have implemented the appropriate patches. Regularly monitor for updates and practice thorough vulnerability management to protect your network infrastructure.

This is an interesting one, considering the WiFi driver vulnerability last month. Similar to that CVE, this requires close access to a target. While that precludes a ransomware actor in Russia, it is something that is outside of most current threat models. This type of exploit works in places like shared office environments, hotels, convention centers, and anywhere else where unknown computers might be using the same physical link as you. I would not only make this a high priority for frequent travelers in your organization,but even static internal systems to protect them from lateral movement.

– Jason Kikta, CISO / SVP of Product, Automox

Editor's Note: For a 90’s hacking tale about how Jason used the Ping of Death vulnerability to avoid doing his university-level math homework, listen to the Patch [FIX] Tuesday podcast.

Jason’s Note: In my defense, the class was really boring.

Microsoft Windows Codex Library RCE

CVE 2024-38060 is a critical vulnerability affecting the Microsoft Windows Codex Library, which handles the processing of multimedia file formats. This flaw allows attackers to execute arbitrary code by exploiting the way the library processes .TIFF files. When a malicious .TIFF file is uploaded, this vulnerability can be triggered, leading to remote code execution and potentially compromising system security.

The risk posed by CVE 2024-38060 is substantial due to the extensive use of the Windows Codex Library across various platforms and services. Once exploited, attackers can gain unauthorized access, execute malicious code, and compromise sensitive data. The minimal user interaction required to trigger this vulnerability makes it particularly dangerous, as it can be remotely exploited with ease.

This vulnerability shows the importance of adopting secure coding practices and using memory-safe languages like Rust, as non-memory-safe legacy codebases continue to become increasingly prevalent attack vectors.

Addressing this vulnerability requires immediate action. Apply the latest patches from Microsoft to keep your endpoints secure. 

– Tom Bowyer, Director IT Security, Automox

The recent vulnerabilities discovered by security researchers around PowerShell have raised significant concerns due to their potential impact on IT environments. This Patch Tuesday release included 3 Elevation of Privilege vulnerabilities pertaining to PowerShell, all with a CVSS Score of 7.8/10.

These vulnerabilities lie within the PowerShell scripting environment itself, which is commonly used for automating and managing various tasks across many systems. The flaws allow attackers to elevate privileges or execute unauthorized actions by running specially crafted PowerShell scripts. 

This presents a serious risk, as PowerShell is deeply integrated into many critical functions and operations.

Implementing strict security measures is essential to counter these vulnerabilities. Limiting remoting capabilities reduces exposure, but comprehensive security strategies, including regular patches and updates, are crucial for maintaining system integrity and preventing breaches.

– Ryan Braunstein, Team Lead of Security Operations, Automox

Xbox Wireless Adapter Remote Code Execution Vulnerability

The Xbox wireless adapter has an RCE vulnerability that emphasizes the importance of securing home networks, particularly for remote work environments. This flaw allows attackers to execute arbitrary code, putting both personal and professional data at risk.

In a work-from-home setup, securing all devices, including IoT devices like alarm systems and smart TVs, is essential. Attackers can exploit this vulnerability to gain unauthorized access and compromise sensitive information. The distance with which WiFi signals can be detected, intercepted, and broadcasted is commonly underestimated, further heightening the risk of this vulnerability.

To mitigate these threats, apply regular updates to all devices and adopt strong network security measures like robust passwords and encryption. Educating all employees, friends, and family members about the importance of keeping devices patched and updated may not make you popular at parties, but can definitely reduce the 2 am phone calls. 

A proactive approach to device management and security can help protect both personal and professional data from potential cyber threats.

– Ryan Braunstein, Team Lead of Security Operations, Automox

The recent OpenSSH vulnerability in version 8.5 has raised significant concerns, especially for IoT and OT environments where SSH is often exposed for remote management. These systems, typically running on 32-bit architectures with limited memory protections, are particularly vulnerable.

Although the exploit is complex and can take a long time to complete – the proof of concepts takes anywhere from 8-10 hours, and the attacker may have to initiate the attack thousands of times. Ideally, it would set off alarms or be detected before the attacker completes the attack. However, the critical role of OpenSSH in secure communications means that even a high-complexity exploit is a serious threat. Immediate patching is necessary to protect systems from potential breakthroughs in exploitation techniques that may outpace detection.

Given the widespread use of OpenSSH, administrators should not let the high-effort nature of the exploit lead to complacency. 

Regularly monitoring and updating systems, especially those in vulnerable environments like IoT (Internet of Things) and OT (Operational Technology), helps ensure infrastructure integrity and prevents potential breaches. Prioritizing the application of the latest OpenSSH patches and updates is essential.

– Jason Kikta, CISO / SVP of Product, Automox