Patch Tuesday Breakdown: 51 CVEs, 51 Fixes, and What You Should Look Out For

Windows WiFi Driver Remote Code Execution Vulnerability

CVE 2024-30078 is a remote code execution vulnerability targeting Windows WiFi drivers, and has a CVSS score of 9.8/10. An unauthenticated attacker can exploit this by sending a malicious networking packet to an adjacent system using a WiFi adapter or malicious access point. This vulnerability is particularly concerning because it can be executed wirelessly, enabling attackers to gain control over your system without physical access.

Given its nature, this vulnerability poses a significant risk in endpoint-dense environments including hotels, trade shows, or anywhere else numerous devices connect to WiFi networks. Attackers can easily target unsuspecting users in these environments, making it critical to understand and mitigate this threat.

To protect against this vulnerability, it's recommended that you apply the latest patches as soon as possible. If patching immediately isn't feasible, you must use endpoint detection to monitor for suspicious activity related to this vulnerability. Due to its unique nature, it is unlikely to be visible to network-level detection methods.

End-of-life operating systems are particularly vulnerable to CVE 2024-30078 since they no longer receive security updates. If you're running such systems, and do not have an extended service contract, the best mitigation strategy is to upgrade to supported versions promptly. The risk of running outdated software cannot be overstated.

Further, this represents a close access vector that potentially bypasses network-based detections and mitigations. It circumvents most threat modeling, so this is an immediate-patch priority for me. This will generate a high level of interest and I’d expect exploitation tools to be publicly available within days to weeks.

– Jason Kikta, CISO / SVP of Product, Automox

Windows Kernel Elevation of Privilege Vulnerability

CVE 2024-30064 and CVE 2024-30068 are elevation of privilege vulnerabilities within the Windows kernel, both rated with a CVSS score of 8.8/10. Exploitation of these vulnerabilities allows attackers to gain elevated privileges: CVE 2024-30068 grants system-level access, while CVE 2024-30064 elevates privileges within the running process.

These vulnerabilities are particularly dangerous because they can provide attackers with significant control over the affected systems.

The primary mitigation for these vulnerabilities is to ensure all systems are patched with the latest security updates. Regularly updating your systems helps protect against both known and emerging threats. It's also essential to follow best practices for security configuration and monitoring.

– Tom Bowyer, Director IT Security, Automox

When dealing with containers and virtualized environments, never assume they are secure by default. Checking and configuring container defaults is vital, as failing to do so can expose your system to unnecessary risks. Containers often share resources and environments, meaning vulnerabilities in one tenant can affect others. Always review and adjust your container settings to ensure only necessary permissions are granted.

Shared tenancy attacks are a significant concern in virtual environments. When multiple tenants share the same underlying infrastructure, a vulnerability in one tenant's environment can potentially be exploited to affect others. This lack of isolation can lead to severe security breaches, especially if one tenant's container is compromised. 

Proactively securing your containers by setting strict permissions and regularly auditing your configurations can help mitigate these risks. Always assume that escape is possible and build your security strategy around this assumption to protect both your containerized applications and the underlying host.

–Mat Lee, Security Engineer, Automox

Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability

CVE 2024-30072 is a remote code execution vulnerability with a CVSS score of 7.8/10. The vulnerability arises from parsing Microsoft Event Trace Log files, and has the potential to be exploited by convincing a user to open a malicious trace file. 

To guard against this threat, it is critical to validate and verify the source of trace files before opening them. Implement strict policies around handling diagnostic files, and educate your team about the risks associated with such files. Using up-to-date security tools that can scan and detect malicious content within these files is also beneficial.

Phishing remains a prevalent attack vector, with threat actors frequently posing as legitimate IT support to exploit vulnerabilities like CVE 2024-30072. With the commonality of IT teams using Event Trace Log files to debug user systems, and given the high privileges often associated with IT support roles, exploiting this vulnerability could provide attackers with substantial access to sensitive systems.

Continuous training and awareness programs for employees can significantly reduce the risk of falling victim to such tactics.

– Henry Smith, Senior Application Security Engineer, Automox