
Automox Experts Analyze 118 New CVEs from Microsoft's Patch Tuesday

Patch Tuesday October 2024

Welcome to October 2024 Patch Tuesday! Here, you can stay informed about the released vulnerabilities and how they impact your IT environment. This Patch Tuesday saw an impressive 118 vulnerabilities released, the third-highest CVE count of the last 12 months.

Check out the Patch [FIX] Tuesday podcast for more in-depth coverage of these vulnerabilities. 

Before we see what Automox cybersecurity experts have to say about the vulnerabilities released this month, let’s see how this Patch Tuesday stacks up. 

CVE-2024-38124 [Important]

Windows Netlogon Elevation of Privilege Vulnerability

CVE-2024-38124 is a vulnerability in the Windows Netlogon process, allowing an attacker with LAN access to impersonate domain controllers. This vulnerability could enable unauthorized elevation of privileges, potentially granting the attacker domain admin rights and access to an entire network.

The attacker must predict the name of a new domain controller and rename their machine accordingly, establishing a secure channel to exploit the system. Once domain administrator rights are established, the attacker gains full control over the network, allowing them to access sensitive data, create new accounts, modify security settings, and potentially disrupt or further compromise systems across the entire domain.

To mitigate this threat, employ secure channel validation and enhanced authentication mechanisms to thwart possible exploits. It's also recommended to avoid predictable naming conventions for domain controllers. Given the severity of this vulnerability, prompt patching is essential to prevent unauthorized access and control over your network's Active Directory structure. 

— Seth Hoyt, Senior Security Engineer

CVE-2024-43468 [Critical]

Microsoft Configuration Manager Remote Code Execution Vulnerability

CVE-2024-43468 (CVSS 9.8/10) affects Microsoft Configuration Manager, presenting an opportunity for remote code execution by an unauthenticated attacker. This vulnerability is exploited by utilizing a specially crafted packet and highlights possible memory safety concerns within Microsoft Configuration Manager.

Successful exploitation of this vulnerability can allow for lateral movement throughout a network and offers the potential to deploy malicious configurations to other systems. 

Immediate action is necessary to update Microsoft Configuration Manager. Additionally, using an alternate service account in place of the computer account is recommended to mitigate risk. 

— Cody Dietz, Team Lead, Security Engineering

CVE-2024-43533 [Important]

Remote Desktop Client Remote Code Execution Vulnerability

CVE-2024-43533 (CVSS 8.8/10) is a remote code execution vulnerability within the Remote Desktop Client. It enables malicious actors to execute code on a client machine by manipulating RDP sessions.

Unlike typical RDP vulnerabilities targeting servers, this one flips the script, offering a unique attack vector against clients.

This vulnerability opens the door for back-hacks, where attackers set up rogue RDP servers to exploit scanning activities from entities like nation-states or security companies. Back-hacks represent a sophisticated method of exploiting cyber vulnerabilities by turning the tables on those conducting scanning activities, such as nation-states or security companies. 

Attackers can use rogue Remote Desktop Protocol (RDP) servers to lure scanners into a trap, effectively gaining access to the systems of those scanning entities. This technique exploits the very tools meant to safeguard networks, making it a particularly insidious form of attack.

Protect your network by updating the Remote Desktop Client and employing robust network monitoring. Ensure your RDP configurations are secure, and educate users on safe RDP practices to mitigate potential threats.

— Tom Bowyer, Director IT Security, Automox

CUPS Vulnerability

The CUPS vulnerability affects systems with the Common UNIX Printing System exposed to the internet. This vulnerability, often overlooked, can grant unauthorized access to systems if CUPS is enabled by default on certain distributions. The risk is amplified when systems are misconfigured, exposing print services to external networks.

Understanding system defaults is crucial in maintaining security. Many servers are deployed with default configurations that can be exploited if not properly managed. Regularly audit and adjust configurations to close unnecessary exposure and reduce potential points of intrusion.

Always disable unnecessary services, ensure only essential ports are open, implement strict access controls, and make sure firewall rules are set to limit inbound and outbound traffic.

— Cody Dietz, Team Lead, Security Engineering
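To make the configuration audit Cody describes concrete, here is an added example (written for this page, not code from the Automox post or from the CUPS project): a POSIX shell function that reads listening-socket output in the format `ss -Hlntu` prints on Linux and flags any socket on port 631, the IPP port CUPS uses, that is bound to anything other than loopback. The function name `audit_cups_exposure`, the embedded sample output, and the remediation notes in the comments (which assume a typical Linux layout with `/etc/cups/cupsd.conf` and an optional cups-browsed service) are this example's own, not the post's.

```sh
#!/bin/sh
# Added example, not from the Automox post: audit listening sockets for a
# print service (CUPS/IPP, port 631) reachable from beyond the local host.
#
# Input is the text `ss -Hlntu` prints on Linux, one socket per line:
#   Netid State  Recv-Q Send-Q Local:Port  Peer:Port
# so output captured from a host can be checked offline.
#
# Prints one EXPOSED line per offending socket. Returns 0 when every
# port-631 socket is bound to loopback only, 1 otherwise.
audit_cups_exposure() {
    exposed=0
    while read -r netid state recvq sendq laddr peer; do
        [ -n "$netid" ] || continue          # skip blank lines
        port=${laddr##*:}                    # text after the last ':'
        [ "$port" = "631" ] || continue      # only the IPP port matters here
        addr=${laddr%:*}                     # strip ':port'; IPv6 keeps its [ ]
        case "$addr" in
            127.*|"[::1]"|localhost) ;;      # loopback only: acceptable
            *)                               # 0.0.0.0, [::], * or a real address
                printf 'EXPOSED: %s %s socket bound to %s\n' "$netid" "$state" "$laddr"
                exposed=1 ;;
        esac
    done
    return "$exposed"
}

# Constructed sample (not captured from a real host): cupsd correctly bound to
# loopback on TCP, a UDP browse listener open on every interface (v4 and v6),
# plus an unrelated SSH listener that must not be flagged.
SAMPLE_SS_OUTPUT='tcp   LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp   LISTEN 0 128 [::1]:631     [::]:*
udp   UNCONN 0 0   0.0.0.0:631   0.0.0.0:*
udp   UNCONN 0 0   [::]:631      [::]:*
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*'

# Remediation once something is flagged (assumes a typical Linux layout):
#   - in /etc/cups/cupsd.conf use `Listen localhost:631` rather than `Port 631`,
#     then restart cupsd;
#   - if the UDP listener belongs to cups-browsed and printer discovery is not
#     needed, stop and disable that service;
#   - drop inbound 631/tcp and 631/udp at the host firewall regardless.

# Run the audit against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_cups_exposure \
    || echo 'Result: print service reachable beyond localhost; restrict Listen in cupsd.conf and firewall 631/tcp+udp'
```

On a live host, run `ss -Hlntu | audit_cups_exposure`; a non-zero exit status means a port-631 socket is reachable from the network, which is the exposure the commentary above warns about. Against the constructed sample the two UDP sockets are reported and the loopback TCP listeners pass.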

macOS Sequoia

The macOS Sequoia update has introduced compatibility issues with various security tools on version 15.0. This has led to disruptions, highlighting the need for caution when deploying updates. Apple's approach to quick updates without prior notification poses challenges for IT teams needing to maintain security tool functionality.

macOS Sequoia 15.0 addressed several critical vulnerabilities, enhancing security by improving permission logic, refining code-signing restrictions, and tightening sandbox measures. Regular updates are essential to protect against known risks and maintain system integrity. 

It's advisable to delay updates briefly, allowing time to test for potential impacts on essential applications. Apple's security posture, while proactive, requires users to be vigilant about the changes and be prepared for quick adaptations. Awareness and planning are key to navigating these updates effectively.

— Tom Bowyer, Director IT Security, Automox

Patch Regularly, Patch Often

The importance of regular patching in bolstering your organization's security posture cannot be overstated. Each patch addresses vulnerabilities that, if left unchecked, could lead to severe security breaches. 

By prioritizing timely updates, you protect your systems from known threats and maintain the resilience of your IT infrastructure. 

Until next time: Patch Regularly, Patch Often.
