ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft August 2024 Patch Tuesday
Published: 2024-08-13. Last Updated: 2024-08-13 20:14:47 UTC
by Renato Marinho (Version: 1)
This month we got patches for 92 vulnerabilities. Of these, 9 are critical, and 9 are zero-days (3 previously disclosed, and 6 are already being exploited).
The vulnerabilities already being exploited are CVE-2024-38189, CVE-2024-38178, CVE-2024-38193, CVE-2024-38106, CVE-2024-38213, and CVE-2024-38107; the previously disclosed ones are CVE-2024-38202, CVE-2024-21302, and CVE-2024-38200.
Amongst the exploited vulnerabilities, the highest CVSS score (8.8) belongs to the Microsoft Project Remote Code Execution Vulnerability (CVE-2024-38189), rated as Important. According to the advisory, exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the "Block macros from running in Office files from the Internet" policy is disabled and VBA Macro Notification Settings are not enabled, allowing the attacker to perform remote code execution.
Amongst the critical vulnerabilities, one of the two CVSS 9.8 issues this month is associated with the Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability (CVE-2024-38140). According to the advisory, this vulnerability is exploitable only if there is a program listening on a Pragmatic General Multicast (PGM) port. If PGM is installed or enabled but no program is actively listening as a receiver, the vulnerability is not exploitable. An unauthenticated attacker could exploit it by sending specially crafted packets to an open Windows PGM socket on the server, without any interaction from the user.
The other CVSS 9.8 issue is the Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063). Systems are not affected if IPv6 is disabled on the target machine. The advisory says that an unauthenticated attacker could repeatedly send IPv6 packets, including specially crafted ones, to a Windows machine, which could enable remote code execution.
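A defender-side posture check for the preconditions the two advisories name (IPv6 bound on an adapter for CVE-2024-38063; PGM/RMCAST present and in use for CVE-2024-38140), added here as an example and not taken from the ISC diary or Microsoft. It assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later with the NetAdapter and DISM modules, and that the PGM driver is registered under the service name RMCAST; the function names are mine.

```powershell
# Added example (not from the ISC diary): check the exploitability
# preconditions the advisories name for CVE-2024-38063 and CVE-2024-38140.
# Assumes an elevated PowerShell 5.1+ session on Windows 8.1/Server 2012 R2
# or later (NetAdapter and DISM modules available).

function Test-Cve202438063Precondition {
    # CVE-2024-38063 (Windows TCP/IP): not affected when IPv6 is disabled.
    # Report every adapter that still has the IPv6 stack (ms_tcpip6) bound.
    $bound = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
        Where-Object { $_.Enabled }
    [pscustomobject]@{
        CVE          = 'CVE-2024-38063'
        Exposed      = [bool]$bound
        IPv6Adapters = @($bound | ForEach-Object Name)
    }
}

function Test-Cve202438140Precondition {
    # CVE-2024-38140 (RMCAST): exploitable only if PGM is installed and a
    # program is listening as a receiver. This covers the installed/enabled
    # half; whether a receiver is actually listening must come from your
    # application inventory (MSMQ multicast is the usual consumer).
    $rmcast = Get-NetAdapterBinding -ComponentID 'ms_rmcast' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Multicast' -ErrorAction SilentlyContinue
    $featureState = 'NotPresent'
    if ($feature) { $featureState = [string]$feature.State }
    # Assumption: the PGM kernel driver is registered under the service name RMCAST.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    $driverRunning = [bool]($driver -and $driver.Started)
    [pscustomobject]@{
        CVE                 = 'CVE-2024-38140'
        PgmBoundAdapters    = @($rmcast | ForEach-Object Name)
        MsmqMulticastState  = $featureState
        RmcastDriverRunning = $driverRunning
        Exposed             = [bool]($rmcast -or $driverRunning)
    }
}

# Run both checks; the preconditions only tell you how urgently to patch,
# not whether to patch.
Test-Cve202438063Precondition | Format-List
Test-Cve202438140Precondition | Format-List
```

If the IPv6 check reports exposure and patching must wait, the advisory's stated condition can be met with Disable-NetAdapterBinding -ComponentID ms_tcpip6 on the affected adapters, with the usual caveat that other Windows features depend on IPv6.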
Read the full entry:
https://isc.sans.edu/diary/Microsoft+August+2024+Patch+Tuesday/31164/
Multiple Malware Dropped Through MSI Package
Published: 2024-08-14. Last Updated: 2024-08-14 08:15:29 UTC
by Xavier Mertens (Version: 1)
One of my hunting rules hit on potentially malicious PowerShell code. The file was an MSI package (not an MSIX, these are well-known to execute malicious scripts). This file was a good old OLE package ...
The file (SHA256: 69cad2bf6d63dfc93b632cfd91b5182f14b5140da22f9a0ce82c8b459ad76c38) has a low score on VT (1/32). I tried to install the package in my sandbox but it failed with an error message “This package can only be run from a bootstrapper”. After Googling more info, I found this:
If you get this error while attempting to uninstall or update a package with an EXE file, it may be because you're using a multilingual package with a display language selection dialog (for multi-language packages) in the Languages Tab. This is a known issue that occurs when your different language installations have different Product Codes.
It could be related to the language used ...
Read the full entry:
https://isc.sans.edu/diary/Multiple+Malware+Dropped+Through+MSI+Package/31168/
Video: Same Origin, CORS, DNS Rebinding and Localhost (2024.08.12)
https://isc.sans.edu/diary/Video+Same+Origin+CORS+DNS+Rebinding+and+Localhost/31158/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2024-38189 - Microsoft Project Remote Code Execution Vulnerability
Product: Microsoft Project
CVSS Score: 8.8
** KEV since 2024-08-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38189
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38189

CVE-2024-38106 - Windows Kernel Elevation of Privilege Vulnerability
Product: Microsoft Windows Kernel
CVSS Score: 7.0
** KEV since 2024-08-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38106
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38106

CVE-2024-38107 - Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
Product: Microsoft Windows Power Dependency Coordinator
CVSS Score: 7.8
** KEV since 2024-08-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38107
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38107

CVE-2024-38178 - Scripting Engine Memory Corruption Vulnerability
Product: Microsoft Scripting Engine
CVSS Score: 7.5
** KEV since 2024-08-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38178
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38178

CVE-2024-38193 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Product: Microsoft Windows Ancillary Function Driver for WinSock
CVSS Score: 7.8
** KEV since 2024-08-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38193
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38193

CVE-2024-38213 - Windows Mark of the Web Security Feature Bypass Vulnerability
Product: Microsoft Windows Mark of the Web
CVSS Score: 6.5
** KEV since 2024-08-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38213
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38213

CVE-2024-38063 - Windows TCP/IP Remote Code Execution Vulnerability
Product: Microsoft Windows
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38063
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063

CVE-2024-38140 - Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability
Product: Windows Reliable Multicast Transport Driver
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38140
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38140

CVE-2024-38200 - Microsoft Office Spoofing Vulnerability
Product: Microsoft 365 Apps
CVSS Score: 6.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38200
ISC Diary: https://isc.sans.edu/diary/31164
ISC Podcast: https://isc.sans.edu/podcastdetail/9092
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200

CVE-2024-38202 - Windows Backup in Microsoft is vulnerable to an elevation of privilege attack, requiring additional user interaction for successful exploitation.
Product: Microsoft Windows Backup
CVSS Score: 7.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38202
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202

CVE-2024-38108 - Azure Stack Hub Spoofing Vulnerability
Product: Microsoft Azure Stack Hub
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38108
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38108

CVE-2024-38109 - Microsoft Azure Health Bot is vulnerable to SSRF, allowing an authenticated attacker to gain network privileges.
Product: Microsoft Azure Health Bot
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38109
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38109

CVE-2024-38159 & CVE-2024-38160 - Windows Network Virtualization Remote Code Execution Vulnerabilities
Product: Microsoft Windows Network Virtualization
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38159
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38160
ISC Diary: https://isc.sans.edu/diary/31164
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38159
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38160

CVE-2024-38199 - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability
Product: Windows Line Printer Daemon (LPD…
Vulnerabilities often lurk in the shadows, unnoticed and unaddressed due to the sheer scope of newly discovered threats and lack of comprehensive visibility. Download this guide which lays the foundation for a comprehensive security program, providing steps to identify, prioritize, and remediate multiple classes of vulnerabilities—beyond just the CVEs in this newsletter.
Virtual Event: DFIR Summit 2024 | Join us for two full days of free digital forensics, incident response, and threat hunting content on August 22-23 by registering for one or both of our upcoming Solutions Tracks. We’ll explore cutting-edge tools and solutions available to analysts as they work to keep their organization safe and functioning. Register here: