Report Name: Microsoft Patch Tuesday, October 2024
Generated: 2024-10-09 00:45:43

Product Name	Prevalence	U	C	H	M	L	A	Comment
Windows Kernel	0.9				6		6	Windows Kernel
BitLocker	0.8				1		1	A full volume encryption feature included with Microsoft Windows versions starting with Windows Vista
Chromium	0.8			1	19	1	21	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
Microsoft Edge	0.8			3	1		4	Web browser
Microsoft Office	0.8			2	1		3	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Microsoft OpenSSH for Windows	0.8			1	2		3	Windows component
Microsoft Windows Storage Port Driver	0.8				1		1	Windows component
Sudo for Windows	0.8				1		1	Windows component
Windows Ancillary Function Driver for WinSock	0.8				1		1	Windows component
Windows Common Log File System Driver	0.8				1		1	Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs
Windows Cryptographic	0.8				1		1	Windows component
Windows Graphics Component	0.8				4		4	Windows component
Windows Kerberos	0.8				2		2	Windows component
Windows Kernel-Mode Driver	0.8				2		2	Windows component
Windows Local Security Authority (LSA)	0.8				1		1	Windows component
Windows MSHTML Platform	0.8		1				1	Windows component
Windows Mobile Broadband Driver	0.8				15		15	Windows component
Windows Netlogon	0.8				1		1	Windows component
Windows Network Address Translation (NAT)	0.8				2		2	Windows component
Windows Online Certificate Status Protocol (OCSP) Server	0.8				1		1	Windows component
Windows Print Spooler	0.8				1		1	Windows component
Windows Remote Desktop Client	0.8			2			2	Remote Desktop Protocol Client
Windows Remote Desktop Licensing Service	0.8			1			1	Windows component
Windows Remote Desktop Services Tampering Vulnerability	0.8				1		1	Windows component
Windows Resilient File System (ReFS)	0.8				2		2	Windows component
Windows Resume Extensible Firmware Interface	0.8				3		3	Windows component
Windows Routing and Remote Access Service (RRAS)	0.8			12			12	Windows component
Windows Scripting Engine	0.8				1		1	Windows component
Windows Secure Channel	0.8				1		1	Windows component
Windows Secure Kernel Mode	0.8				2		2	Windows component
Windows Shell	0.8				1		1	Windows component
Windows Standards-Based Storage Management Service	0.8				1		1	Windows component
Windows Storage	0.8				1		1	Windows component
Windows Telephony Server	0.8			1			1	Windows component
.NET and Visual Studio	0.7				2		2	.NET and Visual Studio
Microsoft SharePoint	0.7				1		1	Microsoft SharePoint
Microsoft Excel	0.6				1		1	MS Office product
Microsoft Office Visio	0.6				2		2	Microsoft Visio
Windows Hyper-V	0.6			1	4		5	Hardware virtualization component of the client editions of Windows NT
.NET, .NET Framework, and Visual Studio	0.5				2		2	.NET, .NET Framework, and Visual Studio
Azure Command Line Integration (CLI)	0.5				1		1	Azure Command Line Integration (CLI)
Azure Monitor Agent	0.5				1		1	Azure Monitor Agent
Azure Service Fabric for Linux	0.5				1		1	Azure Service Fabric for Linux
Azure Stack Hyperconverged Infrastructure (HCI)	0.5				1		1	Azure Stack Hyperconverged Infrastructure (HCI)
BranchCache	0.5				2		2	BranchCache
Code Integrity Guard	0.5				1		1	Code Integrity Guard
DeepSpeed	0.5				1		1	DeepSpeed
Dynamics 365 Business Central	0.5				1		1	Product detected by a:microsoft:dynamics_365_business_central (exists in CPE dict)
Internet Small Computer Systems Interface (iSCSI)	0.5				1		1	Internet Small Computer Systems Interface (iSCSI)
Microsoft ActiveX Data Objects	0.5				1		1	Microsoft ActiveX Data Objects
Microsoft Configuration Manager	0.5				1		1	Microsoft Configuration Manager
Microsoft Defender for Endpoint for Linux	0.5				1		1	Microsoft Defender for Endpoint for Linux
Microsoft Management Console	0.5		1				1	Microsoft Management Console
Microsoft Simple Certificate Enrollment Protocol	0.5				2		2	Microsoft Simple Certificate Enrollment Protocol
Microsoft Speech Application Programming Interface (SAPI)	0.5				1		1	Microsoft Speech Application Programming Interface (SAPI)
Microsoft WDAC OLE DB provider for SQL Server	0.5				1		1	Microsoft WDAC OLE DB provider for SQL Server
NT OS Kernel	0.5				1		1	NT OS Kernel
Open Source Curl	0.5		1				1	Open Source Curl
Outlook for Android	0.5				1		1	Outlook for Android
Power BI Report Server	0.5				2		2	Power BI Report Server
Remote Desktop Protocol Server	0.5				1		1	Remote Desktop Protocol Server
Remote Registry Service	0.5				1		1	Remote Registry Service
Visual C++ Redistributable Installer	0.5				1		1	Visual C++ Redistributable Installer
Visual Studio Code for Linux	0.5				1		1	Visual Studio Code for Linux
Visual Studio Collector Service	0.5				1		1	Visual Studio Collector Service
Winlogon	0.5				1		1	Winlogon
groupme	0.5			1			1	Product detected by a:microsoft:groupme (does NOT exist in CPE dict)
Visual Studio	0.3				1		1	Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0		2	22	23		47
Security Feature Bypass	0.9			1	8		9
Elevation of Privilege	0.85			1	29		30
Information Disclosure	0.83			1	6		7
Denial of Service	0.7				26		26
Incorrect Calculation	0.5				2		2
Memory Corruption	0.5				11		11
Spoofing	0.4		1		10		11
Tampering	0.3				1		1
Unknown Vulnerability Type	0				1	1	2

Source	U	C	H	M	L	A
MS PT Extended			5	22	1	28
Qualys		3	1	11		15
Tenable		2	15	7		24
Rapid7		3	1	5		9
ZDI		2		2		4

Urgent (0)

Critical (3)

1. Remote Code Execution - Microsoft Management Console (CVE-2024-43572) - Critical [692]

Description: Microsoft Management Console Remote Code Execution Vulnerability

Qualys: CVE-2024-43572: Microsoft Management Console Remote Code Execution Vulnerability Microsoft Management Console (MMC) is a tool that allows users and system administrators to configure, monitor, and manage Microsoft Windows systems. MMC provides a unified interface for managing, administering, and configuring systems. Microsoft has not released any information about the vulnerability. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before October 29, 2024.

Tenable: Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)

Tenable: CVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability

Tenable: CVE-2024-43572 is a RCE vulnerability in Microsoft Management Console (MMC). It was assigned a CVSSv3 score of 7.8 and is rated as important. An attacker could exploit this vulnerability by convincing a vulnerable target through the use of social engineering tactics to open a specially crafted file. Successful exploitation would allow the attacker to execute arbitrary code. According to Microsoft, CVE-2024-43572 was exploited in the wild as a zero-day. This is the second month in a row that Microsoft patched a RCE vulnerability in the MMC, as Microsoft addressed CVE-2024-38259 in its September 2024 Patch Tuesday release.

Tenable: As part of its patch for CVE-2024-43572, Microsoft has altered the behavior for Microsoft Saved Console (MSC) files, preventing untrusted MSC files from being opened on a system.

Rapid7: CVE-2024-43572 rounds out today’s five zero-day vulnerabilities, and describes a low-complexity, no-user-interaction RCE in Microsoft Management Console. Microsoft is aware of both public functional exploit code and in-the-wild exploitation. The vulnerability is exploited when a user downloads and opens a specially-crafted malicious Microsoft Saved Console (MSC) file, so there’s no suggestion here that the Management Console is vulnerable via network attack. Today’s patches prevent untrusted MSC files from being opened, although the advisory does not describe how Windows will know what’s trusted and what isn’t. Microsoft has chosen to map CVE-2024-43572 to CWE-70, which is a very broad category, the use of which is explicitly discouraged by MITRE.

ZDI: CVE-2024-43572 - Microsoft Management Console Remote Code Execution Vulnerability. Here’s another Moderate-severity bug listed as being actively attacked. In this instance, a threat actor would need to send a malicious MMC snap-in and have a user load the file. While this does sound unlikely, it’s clearly happening. Microsoft doesn’t say how widespread these attacks are, but considering the amount of social engineering required to exploit this bug, I would think attacks would be limited at this point. Still considering the damage that could be caused by an admin loading a malicious snap-in, I would test and deploy this update quickly.

2. Spoofing - Windows MSHTML Platform (CVE-2024-43573) - Critical [623]

Description: Windows MSHTML Platform Spoofing Vulnerability

Qualys: CVE-2024-43573: Windows MSHTML Platform Spoofing Vulnerability Windows MSHTML is a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer (IE) 11 desktop application has reached the end of support, MSHTML vulnerabilities are still relevant today and are being patched by Microsoft. Microsoft has not shared any detailed information about the exploitation of this vulnerability. However, Microsoft mentioned in the advisory that exploitation of the vulnerability involves the MSHTML platform, previously used by Internet Explorer and Legacy Microsoft Edge, whose components are still installed in Windows. CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before October 29, 2024.

Tenable: Microsoft’s October 2024 Patch Tuesday Addresses 117 CVEs (CVE-2024-43572, CVE-2024-43573)

Tenable: CVE-2024-43573 | Windows MSHTML Platform Spoofing Vulnerability

Tenable: CVE-2024-43573 is a spoofing vulnerability in the Windows MSHTML Platform. It was assigned a CVSSv3 score of 6.5 and is rated as moderate. An unauthenticated, remote attacker could exploit this vulnerability by convincing a potential target to open a malicious file. According to Microsoft, CVE-2024-43573 was exploited in the wild as a zero-day.

Rapid7: CVE-2024-43573 is an exploited-in-the-wild spoofing vulnerability in MSHTML for which Microsoft is also aware of functional public exploit code; the advisory lists CWE-79 as the weakness, which translates to cross-site scripting (XSS). The advisory is sparse on further detail, although Windows Server 2012/2012 R2 admins who typically install Security Only updates should note that Microsoft is encouraging installation of the Monthly Rollups to ensure remediation in this case. The low CVSSv3 base score of 6.5 reflects the requirement for user interaction and the lack of impact to integrity or availability; a reasonable assumption might be that exploitation leads to improper disclosure of sensitive data, but no other direct effect on the target asset.

ZDI: CVE-2024-43573 - Windows MSHTML Platform Spoofing Vulnerability. While only listed as Moderate, this is one of the bugs listed as actively exploited this month. This is also very similar to the bug patched back in July in the same component, which was used by the APT group known as Void Banshee. You can read out full analysis of that bug here. There’s no word from Microsoft on whether it’s the same group, but considering there is no acknowledgment here, it makes me think the original patch was insufficient. Either way, don’t ignore this based on the severity rating. Test and deploy this update quickly.

3. Remote Code Execution - Open Source Curl (CVE-2024-6197) - Critical [607]

Description: Open Source Curl Remote Code Execution Vulnerability

Qualys: CVE-2024-6197: Open Source Curl Remote Code Execution Vulnerability Microsoft states, “While the upstream advisory applies to curl, the command line tool, and libcurl as embedded in all software, Windows does not ship libcurl but only ships the curl command line. This vulnerability requires user interaction to select the server and to communicate with it.” Successful exploitation of the vulnerability requires a client to connect to a malicious server, which could allow the attacker to gain code execution on the client.

Rapid7: Microsoft is most famous for its closed source products, but has cautiously softened its stance on open source considerably in the past quarter century or so. Windows has included components of cURL for almost seven years at this point, along with various other open source components; Microsoft does patch these from time to time, although not always as quickly as defenders might like. Today’s patches for CVE-2024-6197, a publicly-disclosed RCE vulnerability in cURL, continue that trend.

Rapid7: The Microsoft advisory for CVE-2024-6197 clarifies that Windows does not ship libcurl, only the curl command line, but that’s still vulnerable and thus in scope for a fix. Exploitation requires that the user connect to a malicious server controlled by the attacker, and code execution is presumably in the context of the user launching the curl CLI tool on the Windows asset. The cURL project advisory for CVE-2024-6197 was originally published on 2024-07-24, and offers further detail from their perspective. Interestingly, the cURL project describes the most likely outcome of exploitation as a crash, and does not specifically mention RCE, although it is careful not to exclude the possibility of unspecified “more serious results,” which could well mean RCE. Microsoft rates this vulnerability as important, which is on track with the CVSS base score of 8.8.

High (25)

4. Information Disclosure - Microsoft Edge (CVE-2024-38222) - High [493]

Description: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

MS PT Extended: CVE-2024-38222 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

5. Remote Code Execution - Microsoft Edge (CVE-2024-43496) - High [466]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2024-43496 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

6. Security Feature Bypass - Windows Hyper-V (CVE-2024-20659) - High [465]

Description: Windows Hyper-V Security Feature Bypass Vulnerability

Qualys: CVE-2024-20659: Windows Hyper-V Security Feature Bypass Vulnerability Hyper-V is a virtualization technology in Windows that allows users to run multiple operating systems as virtual machines (VMs) on a physical host computer. An attacker must first gain access to the restricted network before running an attack. Successful exploitation of the vulnerability may allow an attacker to compromise the hypervisor and kernel. This Hypervisor vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine. An attacker may bypass the UEFI on some specific hardware, which could compromise the hypervisor and the secure kernel.

Tenable: CVE-2024-20659 | Windows Hyper-V Security Feature Bypass Vulnerability

Tenable: CVE-2024-20659 is a security feature bypass vulnerability in Windows Hyper-V. It was assigned a CVSSv3 score of 7.1, is rated as important and assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index. This is likely due to the fact that there are multiple conditions that need to be met in order for exploitation to be feasible, such as a user rebooting their machine and application specific behavior among other user-required actions. Successful exploitation would allow an attacker to bypass a Virtual Machine’s Unified Extensible Firmware Interface (UEFI) on the host machine, resulting in both the hypervisor and secure kernel being compromised. According to Microsoft, CVE-2024-20659 was publicly disclosed prior to a patch being made available.

Tenable: In addition to CVE-2024-20659, Microsoft also addressed three denial of service (DoS) vulnerabilities and one RCE in Windows Hyper-V:

Rapid7: CVE-2024-20659 describes a publicly-disclosed security feature bypass in Hyper-V. Microsoft describes exploitation as both less likely and highly complex. An attacker must be both lucky and resourceful, since only UEFI-enabled hypervisors with certain unspecified hardware are vulnerable, and exploitation requires coordination of a number of factors followed by a well-timed reboot. All this after first achieving a foothold on the same network — although in this context, this likely means access to a VM on the target hypervisor, rather than some other location on the same subnet. The prize for successful exploitation is compromise of the hypervisor kernel.

7. Remote Code Execution - Microsoft Edge (CVE-2024-43489) - High [454]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2024-43489 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

8. Remote Code Execution - Chromium (CVE-2024-7970) - High [430]

Description: Chromium: CVE-2024-7970 Out of bounds write in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-7970 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

9. Remote Code Execution - Windows Remote Desktop Client (CVE-2024-43533) - High [419]

Description: Remote Desktop Client Remote Code Execution Vulnerability

Tenable: CVE-2024-43533 and CVE-2024-43599 | Remote Desktop Client Remote Code Execution Vulnerability

Tenable: CVE-2024-43533 and CVE-2024-43599 are a pair of RCE vulnerabilities in Microsoft Remote Desktop Client, both with a CVSSv3 score of 8.8 and flagged by Microsoft as “Exploitation Less Likely.” The attack vector noted by Microsoft lists a prerequisite of an attacker first compromising a Remote Desktop Server. Once compromised, the attacker can leverage RCE against vulnerable connecting devices. As a mitigating factor and part of security best practices, it is suggested that the Remote Desktop service should be disabled if not needed. Microsoft’s advisory further explains that disabling unused services can help reduce exposure.

10. Remote Code Execution - Windows Remote Desktop Client (CVE-2024-43599) - High [419]

Description: Remote Desktop Client Remote Code Execution Vulnerability

Tenable: CVE-2024-43533 and CVE-2024-43599 | Remote Desktop Client Remote Code Execution Vulnerability

Tenable: CVE-2024-43533 and CVE-2024-43599 are a pair of RCE vulnerabilities in Microsoft Remote Desktop Client, both with a CVSSv3 score of 8.8 and flagged by Microsoft as “Exploitation Less Likely.” The attack vector noted by Microsoft lists a prerequisite of an attacker first compromising a Remote Desktop Server. Once compromised, the attacker can leverage RCE against vulnerable connecting devices. As a mitigating factor and part of security best practices, it is suggested that the Remote Desktop service should be disabled if not needed. Microsoft’s advisory further explains that disabling unused services can help reduce exposure.

11. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-38212) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

12. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-38265) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

13. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-43453) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

14. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-43549) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

15. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-43564) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

16. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-43589) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

17. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-43592) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

18. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-43593) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

19. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-43607) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

20. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-43608) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

21. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-43611) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

22. Remote Code Execution - Windows Telephony Server (CVE-2024-43518) - High [419]

Description: Windows Telephony Server Remote Code Execution Vulnerability

23. Remote Code Execution - Microsoft Office (CVE-2024-43576) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

24. Remote Code Execution - Microsoft Office (CVE-2024-43616) - High [407]

Description: Microsoft Office Remote Code Execution Vulnerability

25. Remote Code Execution - Microsoft OpenSSH for Windows (CVE-2024-38029) - High [407]

Description: Microsoft OpenSSH for Windows Remote Code Execution Vulnerability

26. Remote Code Execution - Windows Remote Desktop Licensing Service (CVE-2024-38262) - High [407]

Description: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

27. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-38261) - High [407]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608, CVE-2024-43611 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

Tenable: CVE-2024-38212, CVE-2024-38261, CVE-2024-38265, CVE-2024-43453, CVE-2024-43549, CVE-2024-43564, CVE-2024-43589, CVE-2024-43592, CVE-2024-43593, CVE-2024-43607, CVE-2024-43608 and CVE-2024-43611 are a series of RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) accounting for 10% of the vulnerabilities in the October Microsoft Patch Tuesday update. All 12 of these vulnerabilities share a common CVSSv3 score of 8.8 with the exception of CVE-2024-38261 which was assigned a score of 7.8. Each of these vulnerabilities are rated by Microsoft as “Exploitation Less Likely” and share similar attack paths based on Microsoft's descriptions of the vulnerabilities. An attacker with no authentication could leverage this vulnerability by targeting a vulnerable server with a specially crafted protocol message or tricking a user to submit a request to a malicious server resulting in a malicious message being returned, which could lead to RCE on the vulnerable machine.

28. Elevation of Privilege - groupme (CVE-2024-38183) - High [401]

Description: {'ms_cve_data_all': 'GroupMe Elevation of Privilege Vulnerability. An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.\n', 'nvd_cve_data_all': 'An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2024-38183 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

Medium (117)

29. Elevation of Privilege - Windows Kernel (CVE-2024-43527) - Medium [397]

Description: Windows Kernel Elevation of Privilege Vulnerability

30. Remote Code Execution - Microsoft Office Visio (CVE-2024-38016) - Medium [397]

Description: Microsoft Office Visio Remote Code Execution Vulnerability

MS PT Extended: CVE-2024-38016 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

31. Remote Code Execution - Microsoft OpenSSH for Windows (CVE-2024-43581) - Medium [395]

Description: Microsoft OpenSSH for Windows Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-43502 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-43581 and CVE-2024-43615 are remote code execution vulnerabilities in Microsoft OpenSSH for Windows. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target server. CVE-2024-43609 is a spoofing vulnerability in Microsoft Office. In a web-based attack scenario, an attacker may host a website or server containing a specially crafted file to exploit the vulnerability. An attacker would have to convince the user to click a link, typically through an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. CVE-2024-43509 and CVE-2024-43556 are elevation of privileges vulnerabilities in the Windows Graphics Component. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges. CVE-2024-43560 is an elevation of privilege vulnerability in the Microsoft Windows Storage Port Driver. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges.

32. Remote Code Execution - Microsoft OpenSSH for Windows (CVE-2024-43615) - Medium [395]

Description: Microsoft OpenSSH for Windows Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-43502 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-43581 and CVE-2024-43615 are remote code execution vulnerabilities in Microsoft OpenSSH for Windows. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target server. CVE-2024-43609 is a spoofing vulnerability in Microsoft Office. In a web-based attack scenario, an attacker may host a website or server containing a specially crafted file to exploit the vulnerability. An attacker would have to convince the user to click a link, typically through an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. CVE-2024-43509 and CVE-2024-43556 are elevation of privileges vulnerabilities in the Windows Graphics Component. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges. CVE-2024-43560 is an elevation of privilege vulnerability in the Microsoft Windows Storage Port Driver. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges.

33. Remote Code Execution - Windows Mobile Broadband Driver (CVE-2024-43523) - Medium [395]

Description: Windows Mobile Broadband Driver Remote Code Execution Vulnerability

34. Remote Code Execution - Windows Mobile Broadband Driver (CVE-2024-43524) - Medium [395]

Description: Windows Mobile Broadband Driver Remote Code Execution Vulnerability

35. Remote Code Execution - Windows Mobile Broadband Driver (CVE-2024-43525) - Medium [395]

Description: Windows Mobile Broadband Driver Remote Code Execution Vulnerability

36. Remote Code Execution - Windows Mobile Broadband Driver (CVE-2024-43526) - Medium [395]

Description: Windows Mobile Broadband Driver Remote Code Execution Vulnerability

37. Remote Code Execution - Windows Mobile Broadband Driver (CVE-2024-43536) - Medium [395]

Description: Windows Mobile Broadband Driver Remote Code Execution Vulnerability

38. Remote Code Execution - Windows Mobile Broadband Driver (CVE-2024-43543) - Medium [395]

Description: Windows Mobile Broadband Driver Remote Code Execution Vulnerability

39. Remote Code Execution - Windows Shell (CVE-2024-43552) - Medium [395]

Description: Windows Shell Remote Code Execution Vulnerability

40. Elevation of Privilege - Windows Netlogon (CVE-2024-38124) - Medium [392]

Description: Windows Netlogon Elevation of Privilege Vulnerability

Tenable: CVE-2024-38124 | Windows Netlogon Elevation of Privilege Vulnerability

Tenable: CVE-2024-38124 is a EoP vulnerability in Windows Netlogon assessed as “Exploitation Less Likely” with a CVSSv3 score of 9, the second highest in the October Patch Tuesday update. An attacker would need authenticated access to the same network as a vulnerable device and rename their machine to match the domain controller in order to establish a secure channel. If these prerequisites are met, the attacker would then need to rename their machine back to its original name and “once the new domain controller is promoted, the attacker could use the secure channel to impersonate the domain controller and potentially compromise the entire domain.”

41. Remote Code Execution - .NET and Visual Studio (CVE-2024-38229) - Medium [390]

Description: .NET and Visual Studio Remote Code Execution Vulnerability

42. Security Feature Bypass - Chromium (CVE-2024-8907) - Medium [389]

Description: Chromium: CVE-2024-8907 Insufficient data validation in Omnibox. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-8907 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

43. Security Feature Bypass - Windows Scripting Engine (CVE-2024-43584) - Medium [389]

Description: Windows Scripting Engine Security Feature Bypass Vulnerability

44. Elevation of Privilege - Windows Kernel (CVE-2024-37979) - Medium [385]

Description: Windows Kernel Elevation of Privilege Vulnerability

45. Elevation of Privilege - Windows Kernel (CVE-2024-43502) - Medium [385]

Description: Windows Kernel Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-43502 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-43581 and CVE-2024-43615 are remote code execution vulnerabilities in Microsoft OpenSSH for Windows. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target server. CVE-2024-43609 is a spoofing vulnerability in Microsoft Office. In a web-based attack scenario, an attacker may host a website or server containing a specially crafted file to exploit the vulnerability. An attacker would have to convince the user to click a link, typically through an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. CVE-2024-43509 and CVE-2024-43556 are elevation of privileges vulnerabilities in the Windows Graphics Component. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges. CVE-2024-43560 is an elevation of privilege vulnerability in the Microsoft Windows Storage Port Driver. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges.

46. Elevation of Privilege - Windows Kernel (CVE-2024-43511) - Medium [385]

Description: Windows Kernel Elevation of Privilege Vulnerability

47. Elevation of Privilege - Microsoft Windows Storage Port Driver (CVE-2024-43560) - Medium [380]

Description: Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-43502 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-43581 and CVE-2024-43615 are remote code execution vulnerabilities in Microsoft OpenSSH for Windows. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target server. CVE-2024-43609 is a spoofing vulnerability in Microsoft Office. In a web-based attack scenario, an attacker may host a website or server containing a specially crafted file to exploit the vulnerability. An attacker would have to convince the user to click a link, typically through an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. CVE-2024-43509 and CVE-2024-43556 are elevation of privileges vulnerabilities in the Windows Graphics Component. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges. CVE-2024-43560 is an elevation of privilege vulnerability in the Microsoft Windows Storage Port Driver. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges.

48. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2024-43563) - Medium [380]

Description: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

49. Elevation of Privilege - Windows Common Log File System Driver (CVE-2024-43501) - Medium [380]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

50. Elevation of Privilege - Windows Graphics Component (CVE-2024-43509) - Medium [380]

Description: Windows Graphics Component Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-43502 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-43581 and CVE-2024-43615 are remote code execution vulnerabilities in Microsoft OpenSSH for Windows. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target server. CVE-2024-43609 is a spoofing vulnerability in Microsoft Office. In a web-based attack scenario, an attacker may host a website or server containing a specially crafted file to exploit the vulnerability. An attacker would have to convince the user to click a link, typically through an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. CVE-2024-43509 and CVE-2024-43556 are elevation of privileges vulnerabilities in the Windows Graphics Component. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges. CVE-2024-43560 is an elevation of privilege vulnerability in the Microsoft Windows Storage Port Driver. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges.

51. Elevation of Privilege - Windows Graphics Component (CVE-2024-43556) - Medium [380]

Description: Windows Graphics Component Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-43502 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-43581 and CVE-2024-43615 are remote code execution vulnerabilities in Microsoft OpenSSH for Windows. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target server. CVE-2024-43609 is a spoofing vulnerability in Microsoft Office. In a web-based attack scenario, an attacker may host a website or server containing a specially crafted file to exploit the vulnerability. An attacker would have to convince the user to click a link, typically through an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. CVE-2024-43509 and CVE-2024-43556 are elevation of privileges vulnerabilities in the Windows Graphics Component. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges. CVE-2024-43560 is an elevation of privilege vulnerability in the Microsoft Windows Storage Port Driver. Successful exploitation of the vulnerabilities may allow an attacker to gain SYSTEM privileges.

52. Elevation of Privilege - Windows Kerberos (CVE-2024-38129) - Medium [380]

Description: Windows Kerberos Elevation of Privilege Vulnerability

53. Elevation of Privilege - Windows Resilient File System (ReFS) (CVE-2024-43514) - Medium [380]

Description: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

54. Elevation of Privilege - Windows Secure Kernel Mode (CVE-2024-43516) - Medium [380]

Description: Windows Secure Kernel Mode Elevation of Privilege Vulnerability

55. Elevation of Privilege - Windows Secure Kernel Mode (CVE-2024-43528) - Medium [380]

Description: Windows Secure Kernel Mode Elevation of Privilege Vulnerability

56. Elevation of Privilege - Windows Storage (CVE-2024-43551) - Medium [380]

Description: Windows Storage Elevation of Privilege Vulnerability

57. Remote Code Execution - Microsoft Configuration Manager (CVE-2024-43468) - Medium [380]

Description: Microsoft Configuration Manager Remote Code Execution Vulnerability

Qualys: CVE-2024-43468: Microsoft Configuration Manager Remote Code Execution Vulnerability Microsoft Configuration Manager (ConfigMgr) is a systems management software that helps IT professionals manage large groups of computers and servers. The software deploys operating systems to devices and manages hardware and software inventory. An unauthenticated attacker may exploit this vulnerability by sending specially crafted requests to the target environment, which are processed unsafely. Successful exploitation of the vulnerability may allow the attacker to execute commands on the server and/or underlying database.

Tenable: CVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution Vulnerability

Tenable: CVE-2024-43468 is a RCE in Microsoft Configuration Manager listed as “Exploitation Less Likely” by Micorosft despite having a critical CVSSv3 score of 9.8, the highest in October's Patch Tuesday update. An attacker can leverage this vulnerability without prior authentication by sending a specially crafted request to a vulnerable machine resulting in RCE on the machine or its underlying database.

Rapid7: Somewhat unusually, we’ll take a look at two of the three critical RCEs published today — CVE-2024-43468 and CVE-2024-43582 — before moving on to the arguably somewhat-less- threatening zero-day vulnerabilities patched today.

Rapid7: Microsoft Configuration Manager receives a patch for the only vulnerability published by Microsoft today with a CVSS base score of 9.8. Although Microsoft doesn’t tag it as either publicly disclosed or exploited-in-the-wild, the advisory for CVE-2024-43468 appears to describe a no-interaction, low complexity, unauthenticated network RCE against Microsoft Configuration Manager. Exploitation is achieved by sending specially-crafted malicious requests, and leads to code execution in the context of the Configuration Manager server or its underlying database. The relevant update is installed within the Configuration Manager console, and requires specific administrator actions that Microsoft describes in detail in a generic series of articles. Further information and several specific required steps are described in KB29166583.

Rapid7: Confusingly, this KB29166583 was first published over a month ago on 2024-09-04, and was then subsequently unpublished and republished on 2024-09-18, all without any mention of CVE-2024-43468, which was published only today and which KB29166583 apparently remediates. Defenders should read the available documentation carefully, and then probably read it again for good measure.

Rapid7: Today sees the end of support for Windows 11 22H2 for Home, Pro, Pro Education, Pro for Workstations, and SE editions, as well as for Windows 11 21H2 for Education, Enterprise, and Enterprise multi-session editions. Server 2012 and Server 2012 R2 pass into Year 2 of ESU. Windows Embedded POSReady — the POS stands for Point-of-Sale — receives its final ESU updates today, and that might just be the last gasp for Windows 7 as a whole. As well as patching today’s critical RCE CVE-2024-43468, Intune admins still using Configuration Manager 2303 should look to upgrade to a newer version immediately, because support ends (somewhat unusually) on Thursday this week.

ZDI: CVE-2024-43468 - Microsoft Configuration Manager Remote Code Execution Vulnerability. Not to be confused with MMC, here’s a bug in the Configuration Manager that doesn’t require user interaction. In fact, this CVSS 9.8 bug could be hit by a remote, unauthenticated attacker sending specially crafted requests, resulting in arbitrary code execution on the target server. In addition to the patch, you’ll need to install an in-console update to be protected. Microsoft provides this guide for those affected. This is another example of why the “Just Patch” advice is short-sighted.

58. Security Feature Bypass - Windows Resume Extensible Firmware Interface (CVE-2024-37976) - Medium [377]

Description: Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability

59. Security Feature Bypass - Windows Resume Extensible Firmware Interface (CVE-2024-37982) - Medium [377]

Description: Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability

60. Security Feature Bypass - Windows Resume Extensible Firmware Interface (CVE-2024-37983) - Medium [377]

Description: Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability

61. Elevation of Privilege - Windows Kernel (CVE-2024-43570) - Medium [373]

Description: Windows Kernel Elevation of Privilege Vulnerability

62. Remote Code Execution - Microsoft Excel (CVE-2024-43504) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

63. Remote Code Execution - Microsoft Office Visio (CVE-2024-43505) - Medium [373]

Description: Microsoft Office Visio Remote Code Execution Vulnerability

64. Remote Code Execution - Windows Hyper-V (CVE-2024-30092) - Medium [373]

Description: Windows Hyper-V Remote Code Execution Vulnerability

Tenable: CVE-2024-30092 | RCE | Important | 8 |

65. Remote Code Execution - Microsoft ActiveX Data Objects (CVE-2024-43517) - Medium [369]

Description: Microsoft ActiveX Data Objects Remote Code Execution Vulnerability

66. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2024-43519) - Medium [369]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

67. Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2024-43535) - Medium [368]

Description: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

68. Elevation of Privilege - Windows Local Security Authority (LSA) (CVE-2024-43522) - Medium [368]

Description: Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability

69. Elevation of Privilege - Windows Print Spooler (CVE-2024-43529) - Medium [368]

Description: Windows Print Spooler Elevation of Privilege Vulnerability

70. Memory Corruption - Chromium (CVE-2024-8636) - Medium [365]

Description: Chromium: CVE-2024-8636 Heap buffer overflow in Skia. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-8636 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

71. Memory Corruption - Chromium (CVE-2024-8637) - Medium [365]

Description: Chromium: CVE-2024-8637 Use after free in Media Router. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-8637 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

72. Memory Corruption - Chromium (CVE-2024-8638) - Medium [365]

Description: Chromium: CVE-2024-8638 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-8638 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

73. Memory Corruption - Chromium (CVE-2024-8639) - Medium [365]

Description: Chromium: CVE-2024-8639 Use after free in Autofill. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-8639 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

74. Security Feature Bypass - BitLocker (CVE-2024-43513) - Medium [365]

Description: BitLocker Security Feature Bypass Vulnerability

75. Information Disclosure - Windows Graphics Component (CVE-2024-43534) - Medium [364]

Description: Windows Graphics Component Information Disclosure Vulnerability

76. Information Disclosure - Windows Kerberos (CVE-2024-43547) - Medium [364]

Description: Windows Kerberos Information Disclosure Vulnerability

77. Elevation of Privilege - Microsoft SharePoint (CVE-2024-43503) - Medium [363]

Description: Microsoft SharePoint Elevation of Privilege Vulnerability

Rapid7: A sparse advisory for CVE-2024-43503, which is an elevation of privilege vulnerability which leads to SYSTEM. Advisories for similar vulnerabilities typically describe the specific SharePoint privileges required, but this one does not, so a reasonable assumption might be that the requirement here is simply minimal Site Member privileges.

78. Remote Code Execution - DeepSpeed (CVE-2024-43497) - Medium [357]

Description: DeepSpeed Remote Code Execution Vulnerability

79. Remote Code Execution - Microsoft Speech Application Programming Interface (SAPI) (CVE-2024-43574) - Medium [357]

Description: Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability

80. Remote Code Execution - Remote Desktop Protocol Server (CVE-2024-43582) - Medium [357]

Description: Remote Desktop Protocol Server Remote Code Execution Vulnerability

Qualys: CVE-2024-43582: Remote Desktop Protocol Server Remote Code Execution Vulnerability Remote DesktopProtocol (RDP) is a secure network communication protocol that allows users to access and control a computer remotely through a network connection. RDP is a technical standard for remote desktop software that is available for most Windows and Mac operating systems. To exploit the vulnerability, an unauthenticated attacker must send malicious packets to a RPC host. Successful exploitation of the vulnerability may result in remote code execution on the server side with the same permissions as the RPC service.

Rapid7: Somewhat unusually, we’ll take a look at two of the three critical RCEs published today — CVE-2024-43468 and CVE-2024-43582 — before moving on to the arguably somewhat-less- threatening zero-day vulnerabilities patched today.

Rapid7: Any RDP Server critical RCE is worth patching quickly. CVE-2024-43582 is a pre-auth critical RCE in the Remote Desktop Protocol Server. Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset. One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly.

ZDI: CVE-2024-43582 - Remote Desktop Protocol Server Remote Code Execution Vulnerability. This bug also allows a remote, unauthenticated attacker to gain arbitrary code execution at elevated levels simply by sending specially crafted RPC requests. Microsoft notes that the attacker would need to win a race condition, but we’ve seen plenty of successful Pwn2Own entries win race conditions. While this bug is wormable, it’s unlikely to actually result in a worm. RPC should be blocked at your perimeter, and it isn’t, now’s a good time to check. That limits this to internal systems only, but it could be used for lateral movement within an enterprise.

81. Elevation of Privilege - Dynamics 365 Business Central (CVE-2024-43460) - Medium [354]

Description: {'ms_cve_data_all': 'Dynamics 365 Business Central Elevation of Privilege Vulnerability. Improper authorization in Dynamics 365 Business Central resulted in a vulnerability that allows an authenticated attacker to elevate privileges over a network.\n', 'nvd_cve_data_all': 'Improper authorization in Dynamics 365 Business Central resulted in a vulnerability that allows an authenticated attacker to elevate privileges over a network.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Improper authorization in Dynamics 365 Business Central resulted in a vulnerability that allows an authenticated attacker to elevate privileges over a network.', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2024-43460 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

82. Denial of Service - Windows Network Address Translation (NAT) (CVE-2024-43562) - Medium [353]

Description: Windows Network Address Translation (NAT) Denial of Service Vulnerability

83. Denial of Service - Windows Network Address Translation (NAT) (CVE-2024-43565) - Medium [353]

Description: Windows Network Address Translation (NAT) Denial of Service Vulnerability

84. Denial of Service - Windows Online Certificate Status Protocol (OCSP) Server (CVE-2024-43545) - Medium [353]

Description: Windows Online Certificate Status Protocol (OCSP) Server Denial of Service Vulnerability

85. Memory Corruption - Chromium (CVE-2024-8194) - Medium [353]

Description: Chromium: CVE-2024-8194 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-8194 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

86. Memory Corruption - Chromium (CVE-2024-8198) - Medium [353]

Description: Chromium: CVE-2024-8198 Heap buffer overflow in Skia. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-8198 was published before October 2024 Patch Tuesday from 2024-09-11 to 2024-10-07

87. Information Disclosure - Windows Cryptographic (CVE-2024-43546) - Medium [352]

Description: Windows Cryptographic Information Disclosure Vulnerability

88. Information Disclosure - Windows Graphics Component (CVE-2024-43508) - Medium [352]

Description: Windows Graphics Component Information Disclosure Vulnerability

89. Information Disclosure - Windows Kernel-Mode Driver (CVE-2024-43554) - Medium [352]

Description: Windows Kernel-Mode Driver Information Disclosure Vulnerability

90. Information Disclosure - Windows Resilient File System (ReFS) (CVE-2024-43500) - Medium [352]

Description: Windows Resilient File System (ReFS) Information Disclosure Vulnerability

91. Remote Code Execution - Azure Service Fabric for Linux (CVE-2024-43480) - Medium [345]

Description: Azure Service Fabric for Linux Remote Code Execution Vulnerability

92. Remote Code Execution - Visual Studio Code for Linux (CVE-2024-43601) - Medium [345]

Description: Visual Studio Code for Linux Remote Code Execution Vulnerability

93. Elevation of Privilege - Azure Command Line Integration (CLI) (CVE-2024-43591) - Medium [342]

Description: Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability

94. Elevation of Privilege - Azure Stack Hyperconverged Infrastructure (HCI) (CVE-2024-38179) - Medium [342]

Description: Azure Stack Hyperconverged Infrastructure (HCI) Elevation of Privilege Vulnerability

95. Elevation of Privilege - Remote Registry Service (CVE-2024-43532) - Medium [342]

Description: Remote Registry Service Elevation of Privilege Vulnerability

96. Denial of Service - Windows Mobile Broadband Driver (CVE-2024-43537) - Medium [341]

Description: Windows Mobile Broadband Driver Denial of Service Vulnerability

97. Denial of Service - Windows Mobile Broadband Driver (CVE-2024-43538) - Medium [341]

Description: Windows Mobile Broadband Driver Denial of Service Vulnerability

98. Denial of Service - Windows Mobile Broadband Driver (CVE-2024-43540) - Medium [341]

Description: Windows Mobile Broadband Driver Denial of Service Vulnerability

99. Denial of Service - Windows Mobile Broadband Driver (CVE-2024-43542) - Medium [341]

Description: Windows Mobile Broadband Driver Denial of Service Vulnerability

100. Denial of Service - Windows Mobile Broadband Driver (CVE-2024-43555) - Medium [341]

Description: Windows Mobile Broadband Driver Denial of Service Vulnerability

101. Denial of Service - Windows Mobile Broadband Driver (CVE-2024-43557) - Medium [341]

Description: Windows Mobile Broadband Driver Denial of Service Vulnerability