Breaking Down the Latest November 2024 Patch Tuesday Report

Microsoft has kicked off November by disclosing fixes for 89 vulnerabilities across Windows, Office, Exchange Server, Azure, Dynamics, and other products. This release addresses concerns rated as Critical for four flaws while giving an Important ranking to 82 bugs and one rated as Moderate. The updates include patches for four zero-day vulnerabilities, with two being actively exploited in the wild.

The four zero-days are a Windows Task Scheduler elevation of privilege vulnerability (CVE-2024-49039) and NTLM Hash Disclosure spoofing vulnerability (CVE-2024-43451) that are being actively exploited, along with a publicly disclosed Active Directory Certificate Services elevation of privilege vulnerability (CVE-2024-49019) and Microsoft Exchange Server spoofing vulnerability (CVE-2024-49040).

The Critical flaws include a remote code execution vulnerability in Windows Kerberos (CVE-2024-43639), elevation of privilege vulnerabilities in Microsoft Windows VMSwitch (CVE-2024-43625) and Airlift.microsoft.com (CVE-2024-49056), and a remote code execution vulnerability in .NET and Visual Studio (CVE-2024-43498).

Additional key fixes address various remote code execution vulnerabilities in SQL Server Native Client, Windows Telephony Service, Microsoft Office applications and other components. There are also multiple elevation of privilege flaws in Windows kernel components, and spoofing vulnerabilities in Microsoft Exchange Server.

In this monthly report, we'll analyze severity ratings, exploitation vectors, and remediation advice to help prioritize patching. Whether you manage Windows clients and servers or cloud-based services, applying these latest critical and important updates helps secure environments from emerging threats.

Update for Windows 11 users: Microsoft has published KB5046617 for Windows 11. Visit [this page] to learn what is there in the KB5046617 update.

Update for Windows 10 users: Microsoft has published KB5046613 for Windows 10. Visit [this page] to learn what is there in the KB5046613 update.

Key Highlights - Patch Tuesday November 2024

In November's Patch Tuesday, Microsoft addressed 89 flaws, including four zero-day vulnerabilities, two of which were actively exploited in the wild. This update included patches across categories like elevation of privilege, remote code execution, spoofing, denial of service, security feature bypass, and information disclosure vulnerabilities.

The key affected products in this release span Microsoft's ecosystem, including Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, Windows Hyper-V, and Microsoft Edge. It is crucial for administrators and end users to apply these security updates promptly to protect their systems from these vulnerabilities.

Key Highlights are:

3. Vulnerability Types: The vulnerabilities addressed include:

4. Zero-Day Threats: The four zero-day vulnerabilities include:

5. Critical-Rated Bugs: Other notable critical issues include multiple remote code execution vulnerabilities in SQL Server Native Client and Windows Telephony Service.

6. Non-Critical Notables: Important-rated vulnerabilities include elevation of privilege flaws in Windows kernel components, information disclosure in Windows Package Library Manager, and multiple spoofing vulnerabilities in Microsoft Exchange Server.

Zero-day Vulnerabilities Patched in November 2024

Microsoft addressed four zero-day vulnerabilities in the November 2024 Patch Tuesday release. Out of these, two vulnerabilities (CVE-2024-49039 and CVE-2024-43451) were being actively exploited in the wild, while three were publicly disclosed. Let's examine each of these vulnerabilities in detail:

CVE-2024-43451 - NTLM Hash Disclosure Spoofing Vulnerability

This vulnerability allows an attacker to obtain a user's NTLMv2 hash, which could then be used to authenticate as the user. The attack requires minimal interaction with a malicious file, such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file.

Microsoft notes that this vulnerability was both publicly disclosed and actively exploited in the wild. CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog and urges users to patch before December 3, 2024.

CVE-2024-49039 - Windows Task Scheduler Elevation of Privilege Vulnerability

This vulnerability allows an authenticated attacker to execute RPC functions that are normally restricted to privileged accounts. The attack could be performed from a low privilege AppContainer, and successful exploitation would allow attackers to elevate their privileges and execute code at a higher integrity level than that of the AppContainer execution environment.

The flaw was discovered by Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group and is being actively exploited in the wild. CISA has added this to their Known Exploited Vulnerabilities Catalog with a remediation date of October 29, 2024.

CVE-2024-49019 - Active Directory Certificate Services Elevation of Privilege Vulnerability

This vulnerability allows attackers to gain domain administrator privileges by abusing built-in default version 1 certificate templates. The vulnerability affects environments where certificates are created using a version 1 certificate template with the source of subject name set to "Supplied in the request" and Enroll permissions granted to a broader set of accounts.

The flaw was discovered by Lou Scicchitano, Scot Berner, and Justin Bollinger with TrustedSec, who disclosed the "EKUwu" vulnerability in October. Microsoft assesses future exploitation of this vulnerability as "more likely."

CVE-2024-49040 - Microsoft Exchange Server Spoofing Vulnerability

This vulnerability allows threat actors to spoof the sender's email address in emails to local recipients. The vulnerability is caused by the current implementation of the P2 FROM header verification in transport.

Starting with this month's Microsoft Exchange security updates, Microsoft is now detecting and flagging spoofed emails with an alert prepended to the email body. The flaw was discovered by Slonser at Solidlab, who publicly disclosed it. Patches are available for Exchange 2019 CU13 and CU14, as well as Exchange 2016 CU23.

Critical Vulnerabilities Patched in November 2024

Four vulnerabilities have been rated as Critical in the November 2024 Patch Tuesday release. Let's examine each of these critical vulnerabilities in detail:

CVE-2024-43639 - Windows Kerberos Remote Code Execution Vulnerability

Windows Kerberos is a protocol that verifies user and host identities on a network. Kerberos uses a Key Distribution Center (KDC) and symmetric key cryptography to authenticate users. An unauthenticated attacker could use a specially crafted application to exploit a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.

While Microsoft rates this bug as "Exploitation Less Likely," the high CVSS score and the potential for unauthenticated remote code execution make this a priority for patching.

CVE-2024-43625 - Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

A Microsoft Windows VMSwitch, or virtual switch, is a software program that allows virtual machines (VMs) to communicate with each other and physical networks. VMSwitches are available in Hyper-V Manager when the Hyper-V server role is installed.

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and prepare the target environment. Upon successful exploitation, an attacker may gain SYSTEM privileges.

CVE-2024-49056 - Airlift.microsoft.com Elevation of Privilege Vulnerability

The authentication bypass vulnerability by assumed-immutable data on airlift.microsoft.com may allow an authorized attacker to elevate privileges over a network. Microsoft has provided limited details about the exploitation methods or potential impact.

CVE-2024-43498 - .NET and Visual Studio Remote Code Execution Vulnerability

This vulnerability could allow a remote unauthenticated attacker to execute code by either:

The CVSS v3 base score of 9.8 reflects the critical nature of this vulnerability, as it requires no privileges or user interaction and can be exploited with low attack complexity. While Microsoft assesses exploitation as less likely, the potential for unauthenticated network-based attacks makes this a high-priority patch.

Vulnerabilities by Category

In total, 89 vulnerabilities were addressed in November's Patch Tuesday. Remote code execution issues top the list with 52 patches, followed by elevation of privilege vulnerabilities at 26 occurrences. The rest consist of spoofing, denial of service, security feature bypass, and information disclosure vulnerabilities.

Here is the breakdown of the categories patched this month:

Here is a table with the vulnerability categories and associated CVE IDs from Microsoft's November 2024 Patch Tuesday:

List of Products Patched in November 2024 Patch Tuesday Report

Microsoft's November 2024 Patch Tuesday includes updates for a wide range of its products, applications, and services. Here are the applications and product components that received patches:

Complete List of Vulnerabilities Patched in November 2024 Patch Tuesday.

Download the complete list of vulnerabilities by products patched in November 2024 Patch Tuesday here. 

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

Mariner System Center vulnerabilities

Microsoft Office vulnerabilities

Open Source Software vulnerabilities

SQL Server vulnerabilities

Server Software vulnerabilities

Windows vulnerabilities

Bottom Line

Microsoft's November 2024 Patch Tuesday addressed 89 total vulnerabilities, headlined by fixes for four zero-day flaws, two of which were actively exploited in the wild:

The release included four critical vulnerabilities:

In total, the vulnerabilities addressed were categorized as follows:

The extensive patch load stresses the importance of continuous monitoring, vulnerability management, and updating to counter sophisticated multi-stage attacks targeting enterprise networks. Prioritizing remediation efforts by potential business impact is crucial.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website [website_name] or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

Overall, this month's patches reflect Microsoft's continued commitment to addressing security vulnerabilities across its product portfolio, with particular emphasis on remote code execution and privilege escalation flaws. Organizations should prioritize the actively exploited zero-days and critical vulnerabilities in their patch deployment strategy.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles: