Microsoft has released its June 2024 Patch Tuesday security updates, addressing 58 vulnerabilities across various products. This month's release includes patches for one critical vulnerability, 50 important vulnerabilities, and one actively exploited zero-day vulnerability.
The June 2024 Patch Tuesday covers a range of Microsoft products and services, including Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, and Microsoft Edge. Of particular note is a critical remote code execution vulnerability in Microsoft Message Queuing (MSMQ) and an actively exploited zero-day vulnerability in the DNS protocol.
This month's leading vulnerability categories are elevation of privilege (25 vulnerabilities), remote code execution (18 vulnerabilities), and denial of service (5 vulnerabilities). Microsoft Windows received the most patches this month with 33 vulnerabilities addressed.
In this article, we'll break down the key highlights of the June 2024 Patch Tuesday report, focusing on the most critical vulnerabilities and their potential impact on users and administrators. We'll also provide guidance on prioritizing these patches to help maintain the security of your systems.
Microsoft's June 2024 Patch Tuesday addressed 58 vulnerabilities, including one actively exploited zero-day vulnerability. This update included patches for a variety of vulnerability types such as elevation of privilege, remote code execution, denial of service, and information disclosure across Microsoft's product range.
Key highlights are:
- Total Flaws and Zero-Day Vulnerability: The June update includes 58 flaws, with one zero-day vulnerability (CVE-2023-50868) that was being actively exploited in the wild.
- Critical Vulnerability: One critical vulnerability (CVE-2024-30080) affecting Microsoft Message Queuing (MSMQ) was patched, with a CVSS score of 9.8.
- Variety of Vulnerability Types: The vulnerabilities addressed include 25 Elevation of Privilege vulnerabilities, 18 Remote Code Execution vulnerabilities, 5 Denial of Service vulnerabilities, and 3 Information Disclosure vulnerabilities.
- Actively Exploited Zero-Day: CVE-2023-50868, a denial-of-service vulnerability in the DNS protocol, was disclosed in February and is now patched across numerous DNS implementations.
- Notable Critical-Rated Bug: The critical MSMQ vulnerability (CVE-2024-30080) could allow an unauthenticated attacker to execute arbitrary code on the MSMQ Server.
- Affected Products: Key affected products include Windows, Office, Exchange Server, Azure, Dynamics 365, .NET Framework, and Microsoft Edge (Chromium-based).
This June's Patch Tuesday highlights Microsoft's ongoing commitment to addressing security vulnerabilities across its wide range of products. Administrators and users are advised to apply these security updates promptly to protect their systems from potential exploits.
In June 2024, Microsoft addressed one zero-day vulnerability that was being actively exploited in the wild:

| CVE ID | Title | Exploited? | Publicly disclosed? | CVSSv3 Base Score | Severity |
|---|---|---|---|---|---|
| CVE-2023-50868 | MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU | Yes | Yes | 7.5 | Important |

- Vulnerability Type: Denial of Service (DoS)
- Affected Product: DNS protocol
- CVSS v3 Base Score: 7.5
- Severity Rating: Important
This vulnerability exists in DNSSEC validation and could allow an attacker to exploit standard DNSSEC protocols intended for DNS integrity. By using excessive resources on a resolver, the attacker can cause a denial of service for legitimate users.
The vulnerability is present in the DNSSEC specification itself, and Microsoft's implementation of DNSSEC is subject to the same attack as other implementations. An attacker can exhaust CPU resources on a DNSSEC-validating DNS resolver by demanding responses from a DNSSEC-signed zone, if the resolver uses NSEC3 to respond to the request.
NSEC3 is designed to provide a safe way for a DNSSEC-validating DNS resolver to indicate that a requested resource does not exist. Under certain circumstances, the DNS resolver must perform thousands of iterations of a hash function to calculate an NSEC3 response, which forms the foundation of this DoS exploit.
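
The iterated hashing described above, as an added PowerShell example that is not from Microsoft's advisory or the original article: it implements the NSEC3 hash defined in RFC 5155 (SHA-1 over the wire-format owner name plus salt, re-hashed once per iteration) and times it at several iteration counts. The function name `Get-Nsec3Hash`, the name `host.example.com`, the salt and the iteration values are constructed for illustration.

```powershell
# Added example: RFC 5155 NSEC3 hash, showing how work grows with the iteration count.
function Get-Nsec3Hash {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [byte[]] $Salt = [byte[]]@(),
        [int] $Iterations = 0
    )
    # Owner name in canonical wire format: lowercase, length-prefixed labels, root byte.
    $wire = [System.Collections.Generic.List[byte]]::new()
    foreach ($label in $Name.ToLowerInvariant().Trim('.').Split('.')) {
        if (-not $label) { continue }            # skip empty labels (root name)
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $wire.Add([byte]$bytes.Length)
        $wire.AddRange([byte[]]$bytes)
    }
    $wire.Add([byte]0)

    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        # IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
        $digest = $sha1.ComputeHash([byte[]]($wire.ToArray() + $Salt))
        for ($i = 0; $i -lt $Iterations; $i++) {
            $digest = $sha1.ComputeHash([byte[]]($digest + $Salt))
        }
    } finally {
        $sha1.Dispose()
    }

    # Base32hex without padding, as used for NSEC3 owner names (160 bits -> 32 chars).
    $alphabet = '0123456789abcdefghijklmnopqrstuv'
    $acc = 0; $bits = 0; $text = ''
    foreach ($b in $digest) {
        $acc = ($acc -shl 8) -bor $b
        $bits += 8
        while ($bits -ge 5) {
            $bits -= 5
            $text += $alphabet[($acc -shr $bits) -band 31]
        }
        $acc = $acc -band ((1 -shl $bits) - 1)
    }
    [pscustomobject]@{ Hash = $text; Sha1Calls = $Iterations + 1 }
}

# Constructed inputs: the name, salt and iteration counts are illustrative only.
$salt = [byte[]](0xAA, 0xBB, 0xCC, 0xDD)
foreach ($n in 0, 150, 2500) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $r  = Get-Nsec3Hash -Name 'host.example.com' -Salt $salt -Iterations $n
    $sw.Stop()
    [pscustomobject]@{
        Iterations   = $n
        Sha1Calls    = $r.Sha1Calls
        Milliseconds = [math]::Round($sw.Elapsed.TotalMilliseconds, 3)
        Hash         = $r.Hash
    }
}
```

`Sha1Calls` grows linearly with the zone's iteration count, and a validating resolver repeats this work for every name it has to hash while checking a proof.
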
Interestingly, this vulnerability was disclosed on February 13, 2024, by researchers from the German National Research Centre for Applied Cybersecurity (ATHENE). Microsoft's advisory doesn't provide insight into why this vulnerability wasn't patched sooner, but it's possible that Microsoft assessed it as less urgent than other vulnerabilities.
All current versions of Windows Server receive a patch for this vulnerability. Administrators should prioritize applying this update, especially for systems running DNSSEC-validating DNS resolvers.
Microsoft addressed one critical vulnerability in the June 2024 Patch Tuesday release:

| CVE ID | Title | Exploited? | Publicly disclosed? | CVSSv3 Base Score | Severity |
|---|---|---|---|---|---|
| CVE-2024-30080 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | No | 9.8 | Critical |

- Vulnerability Type: Remote Code Execution (RCE)
- Affected Product: Microsoft Message Queuing (MSMQ)
- CVSS v3 Base Score: 9.8
- Severity Rating: Critical
This critical remote code execution vulnerability affects the Microsoft Message Queuing (MSMQ) service. MSMQ is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages).
To exploit this vulnerability, an attacker must send a specially crafted malicious packet to an MSMQ server. The Windows message queuing service needs to be enabled, and network traffic allowed on TCP port 1801, for an attacker to successfully exploit this vulnerability on a target system.
Key points about this vulnerability:
- The attacker does not need to be authenticated to take advantage of this vulnerability.
- It has a low attack complexity, making it a particularly severe issue.
- Successful exploitation would allow an attacker to execute arbitrary code on the MSMQ Server.
- The code execution is presumably in a SYSTEM context, although the advisory does not specify.
Microsoft urges customers to check whether they are potentially vulnerable by looking to see if the service named Message Queuing is enabled and TCP port 1801 is listening on the machine.
As is typical of MSMQ RCE vulnerabilities, CVE-2024-30080 receives a high CVSSv3 base score due to the network attack vector, low attack complexity, and lack of required privileges.
It's important to note that while the Windows message queuing service is not enabled by default, a number of applications – including Microsoft Exchange – may quietly introduce MSMQ as part of their own installation routine.
Given the critical nature of this vulnerability and its high CVSS score, administrators should prioritize patching systems with MSMQ enabled or disable the service if it's not required.
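
One way to run the check Microsoft describes (service present, TCP port 1801 listening) on a server, as an added PowerShell example that is not part of the original article or of Microsoft's advisory. The function name `Get-MsmqExposure` and the verdict strings are hypothetical; `MSMQ` is the service name behind the "Message Queuing" display name.

```powershell
# Added example: local MSMQ exposure check for CVE-2024-30080 triage.
# Run in an elevated PowerShell session on the server being assessed.
function Get-MsmqExposure {
    [CmdletBinding()]
    param([int] $Port = 1801)

    # 'MSMQ' is the service name behind the "Message Queuing" display name.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Sockets in LISTEN state on the MSMQ port, plus the processes that own them.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    $owners = @($listeners | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Sort-Object -Unique)

    # Enabled inbound allow rules that name the port explicitly.
    # Rules scoped to 'Any' port or to a port range are not matched here.
    $rules = @(Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    $verdict = if ($listeners.Count -gt 0) {
        'MSMQ port is listening: patch now; restrict or disable if not required'
    } elseif ($svc) {
        'MSMQ installed but not listening: patch, and confirm it is needed'
    } else {
        'MSMQ not installed'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServiceInstalled  = [bool]$svc
        ServiceStatus     = if ($svc) { $svc.Status } else { $null }
        StartType         = if ($svc) { $svc.StartType } else { $null }
        ListenAddresses   = @($listeners | ForEach-Object LocalAddress | Sort-Object -Unique)
        OwningProcesses   = $owners
        InboundAllowRules = @($rules | ForEach-Object DisplayName)
        Verdict           = $verdict
    }
}

Get-MsmqExposure | Format-List

# If MSMQ is not required, the article's other option is to disable the service:
#   Stop-Service -Name MSMQ -Force
#   Set-Service  -Name MSMQ -StartupType Disabled
```

A host that reports the service as installed even though nobody enabled it deliberately is the case the article warns about, where another product's installer added MSMQ.
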
In total, 58 vulnerabilities were addressed in June's Patch Tuesday. Elevation of privilege vulnerabilities lead the count this month, followed closely by remote code execution flaws. Here is the breakdown of the categories patched this month:
- Elevation of Privilege - 25
- Remote Code Execution - 18
- Denial of Service - 5
- Information Disclosure - 3
- Security Feature Bypass - 3
- Spoofing - 4
Elevation of privilege vulnerabilities continue to be prevalent, representing 43% of the June updates. These vulnerabilities, if exploited, could allow attackers to gain higher levels of access on compromised systems.
Remote code execution vulnerabilities are the second most common, accounting for 31% of this month's fixes. Successful exploitation of these could enable attackers to run arbitrary code on targeted systems.
While less frequent, denial of service, information disclosure, security feature bypass, and spoofing flaws should also be addressed promptly as they can be leveraged in attack chains or to facilitate further compromise.
Here is a table with the vulnerability categories and associated CVE IDs from Microsoft's June 2024 Patch Tuesday:

| Vulnerability Category | CVE IDs |
|---|---|
| Elevation of Privilege | CVE-2024-30082, CVE-2024-30084, CVE-2024-30085, CVE-2024-30086, CVE-2024-30087, CVE-2024-30088, CVE-2024-30089, CVE-2024-30091, CVE-2024-30093, CVE-2024-30099, CVE-2024-35248, CVE-2024-35250, CVE-2024-35253, CVE-2024-35254, CVE-2024-35255, CVE-2024-35265, CVE-2024-37325 (and 8 others) |
| Remote Code Execution | CVE-2024-30062, CVE-2024-30063, CVE-2024-30072, CVE-2024-30077, CVE-2024-30078, CVE-2024-30080, CVE-2024-30094, CVE-2024-30095, CVE-2024-30097, CVE-2024-30100, CVE-2024-30101, CVE-2024-30102, CVE-2024-30103, CVE-2024-30104, CVE-2024-35249 (and 3 others) |
| Denial of Service | CVE-2023-50868, CVE-2024-30065, CVE-2024-30070, CVE-2024-30083, CVE-2024-35252 |
| Information Disclosure | CVE-2024-30069, CVE-2024-30096, CVE-2024-35263 |
| Security Feature Bypass | CVE-2024-29060, CVE-2024-30052, CVE-2024-35255 |
| Spoofing | CVE-2024-30057, CVE-2024-30058, CVE-2024-35255, CVE-2024-35263 |

Microsoft's June 2024 Patch Tuesday includes updates for a wide range of its products, applications, and services. Here are the key products and components that received patches:

| Product Name | No. of Vulnerabilities Patched |
|---|---|
| Windows | 33 |
| Azure | 5 |
| Microsoft Office | 5 |
| Microsoft Edge (Chromium-based) | 7 |
| Visual Studio | 2 |
| Windows Server Service | 1 |
| Windows Distributed File System (DFS) | 1 |
| Windows Kernel | 4 |
| Windows Themes | 1 |
| Microsoft Dynamics | 3 |
| Windows Cloud Files Mini Filter Driver | 1 |
| Windows Win32 Kernel Subsystem | 1 |
| Microsoft Streaming Service | 2 |
| Windows Cryptographic Services | 1 |
| Windows Remote Access Connection Manager | 1 |
| Windows Perception Service | 1 |
| Windows Container Manager Service | 1 |
| Microsoft Message Queuing (MSMQ) | 1 |
| Windows Wi-Fi Driver | 1 |
| Windows OLE | 1 |
| Windows Standards-Based Storage Management Service | 2 |
| Windows Routing and Remote Access Service (RRAS) | 2 |
| Win32k | 3 |
| DHCP Server Service | 1 |
| Windows Storage | 1 |
| Winlogon | 2 |
| Microsoft Speech Application Programming Interface (SAPI) | 1 |

Download the complete list of vulnerabilities by products patched in July 2024 Patch Tuesday here.

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerability | No | No | 8.1 |
| | Azure Storage Movement Client Library Denial of Service Vulnerability | No | No | 7.5 |
| | Azure Monitor Agent Elevation of Privilege Vulnerability | No | No | 7.1 |
| | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability | No | No | 5.5 |
| | Microsoft Azure File Sync Elevation of Privilege Vulnerability | No | No | 4.4 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Chromium: CVE-2024-5499 Out of bounds write in Streams API | No | No | N/A |
| | Chromium: CVE-2024-5498 Use after free in Presentation API | No | No | N/A |
| | Chromium: CVE-2024-5497 Out of bounds memory access in Keyboard Inputs | No | No | N/A |
| | Chromium: CVE-2024-5496 Use after free in Media Session | No | No | N/A |
| | Chromium: CVE-2024-5495 Use after free in Dawn | No | No | N/A |
| | Chromium: CVE-2024-5494 Use after free in Dawn | No | No | N/A |
| | Chromium: CVE-2024-5493 Heap buffer overflow in WebRTC | No | No | N/A |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | GitHub: CVE-2024-29187 WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM | No | No | 7.3 |
| | Visual Studio Elevation of Privilege Vulnerability | No | No | 6.7 |
| | Visual Studio Remote Code Execution Vulnerability | No | No | 4.7 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability | No | No | 8 |
| | Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability | No | No | 8 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Dynamics 365 Business Central Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | No | No | 7.3 |
| | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | No | No | 5.7 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 8.8 |
| | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.5 |
| | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.3 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.8 |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 8.8 |
| | Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability | No | No | 8.8 |
| | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Microsoft Streaming Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability | No | No | 7.8 |
| | Windows Perception Service Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 6.8 |
| | Windows Cryptographic Services Information Disclosure Vulnerability | No | No | 5.5 |
| | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 4.7 |


| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | No | 9.8 |
| | Windows Wi-Fi Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| | Windows OLE Remote Code Execution Vulnerability | No | No | 8 |
| | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Standards-Based Storage Management Service Remote Code Execution Vulnerability | No | No | 7.8 |
| | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.8 |
| | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.8 |
| | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | No | No | 7.5 |
| | MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU | No | Yes | 7.5 |
| | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5 |
| | Windows Storage Elevation of Privilege Vulnerability | No | No | 7.3 |
| | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7 |
| | Microsoft Streaming Service Elevation of Privilege Vulnerability | No | No | 7 |
| | Windows Distributed File System (DFS) Remote Code Execution Vulnerability | No | No | 6.7 |
| | Winlogon Elevation of Privilege Vulnerability | No | No | 5.5 |
| | Winlogon Elevation of Privilege Vulnerability | No | No | 5.5 |
| | Windows Themes Denial of Service Vulnerability | No | No | 5.5 |

Microsoft's June 2024 Patch Tuesday addressed a total of 58 vulnerabilities, including one critical vulnerability and one actively exploited zero-day. This release underscores Microsoft's ongoing commitment to securing its wide range of products against evolving cybersecurity threats.
Key points from this month's updates include:
- Total Vulnerabilities: 58 vulnerabilities were patched, with 1 rated Critical, 50 rated Important, and 7 moderate.
- Zero-Day Vulnerability: One zero-day vulnerability (CVE-2023-50868) affecting the DNS protocol was patched. This vulnerability was being actively exploited in the wild.
- Critical Vulnerability: A critical remote code execution vulnerability (CVE-2024-30080) in Microsoft Message Queuing (MSMQ) was addressed, with a high CVSS score of 9.8.
- Vulnerability Types: The most common vulnerability types were Elevation of Privilege (25), Remote Code Execution (18), and Denial of Service (5).
- Affected Products: A wide range of Microsoft products received updates, with Windows having the most patches (33).
- Notable Vulnerabilities: Alongside the critical MSMQ vulnerability, other significant issues included remote code execution flaws in Office applications and Windows components.
Here's a summary table of the June 2024 Patch Tuesday updates:

| Severity | Number of Vulnerabilities |
|---|---|
| Important | 50 |
| Moderate | 7 |
| Critical | 1 |
| Total | 58 |

This Patch Tuesday emphasizes the importance of prompt patching, especially for the critical MSMQ vulnerability and the actively exploited zero-day. Organizations should prioritize these updates based on their specific risk profiles and the criticality of affected systems.
As always, it's recommended to test these patches in a controlled environment before deploying them across production systems. Continuous monitoring and a robust vulnerability management program remain crucial for maintaining a strong security posture against emerging threats.
We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.