Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs


  1. 1Critical
  2. 48Important
  3. 0Moderate
  4. 0Low

Microsoft addresses 49 CVEs in its June 2024 Patch Tuesday release with one rated as critical and no zero-day or publicly disclosed vulnerabilities. Our counts omitted two CVEs that were not issued by Microsoft, which include CVE-2023-50868 (issued by MITRE) and CVE-2024-29187 (issued by GitHub).

Microsoft patched 49 CVEs in its June 2024 Patch Tuesday release, with one rated critical and 48 rated as important

.

This month’s update includes patches for:

  • Azure Data Science Virtual Machines
  • Azure File Sync
  • Azure Monitor
  • Azure SDK
  • Azure Storage Library
  • Dynamics Business Central
  • Microsoft Dynamics
  • Microsoft Office
  • Microsoft Office Outlook
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Streaming Service
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows Speech
  • Visual Studio
  • Windows Cloud Files Mini Filter Driver
  • Windows Container Manager Service
  • Windows Cryptographic Services
  • Windows DHCP Server
  • Windows Distributed File System (DFS)
  • Windows Event Logging Service
  • Windows Kernel
  • Windows Kernel-Mode Drivers
  • Windows Link Layer Topology Discovery Protocol
  • Windows NT OS Kernel
  • Windows Perception Service
  • Windows Remote Access Connection Manager
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Server Service
  • Windows Standards-Based Storage Management Service
  • Windows Storage
  • Windows Themes
  • Windows Wi-Fi Driver
  • Windows Win32 Kernel Subsystem
  • Windows Win32K GRFX
  • Winlogon

A bar chart showing the distribution of CVEs based on impact, with Elevation of Privilege accounting for nearly half (24) flaws in the June 2024 release, followed by Remote Code Execution (18), Denial of Service (4) and Information Disclosure (3).

Elevation of Privilege (EoP) vulnerabilities accounted for 49% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) at 36.7%.

CVE-2024-30080 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

CVE-2024-30080 is a RCE vulnerability in the Microsoft Message Queuing (MSMQ) component of Windows operating systems that was assigned a CVSSv3 score of 9.8 and rated critical. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted packet to a vulnerable target. Microsoft rates this vulnerability as “Exploitation More Likely” according to the Microsoft Exploitability Index.

In order for a system to be vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service named “Message Queueing” will be running on TCP port 1801. Tenable customers can use Plugin 174933 to identify systems that have this service running.

CVE-2024-30080 is the fourth RCE affecting MSMQ patched in 2024, with two addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in Februrary’s Patch Tuesday (CVE-2024-21363) release.

CVE-2024-30082, CVE-2024-30087 and CVE-2024-30091 | Win32k Elevation of Privilege Vulnerability

CVE-2024-30064, CVE-2024-30068, CVE-2024-30088 and CVE-2024-30099 | Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-30064, CVE-2024-30068, CVE-2024-30088, CVE-2024-30099 are EoP vulnerabilities affecting the Windows Kernel. These vulnerabilities are all rated as important, and two of the four were assigned a CVSSv3 score of 7.0 while CVE-2024-30064 and CVE-2024-30068 were assigned a CVSSv3 score of 8.8. Despite the higher CVSS scores, CVE-2024-30064 and CVE-2024-30068 were both rated as “Exploitation Less Likely,” while the other two flaws were rated as “Exploitation More Likely.” Successful exploitation of these vulnerabilities could lead to an attacker gaining elevated privileges and Microsoft’s advisories for CVE-2024-30068, CVE-2024-30088 and CVE-2024-30099 make mention that an attacker could gain SYSTEM privileges.

CVE-2024-30085 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

CVE-2024-30085 is an EoP vulnerability in the Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys). It was assigned a CVSSv3 score of 7.8 and is rated as important. Additionally, Microsoft rates this flaw as “Exploitation More Likely.” An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges to SYSTEM. This is the second EoP affecting Windows Cloud Files Mini Filter Driver patched in 2024. The first was CVE-2024-21310 which was patched as part of the January 2024 Patch Tuesday release.

CVE-2024-30089 | Microsoft Streaming Service Elevation of Privilege Vulnerability

CVE-2024-30089 is an EoP vulnerability in the Microsoft Streaming Service. It was assigned a CVSSv3 score of 7.8 and is rated as important. An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges to SYSTEM.

It is credited to Valentina Palmiotti, a security researcher at IBM X-Force. Palmiotti is also credited with discovering CVE-2023-36802, a separate flaw in the Microsoft Streaming Service that was exploited in the wild.

Windows 10 21H2 End Of Life

Microsoft announced that Windows 10 21H2 has reached its end of life for Enterprise, Education, IoT Enterprise, and Enterprise multi-session editions. This means that users of these versions of Windows 10 21H2 will no longer receive security updates and should upgrade as soon as possible. Plugin ID 192847 can be used to identify hosts that have unsupported installations of Windows 10 version 21H2.

ZDI-24-581 | Microsoft Azure SQL Managed Instance Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability

On June 6, 2024, Trend Micro’s Zero Day Initiative (ZDI) published an advisory detailing a vulnerability relating to Managed MS SQL Server Instances within Azure. While not directly related to the June 2024 Patch Tuesday release, Tenable has received some inbound requests seeking clarification on ZDI’s advisory.

The ZDI advisory is titled “Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability” and states that the reported flaw is specific to the permissions granted to a shared access signature (SAS) token.

As information in the advisory is vague and there has been no corresponding publication from Microsoft, we can only speculate as to the actual issue being disclosed here. In an effort to provide some clarity to our customers, Tenable Research was able to put together the following timeline:

  • October 3, 2023 – ZDI reported an issue to MSRC detailing a flaw in the documentation for Microsoft Azure SQL Managed Instances.
  • October 31, 2023 – MSRC publishes acknowledgement to the ZDI researcher for an issue in “Online Services.”
  • June, 2024 – ZDI publishes ZDI-24-581.

In September 2023, there was an overly permissive SAS token included in the documentation detailing the Backup Restoration process for Azure SQL Managed Instances: https://web.archive.org/web/20230907041433/https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/restore-sample-database-quickstart?view=azuresql.

The next available archival of this documentation is from December, 2023, which shows that this SAS token has been removed: https://web.archive.org/web/20231210164343/https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/restore-sample-database-quickstart?view=azuresql.

On June 7, CyberNews published an article summarizing this vulnerability. In an update to their article dated June 8th, CyberNews quotes a Microsoft spokesperson stating “This was addressed in November 2023, and customers are already protected.”

According to Microsoft, no CVE was issued for this vulnerability, and no customer action was needed. Based on this information and our analysis, this aligns with the above timeline. It is likely that the advisory release from ZDI is simply a delay in publication.

Tenable Solutions

A list of all the plugins released for Microsoft’s June 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.



Source link