VERT Threat Alert: November 2024 Patch Tuesday Analysis
Today’s VERT Alert addresses Microsoft’s November 2024 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1132 as soon as coverage is completed.
In-The-Wild & Disclosed CVEs
A vulnerability that allows for NTLMv2 hash disclosure has been both publicly disclosed and actively exploited. According to Microsoft, only minimal interaction is required and a user left or right clicking on a malicious file is enough to trigger this vulnerability. Microsoft has reported this vulnerability as Exploitation Detected.
Microsoft is reporting that a privilege escalation exists within Windows Task Scheduler that could allow a low privilege user to elevate their permissions to a Medium Integrity Level. For example, an attacker could escalate their permissions from a low privilege AppContainer to a higher integrity level and execute code. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in Microsoft Exchange Server allows non-RFC 5322 compliant P2 FROM headers to pass to the email client, which can allow the sender of an email to be spoofed. After installing the Exchange update, a new disclaimer will be prepended to the message body and a new header will be added. Users can then follow guidance from Microsoft to take additional steps, such as rejecting the email if the header is detected. Users can also disable this functionality. Microsoft has reported this vulnerability as Exploitation More Likely.
A vulnerability in Active Directory Certificate Services could allow an attacker to gain domain administrator privileges. According to Microsoft, you may be vulnerable if your PKI environment has the following:
- A published certificate using the version 1 certificate template.
- The Source of subject name is set to “Supplied in the request”
- The Enroll permissions are granted to a broad set of accounts,
Microsoft has reported this vulnerability as Exploitation More Likely.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted
| Tag | CVE Count | CVEs |
| Windows Update Stack | 1 | CVE-2024-43530 |
| .NET and Visual Studio | 2 | CVE-2024-43499, CVE-2024-43498 |
| Azure CycleCloud | 1 | CVE-2024-43602 |
| Windows NT OS Kernel | 1 | CVE-2024-43623 |
| Windows VMSwitch | 1 | CVE-2024-43625 |
| Windows Telephony Service | 7 | CVE-2024-43626, CVE-2024-43627, CVE-2024-43628, CVE-2024-43620, CVE-2024-43621, CVE-2024-43622, CVE-2024-43635 |
| Windows Kernel | 1 | CVE-2024-43630 |
| Windows Secure Kernel Mode | 3 | CVE-2024-43631, CVE-2024-43646, CVE-2024-43640 |
| Windows USB Video Driver | 5 | CVE-2024-43634, CVE-2024-43637, CVE-2024-43638, CVE-2024-43643, CVE-2024-43449 |
| Windows CSC Service | 1 | CVE-2024-43644 |
| Windows Defender Application Control (WDAC) | 1 | CVE-2024-43645 |
| Windows SMBv3 Client/Server | 1 | CVE-2024-43447 |
| Microsoft Windows DNS | 1 | CVE-2024-43450 |
| Windows NTLM | 1 | CVE-2024-43451 |
| Windows Registry | 2 | CVE-2024-43452, CVE-2024-43641 |
| SQL Server | 31 | CVE-2024-38255, CVE-2024-43459, CVE-2024-43462, CVE-2024-48994, CVE-2024-48995, CVE-2024-48996, CVE-2024-49043, CVE-2024-48993, CVE-2024-48997, CVE-2024-48998, CVE-2024-48999, CVE-2024-49000, CVE-2024-49001, CVE-2024-49002, CVE-2024-49003, CVE-2024-49004, CVE-2024-49005, CVE-2024-49007, CVE-2024-49006, CVE-2024-49008, CVE-2024-49009, CVE-2024-49010, CVE-2024-49011, CVE-2024-49012, CVE-2024-49013, CVE-2024-49014, CVE-2024-49015, CVE-2024-49016, CVE-2024-49017, CVE-2024-49018, CVE-2024-49021 |
| Microsoft Virtual Hard Drive | 1 | CVE-2024-38264 |
| Microsoft Defender for Endpoint | 1 | CVE-2024-5535 |
| Microsoft Exchange Server | 1 | CVE-2024-49040 |
| Visual Studio | 1 | CVE-2024-49044 |
| Windows Win32 Kernel Subsystem | 1 | CVE-2024-49046 |
| Visual Studio Code | 2 | CVE-2024-49049, CVE-2024-49050 |
| Airlift.microsoft.com | 1 | CVE-2024-49056 |
| LightGBM | 1 | CVE-2024-43598 |
| Role: Windows Hyper-V | 2 | CVE-2024-43624, CVE-2024-43633 |
| Windows DWM Core Library | 2 | CVE-2024-43629, CVE-2024-43636 |
| Windows Kerberos | 1 | CVE-2024-43639 |
| Windows SMB | 1 | CVE-2024-43642 |
| Windows Package Library Manager | 1 | CVE-2024-38203 |
| Role: Windows Active Directory Certificate Services | 1 | CVE-2024-49019 |
| Microsoft Office Excel | 5 | CVE-2024-49026, CVE-2024-49027, CVE-2024-49028, CVE-2024-49029, CVE-2024-49030 |
| Microsoft Graphics Component | 2 | CVE-2024-49031, CVE-2024-49032 |
| Microsoft Office Word | 1 | CVE-2024-49033 |
| Windows Task Scheduler | 1 | CVE-2024-49039 |
| TorchGeo | 1 | CVE-2024-49048 |
| Microsoft PC Manager | 1 | CVE-2024-49051 |
| Microsoft Edge (Chromium-based) | 2 | CVE-2024-10826, CVE-2024-10827 |
Other Information
At the time of publication, there was one new advisory included with the November Security Guidance.
Microsoft SharePoint Server Defense in Depth Update [ADV240001]
Microsoft has published an advisory related to Microsoft SharePoint Server that provides a defense in depth update regarding redirections. Microsoft SharePoint Server Subscriber Edition, 2019, and 2016 have updates available for them.
