Let’s start our summer with a pwn-me-by-Wi-Fi bug in Microsoft Windows

Patch Tuesday Microsoft kicked off our summer season with a relatively light June patch Tuesday, releasing updates for 49 CVE-marked security flaws in its products — including a bug that was considered critical, a pretty scary bug in wireless networking, and one that was made public.

The one that is publicly known and not yet publicly exploited is CVE-2023-50868 in both Windows Server and non-Microsoft software. It’s a vulnerability in DNSSEC implementations that we’ve known about since February; El Reg readers may remember this bug, called NSEC3 encloser, which can be exploited by a remote attacker to potentially exhaust CPU resources on a vulnerable system, causing it to stop working as intended.

“CVE-2023-50868 involves a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a Denial of Service for legitimate users,” Redmond stated on Tuesday.

Meanwhile, the only critical flaw announced – CVE-2024-30080 – is a remote code execution (RCE) issue in Microsoft Message Queuing (MSMQ), and it is severe enough to earn a CVSS severity rating of 9.8 out of 10. Redmond describes it as “exploitation more likely.”

It could allow a remote, unauthenticated attacker to execute arbitrary code by sending a specially crafted malicious MSMQ packet to a vulnerable Windows system, such as a Windows Server box.

“That makes this wormable between those servers, but not on systems where MSMQ is disabled,” said Dustin Childs of the Zero Day Initiative, who added: “It’s not clear how many affected systems are exposed to the Internet. Although it’s likely a low number, this would be a good time to check your networks to ensure that TCP port 1801 is unreachable.”

Indeed, Microsoft says: “You can check to see if a service called Message Queuing is running and that TCP port 1801 is listening on the machine.”
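The check Microsoft and Childs describe can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft: it reports whether the Message Queuing service is installed and running on the local box, whether anything is listening on TCP 1801, and optionally whether that port is reachable from another host. It assumes Windows PowerShell 5.1 or later, that the service name is `MSMQ` (display name “Message Queuing”), and the placeholder hostname `SERVER-TO-CHECK` for the remote reachability test.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 5.1+.
# 1. Is the Message Queuing service present, and what state is it in?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'Message Queuing service is not installed on this host.'
} else {
    Write-Output ('Message Queuing service status: {0}' -f $svc.Status)
}

# 2. Is anything listening on TCP 1801 locally, and which process owns it?
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ('TCP 1801 LISTENING on {0} (PID {1}, {2})' -f `
            $conn.LocalAddress, $conn.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Output 'Nothing is listening on TCP 1801.'
}

# 3. From a different machine: confirm the port is NOT reachable across the network.
#    'SERVER-TO-CHECK' is a placeholder; substitute the host you are auditing.
$probe = Test-NetConnection -ComputerName 'SERVER-TO-CHECK' -Port 1801 -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Output 'TCP 1801 is reachable from here: review firewall rules or disable MSMQ if unused.'
} else {
    Write-Output 'TCP 1801 is not reachable from here.'
}
```

Run step 3 from a host on the network segment you care about (or from outside your perimeter) rather than on the server itself; a local listener that is blocked by the host firewall is the outcome you want, and only a remote probe confirms it.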

There’s also the scary-looking CVE-2024-30078, a remote code execution hole in a Wi-Fi driver with a severity of 8.8. It has not yet been made public, is not yet under attack, and exploitation is “less likely,” Redmond said.

“An unauthenticated attacker could send a malicious network packet to an adjacent system using a Wi-Fi network adapter, allowing remote code execution,” Microsoft conceded, meaning malware or spyware could be delivered remotely, silently, and wirelessly onto a nearby victim’s computer.

Childs said: “Since it affects every supported version of Windows, it will likely attract a lot of attention from attackers and red teams alike.” Patch ASAP: This flaw can be exploited to run malicious software and hijack a nearby Windows PC over Wi-Fi without the need for authentication. Pretty bad.

Additionally, there are the usual issues of elevation of privilege and other code execution holes in Microsoft’s code, which should be closed with this month’s patches.

Adobe addresses 166 CVEs

Adobe has released ten patches covering a whopping 166 CVEs, 144 of which affect Experience Manager. Only one of the 144 is rated critical, while the rest are rated major and moderate. And thankfully, none appear to have been exploited in the wild.

Meanwhile, the Photoshop update fixed a critical vulnerability that could allow arbitrary code execution, and FrameMaker Publishing Server has two critical CVEs that could lead to escalation of privilege.

Adobe Substance 3D Stager also has a patch for a critical out-of-bounds write flaw. And the Creative Cloud Desktop update fixes a critical uncontrolled search path element that could allow arbitrary code execution.

The Adobe Commerce update resolves seven critical and three important vulnerabilities, which can be exploited to execute arbitrary code, bypass security features, and escalate privilege.

The patch for Audition fixes two major bugs, a memory leak and an application denial of service, while the ColdFusion update fixes two major bugs that could lead to arbitrary file system reads and allow an attacker to bypass security features.

There is one major out-of-bounds read vulnerability in Media Encoder, which has now been addressed. And finally, a major CVE in Adobe Acrobat for Android could allow security features to be bypassed.

SAP security notices are a dime a dozen

SAP released a dozen new and updated security notes this month (behind a customer paywall), including two high-priority alerts for bugs affecting NetWeaver AS Java and Financial Consolidation on S/4HANA. Of these two, note #3457592, which addresses two cross-site scripting vulnerabilities in SAP Financial Consolidation, received the highest CVSS severity score of 8.1.

“The more critical method allows data to enter a web application from an untrusted source and manipulate the content of websites,” explains Thomas Fritsch, SAP security researcher at Onapsis. “This has a major impact on the confidentiality and integrity of the application.”

The second high-priority note, #3460407, addresses a denial-of-service vulnerability in NetWeaver AS Java with a score of 7.5.

Ransomware criminals exploiting PHP

Open source scripting language PHP released version 8.2.20 this month, which includes a fix for an RCE tracked as CVE-2024-4577. This critical bug in PHP for Windows is now being actively exploited and at least one group of criminals is exploiting the flaw to spread TellYouThePass ransomware. So be sure to prioritize updating this code.

Arm under active exploitation

Arm has fixed a bug in the Bifrost and Valhall GPU kernel drivers that has already been found and exploited by miscreants.

It is tracked as CVE-2024-4610 and affects all versions from r34p0 to r40p0.

“A local, unprivileged user could perform inappropriate GPU memory processing operations to access already freed memory,” Arm warned, noting that it is “aware of reports of this vulnerability being exploited in the wild.” If we learn more about this issue, we’ll let you know: it could be used by rogue apps and the like to compromise Arm-powered devices, we believe.

Apple Vision Pro plugs 21 holes, although Android has more

Apple fixed 21 bugs in the visionOS 1.2 release. It is reported that none of the bugs were exploited at the time of release.

The worst of them could allow an app to execute arbitrary code with kernel privileges – so if you’re using Apple’s headset, install the update, stat.

Google’s June security update for Android patched 37 holes in the mobile OS.

“The most serious of these issues is a major security vulnerability in the system component that could allow local escalation of privilege without the need for additional execution privileges,” Google said.

In fact, there are seven such high-severity EoPs in the System Component, plus another ten in Framework.

Uh oh, it’s a SolarWinds CVE

SolarWinds has fixed a directory traversal flaw rated 8.6 on the CVSS scale – tracked as CVE-2024-28995 – in its managed file transfer tool Serv-U, which could grant snoops read access to sensitive files on the host machine. Upgrade to SolarWinds Serv-U 15.4.2 HF 2 to close the vulnerability.

While there are currently no reports of this bug being exploited, Rapid7 researchers have confirmed that the vulnerability can be exploited trivially and allows adversaries to read any file on disk (including binaries) as long as the path is known and the file is not locked.

This could turn into something really bad.

Fortinet and Cisco join in

Fortinet has fixed multiple stack-based buffer overflow vulnerabilities, tracked as CVE-2024-23110, in the FortiOS command-line interpreter that could allow an authenticated attacker to execute unauthorized code.

Meanwhile, Cisco released security updates for Webex and Cisco Finesse this month. The Webex Meetings flaw, spotted in late May, was reportedly used by snoopers to spy on government and military meetings. ®
