August’s Patch Tuesday instalment addresses 91 vulnerabilities, a decrease from the 142 in July. This month sees 7 critical vulnerabilities patched, along with 3 publicly disclosed and 6 exploited in the wild.
This Windows TCP/IP remote code execution vulnerability has been assigned a max severity of Critical. Exploitation requires an unauthenticated attacker to repeatedly send IPv6 packets, including specially crafted packets, to a Windows machine; if this succeeds, it could enable remote code execution.
Please note that this flaw only affects machines with IPv6 enabled; exploitation is not possible if IPv6 is disabled on the target machine.
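As an added example (not code from the Ironshare post or from Microsoft), the following PowerShell reports where IPv6 is actually bound on a host, so that the "IPv6 disabled" condition above can be verified rather than assumed. It checks both the per-adapter TCP/IPv6 binding (component ID `ms_tcpip6`) and the system-wide `DisabledComponents` registry value, whose low byte set to 0xFF turns IPv6 off on all non-tunnel interfaces. The optional `-Disable` switch unbinds IPv6 from adapters; treat that as a temporary workaround for hosts that cannot yet take the update, not as a substitute for patching.

```powershell
# Added example, not from the original post: IPv6 exposure check for the TCP/IP RCE workaround.
function Get-Ipv6Exposure {
    [CmdletBinding()]
    param([switch]$Disable)

    # Per-adapter binding state of the TCP/IPv6 component.
    $bindings = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction Stop

    # System-wide setting: DisabledComponents low byte 0xFF disables IPv6 on all non-tunnel
    # interfaces (takes effect after a reboot). Absent value means IPv6 is fully enabled.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $disabledComponents = (Get-ItemProperty -Path $regPath -Name 'DisabledComponents' `
                           -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $disabledComponents) { $disabledComponents = 0 }
    $ipv6OffGlobally = (($disabledComponents -band 0xFF) -eq 0xFF)

    foreach ($b in $bindings) {
        # An adapter is exposed when IPv6 is bound to it and not disabled globally.
        $exposed = $b.Enabled -and -not $ipv6OffGlobally
        [pscustomobject]@{
            Adapter            = $b.Name
            Ipv6Bound          = $b.Enabled
            DisabledComponents = ('0x{0:X}' -f $disabledComponents)
            Exposed            = $exposed
        }
        if ($Disable -and $b.Enabled) {
            # Workaround only: unbind IPv6 from this adapter until the update is applied.
            Disable-NetAdapterBinding -Name $b.Name -ComponentID 'ms_tcpip6' -Confirm:$false
        }
    }
}

Get-Ipv6Exposure | Format-Table -AutoSize
```

Run it elevated; a row with `Exposed = True` means that adapter still accepts IPv6 traffic. Note that unbinding IPv6 per adapter and setting `DisabledComponents` are different controls, which is why the script reports both.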
This vulnerability, CVE-2023-40547, is in the Linux shim boot loader. It is being documented in the Security Update Guide to announce that the latest builds of Microsoft Windows address this vulnerability by blocking old, unpatched Linux boot loaders, applying SBAT (Secure Boot Advanced Targeting) EFI variables in the UEFI library.
To address this security issue, Windows will apply a Secure Boot Advanced Targeting (SBAT) update to block vulnerable Linux boot loaders that could have an impact on Windows security. The SBAT value is not applied to dual-boot systems that boot both Windows and Linux and should not affect these systems. You might find that older Linux distribution ISOs will not boot. If this occurs, work with your Linux vendor to get an update.
For more details on this vulnerability, see this Red Hat Security Advisory: CVE-2023-40547.
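To show why an SBAT update blocks "old, unpatched" boot loaders without needing a signature revocation, here is an added example (not code from the post, from Microsoft, or from the shim project) of the generation check that SBAT performs. Each signed boot component carries a `.sbat` CSV section listing component names and generation numbers; the revocation policy held in the `SbatLevel` EFI variable lists, per component, the minimum generation still allowed. A component is refused when the binary carries a listed component at a generation below the policy minimum. Both inputs below are constructed sample data, not the real revocation list or a real loader's section.

```powershell
# Added example, not from the original post: SBAT generation comparison on constructed data.

# Constructed .sbat section of an old boot loader:
# component,generation,vendor,package,version,url
$bootloaderSbat = @'
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,15.6,https://github.com/rhboot/shim
shim.example,1,Example Vendor,shim,15.6-1,https://example.invalid/shim
'@

# Constructed revocation policy in SbatLevel format: a header line, then
# component,minimum_allowed_generation (values are illustrative only).
$revocationPolicy = @'
sbat,1,2024010900
shim,4
grub,3
'@

function Test-SbatAllowed {
    param(
        [Parameter(Mandatory)][string]$ComponentSbat,
        [Parameter(Mandatory)][string]$Policy
    )
    # Map each component in the binary to its generation.
    $generations = @{}
    foreach ($line in ($ComponentSbat -split "`r?`n")) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line -split ','
        $generations[$fields[0]] = [int]$fields[1]
    }

    $violations = @()
    $policyLines = ($Policy -split "`r?`n") | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
    # The first policy line is the format/date header; every later line is a revocation.
    foreach ($line in ($policyLines | Select-Object -Skip 1)) {
        $name, $minGen = ($line -split ',')[0, 1]
        # A revocation only applies when the binary actually carries that component.
        if ($generations.ContainsKey($name) -and $generations[$name] -lt [int]$minGen) {
            $violations += "$name generation $($generations[$name]) is below required $minGen"
        }
    }

    [pscustomobject]@{
        Allowed    = ($violations.Count -eq 0)
        Violations = $violations
    }
}

Test-SbatAllowed -ComponentSbat $bootloaderSbat -Policy $revocationPolicy
```

With the constructed inputs, the old loader is refused because its `shim` generation is below the policy minimum, while the `grub` entry is ignored because the binary carries no `grub` component. This is also why a loader that was never rebuilt with a raised generation will stop booting once the policy is raised, which matches the advice to obtain an updated ISO from the Linux vendor.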
These two vulnerabilities in Windows Network Virtualization are considered critical and, if successfully exploited, could enable remote code execution.
To successfully exploit these vulnerabilities, an attacker needs elevated privileges on a compromised machine, because exploitation involves manipulating processes beyond the reach of standard user permissions. Exploitation also involves taking advantage of the unchecked return value in the wnv.sys component of Windows Server 2016. By manipulating the content of the Memory Descriptor List (MDL), the attacker could cause unauthorized memory writes or even free a valid block currently in use, leading to a critical guest-to-host escape.
Exploitation of either vulnerability could lead to the attacker gaining the ability to interact with other tenants' applications and content.
This important RCE flaw in Microsoft Project has been exploited in the wild, making patching a high priority. Exploitation requires the victim to open a malicious Microsoft Office Project file on a system where the "Block macros from running in Office files from the Internet" policy is disabled and VBA Macro Notification Settings are not enabled; this allows the attacker to perform remote code execution.
Microsoft has advised users not to disable the macro blocking policy, and notes that exploitation requires the user to open the project file and accept the prompt to run its macros.
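The two conditions named above are both Office policy values, so they can be audited from the registry. The following is an added example (not code from the post or from Microsoft) that reads them for Project from the per-user policy hive. The `blockcontentexecutionfrominternet` and `vbawarnings` value names are the standard Office security policy values; the `ms project` application key is assumed here to be where Project's ADMX templates place them, so adjust `$AppKey` if your templates differ.

```powershell
# Added example, not from the original post: audit the Project macro policies the advisory names.
function Get-ProjectMacroPolicy {
    param(
        [string]$OfficeVersion = '16.0',   # Office 2016 and later share the 16.0 policy key
        [string]$AppKey = 'ms project'     # assumed application key for Project policies
    )
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$AppKey\Security"
    $props = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # 1 enforces "Block macros from running in Office files from the Internet".
    $blockFromInternet = $props.blockcontentexecutionfrominternet
    # VBA Macro Notification Settings policy values.
    $vbaWarnings = $props.vbawarnings
    $vbaMeanings = @{
        1 = 'Enable all macros (unsafe)'
        2 = 'Disable all macros with notification'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all macros without notification'
    }
    $vbaMeaning = if ($null -ne $vbaWarnings -and $vbaMeanings.ContainsKey([int]$vbaWarnings)) {
        $vbaMeanings[[int]$vbaWarnings]
    } else {
        'Not set by policy (user setting applies)'
    }

    # Protected only when the internet block is enforced AND a notification setting
    # other than "enable all" is set by policy; either gap matches the advisory's precondition.
    $protected = ($blockFromInternet -eq 1) -and ($vbaWarnings -in 2, 3, 4)

    [pscustomobject]@{
        PolicyPath              = $policyPath
        BlockMacrosFromInternet = ($blockFromInternet -eq 1)
        VbaWarningsPolicy       = $vbaMeaning
        Protected               = $protected
    }
}

Get-ProjectMacroPolicy
```

Run it in the context of the user whose Office configuration you are auditing, since these are HKCU policies; a `Protected = False` result means the host is in the state the advisory describes as exploitable even though the policy is unrelated to whether the update itself has been installed.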
Exploitation of this important RCE flaw requires an unauthenticated attacker to send a specially crafted print task across a network to a shared, vulnerable Windows Line Printer Daemon (LPD) service; successful exploitation could result in remote code execution on the server. While this vulnerability has been publicly disclosed, the LPD service is not installed or enabled on Windows by default. Users are advised against installing the Line Printer Daemon service until updates have been performed.
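Because LPD is off by default, the practical question is whether a given host has it installed and reachable. The following is an added example (not code from the post or from Microsoft) that checks the role service on server editions, the optional feature on client editions, the `LPDSVC` service state, and whether anything is listening on LPD's TCP port 515, then reports a single exposure verdict.

```powershell
# Added example, not from the original post: LPD exposure check for the LPD RCE advisory.
function Get-LpdExposure {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1

    if ($isServer) {
        # Server editions ship LPD as a role service of Print and Document Services.
        $feature   = Get-WindowsFeature -Name 'Print-LPD-Service' -ErrorAction SilentlyContinue
        $installed = [bool]($feature -and $feature.Installed)
    } else {
        # Client editions ship it as an optional feature (query requires elevation).
        $feature   = Get-WindowsOptionalFeature -Online -FeatureName 'Printing-Foundation-LPDPrintService' `
                         -ErrorAction SilentlyContinue
        $installed = [bool]($feature -and $feature.State -eq 'Enabled')
    }

    $service  = Get-Service -Name 'LPDSVC' -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue

    $serviceStatus = if ($service) { $service.Status.ToString() } else { 'Not present' }
    $running       = [bool]($service -and $service.Status -eq 'Running')

    [pscustomobject]@{
        IsServerEdition = $isServer
        LpdInstalled    = $installed
        ServiceStatus   = $serviceStatus
        ListeningOn515  = [bool]$listener
        # Exposed when the feature is present and the daemon is running or the port is open.
        Exposed         = $installed -and ($running -or [bool]$listener)
    }
}

Get-LpdExposure
```

A host reporting `Exposed = True` has the service the advisory describes reachable on the network and should be patched, or have LPD removed, before anything else; a host reporting `LpdInstalled = False` matches the default state and is not affected by this particular flaw.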
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug
Security update guide: https://msrc.microsoft.com/update-guide/
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.