Patch Tuesday August 2024: 6 Zero-Day Vulnerabilities Under Active Exploitation, and Windows Downgrade Attacks

Downgrade Attacks, a bundle of zero-days, and multiple vulnerabilities under Active Exploitation add to the sense of urgency for Patch Tuesday this August. There is a lot to read up on, so expect plenty of links to extra reading. On top of Microsoft releasing fixes for an unusually high number of zero-days and vulnerabilities under Active Exploitation, a new Downgrade Attack against Windows was demonstrated at Black Hat 2024 and Def Con 32, where an NTLM hash attack was also demonstrated.
Microsoft Vulnerabilities
There are six zero-day vulnerabilities under Active Exploitation and three that have been publicly disclosed but were not under active exploitation in the wild as of publication. A fourth publicly disclosed vulnerability, CVE-2024-38202, was announced on August 7 but has not yet received a published fix. The total number of vulnerabilities addressed this month is 89, including 9 rated as Critical. If your teams prioritize based only on severity, this month is a good reminder that ranking vulnerabilities solely by severity rating can leave an environment more exposed than you realize: the vulnerabilities under Active Exploitation are rated only Important and Moderate.
CVE-2024-38178 Scripting Engine Memory Corruption is notable because it dredges up Internet Explorer, or rather Internet Explorer mode for Microsoft Edge. Exploitation requires only that a user click an attacker-supplied link while Microsoft Edge is running in Internet Explorer mode, which makes this trivial to exploit wherever that compatibility mode is in use. While most environments have moved beyond a need for Internet Explorer, many line-of-business applications and tools in use by SMBs still require this compatibility mode. As this was reported by the National Cyber Security Center (NCSC), Republic of Korea and AhnLab, it is likely under Active Exploitation by nation-state-backed threat actors. Count this as one more piece of evidence for why clients need to update business processes that rely on outdated and vulnerable legacy technologies.
CVE-2024-38199 Windows Line Printer Daemon (LPD) Service Remote Code Execution allows an unauthenticated attacker to send a specially crafted print task to a Windows LPD service and achieve remote code execution on the system running that service. This publicly disclosed zero-day had not been detected in the wild as of publication. LPD has been deprecated since Windows Server 2012 and is neither installed nor enabled by default, so the chances of finding it in your environment are low, but you won't know unless you check.
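The two exposures above, Edge in Internet Explorer mode (CVE-2024-38178) and an installed or listening LPD service (CVE-2024-38199), are both things you can inventory from an endpoint in a few lines. The script below is an added example written for this review; it is not code from the original post or from the N-able Automation Cookbook. It relies on the documented Edge policy value InternetExplorerIntegrationLevel (1 = IE mode enabled), the LPD service name LPDSVC, and the fact that LPD listens on TCP port 515. Run it from an elevated PowerShell session on the host you are assessing.

```powershell
# Added example, not code from the N-able post or its Automation Cookbook: inventory
# Edge IE mode (CVE-2024-38178) and LPD service (CVE-2024-38199) exposure on one host.

function Get-EdgeIEModeExposure {
    # InternetExplorerIntegrationLevel is the Edge policy that turns IE mode on (1 = enabled).
    # It can be set machine-wide or per user, so check both policy hives.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\SOFTWARE\Policies\Microsoft\Edge"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $enabled = ($props.InternetExplorerIntegrationLevel -eq 1)
        [pscustomobject]@{
            Check   = "Edge IE mode policy ($hive)"
            Exposed = $enabled
            Detail  = $(if ($enabled) {
                          "IE mode enabled by policy; site list: $($props.InternetExplorerIntegrationSiteList)"
                      } else { 'IE mode not enabled by policy' })
        }
    }
    # Note: a user can also toggle "Allow sites to be reloaded in Internet Explorer mode"
    # in Edge settings; that lives in the browser profile, not these registry keys.
}

function Get-LpdExposure {
    # LPDSVC is the service behind the "LPD Service" role service (Print-LPD-Service on Windows Server).
    $svc = Get-Service -Name LPDSVC -ErrorAction SilentlyContinue
    # LPD listens on TCP 515; a listener there is the strongest signal, whatever installed it.
    $listener = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue
    $detail = if ($svc) { "LPDSVC present, status $($svc.Status)" } else { 'LPDSVC not installed' }
    if ($listener) { $detail += '; TCP/515 is listening' }
    [pscustomobject]@{
        Check   = 'LPD service'
        Exposed = ([bool]$listener) -or ($svc -and $svc.Status -eq 'Running')
        Detail  = $detail
    }
}

@(Get-EdgeIEModeExposure; Get-LpdExposure) | Format-Table -AutoSize -Wrap
```

Any row with Exposed = True deserves a closer look: for IE mode, review the site list to confirm which line-of-business applications still depend on it; for LPD, confirm whether anything actually prints through it before disabling the service.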
CVE-2024-38200 Microsoft Office Spoofing is another in a long line of NTLM hash attacks that have surfaced this year. Exploitation relies on a link to an attacker-controlled website; once the link is clicked, the attacker can capture the NTLM hashes used during the authentication attempt. Microsoft enabled an alternative fix for this vulnerability via Feature Flighting on July 30, in addition to KB5002625 and KB5002570 for Office 2016 and click-to-run updates for modern versions of Microsoft Office. If you would like to force an update of Microsoft Office products that support click-to-run updates, you can leverage items available in the Automation Cookbook:
- Download the Microsoft 365 Update With Version Check for N‑sight
- Download the Microsoft 365 Update With Version Check for N‑central
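For anyone who wants to see what a "version check then update" step looks like outside of N-sight or N-central, the script below is an added example written for this review; it is not the Automation Cookbook script linked above, nor Microsoft's code. It reads the installed click-to-run build from the documented registry key HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration (value VersionToReport) and, if the build is older than a threshold you supply, launches OfficeC2RClient.exe with its documented silent-update switches. The $MinimumBuild value is an assumption: take the correct build for your update channel from the Microsoft release notes for the CVE-2024-38200 fix; the default shown is only a placeholder.

```powershell
# Added example, not the N-able Automation Cookbook script: check the Office click-to-run
# build and trigger an update when it is below a caller-supplied minimum.
param(
    # Placeholder; replace with the fixed build for your channel from Microsoft's release notes.
    [version]$MinimumBuild = '16.0.0.0'
)

function Get-OfficeC2RVersion {
    $cfg   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $props = Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.VersionToReport) {
        return $null   # no click-to-run install; MSI-based Office 2016 takes KB patches instead
    }
    [pscustomobject]@{
        Version = [version]$props.VersionToReport
        Channel = $props.CDNBaseUrl   # the update channel is encoded as the CDN base URL
    }
}

function Invoke-OfficeC2RUpdate {
    # OfficeC2RClient.exe lives under Common Files regardless of Office bitness.
    $client = Join-Path ${env:ProgramFiles} 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
    if (-not (Test-Path $client)) { throw "OfficeC2RClient.exe not found at $client" }
    # Silent update; close running Office apps if the update needs it.
    & $client /update user displaylevel=false forceappshutdown=true
}

$office = Get-OfficeC2RVersion
if (-not $office) {
    Write-Output 'No click-to-run Office found; look for MSI-based Office 2016 and apply KB5002625 / KB5002570 instead.'
} elseif ($office.Version -lt $MinimumBuild) {
    Write-Output "Office build $($office.Version) ($($office.Channel)) is below $MinimumBuild; starting update."
    Invoke-OfficeC2RUpdate
} else {
    Write-Output "Office build $($office.Version) meets or exceeds $MinimumBuild; nothing to do."
}
```

forceappshutdown=true will close open Office documents, so schedule this outside working hours or drop that switch and accept that the update completes on the next application restart.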
Windows OS-based Downgrade Attack
First demonstrated at Black Hat 2024 and Def Con 32, CVE-2024-21302 Windows Secure Kernel Mode Elevation of Privilege and CVE-2024-38202 Windows Update Stack Elevation of Privilege are two zero-day vulnerabilities in Windows that security researcher Alon Leviev of SafeBreach leveraged in his proof of concept for a Downgrade Attack, using a tool named Windows Downdate. The attack turns the Windows Update process against itself to "craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components". This places systems back into an unpatched state against past vulnerabilities, leaving them susceptible to attacks leveraging old, already-fixed bugs.
Please read the research by Alon Leviev here for more details on the Windows Downdate tool and a demo of the attack.
Per Microsoft, “Microsoft is developing a security update that will revoke outdated, unpatched VBS system files to mitigate this vulnerability, but it is not yet available. Due to the complexity of blocking such a large quantity of files, rigorous testing is required to avoid integration failures or regressions.”
While we await additional fixes from Microsoft, they have provided recommended actions for an opt-in mitigation in KB5042562: Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates for CVE-2024-21302. Note that this is a revocation of older boot-time components rather than a conventional patch, so test it on representative hardware before rolling it out broadly. For CVE-2024-38202 there are recommended actions for reducing the risk of exploitation, but no mitigation instructions pending a future security update.
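Before deciding where to apply the KB5042562 mitigation, it helps to know which hosts actually run Virtualization-based Security and Secure Boot. The script below is an added example written for this review; it is not from the post, from SafeBreach, or from Microsoft's KB. It reads the documented Win32_DeviceGuard WMI class (VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running; SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI) and Confirm-SecureBootUEFI. The InScope flag is this reviewer's assumption for triage (VBS running with Secure Boot on); confirm exact applicability against the KB itself.

```powershell
# Added example, not from the post or KB5042562: report VBS and Secure Boot state so the
# opt-in rollback-blocking mitigation for CVE-2024-21302 can be targeted at the right hosts.

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Documented Win32_DeviceGuard codes.
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }

    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported platforms; treat that as off.
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    $running = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } |
                 ForEach-Object { if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "Service $_" } })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        VbsStatus    = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        VbsServices  = ($running -join ', ')
        SecureBoot   = $secureBoot
        # Assumption for triage: hosts with VBS running under Secure Boot are the population
        # whose VBS files the mitigation protects from rollback.
        InScope      = ($dg.VirtualizationBasedSecurityStatus -eq 2) -and $secureBoot
    }
}

Get-VbsState | Format-List
```

Collect this from your fleet first; hosts reporting VbsStatus = Not enabled are not made safer by the VBS rollback-blocking mitigation and should instead be on the list for the eventual security update.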
Microsoft Patch Tuesday Vulnerability Prioritization
Addressing vulnerabilities effectively requires a mix of adhering to established best practices and exercising informed judgment. It is a natural instinct to rank Critical-severity vulnerabilities highest on the list, but severity ratings alone are a blunt instrument: they describe worst-case impact, not whether anyone is actually exploiting the bug. An often-overlooked component is the temporal dimension, captured by CVSS temporal metrics and Microsoft's Exploitability Index, which track how exploit maturity and remediation status change over time, together with the window of vulnerability, the time from disclosure to the availability and application of the patch. The longer a vulnerability remains unpatched while exploit code matures, the greater the likelihood of exploitation. By integrating these temporal signals into the risk evaluation process, organizations gain a more comprehensive understanding of the threat landscape and likely attack vectors, and avoid leaving themselves open to unnecessary risk.
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available
| CVE Number | CVE Title | Severity | Status |
|---|---|---|---|
| | Microsoft Project Remote Code Execution Vulnerability | I | ED |
| | Windows Power Dependency Coordinator Elevation of Privilege Vulnerability | I | ED |
| | Windows Kernel Elevation of Privilege Vulnerability | I | ED |
| | Windows Mark of the Web Security Feature Bypass Vulnerability | M | ED |
| | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | ED |
| CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability | I | ED |
| | Azure Health Bot Elevation of Privilege Vulnerability | C | ELL |
| CVE-2022-3775 | Redhat: grub2 – Heap based out-of-bounds write when rendering certain Unicode sequences | C | ELL |
| | Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability | I | ELL |
| | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-40547 | Redhat: Shim – RCE in HTTP boot support may lead to secure boot bypass | C | ELL |
| | Windows Network Virtualization Remote Code Execution Vulnerability | C | ELL |
| | Windows Network Virtualization Remote Code Execution Vulnerability | C | ELL |
| | Windows DWM Core Library Elevation of Privilege Vulnerability | I | EML |
| | Windows Secure Channel Denial of Service Vulnerability | I | EML |
| | Microsoft DWM Core Library Elevation of Privilege Vulnerability | I | EML |
| | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | I | EML |
| | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | EML |
| | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
| | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | I | EML |
| | Windows TCP/IP Remote Code Execution Vulnerability | C | EML |
| | Windows Print Spooler Elevation of Privilege Vulnerability | I | EML |
| | Windows Common Log File System Driver Elevation of Privilege Vulnerability | I | EML |
Summary
As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally applied patches based only on their severity, consider prioritizing Zero-Day, Exploitation Detected and Exploitation More Likely vulnerabilities in your patch management routines.
Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out the Patch Management section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness or usefulness of any information contained herein.
The N-ABLE, N-CENTRAL and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.