Last updated at Wed, 13 Nov 2024 04:01:51 GMT

Microsoft is addressing 90 vulnerabilities this November 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published today, although as with last month’s batch, it does not evaluate any of these zero-day vulnerabilities as critical severity (yet). Of those four, Microsoft lists two as exploited in the wild, and both of these are now listed on CISA KEV. Microsoft is aware of some level of public disclosure for three. Microsoft is also patching two further critical remote code execution (RCE) vulnerabilities today. Two browser vulnerabilities have already been published separately this month, and are not included in the total.

Active Directory Certificate Service: zero-day EoP aka EKUwu

CVE-2024-49019 describes an elevation of privilege vulnerability in Active Directory Certificate Services. While the vulnerability only affects assets with the Windows Active Directory Certificate Services role, an attacker who successfully exploits this vulnerability could gain domain admin privileges, so that doesn’t offer much comfort. Unsurprisingly, given the potential prize for attackers, Microsoft assesses future exploitation as more likely. Vulnerable PKI environments are those which include published certificates created using a version 1 certificate template with the source of subject name set to "Supplied in the request" and Enroll permissions granted to a broader set of accounts. Microsoft does not obviously provide any means of determining the certificate template version used to create a certificate, although the advisory does offer recommendations for anyone hoping to secure certificate templates.

There is a significant history of research and exploitation of Active Directory Certificate Services, including the widely-discussed Certified Pre-Owned series, and the discovering researchers have now added further to that corpus, tagging CVE-2024-49019 as ESC15. In keeping with another long-standing infosec tradition, the researcher has provided a fun celebrity vulnerability name — in this case, EKUwu, a portmanteau of EKU (Extended Key Usage) and UwU, an emoticon representing a cute face — as part of their detailed and insightful write-up.

MSHTML: zero-day NTLMv2 hash disclosure

Given the CVSSv3 base score of 6.0, one might almost be forgiven for overlooking CVE-2024-43451, which describes an NTLM hash disclosure spoofing vulnerability in the MSHTML platform which powered Internet Explorer. However, public disclosure and in-the-wild exploitation are always worth a look. Although exploitation requires that the user interact with a malicious file, a successful attacker receives the user’s NTLMv2 hash, and can then use that to authenticate as the user.

Microsoft has arguably scored CVE-2024-43451 correctly according to the CVSSv3.1 specification. However, although the Microsoft CVSSv3 vector describes an impact only to confidentiality, if an attacker can authenticate as the user post-exploitation, a further potential for subsequent impact to integrity and availability now exists; if we take that potential indirect effect into account, the CVSSv3 base score would look more like 8.8, which is the sort of number where alarm bells typically start ringing for many defenders. As a further sting in the tail, the advisory FAQ describes the required user interaction as minimal: left click, right click, or even the highly non-specific “performing an action other than opening or executing [the file]”. There’s certainly the potential for a long tail of exploitation here, especially in environments with more relaxed patching cadence.

The complete Windows catalog from Server 2025 and Windows 11 24H2 all the way back to Server 2008 receives patches for CVE-2024-43451. As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows — and unpatched assets are thus vulnerable — regardless of whether or not a Windows asset has Internet Explorer 11 disabled.

Exchange: zero-day sender spoofing

It’s been a few months since we’ve seen any security patches for Exchange, but the streak is now broken with a zero-day vulnerability. Mailserver admins should be paying attention to CVE-2024-49040, which is a publicly disclosed spoofing vulnerability. The specific weakness is CWE-451: User Interface (UI) Misrepresentation of Critical Information, which is often associated with phishing attacks, as well as browser vulnerabilities, and can describe a wide range of misdeeds, from visual truncation and UI overlay to homograph abuse. Microsoft does not yet claim knowledge of in-the-wild exploitation.

The advisory for CVE-2024-49040 hints that post-patching actions may be required for remediation of CVE-2024-49040, and links to further information in a separate article titled “Exchange Server non-RFC compliant P2 FROM header detection”. A careful read of the article doesn’t appear to list any mandatory post-patching actions; instead, there is an optional extra mitigation strategy action around Exchange Transport Rules, as well as an encouragingly detailed explanation of the protection offered by today’s patches. The article showcases that an Exchange-connected email client such as Outlook might display a forged sender as if it were legitimate, which we can all agree is not a good outcome. Attackers don’t have to look far to find other vulnerabilities to chain with this one, since today’s sibling zero-day vulnerability CVE-2024-43451 is certainly an option. On the other hand, let’s take a moment to appreciate the Exchange team’s blog title: “You Had Me at EHLO”.

Patches for CVE-2024-49040 are available for Exchange 2019 CU13 and CU14, as well as Exchange 2016 CU23. It’s worth remembering that both Exchange 2016 and 2019 have an extended end date of 2025-10-14, which is now less than a year away; this despite the fact that the successor for 2016 and 2019, which Microsoft is unsubtly branding as Exchange Server Subscription Edition, isn’t due for release until early in 2025 Q3. Many admins would no doubt prefer a longer upgrade window.

The researcher who reported CVE-2024-49040 also discovered a means to impersonate Microsoft corporate email accounts earlier this year, but went public with his findings after Microsoft dismissed his report; it appears that the relationship has been at least somewhat repaired.

Task Scheduler: zero-day EoP (but not SYSTEM)

Windows Task Scheduler facilitates all sorts of useful outcomes, and if you’re a threat actor, it now offers one more: elevation of privilege via CVE-2024-49039. Microsoft is aware of exploitation in the wild. Given the low attack complexity and low privileges requirement, no requirement for user interaction, high impact across the CIA triad, and changed scope, it’s no surprise that the CVSSv3 base score comes out as a relatively zesty 8.8. However, Windows elevation of privilege vulnerabilities are always most exciting for attackers when they lead directly to SYSTEM privileges, but that’s not the case here. The attacker in this scenario starts out in a low-privileged AppContainer sandbox, and exploitation via a malicious app provides medium integrity level privileges, which is the same as a regular non-administrative user on the system. Still, every step forward for a threat actor is a step back for defenders.

.NET: critical RCE

This month brings patches for CVE-2024-43498, a critical RCE in .NET 9.0 with a CVSSv3 base score of 9.8, which is so seldom a harbinger of good news. Exploitation might mean compromise of a desktop application by loading a malicious file, but most concerningly could also describe RCE in the context of a vulnerable .NET webapp via a specially crafted request. Microsoft assesses exploitation as less likely, but there’s nothing on the advisory which obviously supports that assessment, since this is a low-complexity network attack which requires neither privileges nor user interaction. CVE-2024-43498 is surely worthy of immediate patching. It’s also never a bad idea to review other options for protection, especially for internet-exposed services.

Kerberos: critical RCE

The advisory for CVE-2024-43639 describes a critical RCE in Kerberos with a CVSSv3 base score of 9.8, although not in great detail. The FAQ explains that an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target, but without providing much information about the target or the precise context of code execution. The only safe assumption here is that code execution is in a highly-privileged context on a server which handles key authentication tasks. Patch accordingly.

Microsoft lifecycle update

In Microsoft lifecycle news, the most notable change is the arrival of Windows Server 2025 as a General Availability product at the start of November. Microsoft has announced a number of new features in Server 2025, which we will look forward to discussing in more detail in future editions of this blog.

At the other end of the lifecycle continuum, .NET 6.0 receives its final scheduled updates today; as .NET 6.0 is/was a Long Term Support (LTS) version, and .NET 7.0 is already beyond end of life, the only current upgrade path is to .NET 8.0.

Summary charts

A bar chart showing the distribution of vulnerabilities by affected component for Microsoft Patch Tuesday November 2024.
A bar chart showing the distribution of vulnerabilities by impact type for Microsoft Patch Tuesday November 2024.
A heatmap showing the distribution of vulnerabilities by impact and affected component for Microsoft Patch Tuesday November 2024.
SQL server dominating the heatmap, but it's mostly a group of closely-related client vulns.

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49051 Microsoft PC Manager Elevation of Privilege Vulnerability No No 7.8

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-43602 Azure CycleCloud Remote Code Execution Vulnerability No No 9.9
CVE-2024-49056 Airlift.microsoft.com Elevation of Privilege Vulnerability No No 7.3
CVE-2024-49042 Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability No No 7.2
CVE-2024-43613 Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability No No 7.2

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-10827 Chromium: CVE-2024-10827 Use after free in Serial No No N/A
CVE-2024-10826 Chromium: CVE-2024-10826 Use after free in Family Experiences No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-43498 .NET and Visual Studio Remote Code Execution Vulnerability No No 9.8
CVE-2024-49050 Visual Studio Code Python Extension Remote Code Execution Vulnerability No No 8.8
CVE-2024-43499 .NET and Visual Studio Denial of Service Vulnerability No No 7.5
CVE-2024-49049 Visual Studio Code Remote Extension Elevation of Privilege Vulnerability No No 7.1
CVE-2024-49044 Visual Studio Elevation of Privilege Vulnerability No No 6.7

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-43639 Windows Kerberos Remote Code Execution Vulnerability No No 9.8
CVE-2024-43627 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2024-43628 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2024-43620 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2024-43621 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2024-43622 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2024-43635 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2024-49046 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability No No 7.8
CVE-2024-43626 Windows Telephony Service Elevation of Privilege Vulnerability No No 7.8
CVE-2024-43641 Windows Registry Elevation of Privilege Vulnerability No No 7.8
CVE-2024-43623 Windows NT OS Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-43644 Windows Client-Side Caching Elevation of Privilege Vulnerability No No 7.8
CVE-2024-43636 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49019 Active Directory Certificate Services Elevation of Privilege Vulnerability No Yes 7.8
CVE-2024-43452 Windows Registry Elevation of Privilege Vulnerability No No 7.5
CVE-2024-43450 Windows DNS Spoofing Vulnerability No No 7.5
CVE-2024-43634 Windows USB Video Class System Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-43637 Windows USB Video Class System Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-43638 Windows USB Video Class System Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-43643 Windows USB Video Class System Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-43449 Windows USB Video Class System Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-43451 NTLM Hash Disclosure Spoofing Vulnerability Yes Yes 6.5
CVE-2024-38203 Windows Package Library Manager Information Disclosure Vulnerability No No 6.2

Mariner System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-5535 OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread No No 9.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49031 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2024-49032 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2024-49026 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2024-49027 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2024-49028 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2024-49029 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2024-49030 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2024-49033 Microsoft Word Security Feature Bypass Vulnerability No No 7.5

Open Source Software vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49048 TorchGeo Remote Code Execution Vulnerability No No 8.1
CVE-2024-43598 LightGBM Remote Code Execution Vulnerability No No 7.5

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-38255 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-43459 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-43462 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-48994 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-48995 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-48996 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-48993 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-48997 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-48998 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-48999 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49000 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49001 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49002 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49003 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49004 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49005 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49007 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49006 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49008 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49009 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49010 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49011 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49012 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49013 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49014 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49015 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49016 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49017 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49018 SQL Server Native Client Remote Code Execution Vulnerability No No 8.8
CVE-2024-49043 Microsoft.SqlServer.XEvent.Configuration.dll Remote Code Execution Vulnerability No No 7.8
CVE-2024-49021 Microsoft SQL Server Remote Code Execution Vulnerability No No 7.8

Server Software vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49040 Microsoft Exchange Server Spoofing Vulnerability No Yes 7.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49039 Windows Task Scheduler Elevation of Privilege Vulnerability Yes No 8.8
CVE-2024-43624 Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability No No 8.8
CVE-2024-43447 Windows SMBv3 Server Remote Code Execution Vulnerability No No 8.1
CVE-2024-43625 Microsoft Windows VMSwitch Elevation of Privilege Vulnerability No No 8.1
CVE-2024-43530 Windows Update Stack Elevation of Privilege Vulnerability No No 7.8
CVE-2024-43640 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-43630 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-43629 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2024-43642 Windows SMB Denial of Service Vulnerability No No 7.5
CVE-2024-43631 Windows Secure Kernel Mode Elevation of Privilege Vulnerability No No 6.7
CVE-2024-43646 Windows Secure Kernel Mode Elevation of Privilege Vulnerability No No 6.7
CVE-2024-43645 Windows Defender Application Control (WDAC) Security Feature Bypass Vulnerability No No 6.7
CVE-2024-43633 Windows Hyper-V Denial of Service Vulnerability No No 6.5
CVE-2024-38264 Microsoft Virtual Hard Disk (VHDX) Denial of Service Vulnerability No No 5.9

Updates

  • 2024-11-12: corrected CVSSv3 base score for CVE-2024-43639.