Microsoft kicked off the summer season with a relatively light June Patch Tuesday, releasing updates for 49 CVE-tagged security flaws in its products, including one rated critical, a pretty scary problem in wireless networking, and one listed as publicly disclosed.
The one listed as publicly known but not yet exploited is CVE-2023-50868, which affects Windows Server as well as non-Microsoft software. It’s a vulnerability in DNSSEC implementations that we’ve known about since February; El Reg readers may remember this flaw, called NSEC3-encloser, which a remote attacker can exploit to consume CPU resources on a vulnerable resolver, causing it to stop working as intended.
“CVE-2023-50868 concerns a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources in a resolver, causing a denial of service to legitimate users,” Redmond declared on Tuesday.
Meanwhile, the one critical flaw announced – CVE-2024-30080 – is a remote code execution (RCE) issue in Microsoft Message Queuing (MSMQ), serious enough to have received a CVSS severity rating of 9.8 out of 10. Redmond describes this as “the most likely exploit.”
It could allow a remote, unauthenticated attacker to execute arbitrary code by sending a specially crafted malicious MSMQ packet to a vulnerable Windows system, such as a Windows Server box.
“This makes this possible among those servers, but not on systems where MSMQ is disabled,” according to Dustin Childs of the Zero Day Initiative, who added: “It’s not clear how many affected systems are exposed to the Internet. While likely a low number, now would be a good time to audit your networks to ensure that TCP port 1801 is not reachable.”
Indeed, Microsoft says: “You can check if there is a service running named Message Queuing and TCP port 1801 is listening on the machine.”
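The audit Microsoft and ZDI describe above, as an added example that is not code from The Register, Microsoft, or ZDI: it checks whether the Message Queuing service is present and running, whether anything is listening on TCP 1801 (and which process owns the socket), and whether an enabled inbound firewall rule allows that port. It assumes the service's short name is MSMQ (display name "Message Queuing") and that the NetTCPIP and NetSecurity modules are available, which is the case on supported Windows versions. Run it in an elevated session.

```powershell
# Added example (not from The Register, Microsoft, or ZDI): audit one Windows
# host for the MSMQ exposure behind CVE-2024-30080. Run elevated.
# Assumption: the Message Queuing service's short name is 'MSMQ'.

function Get-MsmqExposure {
    [CmdletBinding()]
    param()

    # Is the Message Queuing service installed, and is it running?
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Is anything listening on TCP 1801, and which process owns the socket?
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
    $owners = $listeners | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} ({2}, PID {3})' -f $_.LocalAddress, $_.LocalPort, $p.ProcessName, $_.OwningProcess
    }

    # Are there enabled inbound Allow rules for TCP 1801 in the host firewall?
    # Get-NetFirewallRule accepts port-filter objects from the pipeline.
    $rules = @(Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 1801 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServiceStatus     = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        Port1801Listening = ($listeners.Count -gt 0)
        Listeners         = ($owners -join '; ')
        InboundAllowRules = (@($rules | Select-Object -ExpandProperty DisplayName) -join '; ')
        # Listening plus an inbound allow rule means the host is reachable on 1801
        # from whatever networks those rules admit; verify from outside as well.
        Exposed           = ($listeners.Count -gt 0 -and $rules.Count -gt 0)
    }
}

# Run from a different machine (a scanner or jump box) to confirm the port is
# NOT reachable from networks that have no business talking MSMQ to this host.
function Test-MsmqReachable {
    param([Parameter(Mandatory)][string]$ComputerName)   # host under audit
    (Test-NetConnection -ComputerName $ComputerName -Port 1801 -WarningAction SilentlyContinue).TcpTestSucceeded
}

Get-MsmqExposure | Format-List
```

A host that reports Port1801Listening as true but Exposed as false is still worth a Test-MsmqReachable check from the network side, since perimeter firewalls and third-party host firewalls are not visible to the NetSecurity cmdlets. Where MSMQ is not actually needed, removing the feature (Remove-WindowsFeature MSMQ-Server on Windows Server, Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server on client SKUs) closes the listener outright rather than relying on the patch alone.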
There’s also the scary-looking CVE-2024-30078, a Wi-Fi driver remote code execution hole rated 8.8 on the CVSS scale. It has not been publicly disclosed, is not yet under attack, and exploitation is “less likely,” according to Redmond.
“An unauthenticated attacker could send a malicious network packet to an adjacent system using a Wi-Fi network adapter, which could enable remote code execution,” Microsoft explained. In other words, malware or spyware could be executed remotely, silently, and wirelessly on a victim’s nearby computer.
Childs said: “Given that it hits every supported version of Windows, it’s likely to attract a lot of attention from attackers and red teams alike.” Patch as soon as you can: this flaw can be abused to run malicious software on, and hijack, a nearby Windows PC via its Wi-Fi without requiring authentication. Pretty bad.
Additionally, there are the usual load of privilege escalation and other code execution holes in Microsoft’s code to close with this month’s patches.
Adobe addresses 166 CVEs
Adobe released ten patches covering a whopping 166 CVEs, with 144 of them affecting Experience Manager. Only one of the 144 — a security bypass flaw — is considered critical, with the rest rated important and moderate. And fortunately none appear to have been exploited in the wild.
Meanwhile, the Photoshop update resolved a critical vulnerability that could allow arbitrary code execution, and FrameMaker Publishing Server has two critical CVEs that could lead to privilege escalation.
Adobe Substance 3D Stager also has a fix for a critical out-of-bounds write security issue. And the update for Creative Cloud Desktop fixes a critical uncontrolled search path element bug that could allow arbitrary code execution.
The Adobe Commerce update addresses seven critical vulnerabilities and three important vulnerabilities that could be exploited for arbitrary code execution, a security feature bypass, and privilege escalation.
The Audition patch fixes two important bugs, a memory leak and an application denial of service, while the ColdFusion update fixes two important bugs that could lead to arbitrary file system reads and allow an attacker to bypass security features.
There is an important out-of-bounds read vulnerability in Media Encoder that now has a fix. And finally, an important CVE in Adobe Acrobat for Android can lead to security features being bypassed.
SAP security is a dime a dozen
SAP released a dozen new and updated security notes (behind a customer paywall) this month, including two high-priority alerts for flaws affecting NetWeaver AS Java and Financial Consolidation in S/4HANA. Of the two, issue #3457592, which fixes two cross-site scripting vulnerabilities in SAP Financial Consolidation, received the highest CVSS severity score of 8.1.
“The most critical one allows data to enter a web application through an untrusted source and by manipulating the content of the web page,” explained Thomas Fritsch, SAP security researcher at Onapsis. “This causes a high impact on the confidentiality and integrity of the application.”
The second high-priority patch, #3460407, addresses a 7.5-score denial-of-service vulnerability in NetWeaver AS Java.
Ransomware crooks exploit PHP
The open-source scripting language PHP released 8.2.20 this month, which includes a fix for an RCE tracked as CVE-2024-4577. This critical bug in PHP for Windows is now under active exploitation, and at least one group of criminals is abusing the flaw to distribute TellYouThePass ransomware – so definitely prioritize updating this code.
Arm under active attack
Arm has fixed a bug in the Bifrost and Valhall GPU kernel drivers that has already been found and exploited by attackers.
It is tracked as CVE-2024-4610 and affects all versions from r34p0 to r40p0.
“A non-privileged local user could perform improper GPU memory processing operations to gain access to already freed memory,” Arm warned, noting that it is “aware of reports of exploitation of this vulnerability in the wild.” When we learn more about this issue, we’ll let you know: we imagine it could be used by rogue apps and the like to compromise Arm-powered devices.
Apple Vision Pro closes 21 holes, although Android has more
Apple addressed 21 bugs in its visionOS 1.2 release. None of the flaws are reported to be in use at the time of release.
The worst of the bunch could allow an app to execute arbitrary code with kernel privileges, so if you use Apple’s headset, install the software update.
Google’s June security update for Android plugs 37 holes in the operating system.
“The most serious of these issues is an elevated security vulnerability in the System component that could lead to local privilege escalation without the need for additional execution privileges,” Google noted.
In fact, there are seven such high-severity EoPs in the System component, plus another ten in the Framework.
Uh, oh, it’s a SolarWinds CVE
SolarWinds has fixed an 8.6-CVSS-rated directory traversal flaw, tracked as CVE-2024-28995, in its Serv-U managed file transfer tool that could give snoops read access to sensitive files on the host machine. Upgrade to SolarWinds Serv-U 15.4.2 HF 2 to close the security hole.
While there are currently no reports of exploits for this flaw, “Rapid7 researchers have confirmed that the vulnerability is trivially exploitable and allows adversaries to read any file on disk (including binary files) as long as the path is known and the file is not locked.”
This can turn into something pretty bad.
Fortinet and Cisco join the fun
Fortinet fixed multiple stack-based buffer overflow vulnerabilities, tracked as CVE-2024-23110, in the FortiOS command-line interpreter that could allow an authenticated attacker to execute unauthorized code.
Meanwhile, Cisco released security updates for Webex and Cisco Finesse this month. The Webex Meetings flaw, spotted in late May, is said to have been used by snoops to spy on government and military meetings. ®