Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs

CVE-2024-38206 | Microsoft Copilot Studio Information Disclosure Vulnerability

CVE-2024-38206 is a critical severity information disclosure vulnerability affecting Microsoft’s Copilot Studio, an AI-powered chatbot. This vulnerability received a CVSSv3 score of 8.5 and could be abused by an authenticated attacker to bypass server-side request forgery (SSRF) protections in order to leak potentially sensitive information. The vulnerability was released by Microsoft on August 6, with the advisory noting that no user action is required as the issue has been patched by Microsoft. This vulnerability was discovered and reported to Microsoft by Tenable researcher Evan Grant.

CVE-2024-38109 | Azure Health Bot Elevation of Privilege Vulnerability

CVE-2024-38109 is a critical severity EoP vulnerability affecting Azure Health Bot. This vulnerability received a CVSSv3 score of 9.1 and is the result of a SSRF vulnerability in Azure Health Bot that can be abused to escalate privileges. This vulnerability was discovered by Tenable researcher Jimi Sebree and responsibly disclosed to Microsoft. The issue has been patched by Microsoft and no action is required for users of the Health Bot service. For more information on this vulnerability, please refer to Tenable Research Advisories TRA-2024-27 and TRA-2024-28, as well as our blog post.

CVE-2024-38106, CVE-2024-38133 and CVE-2024-38153 | Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-38106, CVE-2024-38133 and CVE-2024-38153 are EoP vulnerabilities affecting the Windows Kernel. CVE-2024-38133 and CVE-2024-38153 received CVSSv3 scores of 7.8, while CVE-2024-38106 was scored as a 7. Despite the lower severity and the exploitability requirements of the attacker needing to win a race condition for successful exploitation, CVE-2024-38106 was reportedly exploited in the wild as a zero-day. CVE-2024-38133 and CVE-2024-38153 were not listed as being exploited, however CVE-2024-38133 was rated as “Exploitation More Likely” according to the Microsoft Exploitability Index. Successful exploitation of these vulnerabilities could allow the attacker to elevate privileges to SYSTEM.

CVE-2024-38107 | Windows Power Dependency Coordinator Elevation of Privilege Vulnerability

CVE-2024-38107 is an EoP Vulnerability affecting Windows Power Dependency Coordinator (pdc.sys), a driver responsible for power management on a Windows system. This vulnerability was exploited in the wild as a zero-day, though no specific details about exploitation were available at the time this blog was published. Microsoft provided a CVSSv3 score of 7.8 for this vulnerability and patches are available for all supported versions of Windows and Windows Server.

CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability

CVE-2024-38178 is a Scripting Engine memory corruption vulnerability in Windows Scripting. This vulnerability was assigned a CVSSv3 score of 7.5 and Microsoft notes that exploitation has been observed. According to Microsoft, an authenticated victim must have Edge in Internet Explorer Mode as a prerequisite for exploitation prior to an unauthenticated attacker convincing the victim to click a specially crafted URL to obtain RCE.

CVE-2024-38189 | Microsoft Project Remote Code Execution Vulnerability

CVE-2024-38189 is a RCE vulnerability affecting Microsoft Project, a project management tool. This vulnerability received a CVSSv3 score of 8.8 and was exploited in the wild. According to the advisory, exploitation requires an unsuspecting victim to open a crafted Microsoft Office Project file. Additionally, the system must be configured to have the “Block macros from running in Office files from the Internet policy” disabled as well as have the VBA Macro Notification Settings disabled in order for a successful attack. Micsoft’s advisory does clarify that the Preview Pane is not an attack vector for this vulnerability and offers mitigation options to protect systems if immediate patching cannot be immediately performed.

CVE-2024-38141 and CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2024-38141 and CVE-2024-38193 are EoP vulnerabilities affecting the Windows Ancillary Function Driver for Winsock (afd.sys). Both of these vulnerabilities were given CVSSv3 scores of 7.8 and can allow an attacker to escalate privileges to SYSTEM. CVE-2024-38141 is rated as “Exploitation More Likely” and CVE-2024-38193 was reported to have been exploited in the wild as a zero-day vulnerability.

CVE-2024-38213 | Windows Mark of the Web Security Feature Bypass Vulnerability

CVE-2024-38213 is a security feature bypass vulnerability with an assigned CVSSv3 score of 6.5. Exploitation of this vulnerability requires a user to open a specially crafted file, which could be hosted on a file server, website or sent via a phishing email. If the attacker is successful in convincing a victim to open this file, they could bypass the Windows SmartScreen user experience. Microsoft has flagged this as “Exploitation Detected” as they are aware of an instance of this vulnerability being exploited.

CVE-2024-38163 and CVE-2024-38202 | Windows Update Stack Elevation of Privilege Vulnerability

CVE-2024-38163 and CVE-2024-38202 are both EoP vulnerabilities in Windows Update Stack and were assigned CVSSv3 scores of 7.8 and 7.3 respectively. CVE-2024-38163, if successfully exploited could result in gaining SYSTEM privileges. Microsoft has noted that users don’t need to take any action for this vulnerability as it is only exploitable at run time and the impacted version of WinRE has been superseded by a new version.

CVE-2024-38202 was disclosed and presented at BlackHat USA 2024 and DEF CON 32 by SafeBreach Labs researcher Alon Leviev prior to the August 2024 Patch Tuesday release. The vulnerability which exists in Windows Backup, allows a user with basic privileges to “reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)”. Leviev identified the vulnerability in the Windows Update mechanism that could allow unauthorized elevation of privileges by enforcing the downgrade of system components. This vulnerability exposes systems to previously patched exploits, making them susceptible to attacks that could leverage these old vulnerabilities. Microsoft has noted that “an attacker attempting to exploit this vulnerability requires additional interaction by a privileged user to be successful.” Microsoft issued an advisory in coordination with this disclosure at Black Hat.

Source: Leviev's SafeBreach Blog

CVE-2024-21302 and CVE-2024-38142 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability

CVE-2024-21302 and CVE-2024-38142 are both elevation of privilege vulnerabilities in Windows Secure Kernel with an exploitability assessment by Microsoft as “Exploitation Less Likely”. CVE-2024-21302 carries a CVSSv3 score of 6.7 and CVE-2024-38142 a score of 7.8 with successful exploitation of either of these vulnerabilities resulting in an attacker gaining SYSTEM privileges.

CVE-2024-21302 was disclosed at Black Hat USA 2024 by the previously mentioned security researcher, Alon Leviev. Leviev demonstrated that CVE-2024-21302 could be chained with CVE-2024-38202 to downgrade or roll back software versions without the need for interaction from a victim with elevated privileges. The result of this chained attack is the target device could be made susceptible to previously patched vulnerabilities, increasing the attack surface of the device. CVE-2024-21302 was also included in the previously mentioned Microsoft advisory released in coordination with the disclosure at Black Hat.

CVE-2024-38199 | Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability

CVE-2024-38199 is a RCE vulnerability in Windows Line Printer Daemon (LPD) Service. The flaw was assigned a CVSSv3 score of 9.8 and rated “Exploitation Less Likely” by Microsoft. A remote attacker could exploit this across a network by dispatching a specially crafted print task to Windows LPD Service, if successful it would result in RCE on the server. Microsoft has also noted that it was publicly disclosed prior to a patch being available.

CVE-2024-38200 | Microsoft Office Spoofing Vulnerability

CVE-2024-38200 is a spoofing vulnerability affecting Microsoft Office with a CVSSv3 score of 6.5 and rated by Microsoft as “Exploitation Less Likely”. An attacker could leverage this vulnerability with a specially crafted file that a victim would need to interact with. This could be achieved by hosting it on a file server or website and convincing the victim to click on the file or similarly it could be included in a phishing email. Successful exploitation of the vulnerability could result in the victim exposing NTLM (New Technology Lan Manager) hashes to a remote attacker.

CVE-2024-38200 was publicly disclosed on August 8 at DEF CON 32 by Jim Rush and Tomais Williamson, both Senior Security Consultants at PrivSec Consulting. Patches for this vulnerability were released today as part of the August 2024 Patch Tuesday released, however on August 10, Microsoft provided mitigations in coordination with this disclosure prior to the patch being released.

CVE-2024-38063 | Windows TCP/IP Remote Code Execution Vulnerability

CVE-2024-38063 is a critical RCE vulnerability affecting Windows TCP/IP. It received a CVSSv3 score of 9.8 and is rated as “Exploitation More Likely.” An attacker could remotely exploit this vulnerability by sending specially crafted IPv6 packets to a host. Microsoft’s mitigation suggestions suggest disabling IPv6 as only IPv6 packets can be abused to exploit this vulnerability. Microsoft has released patches for all supported versions of Windows and Windows Server, including Server Core installations.