Monday, December 23, 2024

Microsoft fixes hack-me-via-Wi-Fi Windows security hole


Patch Tuesday Microsoft kicked off our summer season with a relatively light June Patch Tuesday, releasing updates for 49 CVE-tagged security flaws in its products – including one bug deemed critical, a fairly terrifying one in wireless networking, and one listed as publicly disclosed.

The one that’s listed as publicly known, and not yet publicly exploited, is CVE-2023-50868 in Windows Server as well as non-Microsoft software. It’s a vulnerability in DNSSEC implementations that we’ve known about since February; El Reg readers may remember this bug, dubbed NSEC3-encloser, which can be exploited by a remote attacker to potentially exhaust CPU resources on a vulnerable system, causing it to stop working as intended.

“CVE-2023-50868 is regarding a vulnerability in DNSSEC validation where an attacker could exploit standard DNSSEC protocols intended for DNS integrity by using excessive resources on a resolver, causing a denial of service for legitimate users,” Redmond declared on Tuesday.

Meanwhile, the one critical flaw announced – CVE-2024-30080 – is a remote code execution (RCE) issue in Microsoft Message Queuing (MSMQ) and is serious enough that it received a 9.8 out of 10 CVSS severity rating. Redmond describes this one as “exploitation more likely.”

It could allow a remote, unauthenticated attacker to execute arbitrary code by sending a specially crafted malicious MSMQ packet to a vulnerable Windows system, such as a Windows Server box.

“That makes this wormable between those servers, but not to systems where MSMQ is disabled,” according to Zero Day Initiative’s Dustin Childs, who added “it’s not clear how many affected systems are exposed to the internet. While it is likely a low number, now would be a good time to audit your networks to ensure TCP port 1801 is not reachable.”

Indeed, Microsoft says: “You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine.”
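The check Microsoft and Childs describe, as an added PowerShell example (not code from the article, Microsoft, or ZDI): it reports whether the Message Queuing service (short name MSMQ) is installed and whether anything is listening on TCP 1801, so an admin can decide whether the CVE-2024-30080 patch or a port block is urgent. It assumes Windows PowerShell 5.1 or later with the NetTCPIP module (Windows 8 / Server 2012 and newer).

```powershell
# Added example: audit a Windows host for MSMQ exposure (service + TCP 1801).
# Assumes the NetTCPIP module (Get-NetTCPConnection) is available.

function Test-MsmqExposure {
    [CmdletBinding()]
    param([int]$Port = 1801)

    $result = [ordered]@{
        ServicePresent = $false
        ServiceStatus  = 'NotInstalled'
        PortListening  = $false
        Listeners      = @()
    }

    # Service name is MSMQ; its display name is "Message Queuing".
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServicePresent = $true
        $result.ServiceStatus  = $svc.Status.ToString()
    }

    # Any socket in the Listen state on the MSMQ port, plus the owning process.
    # Get-NetTCPConnection raises a non-terminating error when nothing matches,
    # hence SilentlyContinue.
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if ($listeners) {
        $result.PortListening = $true
        $result.Listeners = @($listeners | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        })
    }

    [pscustomobject]$result
}

$status = Test-MsmqExposure
$status | Format-List

if ($status.PortListening) {
    Write-Warning "TCP 1801 is listening on this host; confirm the June 2024 update for CVE-2024-30080 is installed, and block the port at the host or perimeter firewall if MSMQ is not needed."
}
```

If the host does not need MSMQ reachable at all, a host-level block such as `New-NetFirewallRule -DisplayName 'Block MSMQ inbound' -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block` removes the exposure independently of patch status.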

There’s also the scary-looking CVE-2024-30078, a Wi-Fi driver remote code execution hole rated 8.8 in severity. It’s not publicly disclosed, not yet under attack, and exploitation is “less likely,” according to Redmond.

“An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution,” and thus remotely, silently, and wirelessly run malware or spyware on that nearby victim’s computer, Microsoft admitted.

Childs said: “Considering it hits every supported version of Windows, it will likely draw a lot of attention from attackers and red teams alike.” Patch as soon as you can: This flaw can be abused to run malicious software on and hijack a nearby Windows PC via its Wi-Fi with no authentication needed. Pretty bad.

On top of this, there are the usual load of elevation of privilege and other code execution holes in Microsoft’s code to close with this month’s patches.

Adobe addresses 166 CVEs

Adobe released ten patches covering a whopping 166 CVEs, with 144 of those affecting Experience Manager. Only one of the 144 – a security bypass flaw – is deemed critical, with the rest rated important and moderate. And luckily none appear to have been exploited in the wild.

Meanwhile, the Photoshop update resolved one critical vulnerability that could allow arbitrary code execution, and FrameMaker Publishing Server has two critical CVEs that could lead to privilege escalation. 

Adobe Substance 3D Stager also has a patch for one critical out-of-bounds-write security issue. And the update for Creative Cloud Desktop fixes a critical uncontrolled search path element that could allow arbitrary code execution.   

The Adobe Commerce update addresses seven critical and three important vulnerabilities that could be exploited for arbitrary code execution, a security feature bypass and privilege escalation. 

The patch for Audition fixes two important memory leak and application denial-of-service vulnerabilities, while the ColdFusion update fixes two important bugs that could lead to arbitrary file system read and allow an attacker to bypass security features.

There’s one important out-of-bounds read vuln in Media Encoder that now has a fix. And finally, an important CVE in Adobe Acrobat Android could lead to security feature bypass.

SAP security notes a dime a dozen

SAP released a dozen new and updated security notes (behind a customer paywall) this month, including two high-priority alerts for bugs affecting NetWeaver AS Java and Financial Consolidation on S/4HANA. Of the two, note #3457592, which patches two cross-site scripting vulnerabilities in SAP Financial Consolidation, received the highest CVSS severity score of 8.1.

“The more critical one allows data to enter a web application through an untrusted source and manipulating web site content,” explained Thomas Fritsch, SAP security researcher at Onapsis. “This causes a high impact on the confidentiality and integrity of the application.”

The second high-priority note, #3460407, addresses a 7.5-rated denial-of-service vulnerability in NetWeaver AS Java.

Ransomware crims exploiting PHP

Open source scripting language PHP this month released 8.2.20, which includes a fix for an RCE tracked as CVE-2024-4577. This critical bug in PHP for Windows is now under active exploit, and at least one group of criminals is abusing the flaw to distribute TellYouThePass ransomware – so definitely prioritize updating this code.

Arm under active exploit

Arm has fixed a flaw in its Bifrost and Valhall GPU kernel drivers that has already been found and exploited by miscreants.

It’s tracked as CVE-2024-4610 and affects all versions from r34p0 to r40p0.

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Arm warned, noting that it “is aware of reports of this vulnerability being exploited in the wild.” When we find out more about this issue, we’ll let you know: It could be used by rogue apps and the like to compromise Arm-powered devices, we imagine.

Apple Vision Pro plugs 21 holes, although Android has more

Apple addressed 21 bugs in its visionOS 1.2 release. None of the flaws are reported as being under exploit at the time of the release.

The worst of the bunch could allow an app to execute arbitrary code with kernel privileges – so if you use Apple’s 3D camera, install the updated software stat.

Google’s June security update for Android patched 37 holes across its Android services.

“The most severe of these issues is a high security vulnerability in the System component that could lead to local escalation of privilege with no additional execution privileges needed,” Google noted. 

In fact, there are seven such high-severity EoPs in the System component, plus another ten in Framework.

Uh, oh, it’s a SolarWinds CVE

SolarWinds has fixed an 8.6-CVSS-rated directory traversal flaw – tracked as CVE-2024-28995 – in its managed file transfer tool Serv-U that could grant snoops read-access to sensitive files on the host machine. Upgrade to SolarWinds Serv-U 15.4.2 HF 2 to plug the security hole.

While there are currently no reports of this bug being exploited, “Rapid7 researchers have confirmed the vulnerability is trivially exploitable and allows adversaries to read any file on disk (including binary files) so long as the path is known and the file is not locked.”

This could turn into something quite bad.

Fortinet and Cisco join the fun

Fortinet fixed multiple stack-based buffer overflow vulnerabilities, tracked as CVE-2024-23110, in the command line interpreter of FortiOS that could allow an authenticated attacker to execute unauthorized code.

Meanwhile, Cisco released security updates for Webex and Cisco Finesse this month. The Webex Meetings flaw, spotted in late May, was reportedly used by snoops to spy on government and military meetings. ®
