The month of September 2024 is exceptional for the many high-severity flaws that may hurt organizations and individual users. Several key Common Vulnerabilities and Exposures (CVEs) were published during this month, which could potentially grant attackers easy access to target systems. As we delve into these flaws, it is evident to notice that more and more bugs are affecting the new software while hackers are exploiting them to compromise vulnerable systems.
There were a confirmed total of almost 2,800 vulnerabilities disclosed during September 2024, a steady number reported every month so far this year. And the reported vulnerabilities were remote code execution and elevation of privilege attacks that shine a light to the savvy of attacks.
In September 2024, Microsoft addressed 112 CVEs in its Patch Tuesday release. These included:
8 rated as critical
98 classified as important
6 rated as moderate
Those three were covered by this month’s updates, too, but of course, there were many more, including several zero-days that were actively exploited in the wild, all codenamed CVE-2023-40440-41345-41473-41474. The most serious of those was CVE-2024-43491, a Windows Update remote code execution vulnerability.
Vulnerability Types
Elevation of Privilege (EoP): This was the most prevalent vulnerability type, accounting for 38% of the vulnerabilities patched3. EoP flaws allow attackers to gain higher-level permissions on a system.
Remote Code Execution (RCE): RCE vulnerabilities made up 29.1% of the patched flaws3. These permit attackers to execute arbitrary code remotely on target systems.
Security Feature Bypass: Comprising 18% of the vulnerabilities, these flaws enable attackers to circumvent security mechanisms2.
Information Disclosure: Around 7% of the vulnerabilities involved the exposure of sensitive information to unauthorized parties.
Others: The remaining vulnerabilities included less common types like Denial of Service (DoS) and Cross-site Scripting (XSS).
Key Trends
Zero-day Vulnerabilities: Microsoft patched four zero-day vulnerabilities in September 2024, with three being actively exploited23. These included: CVE-2024-43491 (CVSS 9.8), CVE-2024-38014 (CVSS 7.8), CVE-2024-38217, CVE-2024-38226
Critical Vulnerabilities in Enterprise Software: Several critical vulnerabilities affected widely used enterprise software: Azure Web Apps (CVE-2024-38194, CVSS 8.4), Microsoft SharePoint Server (CVE-2024-38220, CVSS 8.8), Windows Update (CVE-2024-43491, CVSS 9.8)23
Infostealer Malware Dominance
Infostealer malware, particularly LummaC2, became the most prevalent malware category, replacing other well-known infostealers like RedLine.
Ransomware Evolution: Ransomware groups adopted new tactics, such as using passwords to validate execution and prevent analysis. Groups like Fog, RansomHub, and 3AM were notable in this trend.
Surge in Magecart Attacks: There was a significant 103% increase in Magecart attacks targeting e-commerce platforms1.
IoT Vulnerabilities: Vulnerabilities like CVE-2024-43491 had profound implications for IoT devices, especially those running on older versions of Windows 10 Enterprise2.
Focus on Remote Access and Security Solutions: Zero-day vulnerabilities affecting remote access and security solutions became prime targets for cybercriminals and state-sponsored groups.
The top 10 vulnerabilities that organizations need to address and prioritize this month are as follows:
CVE-2024-43491: Microsoft Windows Update Remote Code Execution Vulnerability
Overview: CVE-2024-43491 is a critical vulnerability affecting the Servicing Stack of Windows 10 Version 1507. It allows attackers to reverse previously applied security patches, exposing the system to older vulnerabilities.
Impact: Exploiting this vulnerability can result in remote code execution, which can lead to full system compromise, data theft, or service disruption.
Mitigation:
Apply Security Patches: Ensure that both the Servicing Stack Update (KB5043936) and the Windows Security Update (KB5043083) are installed.
Upgrade Systems: Transition to a newer version of Windows to reduce exposure.
CVE-2024-38194: Azure Web Apps Elevation of Privilege Vulnerability
Overview: This vulnerability impacts Azure Web Apps and allows authenticated attackers to exploit an authorization flaw, gaining elevated permissions.
Impact: Exploitation can lead to unauthorized access to critical resources and data, compromising cloud infrastructure.
Mitigation:
Apply Patches: Microsoft has issued updates to resolve this vulnerability in Azure infrastructure.
Review Access Controls: Strengthen permission management and monitor privilege escalation.
CVE-2024-37341: Microsoft SQL Server Elevation of Privilege Vulnerability
Overview: This high-severity vulnerability affects Microsoft SQL Server 2017 and 2019, enabling unauthorized access to resources through weak access control.
Impact: Exploitation can lead to unauthorized users gaining elevated access, potentially resulting in data breaches or manipulation.
Mitigation:
Apply Security Updates: Ensure all SQL Servers are updated to the latest version.
Enhance Authentication Mechanisms: Implement stricter authentication and authorization controls.
CVE-2024-21416: Windows TCP/IP Remote Code Execution Vulnerability
Overview: A critical vulnerability affecting multiple Windows versions, including Windows 10, 11, and Server editions, allowing remote code execution.
Impact: Successful exploitation could lead to complete system compromise, allowing attackers to run malicious code remotely.
Mitigation:
Install Patches: Apply all necessary updates released in September 2024 to secure the TCP/IP stack.
Limit Network Exposure: Restrict access to vulnerable systems to trusted networks.
CVE-2024-38018: Microsoft SharePoint Server Remote Code Execution Vulnerability
Overview: This vulnerability affects Microsoft SharePoint Server 2016 and 2019, allowing remote code execution through improper deserialization of untrusted data.
Impact: Exploiting this flaw can lead to full system compromise, allowing attackers to manipulate sensitive business data.
Mitigation:
Apply Patches: Ensure all SharePoint Servers are up to date with the latest security fixes.
Review Input Validation: Strengthen input validation mechanisms to mitigate deserialization attacks.
CVE-2024-8963: Ivanti Cloud Services Appliance Authentication Bypass
Overview: A critical vulnerability in Ivanti Cloud Services Appliance (CSA) versions 4.6 and earlier allows attackers to bypass authentication and gain administrative access.
Impact: Exploitation can lead to unauthorized configuration changes and exposure to further attacks.
Mitigation:
Upgrade to the Latest Version: Ensure CSA is updated to version 4.7 or later to close this security gap.
Enhance Security Policies: Strengthen authentication and monitoring to detect unauthorized changes.
CVE-2024-8190: Ivanti Cloud Services Appliance Command Injection
Overview: This vulnerability affects Ivanti CSA versions before 4.7 and enables command injection due to improper input validation.
Impact: Attackers can gain root-level access, which can lead to full system compromise.
Mitigation:
Apply Security Updates: Ensure CSA is updated to the latest version.
Improve Input Validation: Strengthen validation mechanisms to prevent command injection.
CVE-2024-6795: Baxter Connex Health Portal SQL Injection
Overview: This critical SQL injection vulnerability affects Baxter’s Connex health portal, allowing unauthorized access to the portal’s database.
Impact: Successful exploitation can lead to data modification, disclosure, or even a database shutdown.
Mitigation:
Apply Security Patches: Ensure the Connex health portal is updated to the latest version.
Implement Strong Access Controls: Enforce stronger input validation to mitigate SQL injection risks.
CVE-2024-37288: Elastic Kibana Deserialization Vulnerability
Overview: A critical vulnerability in Elastic Kibana, affecting users who utilize built-in AI tools with Amazon Bedrock connectors. It enables remote code execution through crafted YAML payloads.
Impact: Exploiting this flaw could allow attackers to execute arbitrary code and take over affected systems.
Mitigation:
Apply Security Updates: Update Kibana to the latest version with security patches.
Monitor System Activity: Continuously monitor systems for unusual activity related to YAML file parsing.
CVE-2024-29847: Ivanti Endpoint Manager Remote Code Execution
Overview: This vulnerability affects Ivanti Endpoint Manager (EPM) before the 2022 SU6 or September 2024 update, allowing remote unauthenticated attackers to execute code through untrusted data deserialization.
Impact: Attackers can achieve remote code execution, leading to full system compromise.
Mitigation:
Apply Security Updates: Ensure that Ivanti EPM is updated to the latest version.
Harden Input Validation: Strengthen input validation to prevent deserialization of untrusted data.
