Peek into Monthly Vulnerabilities: August 2024

August 2024 again saw an uptick in the number of vulnerability disclosures, with several commonly exploited Common Vulnerabilities and Exposures (CVEs) across several platforms. Risk levels may be high, particularly on an enterprise scale, but the number of exploits seen this month demonstrates that there are active attempts to prevent them. This was another month that saw a spike in the total number of vulnerability disclosures, but there were still less than 400 vulnerabilities that had a critical classification. A small handful of vulnerabilities have the potential to harm businesses and consumers alike.

Total CVEs Reported:

Thus, going by our data, an average of around 3,000 vulnerabilities was detected every month in August 2024 to continue the rising trend worldwide. A majority of these vulnerabilities comprised RCE exploits and credential bypass, which might be deadly if allowed to remain.

Patch Tuesday:

In August, Microsoft released 114 CVEs in its Patch Tuesday update. This included:

• 6 rated as critical
• 105 classified as important
• 3 rated as moderate

Notably, this release included multiple zero-day vulnerabilities, highlighting the ongoing risk from attackers exploiting unpatched systems in real-world environments.

• Microsoft Project (CVE-2024-38189) and Microsoft Exchange Server (CVE-2024-38178) were among the most serious threats, allowing attackers to execute arbitrary code with minimal interaction from the target.

Oracle and Cisco:

Microsoft, joined by many other major vendors, issued patches. Oracle, meanwhile, released 324 security patches, covering numerous vulnerabilities across their product family. Cisco publicly disclosed and patched two zero-days in end-of-life Small Business IP phones.

Vulnerability Types and Trends:

• Remote Code Execution (RCE): August continued to see many vulnerabilities categorized as RCE, with notable flaws in the Windows TCP/IP stack (CVE-2024-38063), Progress WhatsUp Gold (CVE-2024-4885), and the Windows Line Printer Daemon Service (CVE-2024-38199). These vulnerabilities allow attackers to execute code on a victim’s machine remotely, often leading to further compromise of sensitive systems.
• Authentication Bypass: CVE-2024-41730, a flaw in SAP systems, lets an attacker bypass authentication and gain unauthorized access.
• Exploitation Trends: Of the 15 new in-the-wild zero-days detected between February and August 2024 – including issues such as the Android RCE CVE-2024-36971 and the Windows LPD Service CVE-2024-38199 – all are still being exploited today.

Top 10 Vulnerabilities in August 2024

The top 10 vulnerabilities that organizations need to address and prioritize this month are as follows:

CVE-2024-38063: Remote Code Execution in Windows TCP/IP Stack

• Overview: CVE-2024-38063 is a critical vulnerability affecting the Windows TCP/IP stack and, specifically the handling of IPv6 packets. Detected with a CVSS v3 score of 9.8, this flaw is a remote code execution (RCE) vulnerability that would allow a threat actor to trigger a buffer overflow by sending crafted IPv6 packets over the network to execute malicious code with elevated privileges.
• Impact: Exploiting this vulnerability would allow an attacker to run arbitrary code in kernel mode. This would give them the highest level of access to the system and would allow them to take control of the system completely. The impact of exploiting this vulnerability could be serious. An attacker could install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could potentially use this vulnerability to take control of an affected system. The vulnerability could allow an attacker to run arbitrary code in the context of the LocalSystem account on the system. An attacker would then be able to install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability arose due to an error when the kernel pipe code was handling a combination of pipe contents and list structures; this drastically enabled the opportunity for overwriting a buffer. This issue affected all implementations of the vulnerable code. This vulnerability affects a wide range of Windows systems, including:
  • Windows 10
  • Windows 11
  • Windows Server 2016, 2019, and 2022 (including Server Core installations)

• Mitigation: To reduce the risks associated with CVE-2024-38063, apply the security patches released by Microsoft in August 2024. Key steps include:
  • Apply Security Updates: Ensure all systems are updated with the latest patches via Windows Update or WSUS. 
  • Disable IPv6: If not in use, consider disabling IPv6 to reduce the attack surface.
  • How to Apply the Patch:

• Via Windows Update: Go to Settings > Update & Security > Windows Update and install any available updates.
• Via WSUS: Deploy the patch across your network using Windows Server Update Services (WSUS).
• Manual Installation: Download and apply the patch from the Microsoft Update Catalog.

CVE-2024-38189: Remote Code Execution in Microsoft Project

• Overview: CVE-2024-38189 – This is a critical Remote Code Execution vulnerability in Microsoft Project that could allow an attacker to execute arbitrary code on the victim’s system. This vulnerability is extremely easy to exploit as it can be retrieved by opening a malicious Microsoft Project file. We give the highest risk score to this vulnerability due to its high impact on users and the ease of abuse by both automated scripts and organizations relying on Microsoft Project.
• Impact: If successful, the attacker gains complete control over the system, allowing for unauthorized access, data exfiltration, or control of other systems connected to the compromised network. Due to the vulnerability requiring no form of authentication, an attacker with no skills could gain access to systems simply by uploading a malicious project file.
• Mitigation: To mitigate the risk of this vulnerability:
  • Apply Security Updates: Ensure all users are running the latest version of Microsoft Project, as patches have been released in August 2024.
  • User Awareness: Train users to be cautious when opening unsolicited project files, particularly from untrusted sources.

CVE-2024-38178: Remote Code Execution in Microsoft Exchange Server

• Overview: By sending a specially crafted request to a vulnerable Microsoft Exchange Server, a remote attacker could exploit the CVE-2024-38178 vulnerability to remotely execute arbitrary code without authenticating or engaging with the user. 
• Impact: Successful exploitation of this vulnerability would allow an attacker to have complete control and gold-plated access to the Exchange Server, allowing the attacker to access all data therein, manipulate the system, and launch further attacks on the internal network. Exchange Servers form one of the most fundamental components in most enterprises. The threat to sensitive business communications makes this vulnerability catastrophic.
• Mitigation: Organizations using Microsoft Exchange should take the following steps:
  • Apply Security Updates: Immediately install the August 2024 Patch Tuesday updates for the Exchange Server to close this vulnerability.
  • Restrict Access: Limit network access to the Exchange Server to reduce exposure.

CVE-2024-36971: Remote Code Execution in Android

• Overview: CVE-2024-36971 is a high-severity remote code execution vulnerability in Android that was actively exploited in the wild before it was patched in August 2024. It affects Android users who visit a malicious website or install a malicious app.
• Impact: Exploitation of this channel allows attackers to control compromised Android devices without the owner’s consent, obtain personal information from them, alter their state, and again gain access to other parts of the network. Such vulnerabilities underpin the need to upgrade to the latest operating system; there is significant risk in using older OSs on mobile devices.
• Mitigation: To protect against this vulnerability:
  • Apply Security Updates: Ensure that Android devices are updated to the latest version, including the August 2024 security patch.
  • Avoid Malicious Content: Advise users to avoid installing apps from untrusted sources and to be cautious when interacting with unfamiliar websites.

CVE-2024-4885: Remote Code Execution in Progress WhatsUp Gold

• Overview: CVE-2024-4885 is a critical RCE vulnerability in Progress WhatsUp Gold, a widely used network monitoring tool. Exploitation of this flaw allows attackers to gain initial access to corporate networks, potentially compromising sensitive systems further.
• Impact: Attackers leveraging this vulnerability can take control of the WhatsUp Gold system, exfiltrate sensitive network data, and use the compromised system as a foothold for lateral movement within the network. This could result in large-scale breaches of corporate environments.
• Mitigation: To mitigate the risk posed by this vulnerability:
  • Apply Security Updates: Ensure that Progress WhatsUp Gold is updated to the latest version containing security patches.
  • Monitor Network Activity: Increase vigilance in network monitoring for any signs of unauthorized access or malicious activity.

CVE-2024-20450 to CVE-2024-20454: Remote Code Execution in Cisco Small Business IP Phones

• Overview: These vulnerabilities affect the end-of-life Cisco Small Business SPA 300 and SPA 500 series IP phones. Exploiting these flaws allows attackers to execute remote code on affected devices, leading to unauthorized access and potential takeover of the phone system.
• Impact: Although these devices are no longer supported by Cisco, they remain in use in many organizations, leaving them vulnerable to attacks. Exploitation of these vulnerabilities can result in full system compromise, data breaches, and loss of control over the phone network.
• Mitigation: To address these vulnerabilities:
  • Replace Unsupported Hardware: Transition away from end-of-life devices to avoid exposure.
  • Apply Available Patches: Apply any remaining security updates if the hardware is still in use.

CVE-2024-38200: Zero-Day in Microsoft Office

• Overview: CVE-2024-38200 is a zero-day vulnerability affecting Microsoft Office 2016 and later versions. At the time of disclosure, no patch was available, making it a critical concern for businesses using Microsoft Office products.
• Impact: This vulnerability allows attackers to execute arbitrary code by convincing users to open malicious Office files, leading to data breaches, system compromise, and further network intrusion.
• Mitigation: To mitigate the risks:
  • Apply Patches When Available: Microsoft is expected to release a patch soon. In the meantime, caution is advised when opening Office files from untrusted sources.

CVE-2024-41730: Authentication Bypass in SAP Systems

• Overview: CVE-2024-41730 is a critical authentication bypass vulnerability in SAP systems. Exploiting this flaw allows attackers to bypass security mechanisms and gain full access to SAP systems without proper authentication.
• Impact: Successful exploitation of this vulnerability can lead to total system compromise, allowing attackers to manipulate business-critical data, access sensitive information, and perform unauthorized actions on the affected system.
• Mitigation: To mitigate this risk:
  • Apply SAP Patches: Install the latest SAP security updates released in August 2024.
  • Enhance Security Policies: Review and strengthen authentication mechanisms within SAP environments.

CVE-2024-28986: Unauthorized Data Access in SolarWinds Web Help Desk

• Overview: CVE-2024-28986 is a critical vulnerability in SolarWinds’ Web Help Desk software. It allows attackers to gain unauthorized access to sensitive data stored within the system.
• Impact: Exploiting this vulnerability can lead to data breaches, exposing confidential customer information, system configurations, and other critical data.
• Mitigation: To mitigate the risks:
  • Apply Security Patches: Ensure that the Web Help Desk is updated to the latest version.
  • Review Access Controls: Strengthen access controls to sensitive data within the application.

CVE-2024-38199: Remote Code Execution in Windows Line Printer Daemon (LPD) Service

• Overview: CVE-2024-38199 is an RCE vulnerability in the Windows Line Printer Daemon (LPD) service. This vulnerability allows attackers to execute arbitrary code on affected systems by sending specially crafted print tasks.
• Impact: Successful exploitation of this vulnerability can result in full system compromise, allowing attackers to manipulate system files, exfiltrate data, and move laterally within the network.
• Mitigation: To reduce the risk:
  • Apply Security Updates: Install the August 2024 Patch Tuesday update for the LPD service.
  • Restrict Access to LPD Services: Limit network access to LPD services to authorized users only.

Mitigating the Risks

To effectively manage these risks, organizations should:

• Patch First: Apply all the latest patches, starting with the most critical vulnerabilities.
• Implement Strong Security Practices: To prevent exploitation, strict access controls and robust input validation measures should be in place.
• Monitor Exploited Vulnerabilities: Continuously track which vulnerabilities are being actively exploited in the wild and take action.
• Use a Vulnerability Management Tool: Solutions like ThreatMon can help prioritize vulnerabilities based on their potential impact on your business.

If they do it right and in a timely fashion, they can fix these vulnerabilities, substantially reducing the risk of system compromise.