Top dangerous vulnerabilities of August: Microsoft Windows and WordPress sites are at risk

Today I will talk about the most dangerous vulnerabilities of August. There were six such vulnerabilities this month:

1. Vulnerabilities in Microsoft products:

• remote code execution vulnerability in the Windows Remote Desktop Licensing Service component, named MadLicense (CVE-2024-38077);

• Mark of the Web security feature bypass vulnerability in the Windows operating system, leading to the possibility of running malicious files (CVE-2024-38213);

• privilege escalation vulnerabilities — in the Windows kernel itself (CVE-2024-38106), Ancillary Function driver (CVE-2024-38193), and Power Dependency Coordinator component (CVE-2024-38107);

2. privilege escalation vulnerability without authentication in the LiteSpeed Cache plugin for WordPress CMS (CVE-2024-28000).

Microsoft Vulnerabilities

Remote code execution vulnerability in the Windows Remote Desktop Licensing Service component, named MadLicense (CVE-2024-38077)

❗ Critical danger level, CVSS score — 9.8

The vulnerability was fixed in the July Patch Tuesday. By exploiting the vulnerability, an unauthenticated attacker can cause remote code execution by sending RDL messages. Updates are available for Windows Server versions 2008–2022.

What is the RDL service? By default, Remote Desktop Services only allow two simultaneous connections via the Remote Desktop Protocol (RDP) to a Windows server. If more are needed, licenses must be purchased. These licenses are managed by the RDL service. Often, admins enable RDL on servers where it is not needed.

On August 9, a description and PoC for Windows Server 2025 appeared on GitHub. So far, only pseudocode in Python without critical parts, purely for developing detection rules.

Researchers have found that about 170,000 hosts on the internet may be affected by this vulnerability. In intranets, there should be countless more.

Apparently, this is a long-term trend. Researchers promise to publish information about two more critical vulnerabilities, BadLicense and DeadLicense. We keep our finger on the pulse and continue to monitor.

Number of potential victims: all users of Windows Server versions 2000–2025 who have not downloaded security updates. According to researchers, about 170,000 potentially vulnerable hosts are available on the internet, and there may be an order of magnitude more such servers in company internal networks.

Signs of exploitation: according to Microsoft, there is currently no information on the exploitation of this vulnerability.

Publicly available exploits: there is a PoC available in the public domain.

Read also:

• Testing BMC: let's talk about load testing

Mitigation methods: security updates can be downloaded from the Microsoft page dedicated to the CVE-2024-38077 vulnerability.

Mark of the Web (MotW) security feature bypass vulnerability in Windows OS, leading to the possibility of running malicious files (CVE-2024-38213)

❗ Medium level of danger, CVSS score — 6.5

MotW security feature bypass vulnerability in Windows. The vulnerability was named Copy2Pwn and was fixed as part of the August Microsoft Patch Tuesday (although ZDI writes that Microsoft fixed it earlier, in June).

The vulnerability allows attackers to bypass the SmartScreen security feature that protects users from running potentially malicious files downloaded from the internet.

Let's figure out what it's all about. There is such a set of extensions over HTTP for working with files — WebDAV.

You can access the WebDAV share through a web browser:

http://10.37.129.2/example_webdav_folder/somefile

Or you can access it through Windows Explorer (like SMB):

\10.37.129.2@80\example_webdav_folder

And when copying from the share through Windows Explorer, the MotW tag was somehow not set. Hence the name Copy2Pwn.

ZDI researchers found signs of exploitation of the vulnerability in March 2024 in samples related to the DarkGate malware operator.

Number of potential victims: all Windows users (including Windows Server) who have not downloaded security updates.

Signs of exploitation: Microsoft notes instances of exploitation of the vulnerability. In addition, ZDI researchers found signs of exploitation of the vulnerability in March 2024 in samples related to the DarkGate malware operator.

Publicly available exploits: available in the public domain.

Read also:

• Testing BMC: let's talk about load testing

Remediation methods: security updates can be downloaded from the Microsoft page dedicated to the CVE-2024-38213 vulnerability.

Privilege escalation vulnerabilities — in the Windows kernel (CVE-2024-38106), Ancillary Function driver (CVE-2024-38193), and Power Dependency Coordinator component (CVE-2024-38107)

❗ High severity for CVE-2024-38106, CVSS score — 7.0

❗ High severity for CVE-2024-38193 and CVE-2024-38107, CVSS score — 7.8

In the August Microsoft Patch Tuesday, there were three vulnerabilities related to privilege escalation, with signs of exploitation in real environments.

These vulnerabilities have identical descriptions: an attacker can elevate privileges on the host to the SYSTEM level, i.e., to the maximum. The vulnerability in the Windows kernel is more difficult to exploit because it requires winning a race condition.

Race condition (race condition) — a design flaw in a multithreaded system or application, where the operation of the system or application depends on the order in which parts of the code are executed. The error got its name from a similar design flaw in electronic circuits.

Only in the case of privilege escalation in the Windows Ancillary Function driver (AFD.sys) is it known who exactly exploits this vulnerability, namely the well-known Lazarus group. This is reported in a press release by Gen Digital, the manufacturer of Avira and Avast antivirus software. To neutralize security products during the attack, Lazarus uses the Fudmodule rootkit. This is a reminder to those who believe that if there is an EDR on the host, it is fully protected and does not need to be updated.

If you have not yet installed the August security updates from Microsoft, be sure to install them to protect against these critical vulnerabilities.

Number of potential victims: all Windows users (including Windows Server) who have not downloaded security updates.

Signs of exploitation: Microsoft notes instances of vulnerability exploitation. The Gen Digital press release states that the CVE-2024-38193 vulnerability is actively exploited by the well-known Lazarus group.

Publicly available exploits: not available in the public domain.

Remediation methods: security updates can be downloaded from the Microsoft pages dedicated to CVE-2024-38106, CVE-2024-38193, and CVE-2024-38107 vulnerabilities.

And we will finish with the only non-Microsoft vulnerability.

WordPress CMS Plugin Vulnerability

Privilege escalation vulnerability without authentication in the LiteSpeed Cache plugin for WordPress CMS (CVE-2024-28000)

❗ Critical danger level, CVSS score — 9.8

WordPress is a popular CMS (835 million sites) with open source and third-party plugin support.

LiteSpeed Cache is one of these plugins. It increases the loading speed of website pages by caching them. The free version is installed on five million sites.

On August 13, a critical vulnerability was discovered in this plugin, allowing an unauthenticated attacker to remotely gain administrator rights.

The vulnerability was found by researcher John Blackbourn and submitted through the bug bounty program, earning him 14,400 $. That's about 1.3 million rubles. The amount for one vulnerability, you must agree, is quite decent.

According to the description, the exploitation of the vulnerability comes down to selecting the hash used for authentication. This hash is generated insecurely, so there are only a million possible values. If you make three requests to the site per second, the brute force and obtaining admin rights take from several hours to a week.

The vulnerability is not exploited on Windows installations, as one of the functions involved in generating the hash is missing there. This is stated in the write-up, without specifying how this plugin works in the Windows environment and whether it works at all. But if it works and the vulnerability is not exploited, then hosting sites on Windows instead of Linux is not such a strange idea 🙂

A PoC has been posted on GitHub, and attackers are already actively exploiting the vulnerability.

Update to version 6.4.1 and above to protect yourself.

Number of potential victims: all users of the vulnerable version of the LiteSpeed Cache plugin for WordPress, more than 5 million sites.

Signs of exploitation: there are known cases of active exploitation of the vulnerability by attackers.

Publicly available exploits: there is a PoC available in the public domain.

Remediation methods, compensating measures: the vulnerability allows privilege escalation without authentication in all versions of the LiteSpeed Cache plugin, starting from version 1.9 and up to version 6.3.0.1. A security update has been released for version 6.4 of the plugin, and it can be obtained from the official WordPress page. Additionally, we recommend using web application firewalls, such as Positive Technologies Application Firewall, to secure resources with unrestricted user access via the internet.

⚔️ How to protect yourself ⚔️

The use of popular products containing trending vulnerabilities can put any company at risk. Such vulnerabilities are the most dangerous and require immediate remediation. Information about such threats is received in the MaxPatrol VM vulnerability management system within 12 hours of their appearance, allowing timely measures to be taken to eliminate the most dangerous of them and protect the company's infrastructure.

The article provides examples of vulnerabilities that have been actively exploited recently. Information about them and publicly available exploits is presented as of August 31, 2024.

Alexander Leonov

Lead Expert at PT Expert Security Center