The most dangerous vulnerabilities of September: Microsoft, VMware, Veeam and others are under threat

Trentechix, hello! I am Alexander Leonov, a leading expert at the PT Expert Security Center laboratory. Every month, my team of analysts at Positive Technologies reviews vulnerability information from vendor databases and security bulletins, social networks, blogs, Telegram channels, exploit databases, and public code repositories, and identifies the trending vulnerabilities among them. These are vulnerabilities that are either already being exploited in the wild or may start being exploited in the near future.


In September, we highlighted seven trending vulnerabilities:

  • Vulnerabilities in Microsoft products:

    • Privilege escalation vulnerability in Windows Installer (CVE-2024-38014)

    • Mark of the Web (MotW) security feature bypass vulnerability in Windows (CVE-2024-38217)

    • Vulnerability in the Windows MSHTML Platform for processing and displaying HTML pages (CVE-2024-43461)

  • Remote code execution vulnerability in VMware vCenter and VMware Cloud Foundation (CVE-2024-38812)

  • Remote code execution vulnerability in Veeam Backup & Replication (CVE-2024-40711)

  • Vulnerability in the Roundcube Webmail client for working with email (CVE-2024-37383)

  • SQL injection vulnerability in The Events Calendar plugin for WordPress (CVE-2024-8275)

Vulnerabilities in Microsoft products

Privilege escalation vulnerability in Windows Installer

💥 CVE-2024-38014 (CVSS score — 7.8, high severity)

The vulnerability was fixed on September 10 as part of the September Microsoft Patch Tuesday. The vulnerability was discovered by researchers from SEC Consult.

MSI files

MSI files are the standard way to install, repair, and uninstall programs in Windows. Installation requires high privileges. However, the repair function can be run by a low-privileged user. At the same time, the function itself can be executed on behalf of SYSTEM.

An attacker can run the MSI file of an already installed application and select the repair mode. After that, it becomes possible to interact with the console window that pops up, running on behalf of SYSTEM. After a few steps, they can get an interactive console with SYSTEM rights, i.e., the highest privileges.

Microsoft's fix activates a User Account Control (UAC) prompt when the MSI installer performs an action with elevated privileges, i.e., before the console window appears. This blocks the attack.

A few clarifications to avoid the impression that this vulnerability can be exploited universally.

The attacker needs access to the Windows graphical interface. Naturally, the window needs to be seen and "caught" (literally with the mouse). The task is simplified by the SetOpLock utility, which prevents the window from closing.

The attacker needs a web browser installed on the host. Moreover, the current Edge or IE will not work; Firefox or Chrome is needed. And they should not be running before the attack begins. Also, Edge and IE should not be set as the default browser.

This will not work for every MSI file. SEC Consult has released the msiscan utility to detect MSI files that can be used to exploit this and similar vulnerabilities.

Number of potential victims: all Windows users (including Windows Server users) who have not installed security updates.

Signs of exploitation: Microsoft notes instances of vulnerability exploitation. Additionally, CISA experts have added the vulnerability to their catalog of known exploited vulnerabilities.

Publicly available exploits: available in the public domain.

Mark of the Web (MotW) Security Feature Bypass Vulnerability in Windows

💥 CVE-2024-38217 (CVSS score — 5.4, medium severity)

The vulnerability was fixed as part of the September Microsoft Patch Tuesday on September 10. The vulnerability was reported by researcher Joe Desimone from Elastic Security. In early August, his article "Dismantling Smart App Control" was published, which reported on a method to bypass the Mark of the Web security feature called LNK Stomping.

Several sources link the CVE-2024-38217 vulnerability to this method.

The essence. An attacker can create a shortcut file (LNK file) with non-standard target paths or internal structures. For example, add a dot or space to the path to the target executable file. When clicking on such an LNK file, explorer.exe automatically formats it to canonical form, which results in the removal of the MotW mark before security checks are performed. The article includes a link to a PoC exploit.

There are reports of samples on VirusTotal (the oldest from 2018) exploiting this vulnerability.

Number of potential victims: all Windows users (including Windows Server users) who have not installed security updates.

Signs of exploitation: Microsoft notes instances of vulnerability exploitation. Additionally, CISA experts have added the vulnerability to their catalog of known exploited vulnerabilities. Elastic Security Labs specialists have discovered that the vulnerability has been exploited by attackers since at least 2018.

Publicly available exploits: a PoC was published in the public domain.

Vulnerability in the Windows MSHTML Platform engine for processing and displaying HTML pages

💥 CVE-2024-43461 (CVSS score — 8.8, high severity)

The vulnerability was fixed as part of the September Microsoft Patch Tuesday. At the time of publication, Microsoft did not mark this vulnerability as being exploited in the wild. They did so only three days later, on September 13.

The vulnerability was discovered by ZDI Threat Hunting Team researchers during the investigation of attacks by the APT group Void Banshee. The vulnerability was exploited in the same attack chain as the trending Windows MSHTML Platform Spoofing vulnerability (CVE-2024-38112), fixed in July.

The essence of the vulnerability is that attackers could hide the extension of the malicious HTA file being opened by adding 26 Braille whitespace characters to its name. The victim might think they are opening a harmless PDF document, but in reality this action led to the download and execution of a malicious application that steals passwords, cookies, tokens, credit card data, and other sensitive information.

After installing the security update, spaces in the file name are not removed, but Windows now displays its actual extension.
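The padding trick described above can be hunted for in download, proxy, or mail-attachment logs. The following detector is an added example, not code from the article or from Microsoft; the blank-run threshold, the list of risky extensions, and the sample file names are assumptions constructed for illustration.

```python
import unicodedata
from typing import Optional
from urllib.parse import unquote

BRAILLE_BLANK = "\u2800"   # BRAILLE PATTERN BLANK: draws nothing, yet str.isspace() is False
MIN_PADDING = 3            # assumption: shortest blank run worth reporting
RISKY_EXTS = {"hta", "exe", "scr", "js", "vbs", "lnk", "bat", "cmd"}  # constructed list

def _renders_blank(ch: str) -> bool:
    # Braille blank, ordinary Unicode whitespace, or zero-width format characters (Cf).
    return ch == BRAILLE_BLANK or ch.isspace() or unicodedata.category(ch) == "Cf"

def find_hidden_extension(name: str) -> Optional[dict]:
    """Return details if blank padding separates a decoy extension from the real one."""
    name = unquote(name)                        # web logs carry %E2%A0%80 for U+2800
    stem, dot, real_ext = name.rpartition(".")
    if not dot or not real_ext:
        return None
    shown = stem
    while shown and _renders_blank(shown[-1]):  # peel the padding off the end of the stem
        shown = shown[:-1]
    padding = stem[len(shown):]
    if len(padding) < MIN_PADDING:
        return None
    decoy = shown.rpartition(".")[2].lower() if "." in shown else ""
    return {
        "shown_name": shown,                    # what the user is likely to read
        "decoy_ext": decoy,
        "real_ext": real_ext.lower(),
        "padding": len(padding),
        "braille_blanks": padding.count(BRAILLE_BLANK),
        "risky": real_ext.lower() in RISKY_EXTS,
    }

def scan(names):
    """Map each flagged name's visible part to its finding; clean names are omitted."""
    return {f["shown_name"]: f for f in map(find_hidden_extension, names) if f}

# Constructed sample names (not taken from the article or from real attacks).
SAMPLES = [
    "quarterly_report.pdf" + BRAILLE_BLANK * 26 + ".hta",
    "invoice.pdf" + "%E2%A0%80" * 26 + ".hta",   # the same padding as seen URL-encoded
    "annual report 2024.pdf",
    "backup.tar.gz",
]

if __name__ == "__main__":
    for shown, finding in scan(SAMPLES).items():
        print(shown, "->", finding)
```

Because U+2800 is not classified as whitespace, filters built on `isspace()` or `\s` alone do not see this padding; the check has to name the character explicitly.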

Number of potential victims: all Windows users (including Windows Server users) who have not installed security updates.

Signs of exploitation: Microsoft notes instances of vulnerability exploitation. Additionally, CISA experts have added the vulnerability to their catalog of known exploited vulnerabilities. ZDI researchers reported the exploitation of the vulnerability in 0-day attacks by the Void Banshee group, which used it to deploy an infostealer.

Publicly available exploits: a PoC was published in the public domain.

Mitigation methods: security updates can be downloaded from the official Microsoft pages dedicated to the respective vulnerabilities: CVE-2024-38014, CVE-2024-38217, CVE-2024-43461.

Now let's move on to vulnerabilities in other vendors' software.

Vulnerability in VMware products

Remote code execution vulnerability in VMware vCenter and VMware Cloud Foundation

💥 CVE-2024-38812 (CVSS score — 9.8, critical vulnerability)

The vulnerability was published on September 17. An attacker with network access to the vCenter Server can send a specially crafted network packet, gain RCE, and compromise the organization's virtual infrastructure. The cause is a heap overflow in the DCERPC protocol implementation.

There is little data on the vulnerability itself. It was discovered during The Matrix Cup competition by a team from Tsinghua University. There is no write-up yet. On GitHub, there is one repository where an unknown author offers the exploit for sale for $105. In the end, this announcement turned out to be a scam. On AttackerKB, another unknown user claims to have seen the vulnerability exploited in the wild. The credibility is questionable.

On the other hand, we remember a similar RCE vulnerability in vCenter DCERPC, CVE-2023-34048, which had been covertly exploited in targeted attacks since 2021. Censys reported at the time that 293 vCenter nodes with DCERPC were accessible from the internet.

There is a high chance that this vulnerability will also become a high-profile story.

Number of potential victims: all users of vulnerable product versions:

  • vCenter Server up to versions 8.0 U3b and 7.0 U3s

  • VMware Cloud Foundation 4.x, 5.x

According to Shadowserver, more than 1900 vCenter nodes are accessible on the internet.

Signs of exploitation: Broadcom has not reported any exploitation of the vulnerability.

Publicly available exploits: none available publicly.

Mitigation methods: update the software according to the vendor's recommendations.

Vulnerability in Veeam product

Remote code execution vulnerability in Veeam Backup & Replication

💥 CVE-2024-40711 (CVSS score — 9.8, critical vulnerability)

The vendor's bulletin was released on September 4. The vulnerability description cites the cause as deserialization of untrusted data with a malicious payload.

Deserialization

Deserialization is the process of creating a data structure from a bit sequence by translating this sequence into objects and organizing (structuring) them.

Exploiting the vulnerability allows an attacker to destroy backups, which significantly complicates the recovery of the organization's infrastructure after an attack.

The vulnerability was discovered by a researcher from CODE WHITE.

Five days later, on September 9, researchers from watchTowr Labs posted a detailed write-up, exploit code, and a video demonstrating its operation on their blog.

There are no signs of this vulnerability being exploited in the wild yet, just like the June vulnerability in Veeam B&R (CVE-2024-29849). This does not mean that attackers are not exploiting these vulnerabilities. It is possible that targeted attacks using these vulnerabilities have simply not been reliably detected yet. For example, the CISA KEV includes Veeam B&R vulnerabilities from 2022, which were only added in 2023.

Update in advance!

In their write-up, watchTowr Labs draws attention to the oddities associated with fixing this vulnerability.

  • The description of the vulnerability in NVD states that authentication is not required to exploit the vulnerability, but the CVSS vector in the vendor's bulletin indicates that authentication is required (PR:L).

  • The large number of changes in the patch suggests that the vendor was fixing some vulnerabilities without informing customers (silent patching). It is possible that installing this patch fixes other product vulnerabilities that we are not aware of.

  • Researchers concluded that the CVE-2024-40711 fix occurred in several stages. Initially, exploitation of the vulnerability did not require authentication, then a patch was released and authentication became necessary, and finally, the second patch completely fixed this vulnerability. As usual, it is best to update to the latest version.

Number of potential victims: all users of Veeam Backup Enterprise Manager using version 12.1.2.172 and below.

Signs of exploitation: Vulnera researchers report the use of the vulnerability in attacks by the Cuba ransomware gang and FIN7 groups.

Publicly available exploits: available in the public domain.

Remediation methods: security updates can be downloaded from the official Veeam page dedicated to CVE-2024-40711.

Vulnerability in Roundcube product

Vulnerability in the Roundcube Webmail email client

💥 CVE-2024-37383 (CVSS score — 6.1, medium severity)

Roundcube is an email client for working with email through a web interface. In terms of functionality, it is comparable to desktop email clients such as Outlook Express and Mozilla Thunderbird.

The vulnerability is caused by an error in processing SVG elements in the email body. The user opens an email from an attacker, resulting in malicious JavaScript code being executed in the user's page context. In September 2024, Positive Technologies specialists discovered signs of exploitation of this vulnerability.

Attacks on Roundcube are not uncommon. At the end of last year, there was news about the exploitation of a similar vulnerability, CVE-2023-5631, in targeted attacks.

Number of potential victims: according to Shadowserver, more than 882 thousand Roundcube Webmail nodes are accessible on the internet.

Signs of exploitation: In September 2024, Positive Technologies specialists discovered signs of exploitation of this vulnerability.

Publicly available exploits: a PoC was published in the public domain.

Remediation methods: update Roundcube Webmail versions 1.5.x and below to version 1.5.7 or higher, and versions 1.6.x to version 1.6.7 or higher.

And finally, the last vulnerability.

Vulnerability in the WordPress plugin

SQL injection vulnerability in The Events Calendar plugin for WordPress

💥 CVE-2024-8275 (CVSS score — 9.8, critical vulnerability)

This WordPress plugin allows you to create event pages with search and filtering capabilities. The plugin is used on more than 700,000 websites.

The plugin can be customized, including using individual plugin functions in your code. In one of these functions — tribe_has_next_event() — an SQL injection was discovered, which allows an unauthenticated user to extract confidential information from the website's database. An exploit is available on GitHub.

Developers note that this function is not used by the plugin itself (unused code). Only sites that have manually added the call to tribe_has_next_event() will be vulnerable.

If you are using WordPress with The Events Calendar plugin, check if there is any tricky customization using this vulnerable function, and update to version 6.6.4.1 or higher.
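One way to run the check described above over a site's `wp-content` directory, as an added example that is not code from the article or from the plugin's developers. It assumes the plugin lives in a folder named `the-events-calendar` whose main file carries the usual `Version:` header; the sample tree and the `audit()` and `demo()` helpers are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (6, 6, 4, 1)                 # fixed release named in the article
PLUGIN_DIR = "the-events-calendar"   # assumed plugin folder name
CALL_RE = re.compile(r"\btribe_has_next_event\s*\(")
DEF_RE = re.compile(r"\bfunction\s+tribe_has_next_event\b")
VER_RE = re.compile(r"^[ \t*]*Version:\s*(\d+(?:\.\d+)*)", re.M)

def plugin_version(text):
    """Read the 'Version:' plugin header into a comparable tuple, or None."""
    m = VER_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit(wp_content):
    """Find custom calls to tribe_has_next_event() and the installed plugin version."""
    calls, version = [], None
    for path in sorted(Path(wp_content).rglob("*.php")):
        rel = path.relative_to(wp_content)
        text = path.read_text(encoding="utf-8", errors="replace")
        if PLUGIN_DIR in rel.parts[:-1]:       # plugin's own code: not a custom call
            if path.name == PLUGIN_DIR + ".php":
                version = plugin_version(text)
            continue
        for no, line in enumerate(text.splitlines(), 1):
            code = line.strip()
            if code.startswith(("//", "#", "*", "/*")):   # coarse comment skip
                continue
            if CALL_RE.search(code) and not DEF_RE.search(code):
                calls.append((rel.as_posix(), no))
    patched = version is not None and version >= FIXED    # unknown version: not patched
    return {"version": version, "patched": patched,
            "calls": calls, "exposed": bool(calls) and not patched}

def demo():
    """Constructed sample tree: outdated plugin plus a child theme calling the function."""
    with tempfile.TemporaryDirectory() as wp:
        files = {
            "plugins/the-events-calendar/the-events-calendar.php": "<?php\n/*\n * Version: 6.6.4\n */\n",
            "plugins/the-events-calendar/src/tags.php": "<?php\nfunction tribe_has_next_event() {}\n",
            "themes/child/functions.php": "<?php\n// tribe_has_next_event()\nif ( tribe_has_next_event() ) {}\n",
        }
        for rel, body in files.items():
            target = Path(wp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit(wp)
```

The comment filter is line-based, so every reported call site still needs a manual look; an install whose version cannot be read is treated as not patched.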

Number of potential victims: more than 700,000 websites use the plugin.

Signs of exploitation: no cases of vulnerability exploitation have been identified in practice.

Publicly available exploits: available in the public domain.

Remediation methods:

  • if the vulnerable function is used on the website, it should be removed or disabled until updated to the fixed version

  • the plugin The Events Calendar should be updated to version 6.6.4.1 or higher.

⚔️ How to protect against trending vulnerabilities ⚔️

Using popular products containing trending vulnerabilities can put any company at risk. Such vulnerabilities are the most dangerous and require immediate remediation. Information about trending vulnerabilities is received in the MaxPatrol VM vulnerability management system within 12 hours. This allows timely measures to be taken to eliminate the most dangerous of them and protect the company's infrastructure.

The article provides examples of vulnerabilities that have been actively exploited recently. Information about them and publicly available exploits is presented as of September 30, 2024.


Alexander Leonov

Leading expert of the PT Expert Security Center laboratory
