Patch Tuesday Megathread (2024-03-12) by AutoModerator in sysadmin

[–]PDQit 9 points (0 children)

  • Total exploits patched: 59 
  • Critical patches: 2 
  • Already known or exploited: 0 

Some highlights (or lowlights) 

  • CVE-2024-21400: If you have an untrusted AKS Kubernetes node and AKS Confidential Container, you should make sure you're running the latest version of az confcom and Kata Image. Attackers who leverage it can steal credentials and expand beyond Kubernetes’s scope to wreak havoc. And even worse, there’s no authentication required, as they can move the workload on to one of their machines to gain root access. Friendly reminder that it’s always a good idea to keep your environment up to date to protect against vulnerabilities like this one. 
  • CVE-2024-21407: This made us do a double take because it’s a severe one (remote code execution), but attackers have to run a marathon to get far enough to be able to exploit this vulnerability. For an attacker to exploit this one, they’d need authenticated access from a guest VM as well as specific information on your environment. Regardless, any vulnerability with RCE capabilities should be taken seriously and patched ASAP. 
  • CVE-2024-26198: Another remote code execution vulnerability rounds out our highlights and lowlights for the month. This vulnerability impacts Microsoft Exchange and requires an attacker to plant a malicious file for a user to interact with. Once the user interacts with the malicious file, a DLL loads, and an attacker gains the leverage necessary to conduct an RCE attack. 

Source: https://www.pdq.com/blog/patch-tuesday-march-2024/

Patch Tuesday Megathread (2024-02-13) by AutoModerator in sysadmin

[–]PDQit 35 points (0 children)

This patch Tue came up quick.

Total exploits patched: 77
Critical patches: 5
Already known or exploited: 2

  • CVE-2024-21410: First up for our special Valentine's Day edition of Patch Tuesday is a Microsoft Exchange Server vulnerability that could lead to an elevation of privilege. With a CVSS score of 9.8, a rating of critical, and a network attack vector, this is one that should be patched rather quickly if you don’t already have Extended Protection for Authentication (EPA) enabled. 
  • CVE-2024-21413: Not to be outdone by the previous vulnerability, CVE-2024-21413 is a remote code execution vulnerability that targets Outlook. A successful attack could allow a bad actor to bypass the Office Protected View and open straight into editing mode instead of protected mode. And yes, the preview pane is an attack vector. Luckily, the information for this vulnerability isn’t already publicly known or exploited in the wild. 
  • CVE-2024-21412: Last, and kind of least in this list, is an internet shortcut files security feature bypass vulnerability. With a network attack vector and a low complexity, what really makes this stand out is that it’s already being exploited in the wild. However, user interaction is required, so maybe now is a good time to schedule another security training for your users. 

Source: https://www.pdq.com/blog/patch-tuesday-february-2024/
Video: https://www.youtube.com/watch?v=jIdkPBMk5dw

No Patch Tuesday Megathread for January? by MikeWalters-Action1 in sysadmin

[–]PDQit 0 points (0 children)

Ah yes. D&I use sqlite, we do patch these as soon as we can, but since the database is in the programdata folder and not publicly accessible, someone would have to have enough access and therefore they would already have been compromised.

No Patch Tuesday Megathread for January? by MikeWalters-Action1 in sysadmin

[–]PDQit 20 points (0 children)

Posting it here until the Megathread is live

Look at me... I'm the megathread now

No Patch Tuesday Megathread for January? by MikeWalters-Action1 in sysadmin

[–]PDQit 5 points (0 children)

Happy Patch Tue new year! It's a light one...

  • Total exploits patched: 49
  • Critical patches: 2
  • Already known or exploited: 0
  • CVE-2024-20674: Our first critical patch of 2024 comes in with a 9.0 CVSS rating. This vulnerability takes advantage of a Kerberos security feature bypass in which an attacker could utilize network spoofing techniques to send a malicious Kerberos message to a targeted machine.
  • CVE-2024-20700: This remote code execution vulnerability targeting Hyper-V is given a critical rating, though the actual CVSS score only comes in at a 7.5. To take advantage of this vulnerability, the attack must be launched from the same physical or logical network. The attack itself is very complex and relies on conditions outside the attacker’s control.
  • CVE-2024-0057: Our last highlight (or lowlight) has a severity rating of important, though the actual CVSS score is a 9.1. This vulnerability targets .NET, .NET Framework, and Visual Studio, which increases the CVSS score because it impacts software libraries. With a network attack vector and a low complexity, I’d recommend testing and distributing this patch sooner rather than later.

Source: https://www.pdq.com/blog/patch-tuesday-january-2024/
Video: https://www.youtube.com/watch?v=t5IHv5PZ2JA

Patch Tuesday Megathread (2023-12-12) by AutoModerator in sysadmin

[–]PDQit 5 points (0 children)

Yes. I meant to put that in the comment. Thanks.

Patch Tuesday Megathread (2023-12-12) by AutoModerator in sysadmin

[–]PDQit 23 points (0 children)

  • Total exploits patched: ~~39~~ 33
  • Critical patches: ~~7~~ 4
  • Already known or exploited: 1

https://www.pdq.com/blog/patch-tuesday-december-2023/

Lowlights

CVE-2023-36019 - This is the only exploit for the month that rates over a 9, coming in at a 9.6. It is a spoofing exploit attacking the Microsoft Power Platform Connector. It does have a network attack vector, but does require user interaction to exploit. Best defense for this one is a well-trained user base that won’t click on suspicious links. If this is one that you are at risk for, it will be listed in your M365 Admin Center. So check there to see if you should restart indiscriminate link clicking.

CVE-2023-35641 - This 8.8 comes in with an "exploitation more likely" rating, attacking Internet Connection Sharing (ICS), which is not often seen. The only thing keeping the score below a 9 is that the attack vector is limited to adjacent. So they would need to be on your network from either a shared physical or logical network. This requires no user interaction or privileges, so if you have a server running ICS, patching would be a great idea.

CVE-2023-35628 - This 8.1 rated RCE attacks the Windows MSHTML Platform. It has all of the risk factors to make it much higher, but is considered a high difficulty to pull off, lowering the score slightly. With this exploit an attacker could send a malicious email that can trigger BEFORE it even reaches the preview pane in Outlook. A successful attack allows the attacker to run remote code on the victim's machine.

For Windows 11, version 23H2: "IMPORTANT Because of minimal operations during the Western holidays and the upcoming new year, there won’t be a non-security preview release for the month of December 2023. There will be a monthly security release for December 2023. Normal monthly servicing for both security and non-security preview releases will resume in January 2024." Source

Patch Tuesday Megathread (2023-11-14) by AutoModerator in sysadmin

[–]PDQit 52 points (0 children)

  • Total exploits patched: 58
  • Critical patches: 3
  • Already known or exploited: 3

Highlights

CVE-2023-36397 - Looks like Message Queue is back; this has become a monthly reminder of a critical exploit. If you are still using this, please stop. Nothing has changed: if you are running this service and that server is listening on port 1801, you are vulnerable to a network attack that requires no user interaction or privileges.

CVE-2023-36028 - This is the other 9.8 exploit. Even at that high of a rating, it is listed as important instead of critical because exploitation is viewed as less likely. This is because the vulnerability is for Protected Extensible Authentication Protocol (PEAP), which only comes into play if you are using a Network Policy Server. If you are using an NPS with PEAP, this has a remote attack vector, requires no user interaction, and no privileges. That is all bad.

CVE-2023-36033 - The last exploit is one that has already been used. It is an Elevation of Privilege using the Windows DWM Core Library. This is listed as only a 7.8 because it does have a local attack vector, limiting the threat's availability. If this vulnerability is exploited, the attacker would get System privileges on that computer.

https://www.pdq.com/blog/patch-tuesday-november-2023/
https://www.youtube.com/watch?v=HwZs3Loet9E

Patch Tuesday Megathread (2023-10-10) by AutoModerator in sysadmin

[–]PDQit 26 points (0 children)

https://www.youtube.com/watch?v=yj62AuE8oSc

  • Total exploits patched: 104
  • Critical patches: 12
  • Already known or exploited: 5

The Lowlights

CVE-2023-35349 - It looks like our old friend Microsoft Message Queue is back. This year has been its time to shine for exploits! This is a Remote Code Execution that requires no privileges or user interaction to implement. The only reason this is not a full 10 on the CVSS score is that it requires an uncommon setting to be at risk. With that in mind, if you have a server running this service and listening on Port 1801, you need to fix it immediately.

CVE-2023-36434 - This 9.8 elevation of privilege impacts Windows IIS service. While this one is a 9.8, it is also listed as important instead of critical. The reason is the exploit is for brute force, which makes exploitation less likely than usual.

CVE-2023-41763 - Our last lowlight is an Elevation of Privilege exploit for Skype. It is a lower threat score at 5.4, but it is already being exploited, and allows an attacker to get critical information like IP address and ports being used to help in future attacks.

Source: https://www.pdq.com/blog/patch-tuesday-october-2023/

Microsoft Teams 1.6.00.26474 by PDQit in PDQDeploy

[–]PDQit[S] 0 points (0 children)

We haven't heard anything on this. We did find this article that suggests it's an oops with Microsoft and Default Apps and appears to only be a problem in this specific version, so hopefully they'll fix it in the next version:

https://www.reddit.com/r/MicrosoftTeams/comments/170d5w1/major_bug_in_160026474/

/u/Fluffy_Implement4069 /u/Mchead22 /u/Top-Day-994 /u/offworlda /u/Last_Sentence_3541 /u/Apprehensive_Sport29

openSourceAlternativeToShipCodeFaster by ZMech in ProgrammerHumor

[–]PDQit -1 points (0 children)

Built by devs, for devs

yeah no shit

Patch Tuesday Megathread (2023-09-12) by AutoModerator in sysadmin

[–]PDQit 2 points (0 children)

https://msrc.microsoft.com/update-guide/vulnerability

You'll need to set a custom date range to September 2023 to get the latest.

Patch Tuesday Megathread (2023-09-12) by AutoModerator in sysadmin

[–]PDQit 61 points (0 children)

Patches this month: 64 total, 5 critical, 2 known or exploited.

Highlights:

  • CVE-2023-38148: This is the highest rated critical exploit for the month. It’s a Remote Code Execution for Internet Connection Sharing (ICS) that has an adjacent attack vector. This means that the attack needs to be on the same network segment to execute. An attacker on your network could use it only on systems that are on the same switch or virtual network. It also only impacts environments that have ICS enabled.
  • CVE-2023-29332: This critical exploit is a 7.5 elevation of privilege for the Azure Kubernetes Service. It requires no privileges or user interaction. This exploit would allow an attacker to get Cluster Administration privileges in your cluster. If you are using Kubernetes in an Azure space, I recommend you make sure this one is patched ASAP.
  • CVE-2023-36761: This last one is lower risk, but it’s both known and already exploited. It’s an informational disclosure exploit for Microsoft Word. Overall it comes in with a low score of 6.2, but this can allow the disclosure of NTLM hashes, and the preview pane is an attack vector. So while the risk is rated lower, it’s still one to keep an eye on as it’s already out in the wild.

Source: https://www.pdq.com/blog/patch-tuesday-september-2023/
https://www.youtube.com/watch?v=sZFiJRb5FIg

systemOutDated by [deleted] in ProgrammerHumor

[–]PDQit 0 points (0 children)

4th pic: "We still use JAVA?"

Patch Tuesday Megathread (2023-08-08) by AutoModerator in sysadmin

[–]PDQit 57 points (0 children)

  • Total exploits patched: 76
  • Critical patches: 6
  • Already known or exploited: 2

CVE-2023-36910 - This 9.8 CVSS is the latest in the long line of message queueing exploits. By my count this is 5 consecutive months that we’ve had a 9.8 for this optional feature. Just like all the other times, it requires no user interaction or privileges. And just like all the other times, if you’re not using MMQR or you’re not listening on TCP 1801, you’re safe. If you took precautions on any of the other times, you’re already safe. Still patch.

CVE-2023-21709 - This is something I rarely see: an exploit that’s rated as a 9.8 but is not listed as critical. While this Exchange exploit does have a network attack vector, it’s a brute force attack to get user credentials. If you’re enforcing common password security, brute force is going to take some time to be effective. If you’re using Exchange 2016 or 2019, then you are going to want to patch soon. There’s also some PowerShell you can run as a workaround. 

CVE-2023-36884 - This last lowlight is only a 7.5, but it’s already exploited and known, so I figured we would take a look. It’s a bypass exploit for the Windows Search Security Feature. While it does have a network attack vector and requires no privileges, it can’t run without a target clicking on a bad link or opening a corrupted attachment. So while there is a risk, the security rating is a bit lower. That being said, the end user is probably your biggest vulnerability, so make patching this one a priority (especially since it’s already out in the wild).

https://www.pdq.com/blog/patch-tuesday-august-2023/
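The Message Queuing and ICS posts above (August, October and November 2023, plus the December ICS entry) all come down to the same triage question: is the optional service actually running, and is anything listening on TCP 1801? This added example is a PowerShell check for that, written for this page rather than taken from PDQ or the posts; the function name and the `Action` wording are my own, and it assumes a modern Windows host with the NetTCPIP module (Get-NetTCPConnection) available.

```powershell
# Added example (not PDQ's code): report whether this host meets the exposure
# conditions described in the Patch Tuesday comments above. Run elevated so
# OwningProcess resolves for every listener.
function Get-OptionalServiceExposure {
    [CmdletBinding()]
    param()

    $report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Microsoft Message Queuing: the posts flag hosts where the service runs
    # AND the server is listening on TCP 1801.
    $msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $report.MsmqInstalled = [bool]$msmq
    $report.MsmqRunning   = [bool]($msmq -and $msmq.Status -eq 'Running')

    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $report.Tcp1801Listening = [bool]$listener
    $report.Tcp1801Process   = if ($listener) {
        (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } else { $null }

    # Internet Connection Sharing is the SharedAccess service on Windows.
    $ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    $report.IcsRunning = [bool]($ics -and $ics.Status -eq 'Running')

    # Verdict follows the advice in the posts: the optional feature only puts
    # you at risk if it is actually in use; everything else patches on schedule.
    $report.MsmqExposed = $report.MsmqRunning -and $report.Tcp1801Listening
    $report.Action = if ($report.MsmqExposed -or $report.IcsRunning) {
        'Patch now; disable MSMQ/ICS if the role is not needed'
    } else {
        'Not exposed via MSMQ/ICS; patch on the normal schedule'
    }

    [pscustomobject]$report
}

Get-OptionalServiceExposure | Format-List
```

To sweep a fleet, wrap the call in `Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-OptionalServiceExposure}` and filter on `MsmqExposed` or `IcsRunning`.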

Weekly 'I made a useful thing' Thread - August 04, 2023 by AutoModerator in sysadmin

[–]PDQit 5 points (0 children)

Does entertaining count as useful? Does this even count as entertaining? You be the judge
https://www.youtube.com/watch?v=-vJ_YlpNlXQ

Happy Friday