Virtual Administrator’s July Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 142 vulnerabilities with 4 rated “Critical” in severity.

All new patches will be approved in our patch policy.

July brings a sizable number of vulnerabilities.

  • Two zero-days are patched this month. CVE-2024-38080 is a Windows Hyper-V vulnerability affecting Windows 11 and Windows Server 2022. Local authenticated access is needed to exploit CVE-2024-38080.
  • CVE-2024-38112 is a weakness in MSHTML and requires an attacker to take additional actions prior to exploitation.
  • Three Windows Remote Desktop Licensing Service vulnerabilities (CVE-2024-38074, CVE-2024-38076, and CVE-2024-38077) also carry a CVSS score of 9.8. Microsoft recommends disabling the service if you do not use it.
  • CVE-2024-3596 is a vulnerability in the Remote Authentication Dial-In User Service (RADIUS) protocol. Additional steps may be required to protect your systems, but exploiting it does require physical access to the RADIUS network – see “FYI” below.
  • There are some new stand-alone SSUs for Windows Server 2008/2008R2, 2012/2012R2 and Windows 10 1607/Server 2016.

Disclosed: CVE-2024-35264, CVE-2024-37985

Exploited: CVE-2024-38080, CVE-2024-38112

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:7/9/2024)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Servicing Stack Updates (SSUs) are included in the monthly Cumulative Updates.

FYI – RADIUS Protocol Spoofing Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-3596

A vulnerability exists in the RADIUS protocol that potentially affects many products and implementations of RFC 2865 over UDP. In brief, the RADIUS protocol (RFC 2865) is susceptible to forgery attacks that can modify Access-Accept or Access-Reject RADIUS responses. CERT/CC assigned a CVE ID for this vulnerability, which all vendors are using for their affected products.

Please see KB5040268: How to manage the Access-Request packets attack vulnerability associated with CVE-2024-3596 for the additional steps that should be taken to protect your environment from this vulnerability (https://support.microsoft.com/en-us/topic/kb5040268-how-to-manage-the-access-request-packets-attack-vulnerability-associated-with-cve-2024-3596-a0e2f0b1-f200-4a7b-844f-48d1d5ab9e66).

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack.
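As an added illustration (not code from Microsoft or from this newsletter) of why the Access-Accept/Access-Reject forgery is possible and what the extra protection looks like: the RFC 2865 Response Authenticator is a plain MD5 over the packet with the shared secret appended, whereas the Message-Authenticator attribute (RFC 2869) is an HMAC-MD5 keyed with the secret, and requiring it is the hardening the KB guidance centers on. The Python below builds a response both ways and shows a RADIUS client that rejects any reply lacking a valid Message-Authenticator; the secret, request authenticator and attribute are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
MSG_AUTH = 80  # Message-Authenticator attribute (RFC 2869): HMAC-MD5 keyed with the shared secret

def build_response(code, ident, req_auth, attrs, secret, with_msg_auth=True):
    """Server side: optionally append a Message-Authenticator, then seal the packet with
    the RFC 2865 Response Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if with_msg_auth:
        body = attrs + bytes([MSG_AUTH, 18]) + bytes(16)  # value is zeroed while computing the HMAC
        hdr = struct.pack("!BBH", code, ident, 20 + len(body))
        mac = hmac.new(secret, hdr + req_auth + body, hashlib.md5).digest()
        attrs = attrs + bytes([MSG_AUTH, 18]) + mac
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def verify_response(pkt, req_auth, secret):
    """Client side: accept only if the Response Authenticator matches AND a valid
    Message-Authenticator is present (the MD5-only check is what the forgery targets)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    hdr, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(resp_auth, hashlib.md5(hdr + req_auth + body + secret).digest()):
        return False
    i = 0
    while i + 2 <= len(body):  # walk the type/length/value attribute list
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            return False  # malformed attribute length
        if t == MSG_AUTH and l == 18:
            zeroed = body[:i + 2] + bytes(16) + body[i + 18:]
            mac = hmac.new(secret, hdr + req_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, body[i + 2:i + 18])
        i += l
    return False  # no Message-Authenticator at all: treat the response as unauthenticated

# Constructed sample values, not taken from any real deployment
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
ATTRS = bytes([6, 6]) + struct.pack("!I", 1)  # Service-Type = Login-User

def demo():
    """Returns (hardened reply, legacy reply without Message-Authenticator, reply with Code tampered)."""
    good = build_response(ACCESS_REJECT, 7, REQ_AUTH, ATTRS, SECRET)
    legacy = build_response(ACCESS_REJECT, 7, REQ_AUTH, ATTRS, SECRET, with_msg_auth=False)
    tampered = bytes([ACCESS_ACCEPT]) + good[1:]  # Access-Reject flipped to Access-Accept in transit
    return tuple(verify_response(p, REQ_AUTH, SECRET) for p in (good, legacy, tampered))
```

The legacy reply passes the RFC 2865 check yet is still refused, which is the behaviour a hardened client or NPS deployment should show once Message-Authenticator is mandatory.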

Heads Up! 07/09/24—END OF SERVICE NOTICE—

IMPORTANT Home and Pro editions of Windows 11, version 22H2 will reach end of service on October 8, 2024. Until then, these editions will only receive security updates. They will not receive non-security, preview updates. To continue receiving security and non-security updates after October 8, 2024, we recommend that you update to the latest version of Windows.

Note We will continue to support Enterprise and Education editions after October 8, 2024.

https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3341

“New” Known Issues

Microsoft acknowledged a problem with OS upgrades introduced by the April CU KB5036980.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So, if you have not yet experienced one of these issues, it is unlikely it will occur now.

Windows Pro OS upgrade operations may fail

https://support.microsoft.com/en-us/topic/july-9-2024-kb5040442-os-builds-22621-3880-and-22631-3880-0864308e-61cc-413b-8194-0294331aba52

Affects: Windows 11, versions 22H2/23H2

Symptom: After installing this update or later updates, you might face issues while upgrading from Windows Pro to a valid Windows Enterprise subscription.

Resulting from this operation, you might observe the following symptoms:

  • OS upgrade operations may fail, and this might be shown in the LicenseAcquisition scheduled task in Task Scheduler -> Task Scheduler Library -> Microsoft -> Windows -> Subscription as ‘Access denied error (error code 0x80070005)’ under ‘Last Run Result’.

Workaround: We are working on a resolution that will be released in a Windows update in the coming weeks.

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links take the form https://support.microsoft.com/en-us/help/####### using the KB number only.

Security and Quality Rollup

  • KB5040456 – Windows Server 2012 R2 (ESU)
  • KB5040485 – Windows Server 2012 (ESU)

Cumulative Updates

Windows 10

  • KB5040448 – Original release version 1507 (OS Build 10240)
  • KB5040434 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5040430 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5040427 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5040427 – Version 22H2 “November 2022 Update” (OS Build 19045)
  • (Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)

Windows 11

  • KB5040431 – 21H2 (OS Build 22000) Original release
  • KB5040442 – 22H2 (OS Build 22621)
  • KB5040442 – 23H2 (OS Build 22631)

Windows Server

  • KB5040434 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5040430 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5040437 – Server 2022 (OS Build 20348)
  • KB5040438 – Server 23H2 (OS Build 25398)

July 2024 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/93b1cd15-3ed4-451b-a161-aca83e25c5c5

Notable CVEs

CERT/CC: CVE-2024-3596 | RADIUS Protocol Spoofing Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-3596

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack.

CVE-2024-38021 | Microsoft Outlook Remote Code Execution Vulnerability (KB5002620, Click-to-Run)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38021

An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality. This attack requires a user to allow blocked content sent from an external attacker to initiate remote code execution. The Preview Pane is not an attack vector. An attacker could craft a malicious link that bypasses the Protected View Protocol, which could lead to remote code execution (RCE).

CVE-2024-38023 | Microsoft SharePoint Server Remote Code Execution Vulnerability (KB5002606, KB5002615, KB5002618)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38023

An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted SharePoint Server and craft specialized API requests to trigger deserialization of the file’s parameters. This would enable the attacker to perform remote code execution in the context of the SharePoint Server. In short, an authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute it in the context of SharePoint Server.

CVE-2024-38053 | Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38053

This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network. An unauthenticated attacker could send a malicious networking packet over Ethernet to an adjacent system that is employing a networking adapter, which could enable remote code execution.

CVE-2024-38060 | Windows Imaging Component Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38060

An authenticated attacker could exploit the vulnerability by uploading a malicious TIFF file to a server. Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

CVE-2024-38074/CVE-2024-38076/CVE-2024-38077 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38074

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38076

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38077

An unauthenticated attacker could connect to the Remote Desktop Licensing Service and send a malicious message which could allow remote code execution.

CVE-2024-38080 | Windows Hyper-V Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38080

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2024-38112 | Windows MSHTML Platform Spoofing Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38112

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. An attacker would have to send the victim a malicious file that the victim would have to execute.