www.helpnetsecurity.com
54.71.215.219
Public Scan
URL:
https://www.helpnetsecurity.com/2024/11/12/cve-2024-43451-cve-2024-49039/
Submission: On December 09 via api from IN — Scanned from DK
Text Content
MICROSOFT FIXES ACTIVELY EXPLOITED ZERO-DAYS (CVE-2024-43451, CVE-2024-49039)

Zeljka Zorz, Editor-in-Chief, Help Net Security
November 12, 2024

November 2024 Patch Tuesday is here, and Microsoft has dropped fixes for 89 new security issues in its various products, two of which – CVE-2024-43451 and CVE-2024-49039 – are actively exploited by attackers.

THE EXPLOITED VULNERABILITIES (CVE-2024-43451, CVE-2024-49039)

CVE-2024-43451 is yet another vulnerability that allows attackers to elevate their privileges on targeted Windows and Windows Server machines by disclosing the user’s NTLMv2 hash, which contains their authentication credentials. The hash can then be used by attackers to authenticate to a system as the user by using a hacking technique called pass the hash.

“To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024,” Satnam Narang, Senior Staff Research Engineer at Tenable, told Help Net Security. “While we don’t have insight into the in-the-wild exploitation of CVE-2024-43451 at this time, one thing is certain: attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems.”

User interaction – e.g., selecting or inspecting the malicious file that holds the exploit – is required for the vulnerability to be triggered, but that’s obviously not a real barrier for attackers.

CVE-2024-49039 is a vulnerability in Windows Task Scheduler that’s also getting exploited to elevate privileges on breached systems.
“The bug allows an AppContainer escape – allowing a low-privileged user to execute code at Medium integrity. You still need to be able to execute code on the system for this to occur, but container escapes are still quite interesting as they are rarely seen in the wild,” says Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.

“Once exploited, an attacker can elevate their privileges and gain access to resources that would otherwise be unavailable to them as well as execute code, such as remote procedure call (RPC) functions,” Narang added. “Once again, we don’t have much insight into the in-the-wild exploitation of this flaw, though we know that this flaw is attributed to multiple individuals, including members of Google’s Threat Analysis Group (TAG). Based on this attribution, we can infer that there is some advanced persistent threat (APT) or nation-state aligned activity associated with the zero-day exploitation of this flaw.”

OTHER PATCHED VULNERABILITIES OF NOTE

CVE-2024-43639 is an interesting one: “An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target,” says Microsoft. The CVSS vector string associated with the vulnerability says no user action is required to exploit it.

“Since Kerberos runs with elevated privileges, that makes this a wormable bug between affected systems,” Childs pointed out, and advised admins of Windows Servers to test and deploy the fix quickly.

CVE-2024-5535 – a bug in OpenSSL disclosed in June 2024 – has been patched in Microsoft Defender for Endpoint.

“Exploitation of this vulnerability requires that an attacker send a malicious link to the victim via email, or that they convince the user to click the link, typically by way of an enticement in an email or Instant Messenger message.
In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. This could result in the attacker executing remote code on the victim’s machine,” Microsoft said, but assessed that exploitation is less likely.

CVE-2024-49019, a publicly disclosed elevation of privilege flaw in Active Directory Certificate Services (AD CS), is considered by Microsoft as more likely to be exploited.

“The vulnerability exists in the management of certificates issued by a PKI (Public Key Infrastructure) environment using certain misconfigured certificate templates,” Ben McCarthy, Lead Cyber Security Engineer at Immersive Labs, told Help Net Security.

“An attacker who successfully exploited this vulnerability could gain domain administrator privileges,” Microsoft warned, and provided fixes for various Windows Server versions and laid out mitigations.

CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server, has been publicly disclosed and there’s a proof-of-concept exploit for it, according to Microsoft.

“The vulnerability is caused by the current implementation of the P2 FROM header verification, which happens in transport. The current implementation allows some non-RFC 5322 compliant P2 FROM headers to pass which can lead to the email client (for example, Microsoft Outlook) displaying a forged sender as if it were legitimate,” the company noted.

“Starting with the Exchange Server November 2024 Security Update (SU), Exchange Server can detect and flag email messages that contain potentially malicious patterns in the P2 FROM header.”

A disclaimer to the body of such an email message will be added, saying:

“Microsoft Exchange Server is often targeted by threat actors who specialize in Exchange exploits.
From a risk-based prioritization perspective, the public disclosure and availability of PoC level exploit code warrants treating this vulnerability as Critical,” commented Chris Goettl, Vice President of Security Product Management at Ivanti.

Childs has also singled out CVE-2024-43498, an RCE flaw in .NET and Visual Studio that, according to Microsoft, could be triggered by sending “specially crafted requests to a vulnerable .NET webapp or by loading a specially crafted file into a vulnerable desktop app.”

“This is one of the bugs I say is public even though Microsoft doesn’t, as it sure looks like this issue,” he noted.

Finally, there is CVE-2024-43602, a remote code execution flaw in Microsoft’s Azure CycleCloud – an orchestration and management tool for High Performance Computing (HPC) environments in Azure.

“To exploit this vulnerability, an attacker with basic user permissions could send specially crafted requests to alter the configuration of an Azure CycleCloud cluster, thereby gaining root-level permissions. Consequently, the attacker could execute commands on any Azure CycleCloud cluster within the instance and, in specific scenarios, compromise administrative credentials,” says Natalie Silva, Lead Cyber Security Engineer at Immersive Labs.

“At the time of writing, Microsoft’s exploitability assessment on this one is ‘Exploitation Less Likely’, albeit the attack complexity is outlined as Low.”

UPDATE (November 14, 2024, 05:05 a.m. ET): ClearSky Cyber Security has provided more details on how CVE-2024-43451 was exploited by attackers.

UPDATE (November 26, 2024, 08:25 a.m. ET): ESET researchers have explained how Russia-aligned APT group RomCom leveraged CVE-2024-49039 in an exploit chain to target users in Europe and North America.