URL: https://www.helpnetsecurity.com/2024/11/12/cve-2024-43451-cve-2024-49039/
Zeljka Zorz, Editor-in-Chief, Help Net Security
November 12, 2024

MICROSOFT FIXES ACTIVELY EXPLOITED ZERO-DAYS (CVE-2024-43451, CVE-2024-49039)



November 2024 Patch Tuesday is here, and Microsoft has dropped fixes for 89 new
security issues in its various products, two of which – CVE-2024-43451 and
CVE-2024-49039 – are actively exploited by attackers.




THE EXPLOITED VULNERABILITIES (CVE-2024-43451, CVE-2024-49039)

CVE-2024-43451 is yet another vulnerability that allows attackers to elevate
their privileges on targeted Windows and Windows Server machines by disclosing
the user’s NTLMv2 hash, which contains their authentication credentials.

The hash can then be used by attackers to authenticate to a system as the user
by using a hacking technique called pass the hash.

“To my knowledge, it’s the third such vulnerability that can disclose a user’s
NTLMv2 hash that was exploited in the wild in 2024,” Satnam Narang, Senior Staff
Research Engineer at Tenable, told Help Net Security.

“While we don’t have insight into the in-the-wild exploitation of CVE-2024-43451
at this time, one thing is certain: attackers continue to be adamant about
discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2
hashes, as they can be used to authenticate to systems and potentially move
laterally within a network to access other systems.”

User interaction – e.g., selecting or inspecting the malicious file that holds
the exploit – is required for the vulnerability to be triggered, but that’s
obviously not a real barrier for attackers.

CVE-2024-49039 is a vulnerability in Windows Task Scheduler that’s also getting
exploited to elevate privileges on breached systems.

“The bug allows an AppContainer escape – allowing a low-privileged user to
execute code at Medium integrity. You still need to be able to execute code on
the system for this to occur, but container escapes are still quite interesting
as they are rarely seen in the wild,” says Dustin Childs, head of threat
awareness at Trend Micro’s Zero Day Initiative.

“Once exploited, an attacker can elevate their privileges and gain access to
resources that would otherwise be unavailable to them as well as execute code,
such as remote procedure call (RPC) functions,” Narang added.

“Once again, we don’t have much insight into the in-the-wild exploitation of
this flaw, though we know that this flaw is attributed to multiple individuals,
including members of Google’s Threat Analysis Group (TAG). Based on this
attribution, we can infer that there is some advanced persistent threat (APT) or
nation-state aligned activity associated with the zero-day exploitation of this
flaw.”


OTHER PATCHED VULNERABILITIES OF NOTE

CVE-2024-43639 is an interesting one: “An unauthenticated attacker could use a
specially crafted application to leverage a cryptographic protocol vulnerability
in Windows Kerberos to perform remote code execution against the target,” says
Microsoft.

The CVSS vector string associated with the vulnerability says no user action is
required to exploit it. “Since Kerberos runs with elevated privileges, that
makes this a wormable bug between affected systems,” Childs pointed out, and
advised admins of Windows Servers to test and deploy the fix quickly.

CVE-2024-5535 – a bug in OpenSSL disclosed in June 2024 – has been patched in
Microsoft Defender for Endpoint.

“Exploitation of this vulnerability requires that an attacker send a malicious
link to the victim via email, or that they convince the user to click the link,
typically by way of an enticement in an email or Instant Messenger message. In
the worst-case email attack scenario, an attacker could send a specially crafted
email to the user without a requirement that the victim open, read, or click on
the link. This could result in the attacker executing remote code on the
victim’s machine,” Microsoft said, but assessed that exploitation is less
likely.

CVE-2024-49019, a publicly disclosed elevation of privilege flaw in Active
Directory Certificate Services (AD CS), is considered by Microsoft as more
likely to be exploited.

“The vulnerability exists in the management of certificates issued by a PKI
(Public Key Infrastructure) environment using certain misconfigured certificate
templates,” Ben McCarthy, Lead Cyber Security Engineer at Immersive Labs, told
Help Net Security.

“An attacker who successfully exploited this vulnerability could gain domain
administrator privileges,” Microsoft warned, and provided fixes for various
Windows Server versions and laid out mitigations.

CVE-2024-49040, a spoofing vulnerability in Microsoft Exchange Server, has been
publicly disclosed and there’s a proof-of-concept exploit for it, according to
Microsoft.

“The vulnerability is caused by the current implementation of the P2 FROM header
verification, which happens in transport. The current implementation allows some
non-RFC 5322 compliant P2 FROM headers to pass which can lead to the email
client (for example, Microsoft Outlook) displaying a forged sender as if it were
legitimate,” the company noted.
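A defender-side check for the kind of P2 FROM header Microsoft describes above, written as an added example (it is not Exchange's or Microsoft's code): it parses the message header with Python's RFC 5322 header parser and flags recorded syntax defects, more than one mailbox, and a display name that reads like a different e-mail address. The page does not say which patterns Exchange now flags, so these heuristics and the sample messages are assumptions of this example.

```python
from email import policy
from email.parser import BytesParser


def check_p2_from(raw_message: bytes) -> list[str]:
    """Inspect the P2 (message-header) From field of an RFC 5322 message.

    Returns a list of findings; an empty list means nothing was flagged.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hdr = msg["From"]
    if hdr is None:
        return ["no From header"]
    findings = []
    # policy.default records RFC 5322 syntax violations as defects
    # instead of raising, so a malformed header can still be inspected.
    if hdr.defects:
        findings.append("non-compliant From syntax: "
                        + "; ".join(d.__class__.__name__ for d in hdr.defects))
    addresses = list(hdr.addresses)
    # RFC 5322 allows a mailbox-list in From, but several senders on one
    # message is rare enough to be worth a look (heuristic, assumed here).
    if len(addresses) != 1:
        findings.append(f"{len(addresses)} mailboxes in From (expected 1)")
    for addr in addresses:
        name = (addr.display_name or "").strip().lower()
        # Heuristic (assumption of this example): a display name that looks
        # like an e-mail address other than the real mailbox is what a forged
        # sender tends to look like in a mail client, so flag it.
        if "@" in name and name != addr.addr_spec.lower():
            findings.append(f"display name {addr.display_name!r} looks like "
                            f"an address but the mailbox is {addr.addr_spec}")
    return findings


# Constructed sample messages (not real traffic).
CLEAN = b"From: Alice Example <alice@corp.example>\r\nSubject: hi\r\n\r\nbody\r\n"
SPOOF_NAME = (b'From: "ceo@corp.example" <mailer@bulk.example>\r\n'
              b"Subject: urgent\r\n\r\nbody\r\n")
TWO_MAILBOXES = (b"From: <ceo@corp.example>, <mailer@bulk.example>\r\n"
                 b"Subject: hi\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN), ("spoof_name", SPOOF_NAME),
                       ("two_mailboxes", TWO_MAILBOXES)]:
        print(label, check_p2_from(raw) or "ok")
```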

“Starting with the Exchange Server November 2024 Security Update (SU), Exchange
Server can detect and flag email messages that contain potentially malicious
patterns in the P2 FROM header.” A disclaimer to the body of such an email
message will be added, saying:



“Microsoft Exchange Server is often targeted by threat actors who specialize in
Exchange exploits. From a risk-based prioritization perspective, the public
disclosure and availability of PoC level exploit code warrants treating this
vulnerability as Critical,” commented Chris Goettl, Vice President of Security
Product Management at Ivanti.

Childs has also singled out CVE-2024-43498, an RCE flaw in .NET and Visual Studio
that, according to Microsoft, could be triggered by sending a “specially crafted
requests to a vulnerable .NET webapp or by loading a specially crafted file into
a vulnerable desktop app.”

“This is one of the bugs I say is public even though Microsoft doesn’t, as it
sure looks like this issue,” he noted.

Finally, there is CVE-2024-43602, a remote code execution flaw in Microsoft’s
Azure CycleCloud, an orchestration and management tool for High Performance
Computing (HPC) environments in Azure.

“To exploit this vulnerability, an attacker with basic user permissions could
send specially crafted requests to alter the configuration of an Azure
CycleCloud cluster, thereby gaining root-level permissions. Consequently, the
attacker could execute commands on any Azure CycleCloud cluster within the
instance and, in specific scenarios, compromise administrative credentials,”
says Natalie Silva, Lead Cyber Security Engineer at Immersive Labs.

“At the time of writing, Microsoft’s exploitability assessment on this one is
‘Exploitation Less Likely’, albeit the attack complexity is outlined as Low.”

UPDATE (November 14, 2024, 05:05 a.m. ET):

ClearSky Cyber Security has provided more details on how CVE-2024-43451 was
exploited by attackers.

UPDATE (November 26, 2024, 08:25 a.m. ET):

ESET researchers have explained how Russia-aligned APT group RomCom leveraged
CVE-2024-49039 in an exploit chain to target users in Europe and North America.
