patch Tuesday header

Update now! June’s Patch Tuesday—one zero-day, but it’s a doozy

Microsoft’s Patch Tuesday for May 2024 looks relaxed, but there are some fixes that need your attention.

Microsoft’s June 2024 Patch Tuesday fixes 49 vulnerabilities in Microsoft software, and 9 non-Microsoft vulnerabilities.

One of the vulnerabilities was publicly disclosed, which makes it a zero-day by Microsoft’s definition. We’ll look at that vulnerability and a few others in detail.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs we’re focussed on are:

CVE-2024-30080 (CVSS score 9.8 out of 10) is a Microsoft Message Queuing (MSMQ) Remote Code Execution (RCE) use-after-free vulnerability. The MSMQ service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added or removed via the Control Panel.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side. While the number of targets is limited to Windows and Windows Server installations with the Windows message queuing service enable, exploitation is considered easy, hence the high CVSS score.

CVE-2023-50868 (CVSS score 7.5 out of 10). The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the “NSEC3” issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

Which means that a remote attacker may be able to trigger high CPU consumption using Domain Name System Security Extensions (DNSSEC) responses, causing a denial of service for legitimate users.

CVE-2024-30078 (CVSS score 8.8 out of 10) is a Windows Wi-Fi Driver RCE vulnerability caused by improper input validation.

An unauthenticated attacker could send a malicious networking packet to an adjacent system that is employing a Wi-Fi networking adapter, which could enable remote code execution, but the attacker needs to be within proximity of the target system to send and receive radio transmissions. Here, the number of targets is a deciding factor in the gravity of the flaw. Almost every supported Windows system is a possible target.

CVE-2024-30103 (CVSS score 8.8 out of 10) is a Microsoft Outlook RCE vulnerability caused by an incomplete list of disallowed inputs in which the Reading Pane is a possible attack vector. Which is serious since many people don’t open emails in a separate window but use the Reading Pane for most of their email work.

An attacker who successfully exploited this vulnerability could bypass Outlook registry block lists and enable the creation of malicious DLL files, which results in a full system compromise, but the attacker must first be authenticated using valid Microsoft Exchange user credentials.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe has released security updates for several products.

Atlassian released a security bulletin including fixes for 2 critical vulnerabilities.

Fortinet released a security update for FortiOS.

PHP fixed a critical RCE flaw that is now actively exploited in ransomware attacks.

SAP released the June security notes.

Veeam fixed a Recovery Orchestrator vulnerability.

VMware fixed three zero-day bugs.

Zoom fixed 3 vulnerabilities in Zoom Workplace Apps and SDKs