Microsoft discloses a security vulnerability in airlift.microsoft.com
To provide additional transparency around Microsoft-hosted services, Microsoft has disclosed a critical privilege escalation vulnerability in airlift.microsoft.com (CVE-2024-49056). Microsoft has fully mitigated this vulnerability, and no customer action is required. Microsoft says it is committed to transparency and has created a new vulnerability classification for issues that require no customer action. More information about this commitment can be found here.
Zero-days in Microsoft Windows
CVE-2024-49039 is a critical privilege escalation vulnerability in the Windows Task Scheduler. To exploit this vulnerability, an authenticated attacker must run a specially crafted application on the host in order to elevate its privileges to a medium integrity level. More about Windows mandatory integrity control (integrity levels) can be found here.
CVE-2024-43451 is a critical vulnerability in NTLM processing in Windows. It exposes the victim's NTLM hash to adversaries, allowing them to impersonate the victim. The vulnerability can be triggered by the user selecting (single-click) or inspecting (right-click) a malicious file, or performing some other action on it short of opening it.

Table 1. Zero-days in Microsoft Windows

| Severity  | CVSS Score | CVE            | Description                                                 |
|-----------|------------|----------------|-------------------------------------------------------------|
| Important | 8.8        | CVE-2024-49039 | Windows Task Scheduler Elevation of Privilege Vulnerability |
| Important | 6.5        | CVE-2024-43451 | NTLM Hash Disclosure Spoofing Vulnerability                 |
Publicly disclosed vulnerability in Microsoft Windows
CVE-2024-49019 is a critical privilege escalation vulnerability in Active Directory Certificate Services (AD CS), the platform responsible for issuing and managing public key infrastructure (PKI). More information about this service can be found here. The vulnerability could allow an attacker to gain domain administrator privileges, one of the highest privilege levels available in Active Directory. Only certificates issued from a Version 1 template with the Issuer Name field set to "Provided in Request" are usable for this attack, and the victim environment must also grant overly broad enrollment permissions. Microsoft recommends removing automatic enrollment and reviewing and removing broad enrollment permissions to enforce least privilege.

Table 2. Publicly Disclosed Vulnerability in Microsoft Windows

| Severity  | CVSS Score | CVE            | Description                                                               |
|-----------|------------|----------------|---------------------------------------------------------------------------|
| Important | 7.8        | CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability |
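As an added example (not part of the original advisory, and not Microsoft's or CrowdStrike's own tooling), the following Python script audits AD CS certificate templates for the combination the text describes: a Version 1 template, the setting that lets the requester supply the name in the request, and overly broad enrollment permissions. It treats the "name provided in request" condition as the template flag CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (bit 0x1 of msPKI-Certificate-Name-Flag); the flag values, the extended-right GUIDs for enrollment and autoenrollment, and the list of "broad" principals come from Microsoft's template documentation, not from this advisory, and the template records are constructed inline as if exported from the Configuration partition.

```python
"""Audit exported AD CS certificate-template records for the CVE-2024-49019
preconditions: schema version 1, requester-supplied name, broad enrollment rights."""
from dataclasses import dataclass, field

# Flag bits from the msPKI-* template attributes (Microsoft template docs,
# assumed here; not taken from the advisory).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval
CT_FLAG_AUTO_ENROLLMENT = 0x00000020             # msPKI-Enrollment-Flag: autoenrollment

# Extended-right GUIDs that grant enrollment on a template ACE.
CERTIFICATE_ENROLLMENT_RIGHT = "0e10c968-78fb-11d1-a9c7-0000f80367c1"
CERTIFICATE_AUTOENROLLMENT_RIGHT = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"
ENROLL_RIGHTS = {CERTIFICATE_ENROLLMENT_RIGHT, CERTIFICATE_AUTOENROLLMENT_RIGHT}

# Principals that make an enrollment grant "overly broad" (assumed list).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}


@dataclass
class Ace:
    principal: str      # trustee name as resolved from the ACE SID
    object_type: str    # extended-right GUID the ACE grants


@dataclass
class Template:
    name: str
    schema_version: int        # msPKI-Template-Schema-Version
    name_flag: int             # msPKI-Certificate-Name-Flag
    enrollment_flag: int       # msPKI-Enrollment-Flag
    aces: list = field(default_factory=list)
    published: bool = True     # listed in some CA's certificateTemplates attribute


def broad_enrollers(template):
    """Broad principals that hold Enroll or AutoEnroll on the template."""
    return sorted({a.principal for a in template.aces
                   if a.principal in BROAD_PRINCIPALS
                   and a.object_type.lower() in ENROLL_RIGHTS})


def audit_templates(templates):
    """Map template name -> reasons for every template meeting all preconditions."""
    findings = {}
    for t in templates:
        if not t.published or t.schema_version != 1:
            continue
        if not t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
            continue
        who = broad_enrollers(t)
        if not who:
            continue
        reasons = ["schema version 1 template",
                   "requester may supply the certificate name",
                   "broad enrollment rights: " + ", ".join(who)]
        if t.enrollment_flag & CT_FLAG_AUTO_ENROLLMENT:
            reasons.append("autoenrollment enabled")
        if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
            reasons.append("mitigating: manager approval required")
        findings[t.name] = reasons
    return findings


# Constructed sample templates standing in for an LDAP export.
SAMPLE_TEMPLATES = [
    Template("WebServer-Legacy", 1, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0,
             [Ace("Domain Users", CERTIFICATE_ENROLLMENT_RIGHT)]),
    Template("Workstation", 1, 0, CT_FLAG_AUTO_ENROLLMENT,
             [Ace("Domain Computers", CERTIFICATE_AUTOENROLLMENT_RIGHT)]),
    Template("Admin-Only", 1, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS,
             [Ace("PKI Admins", CERTIFICATE_ENROLLMENT_RIGHT)]),
    Template("WebServer-V2", 2, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0,
             [Ace("Authenticated Users", CERTIFICATE_ENROLLMENT_RIGHT)]),
]

if __name__ == "__main__":
    for name, reasons in audit_templates(SAMPLE_TEMPLATES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Only the legacy Version 1 template with a requester-supplied name and a Domain Users enrollment grant is reported; the Version 2 template and the one restricted to PKI Admins are not, which mirrors the remediation the advisory suggests (remove the broad grants, or retire the template).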
Publicly disclosed vulnerability in Microsoft Exchange Server
CVE-2024-49040 is a critical spoofing vulnerability in which an attacker can bypass existing spoofing protections in Exchange by using a non-compliant P2 FROM header. This header carries the sender identity shown to the recipient. Once updated, Exchange Server will flag any non-compliant P2 FROM header as suspicious. Additional information about this vulnerability can be found here.

Table 3. Publicly Disclosed Vulnerability in Microsoft Exchange Server

| Severity  | CVSS Score | CVE            | Description                                   |
|-----------|------------|----------------|-----------------------------------------------|
| Important | 7.5        | CVE-2024-49040 | Microsoft Exchange Server Spoofing Vulnerability |
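The P2 FROM header is the RFC 5322 From header inside the message (as opposed to the P1 envelope sender). As an added example that is not part of the advisory and does not reproduce Exchange's own logic, the Python below applies the same stance the text describes on the receiving side: a From header that is not a single well-formed mailbox, a message carrying more than one From header, or a quoted display name that itself looks like an address is reported as suspicious. The regular expressions cover a conservative subset of RFC 5322 (no comments, groups or obsolete syntax), and the sample messages are constructed.

```python
"""Flag non-compliant or look-alike From (P2 FROM) headers in raw messages."""
import email
import re
from email import policy

# Conservative subset of RFC 5322 mailbox syntax; anything outside it is reported.
ADDR_SPEC = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
NAME_ADDR_RE = re.compile(
    r'^\s*(?P<name>"(?:[^"\\]|\\.)*"|[^<>@",]*?)\s*<(?P<addr>' + ADDR_SPEC + r')>\s*$')
BARE_ADDR_RE = re.compile(r"^\s*(?P<addr>" + ADDR_SPEC + r")\s*$")


def check_from_value(value):
    """Return the problems found in one From header value ([] if clean)."""
    problems = []
    m = NAME_ADDR_RE.match(value)
    if m:
        name = m.group("name")
        # Syntactically valid, but a quoted display name that is itself an
        # address is the classic look-alike sender; report it (heuristic).
        if name.startswith('"') and "@" in name:
            problems.append("display name contains an address (look-alike sender)")
        return problems
    if BARE_ADDR_RE.match(value):
        return problems
    problems.append("not a single RFC 5322 mailbox")
    return problems


def inspect_message(raw):
    """Parse the headers of a raw message and report From-header problems."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    froms = msg.get_all("From") or []
    problems = []
    if not froms:
        problems.append("missing From header")
    elif len(froms) > 1:
        problems.append(f"{len(froms)} From headers present; RFC 5322 allows one")
    for value in froms:
        problems.extend(f"From {value!r}: {p}" for p in check_from_value(value))
    return {"from": froms, "suspicious": bool(problems), "problems": problems}


# Constructed sample messages (not captured traffic).
GOOD_MESSAGE = (
    "From: Alice Example <alice@example.com>\n"
    "To: Bob <bob@example.net>\n"
    "Subject: Quarterly report\n\n"
    "Attached.\n")
MALFORMED_FROM = (
    "From: alice@example.com <mailer@example.net>\n"
    "To: Bob <bob@example.net>\n"
    "Subject: Quarterly report\n\n"
    "Attached.\n")
DOUBLE_FROM = (
    "From: Alice Example <alice@example.com>\n"
    "From: Mailer <mailer@example.net>\n"
    "To: Bob <bob@example.net>\n\n"
    "Attached.\n")
LOOKALIKE_FROM = (
    'From: "alice@example.com" <mailer@example.net>\n'
    "To: Bob <bob@example.net>\n\n"
    "Attached.\n")

if __name__ == "__main__":
    for label, raw in [("good", GOOD_MESSAGE), ("malformed", MALFORMED_FROM),
                       ("double", DOUBLE_FROM), ("look-alike", LOOKALIKE_FROM)]:
        result = inspect_message(raw)
        print(f"{label}: suspicious={result['suspicious']} {result['problems']}")
```

The malformed sample fails because an unquoted display name may not contain "@", so the value cannot be parsed as one mailbox; the look-alike sample is well-formed but still reported by the heuristic, which is the kind of message a downstream mail filter or SIEM rule would want to surface rather than silently accept.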
Two critical vulnerabilities in Microsoft Windows
CVE-2024-43639 is a critical remote code execution (RCE) vulnerability affecting Windows Kerberos with a CVSS score of 9.8. Successful exploitation would allow an unauthenticated, remote attacker to achieve RCE by sending a specially crafted packet that abuses the cryptographic protocol handling within Windows Kerberos. Given the severity of this vulnerability, patching should be a high priority.
CVE-2024-43625 is a critical privilege escalation vulnerability in the VMSwitch functionality of Hyper-V with a CVSS score of 8.1. It could allow a low-privileged attacker within a Hyper-V environment to bypass security boundaries and execute code in the Hyper-V host execution environment. Notably, Microsoft states that this vulnerability does not affect System Center Virtual Machine Manager. Exploitation requires a high degree of sophistication and a large amount of information about the operating environment of the victim Hyper-V host.

Table 4. Critical Vulnerabilities in Windows

| Severity | CVSS Score | CVE            | Description                                                     |
|----------|------------|----------------|-----------------------------------------------------------------|
| Critical | 9.8        | CVE-2024-43639 | Windows Kerberos Remote Code Execution Vulnerability            |
| Critical | 8.1        | CVE-2024-43625 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability |
Critical vulnerability in .NET and Visual Studio Code
CVE-2024-43498 is a critical remote code execution (RCE) vulnerability affecting Microsoft .NET and Visual Studio Code with a CVSS score of 9.8. An unauthenticated, remote attacker could exploit it by sending a crafted request to a vulnerable .NET web application, or by uploading a crafted file to a vulnerable desktop application (Visual Studio Code).

Table 5. Critical Vulnerability in .NET and Visual Studio Code

| Severity | CVSS Score | CVE            | Description                                  |
|----------|------------|----------------|----------------------------------------------|
| Critical | 9.8        | CVE-2024-43498 | .NET and Visual Studio Remote Code Execution |
Not all relevant vulnerabilities have patches: consider mitigation strategies
As we've learned from other high-profile vulnerabilities, such as Log4j, not all exploitable vulnerabilities can be easily patched. As with the ProxyNotShell vulnerabilities, it is extremely important to have a response plan for defending your environments when no patch is available.
Regularly reviewing your patching strategy should remain part of your program, but you should also look more holistically at your organization's approaches to cybersecurity and improve your overall security posture.
The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events daily from millions of sensors deployed in 176 countries. Watch this demo to see the Falcon platform in action.
Learn more
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposure here.
About CVSS scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard used by CrowdStrike and many other cybersecurity organizations to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS base score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating to CVSS scores. Learn more about vulnerability scoring in this article.
Additional resources