
Easy Branches


Microsoft unleashes 157 bug fixes

Two zero-days.


  • Apr 10 2024

Microsoft has pushed out 157 fixes for “Patch Tuesday”, including seven Chromium bugs in the Edge browser, but critical vulnerabilities are few and far between.


While it only carries a CVSS score of 6.7, CVE-2024-26234 is notable because Microsoft said it has seen exploits in the wild.

Discovered by Sophos’ Christopher Budd, CVE-2024-26234 is described by Microsoft as a “proxy driver spoofing vulnerability” leading to improper access control that is only locally exploitable.

Writing about his discovery, Budd said that “the file’s metadata indicates that it is a ‘Catalog Authentication Client Service’ by ‘Catalog Thales’ – possibly an attempt to impersonate the legitimate company Thales Group.”

Sophos said it has previously seen the malicious file as a setup file for “a product called LaiXi Screen Mirroring”.

“We are confident that the file we investigated is a malicious backdoor,” Budd wrote.

CVE-2024-29988 is also of interest, in spite of its CVSS score of 8.8, because while Microsoft doesn’t say so, Trend’s Zero Day Initiative (ZDI) said it has also been exploited in the wild.

The bug is a SmartScreen security bypass.

“Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW [Mark-of-the-Web],” ZDI said.

CVE-2024-29990 is an Azure Kubernetes Service vulnerability with a CVSS score of 9.0.

It’s an elevation of privilege vulnerability in Azure Kubernetes’ confidential containers.

An unauthenticated attacker could steal credentials and “affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC),” Microsoft explained.

“An attacker can access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to.”

Microsoft describes three Defender for IoT vulnerabilities as “critical”, even though none of them score above 9 on the CVSS.

CVE-2024-21322 is a remote code execution (RCE) vulnerability that can only be exploited by an administrator.

CVE-2024-21323 is an RCE that’s exploited by sending a malicious update package to a Defender for IoT sensor. The attacker would first need to authenticate themselves to get the permissions needed.

CVE-2024-21323 would be exploited using a malicious tar file, which would let the attacker send unsigned update packages and “overwrite any file they choose”.

Finally, CVE-2024-29053 is a path traversal vulnerability exploitable by any authenticated user.
