Microsoft fixes RCE vulnerabilities in MSMQ, Outlook (CVE-2024-30080, CVE-2024-30103)
June 2024 Patch Tuesday is here and Microsoft has delivered fixes for a critical MSMQ flaw (CVE-2024-30080) and an RCE vulnerability in Microsoft Outlook (CVE-2024-30103).
49 CVE-numbered vulnerabilities have been fixed in total, none of which have been exploited in the wild as zero-days.
About CVE-2024-30080 and CVE-2024-30103
CVE-2024-30080 is a use-after-free flaw affecting Microsoft Message Queuing (MSMQ) and can be exploited by unauthenticated attackers by sending a specially crafted malicious MSMQ packet to an MSMQ server. Successful exploitation will allow remote code execution (RCE).
While the vulnerability can be exploited only on Windows and Windows Server installations with the Windows message queuing service enabled, the lack of other exploitation requirements (e.g., previous authentication, user interaction) is partly what makes Microsoft say that exploitation of this flaw by attackers is “more likely”. So patch this one quickly, or disable the vulnerable service (if not needed).
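As an added example (not from the article, Microsoft or Morphisec), the following PowerShell audit script reports whether a host has the Windows Message Queuing service that CVE-2024-30080 affects, whether it is running and exposed on the network, and can stop and disable it when it is not needed. The `-Disable` switch is this script's own; the check on TCP 1801 relies on that being MSMQ's well-known port, which the article does not mention.

```powershell
# Added audit helper, not code from the article. Run in an elevated PowerShell
# session on the Windows host being assessed.
param(
    [switch]$Disable   # pass -Disable to stop and disable MSMQ if the host does not need it
)

# The service name of Windows Message Queuing is 'MSMQ'.
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'MSMQ service not installed: CVE-2024-30080 does not apply to this host.'
    return
}

Write-Output ("MSMQ service status: {0}; start type: {1}" -f $svc.Status, $svc.StartType)

# MSMQ accepts its network traffic on TCP 1801 (well-known MSMQ port, an assumption
# beyond the article). A listening socket means unauthenticated packets can reach it.
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    Write-Output 'TCP 1801 is listening: the service is reachable from the network. Patch now.'
} else {
    Write-Output 'TCP 1801 is not listening on this host.'
}

if ($Disable) {
    # Mitigation the article suggests for hosts that do not need MSMQ: stop the
    # service and prevent it from starting again at boot.
    Stop-Service -Name 'MSMQ' -Force
    Set-Service -Name 'MSMQ' -StartupType Disabled
    Write-Output 'MSMQ stopped and set to Disabled. Consider removing the feature entirely.'
}
```

Run it without arguments on each host to inventory exposure, and with `-Disable` only where MSMQ has been confirmed unused.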
CVE-2024-30103, a Microsoft Outlook vulnerability that can also lead to RCE, should also be fixed sooner rather than later.
“An attacker who successfully exploited this vulnerability could bypass Outlook registry block lists and enable the creation of malicious DLL files,” Microsoft says.
“While not explicitly stated, attackers would likely then use the malicious DLL files to perform some form of DLL hijacking for further compromise,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted.
“The good news here is that the attacker would need valid Exchange credentials to perform this attack. The bad news is that the exploit can occur in the Preview Pane. Considering how often credentials end up being sold in underground forums, I would not ignore this fix.”
The vulnerability was discovered by Morphisec researchers Michael Gorelik and Shmuel Uzan, who pointed out that the vulnerability is particularly dangerous for accounts using Microsoft Outlook’s auto-open email feature, as execution initiates when an affected email is opened.
They plan to release the technical details and a PoC exploit in early August, at the DEFCON 32 conference.
Other vulnerabilities of note
CVE-2024-30078 is an RCE bug affecting the Windows Wi-Fi driver.
“This vulnerability allows an unauthenticated attacker to execute code on an affected system by sending the target a specially crafted network packet. Obviously, the target would need to be in Wi-Fi range of the attacker and using a Wi-Fi adapter, but that’s the only restriction,” Childs explained, and said that the bug “will likely draw a lot of attention from attackers and red teams alike.”
Jason Kikta, CISO and SVP of Product at Automox, told Help Net Security that this vulnerability is particularly concerning because it enables attackers to gain control over targets’ systems without physical access.
“Given its nature, this vulnerability poses a significant risk in endpoint-dense environments including hotels, trade shows, or anywhere else numerous devices connect to WiFi networks,” he opined.
CVE-2024-30072 is another interesting RCE vulnerability that can be triggered by opening a malicious Microsoft Event Trace Log file.
“With the commonality of IT teams using Event Trace Log files to debug user systems and given the high privileges often associated with IT support roles, exploiting this vulnerability could provide attackers with substantial access to sensitive systems,” noted Henry Smith, senior AppSec engineer at Automox.
Satnam Narang, senior staff research engineer at Tenable, singled out CVE-2024-30089, an elevation of privilege flaw in the Microsoft Streaming Service, as worthy of a quick fix.
Microsoft labeled this vulnerability as ‘Exploitation More Likely’, he pointed out, and it was disclosed to Microsoft by the same security researcher who disclosed CVE-2023-36802, another Microsoft Streaming Service elevation of privilege flaw that was patched in the September 2023 Patch Tuesday (and had been exploited by attackers in the wild).
UPDATE (August 13, 2024, 06:20 a.m. ET):
Morphisec has released more details about CVE-2024-30103, which is a bypass for the previously patched CVE-2024-2137.