CISA Alert Highlights for May 14, 2024 - Microsoft Windows Products
How are Vulnerabilities Rated?
This latest vulnerabilities report focuses on Microsoft’s scaled-down update for CVEs for May that have been recently released by CISA in conjunction with the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). These Microsoft vulnerabilities include 2 zero-day vulnerabilities and one rated critical.
These vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
These security updates from Microsoft include two zero-day vulnerabilities and one critical vulnerability.
Vendor/Product: Microsoft Windows:
- Windows MSHTML Platform Security Feature Bypass Vulnerability (CVE-2024-30040)
- Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2024-30044)
- Windows DWM Core Library Elevation of Privilege Vulnerability (CVE-2024-30051)
Description:
In the realm of digital fortifications, May brings forth a compact yet significant array of security updates from Microsoft. Let us delve into 3 of the most urgent, which include two zero-day and one critical vulnerabilities.
Windows MSHTML Platform Security Feature Bypass Vulnerability
The vulnerable component is tied to the network stack, and potential attackers range from local network users to anyone on the Internet. This type of vulnerability is often called 'remotely exploitable' and refers to an attack that can be executed at the protocol level, potentially from several network hops away.
The attacker does not need authorization or access to any settings or files before the attack, meaning they can execute the attack without prior access.
Confidentiality is completely compromised, leading to the exposure of all resources within the affected component to the attacker. In some cases, only certain restricted information may be accessed, but even this limited disclosure can have a direct and severe impact.
Integrity is wholly lost, or protection is entirely breached. For instance, the attacker might change any or all files safeguarded by the affected component. Even if only some files are alterable, their malicious modification could have dire consequences for the component.
Availability is totally lost, allowing the attacker to entirely block access to the component's resources; this loss can be continuous (as long as the attack is ongoing) or permanent (persisting after the attack ends). Alternatively, the attacker might partially deny availability, but even this partial loss can have a direct and severe impact on the component—for example, they might not interrupt existing connections but could block new ones, or they might exploit a vulnerability repeatedly, causing a service to fail after successive attacks.
Source: CVE-2024-30040
Max Severity: Important
CVSS Score: 8.8
Mitigation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30040
Microsoft SharePoint Server Remote Code Execution Vulnerability
The component in question is integrated with the network stack, and the potential attackers range widely, potentially including anyone on the Internet. This type of vulnerability is commonly referred to as 'remotely exploitable,' meaning it can be exploited through the network at the protocol level, possibly across multiple network segments.
No specialized access conditions or unusual circumstances are required for exploitation. An attacker can reliably exploit the vulnerability in the component without necessitating user interaction.
Confidentiality is completely compromised, leading to the exposure of all resources within the affected component to the attacker. In some cases, only certain restricted information may be accessed, but even this limited disclosure can have a severe, immediate impact.
Integrity is wholly lost, or protection is entirely undermined. Attackers can alter any or all files safeguarded by the affected component. In some scenarios, only specific files may be altered, but such unauthorized changes could have grave, immediate repercussions on the affected component.
Availability is utterly lost, allowing the attacker to completely block access to the component's resources; this loss can be continuous (as long as the attack persists) or permanent (remaining after the attack ends). Alternatively, the attacker might only partially hinder availability, but even this partial disruption can have severe, immediate effects on the affected component—for instance, existing connections might remain undisturbed, but new ones could be prevented; or the attacker might exploit a vulnerability repeatedly, each time causing a minor memory leak, but cumulatively resulting in a total service outage.
Source: CVE-2024-30044
Max Severity: Critical
CVSS Score: 7.2
Mitigation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30044
Windows DWM Core Library Elevation of Privilege Vulnerability
The vulnerable component is not tied to the network stack, and the attacker's route involves read/write/execute privileges. The attacker could exploit the vulnerability by local access to the target system (e.g., via keyboard, console) or remotely (e.g., through SSH), or they might depend on another person's user interaction to perform necessary actions to exploit the vulnerability (e.g., deceiving a legitimate user into opening a malicious document).
No specialized access conditions or extraordinary circumstances are present. An attacker can consistently succeed against the vulnerable component.
The system can be compromised without any user interaction.
A compromised vulnerability affects only resources under the same security authority. In this scenario, the vulnerable and impacted components are the same or both are governed by the same security authority.
Confidentiality is completely lost, leading to the exposure of all resources within the impacted component to the attacker. Alternatively, only certain restricted information may be accessed, but the revealed information has a direct, severe impact.
Integrity is entirely lost, or protection is completely undermined. For instance, the attacker can alter any or all files safeguarded by the impacted component. Or, only certain files might be altered, but such malicious modifications would have a direct, severe effect on the impacted component.
A total loss of availability occurs, allowing the attacker to completely block access to resources within the affected component. This loss can be either sustained, continuing for as long as the attack is active, or persistent, remaining even after the attack ends. Alternatively, the attacker may only partially deny availability, yet this still results in a direct, severe impact on the component—for instance, existing connections might remain undisturbed, but new ones are blocked, or a vulnerability may be exploited repeatedly, each time leaking a small amount of memory, but cumulatively leading to a total service outage.
Source: CVE-2024-30051
Max Severity: Important
CVSS Score: 7.2
Mitigation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30051
Impact: Multiple vulnerabilities in Cisco IP Phone firmware could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, gain unauthorized access, or view sensitive information on an affected system.
Published Date: 05/01/2024
Mitigation: For more information about these vulnerabilities, see the Details section of this advisory.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: