NTLM and Task Scheduler Bugs

Microsoft on Tuesday revealed that two security flaws impacting Windows NT LAN Manager (NTLM) and Task Scheduler have come under active exploitation in the wild.

The security vulnerabilities are among the 90 security bugs the tech giant addressed as part of its Patch Tuesday update for November 2024. Of the 90 flaws, four are rated Critical, 85 are rated Important, and one is rated Moderate in severity. Fifty-two of the patched vulnerabilities are remote code execution flaws.

The fixes are in addition to 31 vulnerabilities Microsoft resolved in its Chromium-based Edge browser since the release of the October 2024 Patch Tuesday update. The two vulnerabilities that have been listed as actively exploited are below -

  • CVE-2024-43451 (CVSS score: 6.5) - Windows NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2024-49039 (CVSS score: 8.8) - Windows Task Scheduler Elevation of Privilege Vulnerability

"This vulnerability discloses a user's NTLMv2 hash to the attacker who could use this to authenticate as the user," Microsoft said in an advisory for CVE-2024-43451, crediting ClearSky researcher Israel Yeshurun with discovering and reporting the flaw.

It's worth noting that CVE-2024-43451 is the third flaw after CVE-2024-21410 (patched in February) and CVE-2024-38021 (patched in July) that can be used to reveal a user's NTLMv2 hash and has been exploited in the wild this year alone.

Cybersecurity

"Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems," Satnam Narang, senior staff research engineer at Tenable, said in a statement.

CVE-2024-49039, on the other hand, could allow an attacker to execute RPC functions that are otherwise restricted to privileged accounts. However, Microsoft notes that successful exploitation requires an authenticated attacker to run a specially crafted application on the target system to first elevate their privileges to a Medium Integrity Level.

Vlad Stolyarov and Bahare Sabouri of Google's Threat Analysis Group (TAG) and an anonymous researcher have been acknowledged for reporting the vulnerability. This raises the possibility that the zero-day exploitation of the flaw is associated with some nation-state-aligned group or an advanced persistent threat (APT) actor.

There are currently no insights into how the shortcomings are exploited in the wild or how widespread these attacks are, but the development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add them to the Known Exploited Vulnerabilities (KEV) catalog.

One of the publicly disclosed, but not yet exploited, zero-day flaws is CVE-2024-49019 (CVSS score: 7.8), a privilege escalation vulnerability in Active Directory Certificate Services that could be leveraged to obtain domain admin privileges. Details of the vulnerability, dubbed EKUwu, were documented by TrustedSec last month.

Another vulnerability of note is CVE-2024-43498 (CVSS score: 9.8), a critical remote code execution bug in .NET and Visual Studio that a remote unauthenticated attacker could exploit by sending specially crafted requests to a vulnerable .NET web app or by loading a specially crafted file into a vulnerable desktop app.

The update also fixes a critical cryptographic protocol flaw impacting Windows Kerberos (CVE-2024-43639, CVSS score: 9.8) that could be abused by an unauthenticated attacker to perform remote code execution.

The highest-rated vulnerability in this month's release is a remote code execution flaw in Azure CycleCloud (CVE-2024-43602, CVSS score: 9.9), which allows an attacker with basic user permissions to gain root-level privileges.

"Ease of exploitation was as simple as sending a request to a vulnerable AzureCloud CycleCloud cluster that would modify its configuration," Narang said. "As organizations continue to shift into utilizing cloud resources, the attack surface widens as a result."

Lastly, a non-Microsoft-issued CVE addressed by Redmond is a remote code execution flaw in OpenSSL (CVE-2024-5535, CVSS score: 9.1). It was originally patched by OpenSSL maintainers back in June 2024.

"Exploitation of this vulnerability requires that an attacker send a malicious link to the victim via email, or that they convince the user to click the link, typically by way of an enticement in an email or Instant Messenger message," Microsoft said.

"In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. This could result in the attacker executing remote code on the victim's machine."

Coinciding with the November security update, Microsoft also announced its adoption of Common Security Advisory Framework (CSAF), an OASIS standard for disclosing vulnerabilities in machine-readable form, for all CVEs in order to accelerate response and remediation efforts.

Cybersecurity

"CSAF files are meant to be consumed by computers more so than by humans, so we are adding CSAF files as an addition to our existing CVE data channels rather than a replacement," the company said. "This is the beginning of a journey to continue to increase transparency around our supply chain and the vulnerabilities that we address and resolve in our entire supply chain, including Open Source Software embedded in our products."

Software Patches from Other Vendors

Other than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.