September 2024 Patch Tuesday: Four Zero-Days and Seven Critical Vulnerabilities Amid 79 CVEs
Microsoft has released security updates for 79 vulnerabilities in its September 2024 Patch Tuesday rollout. These include four actively exploited zero-days (CVE-2024-38014, CVE-2024-38217, CVE-2024-38226, CVE-2024-43491). Seven of the vulnerabilities are rated Critical in severity, while the remaining 72 are rated Important or Moderate.
September 2024 Risk Analysis
This month’s leading risk type is elevation of privilege (38%) followed by remote code execution (29%) and information disclosure (14%).
Figure 1. Breakdown of September 2024 Patch Tuesday vulnerabilities by attack techniques
Windows products received the most patches this month with 46, followed by Extended Security Update (ESU) with 23 and Microsoft SQL Server with 13.
Figure 2. Breakdown of product families affected by September 2024 Patch Tuesday
Actively Exploited Zero-Day Vulnerability in Microsoft Windows Update
Microsoft Windows Update received a patch for CVE-2024-43491, which has a severity of Critical and a CVSS score of 9.8. Microsoft has identified a remote code execution (RCE) vulnerability in the Servicing Stack that reverses previously implemented fixes and mitigations, effectively undoing earlier security patches. This vulnerability allows attackers to exploit these previously mitigated vulnerabilities on Windows 10 version 1507 systems that have installed the Windows security update KB5035858 or other updates released through August 2024. Later versions of Windows 10 are not impacted by this vulnerability. The issue only affects Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB.
| Severity | CVSS Score | CVE | Description |
| Critical | 9.8 | CVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability |
Table 1. Zero-day in Microsoft Windows Update
Actively Exploited Zero-Day Vulnerabilities in Windows Installer
Windows Installer received a patch for CVE-2024-38014, with a severity of Important and a CVSS score of 7.8. An attacker exploiting this vulnerability could gain SYSTEM-level privileges, allowing complete control over the affected system. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability is not yet publicly available.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2024-38193 | Windows Installer Elevation of Privilege Vulnerability |
Table 2. Zero-day in Windows Installer
Actively Exploited Zero-Day Vulnerabilities in Windows Publisher
Windows Publisher received a patch for CVE-2024-38226, with a severity of Important and a CVSS score of 7.3. An authenticated attacker could exploit this vulnerability by tricking a web visitor into downloading and opening a specially crafted file from a website. If successful, the attacker could then bypass Office macro policies designed to block untrusted or malicious files. This local attack requires social engineering to convince the victim to interact with the malicious file on their own computer, potentially compromising the system’s security.
| Severity | CVSS Score | CVE | Description |
| Important | 7.3 | CVE-2024-38226 | Microsoft Publisher Security Feature Bypass Vulnerability |
Table 3. Zero-day in Microsoft Publisher Security
Actively Exploited Zero-Day Vulnerability in Windows Mark of the Web
Windows Mark of the Web (MOTW), a tool that evaluates the safety of files downloaded from the web, received a patch for CVE-2024-38217, which has a severity of Important and a CVSS score of 5.4. An attacker could create a file that evades MOTW defenses on the end user system, potentially disabling SmartScreen and Windows Attachment Services security features. This could compromise system integrity and reduce the effectiveness of these protective measures. This security feature has been bypassed multiple times over the years (March 2023, July 2023, November 2023, February 2024, August 2024), making it a prime target for threat actors utilizing it in phishing attacks. According to Microsoft, a proof-of-concept kit for exploiting the vulnerability is not yet publicly available.
| Severity | CVSS Score | CVE | Description |
| Important | 5.4 | CVE-2024-38217 | Windows Mark of the Web Security Feature Bypass Vulnerability |
Table 4. Zero-day in Windows Mark of the Web
Critical Vulnerabilities in Windows, SharePoint and Azure
CVE-2024-43491 is a Critical remote code execution (RCE) vulnerability affecting Windows Update and has a CVSS score of 9.8. Successful exploitation of this vulnerability allows an attacker to execute code remotely. Details were covered in the “Actively Exploited Zero-Day Vulnerability in Microsoft Windows Update” section above.
CVE-2024-38220 is a Critical RCE vulnerability affecting Azure Stack Hub and has a CVSS score of 9.0. This vulnerability could allow an attacker to gain unauthorized access to other Azure cloud tenants’ applications and content. A successful exploit could grant the attacker access to system resources with the same privileges as the compromised process, potentially enabling deeper system penetration and unauthorized actions across the network. To exploit this vulnerability, an authenticated attacker would need to wait for a victim user to initiate a connection to that Azure cloud tenant.
CVE-2024-38018 is a Critical RCE vulnerability affecting Microsoft SharePoint Server and has a CVSS score of 8.8. An authenticated attacker with at least Site Member level permissions could remotely execute code on the SharePoint Server through a network-based attack. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability is not yet publicly available.
CVE-2024-38194 is a Critical RCE vulnerability affecting Azure Web Apps and has a CVSS score of 8.4. A malicious actor with valid credentials can take advantage of an authorization flaw in Azure Web Apps to gain elevated permissions across a network. Microsoft has already fully addressed this vulnerability within the Azure infrastructure, and users of the affected service do not need to take any action. This CVE is being published solely to maintain transparency about the issue and its resolution.
CVE-2024-38216 is a Critical RCE vulnerability affecting Azure Stack Hub and has a CVSS score of 8.2. To exploit this vulnerability, an authenticated attacker must wait for a victim user to establish a connection. Once successful, the attacker could gain unauthorized access to system resources, potentially executing actions with privileges matching the compromised process. This breach could lead to further system infiltration, unauthorized network activities and even the ability to interact with other tenants’ applications and content.
CVE-2024-38119 is a Critical elevation of privilege vulnerability affecting Windows Network Address Translation (NAT) and has a CVSS score of 7.5. Exploiting this vulnerability requires the attacker to initially breach the protected network perimeter. Additionally, the attacker needs to successfully win a race condition against the normal execution flow of the program or system to complete the exploitation process. These requirements add layers of complexity to the attack, potentially limiting its feasibility. As of now, Microsoft states that proof-of-concept is not yet available.
CVE-2024-43464 is a Critical elevation of privilege vulnerability affecting Microsoft SharePoint Server and has a CVSS score of 7.2. An attacker with Site Owner or higher privileges can exploit this vulnerability by uploading a maliciously crafted file to the target SharePoint Server and sending specially crafted API requests to the targeted SharePoint Server. This process triggers the deserialization of the file’s parameters, allowing the attacker to inject and execute arbitrary code on the SharePoint Server, effectively achieving remote code execution. As of now, Microsoft states that proof-of-concept is not yet available.
| Severity | CVSS Score | CVE | Description |
| Critical | 9.8 | CVE-2024-43491 | Microsoft Windows Update Remote Code Execution Vulnerability |
| Critical | 9.0 | CVE-2024-38220 | Azure Stack Hub Elevation of Privilege Vulnerability |
| Critical | 8.8 | CVE-2024-38018 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Critical | 8.4 | CVE-2024-38194 | Azure Web Apps Elevation of Privilege Vulnerability |
| Critical | 8.2 | CVE-2024-38216 | Azure Stack Hub Elevation of Privilege Vulnerability |
| Critical | 7.5 | CVE-2024-38119 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability |
| Critical | 7.2 | CVE-2024-43464 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
Table 5. Critical vulnerabilities in Windows, SharePoint and Azure
Patch Tuesday Dashboard in the Falcon Platform
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our newly available Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources
- For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
- See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
- Learn how CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, can discover unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
- Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
- Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.