November 2024 Patch Tuesday: Four Critical and Three Zero-Days Among 158 Vulnerabilities Patched

Microsoft has released security updates for 158 vulnerabilities in its November 2024 Patch Tuesday rollout. Among these are four Critical vulnerabilities (CVE-2024-43625, CVE-2024-49056, CVE-2024-43498, and CVE-2024-43639). Of these vulnerabilities, CVE-2024-49056 has been fully mitigated by Microsoft and requires no customer actions at this point. In addition, three zero-days have been identified (CVE-2024-43451, CVE-2024-49040, CVE-2024-49019). 

November 2024 Risk Analysis

This month’s leading risk type is remote code execution (59%), followed by elevation of privilege (29%).

Figure 1. Breakdown of November 2024 Patch Tuesday attack types Figure 1. Breakdown of November 2024 Patch Tuesday attack types
Microsoft CBL-Mariner (Microsoft’s Linux distribution for Azure environments) received the most patches this month with 70, followed by Windows (37) and Microsoft SQL Server (31). Information for administering Microsoft CBL-Mariner can be found here.
Figure 2. Breakdown of product families affected by November 2024 Patch Tuesday Figure 2. Breakdown of product families affected by November 2024 Patch Tuesday

Microsoft Discloses Vulnerability within Airlift.microsoft.com

In an effort to provide additional transparency for Microsoft-hosted services, Microsoft has disclosed a Critical privilege escalation vulnerability within airlift.microsoft.com (CVE-2024-49056). This vulnerability has been fully mitigated by Microsoft and requires no customer interaction. Microsoft has stated that it is committed to transparency and has created a new classification of vulnerability that requires no customer interaction. More information about this commitment can be found here.

Two Zero-Days in Microsoft Windows

CVE-2024-49039 is an Important privilege escalation vulnerability within the Windows Task Manager application. To exploit this vulnerability, an authenticated attacker must run a specially crafted application on the host in order to upgrade their permissions to a medium integrity level. More about Microsoft mandatory Integrity levels can be found here.

CVE-2024-43451 is an Important spoofing vulnerability within the NTLM handling system in Windows. This vulnerability exposes the victim’s NTLM hash to adversaries, allowing them to impersonate the victim. This vulnerability can be exploited by the user selecting (single-clicking), inspecting (right-clicking) or performing some other non-opening action on the malicious file. 

Table 1.Zero-days in Microsoft Windows
SeverityCVSS ScoreCVEDescription
Important8.8CVE-2024-49039Windows Task Scheduler Elevation of Privilege Vulnerability
Important6.5CVE-2024-43451NTLM Hash Disclosure Spoofing Vulnerability

One Publicly Disclosed Vulnerability in Microsoft Windows

CVE-2024-49019 is an Important privilege escalation vulnerability within the Active Directory certificate services platform. This platform is responsible for issuing and managing Public Key Infrastructure (PKI). More information about this service can be found here. This vulnerability can allow an attacker to gain domain administrator privileges. This is one of the highest levels of privilege available in Active Directory. Only certificates generated using a version 1 template with a source of subject name field set to “Supplied in the request” are usable for this attack. In addition, the victim site must have overly broad Enroll permissions. Microsoft recommends removing Autoenroll permissions and auditing sites to ensure least privilege.

Table 2. Publicly Disclosed Vulnerability in Microsoft Windows
SeverityCVSS ScoreCVEDescription
Important7.8CVE-2024-49019Active Directory Certificate Services Elevation of Privilege Vulnerability

One Publicly Disclosed Vulnerability in Microsoft Exchange Server

CVE-2024-49040 is an Important spoofing vulnerability in which an attacker can bypass current spoofing protections within Exchange through use of a non-compliant P2 FROM header. This header is responsible for ensuring the integrity of the sender of an email. Once updated, the Exchange server will flag any non-compliant P2 FROM headers as suspicious. Additional information on this vulnerability can be found here.

Table 3. Publicly Disclosed Vulnerability in Microsoft Exchange Server
SeverityCVSS ScoreCVEDescription
Important7.5CVE-2024-49040Microsoft Exchange Server Spoofing Vulnerability

Two Critical Vulnerabilities in Microsoft Windows

CVE-2024-43639 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Windows Kerberos and has a CVSS score of 9.8. Successful exploitation of this vulnerability would allow an unauthenticated, remote attacker to use a specially crafted packet to leverage a cryptographic protocol within Windows Kerberos to allow for RCE. Due to the severe nature of this vulnerability, patching should be a high priority.

CVE-2024-43625 is a Critical privilege escalation vulnerability within the VMSwitch functionality of Hyper-V with a CVSS score of 8.1. This vulnerability could allow an unprivileged attacker within a low-privileged Hyper-V host to traverse the security boundary to execute code within the Hyper-V execution environment. Notably, Microsoft states that this vulnerability is not within the System Center Virtual Machine Manager. This vulnerability has a high complexity requirement, requiring a significant amount of information about the operating environment of the victim Hyper-V host.

Table 4. Critical vulnerabilities in Windows
SeverityCVSS ScoreCVEDescription
Critical9.8CVE-2024-43639Windows Kerberos Remote Code Execution Vulnerability
Critical8.1CVE-2024-43625Microsoft Windows VMSwitch Elevation of Privilege Vulnerability

One Critical Vulnerability in .Net and Visual Studio Code

CVE-2024-43498 is a Critical remote code execution (RCE) vulnerability affecting Microsoft .Net and Visual Studio Code and has a CVSS score of 9.8. Successful exploitation of this vulnerability would allow an unauthenticated, remote attacker to use a specially crafted request to a vulnerable .Net web app or by loading a specially crafted file into a vulnerable desktop application (Visual Studio Code).

Table 5. Critical vulnerability in .Net and Visual Studio Code
SeverityCVSS ScoreCVEDescription
Critical9.8CVE-2024-43498.NET and Visual Studio Remote Code Execution Vulnerability

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article

Additional Resources

Breaches Stop Here