ION Advisory: May 2024 Update 

The Microsoft May 2024 Patch Tuesday update consists of 67 patches for Microsoft products. However, only 1 of these vulnerabilities is considered critical, 2 of them are being actively exploited.

Critical Vulnerabilities

• CVE-2024-30044 – Microsoft SharePoint Server Remote Code Execution Vulnerability

This Remote Code Execution (RCE) is affecting the Microsoft Sharepoint Server . An authenticated attacker with Site Owner permissions or higher could upload a specially crafted file to the targeted Sharepoint Server and craft specialised API requests to trigger deserialisation of file’s parameters. This would enable the attacker to perform remote code execution in the context of the Sharepoint Server.

Affected versions

• Microsoft SharePoint Enterprise Server 2016 – affected from 16.0.0 before 16.0.5448.1000
• Microsoft SharePoint Server 2019 – affected from 16.0.0 before 16.0.10409.20047
• Microsoft SharePoint Server Subscription Edition – affected from 16.0.0 before 16.0.17328.20292

Publicly disclosed and Actively Exploited

• CVE-2024-30051 – Windows DWM Core Library Elevation of Privilege Vulnerability

Microsoft stated “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,”. Local access is required to leverage this vulnerability, however, when chained with a code-execution bug for initial access, it can lead to complete takeover of a target and lateral movement — a common path used by ransomware actors. Recently, Kaspersky researchers released a blog detailing how threat groups had been utilising the exploit since April via Qakbot malware phishing attacks. The phishing emails contained a malicious document that would execute a script to exploit the flaw.

• CVE-2024-30040 – Windows MSHTML Platform Security Feature Bypass Vulnerability

This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls. This vulnerability requires some user/Victim interaction to be successful. This will likely be in the form of a phishing email or instant message (i.e. Teams), where the user will have to be convinced to open a malicious document at which point the attacker could execute arbitrary code in the context of the user.

Noteworthy

• CVE-2024-32002 – Recursive clones on case-insensitive filesystems that support symlinks are susceptible to Remote Code Execution

MinGit software, used by Microsoft Visual Studio, has a flaw caused by an improper limitation of a pathname to a restricted directory (‘Path Traversal’) making it susceptible to Remote Code Execution. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable.

Countermeasures and Patches

• Apply patches as soon as possible, after appropriate testing

References

Sans Report: https://isc.sans.edu/diary/Microsoft+May+2024+Patch+Tuesday/30920/