
RCE flaw and DNS zero-day top list of Patch Tuesday bugs

An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address in Microsoft’s latest Patch Tuesday.

A critical remote code execution (RCE) vulnerability in Microsoft Message Queuing (MSMQ) stands out as the most serious issue patched by Microsoft in its June Patch Tuesday update, amid another lighter-than-usual drop comprising just over 50 issues.

Tracked as CVE-2024-30080, and attributed to China-based researcher k0shl, the flaw enables a remote, unauthenticated party to execute arbitrary code with elevated privileges by sending a specially crafted malicious packet to an MSMQ server.

According to Microsoft, the vulnerability is exploitable only if the MSMQ service, a Windows component that can be toggled via the Control Panel, is enabled. Users are also advised to check whether a service named Message Queuing is running, and whether TCP port 1801 is listening on the machine.
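The check described above, as an added PowerShell example (not from the article or from Microsoft): it reports whether the Message Queuing service is present and running, and whether anything is listening on TCP port 1801. The function name `Get-MsmqExposure` and the output field names are assumptions made for this example; it expects Windows PowerShell 5.1 or later with the built-in NetTCPIP cmdlets.

```powershell
# Added example: local check for the two conditions named in Microsoft's guidance.
# Get-MsmqExposure and its output fields are hypothetical names for this sketch.
function Get-MsmqExposure {
    [CmdletBinding()]
    param()

    # Look the service up by the display name the guidance gives.
    $svc = Get-Service -DisplayName 'Message Queuing' -ErrorAction SilentlyContinue |
        Select-Object -First 1

    # Every socket in the Listen state on TCP 1801 (empty array if none).
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)

    # Resolve the owning process so an unexpected listener can be identified.
    $owners = foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($p) { $p.ProcessName } else { 'unknown' }
        '{0}:{1} (pid {2}, {3})' -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $name
    }

    # Listeners bound to something other than loopback. Whether they are
    # actually reachable from the network still depends on firewall rules.
    $nonLoopback = @($listeners | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ServiceInstalled    = [bool]$svc
        ServiceStatus       = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartType           = if ($svc) { [string]$svc.StartType } else { $null }
        Port1801Listening   = $listeners.Count -gt 0
        BoundBeyondLoopback = $nonLoopback.Count -gt 0
        Listeners           = $owners
        # Flag the host if either condition from the guidance is met.
        NeedsAttention      = ($svc -and $svc.Status -eq 'Running') -or ($listeners.Count -gt 0)
    }
}

Get-MsmqExposure | Format-List
```

A host where `NeedsAttention` is true is a candidate for the June update first, or for disabling the service until the update can be installed.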

Tyler Reguly, Fortra associate director of security research and development, said CVE-2024-30080 would be the most talked about vulnerability disclosed this month.

“Microsoft has given the vulnerability a CVSS score of 9.8 and said that exploitation is more likely. Microsoft has also recommended disabling the service until a time at which you can install the update,” he said.

“A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for ‘msmq’. Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future.”

Microsoft has also listed a third-party zero-day vulnerability this month, tracked as CVE-2023-50868, which is also drawing the attention of the cyber community. Credited to Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner of the German National Research Centre for Applied Cybersecurity (ATHENE), the CVE was assigned by the MITRE Corporation back in February 2024.

CVE-2023-50868 exists in the Domain Name System Security Extensions (DNSSEC) feature of the Domain Name System (DNS), which authenticates responses to domain name lookups. A malicious actor can abuse standard DNSSEC protocols to consume excessive resources on a resolver, causing legitimate users to experience a denial of service (DoS).

This is a serious issue, and affects many more suppliers than just Microsoft. Tom Marsland, technology vice president at Cloud Range, said: “According to [the] researchers that found the vulnerability, which had been present in DNSSEC for the better part of two decades, an attacker ‘could completely disable large parts of the worldwide internet’.”

All in all, the June Patch Tuesday update includes five DoS vulnerabilities, 25 elevation of privilege (EoP) vulnerabilities, three information disclosure vulnerabilities, and 18 RCE vulnerabilities – all rated as important save for the critical flaw highlighted above.

The good news, said Chris Goettl, vice president of security products at Ivanti, is that dealing with the most pressing issues should not cause a significant headache for security administrators this time round.

“[The] Windows OS update is the most urgent,” said Goettl. “Between the critical CVE and the publicly disclosed CVE, the most significant risks can be resolved with the OS update.”
