RCE flaw and DNS zero-day top list of Patch Tuesday bugs

A critical remote code execution (RCE) vulnerability in Microsoft Message Queuing (MSMQ) stands out as the most serious issue patched by Microsoft in its June Patch Tuesday update, amid another lighter-than-usual drop comprising just over 50 issues.

Tracked as CVE-2024-30080, and attributed to China-based researcher k0shl, the flaw enables a remote, unauthenticated party to execute arbitrary code with elevated privileges by sending a specially-crafted malicious packet to an MSMQ server.

According to Microsoft, the vulnerability is only exploitable if the MSMQ service – which is a Windows component – is enabled, which can be toggled via the Control Panel. Users are also advised to check and see if there is a service running named Message Queuing, and if TCP port 1801 is listening on the machine.

Tyler Reguly, Fortra associate director of security research and development, said CVE-2024-30080 would be the most talked about vulnerability disclosed this month.

“Microsoft has given the vulnerability a CVSS score of 9.8 and said that exploitation is more likely. Microsoft has also recommended disabling the service until a time at which you can install the update,” he said.

“A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for ‘msmq’. Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future.”

Microsoft has also listed this month a third-party zero-day vulnerability tracked as CVE-2023-50868, which is also drawing the attention of the cyber community. Credited to Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner of the German National Research Centre for Applied Cybersecurity (ATHENE), this vulnerability was assigned by the MITRE Corporation back in February 2024.

CVE-2023-50868 exists in the Domain Name System Security Extensions (DNSSEC) feature of the Domain Name System (DNS), which authenticates responses to domain name lookups. If exploited, a malicious actor can exploit standard DNSSEC protocols by using excessive resources on a resolver, causing legitimate users to experience a denial of service (DoS).

This is a serious issue, and affects many more suppliers than just Microsoft. Tom Marsland, technology vice president at Cloud Range, said: “According to [the] researchers that found the vulnerability, which had been present in DNSSEC for the better part of two decades, an attacker ‘could completely disable large parts of the worldwide internet’.”

All in all, the June Patch Tuesday update includes five DoS vulnerabilities, 25 elevation of privilege (EoP) vulnerabilities, three information disclosure vulnerabilities, and 18 RCE vulnerabilities – all rated as important save for the critical flaw highlighted above.

The good news, said Chris Goettl, vice president of security products at Ivanti, is that dealing with the most pressing issues should not cause a significant headache for security administrators this time round.

“[The] Windows OS update is the most urgent,” said Goettl. “Between the critical CVE and the publicly disclosed CVE, the most significant risks can be resolved with the OS update.”