Welcome to the final MSP Incident Insight of the year, where we’ll dive into recently patched identity-centric threats you should be aware of as an MSP.
Join us in December for a look back at the trends we saw over the past year and a recap of the most significant threats of 2024.
On November 12th, 2024, Microsoft released its monthly Patch Tuesday updates, addressing several critical vulnerabilities across its products. Among them are elevation-of-privilege and remote code execution flaws in Windows Task Scheduler, Microsoft PC Manager, Visual Studio Code, Windows Kerberos, and more.
What Happened?
The three vulnerabilities we want to highlight from this release are CVE-2024-43639, CVE-2024-49019, and CVE-2024-49039: one remote code execution flaw and two elevation-of-privilege flaws, all of them identity-centric.
CVE-2024-49039 is an elevation-of-privilege zero-day in Windows Task Scheduler (CVSS 8.8). According to Microsoft, an attacker who already runs code on the victim's machine, even inside a low-privilege AppContainer sandbox, could use a specially crafted application to escape to Medium Integrity and then execute code or access resources at that higher integrity level, including calling RPC functions that are normally restricted to privileged accounts. This is a local privilege escalation rather than a remote attack, but it is exactly the step an attacker needs after gaining an initial foothold.
Microsoft confirms that this vulnerability is being exploited in the wild, but its advisory does not disclose how attackers are using it.
CVE-2024-43639 is a Critical remote code execution vulnerability in Windows Kerberos with a CVSS score of 9.8. According to Microsoft and threat researchers, an unauthenticated attacker could use a specially crafted application to exploit a cryptographic protocol weakness in Kerberos and run code remotely on the target. Microsoft rates it "Exploitation Less Likely" and reported no in-the-wild exploitation at the time of release, but a pre-authentication RCE in the protocol every domain member authenticates with still deserves a fast rollout.
CVE-2024-49019 is an elevation-of-privilege vulnerability in Active Directory Certificate Services (AD CS) with a CVSS score of 7.8 (High). It was publicly disclosed before the patch shipped, which is what makes it one of this month's zero-days. An attacker can gain domain administrator privileges by requesting a certificate from a version 1 (schema version 1) certificate template when two conditions hold: the template's "Source of subject name" is set to "Supplied in the request", so the requester chooses the identity the certificate asserts, and the template's Enroll permission is granted to a broad security group such as Domain Users or Domain Computers. A template only matters if a CA actually publishes it, so that is the third thing to check.
Next Steps
The CyberQP team advises MSPs to ensure they install all of the updates from November 2024's Patch Tuesday, which fixes 89 vulnerabilities in total, including four zero-days (two exploited in the wild and two publicly disclosed).
Additionally, Microsoft offered the following mitigations for the Active Directory Certificate Services vulnerability. They reduce exposure on CAs you have not patched yet and remain good hygiene afterwards.
- Remove overly broad "Enroll" or "Autoenroll" permissions from certificate templates. Apply the principle of least privilege: decide which accounts genuinely need to enroll, and deny or remove enrollment rights for everyone else.
- Remove unused certificate templates from your certification authorities.
- For templates that allow the subject to be specified in the request, add controls: require additional signatures on requests, require certificate manager approval, or monitor the certificates those templates issue.
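To turn the first mitigation and the preconditions for CVE-2024-49019 into something you can run, here is an added PowerShell audit written for this post; it is not Microsoft's or CyberQP's tooling. It walks the Configuration partition, keeps only schema version 1 templates whose subject name is supplied in the request, and reports any Allow ACE that grants Enroll or Autoenroll (or GenericAll, which implies both) to Everyone, Authenticated Users, Domain Users or Domain Computers, along with which CAs publish the template. It assumes the RSAT ActiveDirectory module on a domain-joined host; the set of principals treated as "broad", the optional ExtraBroadSids parameter, and the function name Find-RiskyV1Template are the editor's choices, not terms from the advisory.

```powershell
# Added audit example for the CVE-2024-49019 preconditions (editor's illustration,
# not Microsoft's or CyberQP's tooling). Needs the RSAT ActiveDirectory module and a
# domain-joined host; any authenticated user can read the Configuration partition.
# Assumption: the "broad" principal list below is a reasonable default, not advisory text.

Import-Module ActiveDirectory

# Microsoft-documented extended-right GUIDs for certificate enrollment
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-00d2-a8d9-00c04f79dc55'   # Certificate-AutoEnrollment

# msPKI-Certificate-Name-Flag bit meaning "Supplied in the request"
$EnrolleeSuppliesSubject = 0x00000001   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

function Find-RiskyV1Template {
    [CmdletBinding()]
    param(
        # Hypothetical extra SIDs to treat as broad (e.g. an "All Staff" group)
        [string[]]$ExtraBroadSids = @()
    )

    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $casDN       = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    $domainSid = (Get-ADDomain).DomainSID.Value
    # Everyone, Authenticated Users, Domain Users (RID 513), Domain Computers (RID 515)
    $broadSids = @('S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515") + $ExtraBroadSids

    # Map template name -> CAs that publish it; unpublished templates are unreachable
    $publishedOn = @{}
    Get-ADObject -SearchBase $casDN -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object {
            $ca = $_.Name
            foreach ($name in $_.certificateTemplates) {
                if (-not $publishedOn.ContainsKey($name)) { $publishedOn[$name] = @() }
                $publishedOn[$name] += $ca
            }
        }

    $templates = Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor

    foreach ($t in $templates) {
        $isV1     = ([int]$t.'msPKI-Template-Schema-Version') -eq 1
        $supplied = (([int]$t.'msPKI-Certificate-Name-Flag') -band $EnrolleeSuppliesSubject) -ne 0
        if (-not ($isV1 -and $supplied)) { continue }

        foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Enroll/Autoenroll are extended rights. GenericAll, or an ExtendedRight ACE
            # with an empty ObjectType (all extended rights), grants them as well.
            $rights = $ace.ActiveDirectoryRights
            $scopedToEnroll = ($ace.ObjectType -eq [guid]::Empty) -or
                              ($ace.ObjectType -eq $EnrollGuid) -or
                              ($ace.ObjectType -eq $AutoEnrollGuid)
            $grantsEnroll = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                            ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and $scopedToEnroll)
            if (-not $grantsEnroll) { continue }

            # Resolve the trustee to a SID so renamed or localized group names still match
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # orphaned or unresolvable SID; not one of our broad principals
            }
            if ($broadSids -notcontains $sid) { continue }

            if ($ace.ObjectType -eq $AutoEnrollGuid)  { $right = 'Autoenroll' }
            elseif ($ace.ObjectType -eq $EnrollGuid)  { $right = 'Enroll' }
            else                                      { $right = 'All rights' }

            if ($publishedOn.ContainsKey($t.Name)) { $cas = $publishedOn[$t.Name] -join ', ' }
            else                                   { $cas = '(not published)' }

            [pscustomobject]@{
                Template    = $t.Name
                PublishedOn = $cas
                Principal   = $ace.IdentityReference.Value
                Right       = $right
            }
        }
    }
}

Find-RiskyV1Template | Format-Table -AutoSize
```

Each row is a template to fix under the first mitigation (tighten the ACE on the template's Security tab) or to unpublish under the second; a hit is not proof of exploitability on a CA that already has the November update, but it is exactly the over-broad enrollment right Microsoft's guidance targets. Run the audit again after editing to confirm the broad ACE is gone.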