[CDP-development] GREEN (Vulnerability Alert Notification) - Multiple CVEs (CVE-2024-30040, CVE-2024-30050, and CVE-2024-30051) - Critical Patches Issued for Microsoft Products, May 14, 2024

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Wed May 15 07:31:47 PDT 2024


Good morning,

The SOC Services team is reporting on multiple vulnerabilities released by Microsoft:


  *   CVE-2024-30040: Windows MSHTML Platform Security Feature Bypass Vulnerability. The CVE was released on May 14, 2024, with a CVSSv3 base score of 8.8 (High).
  *   CVE-2024-30050: Windows Mark of the Web Security Feature Bypass Vulnerability. The CVE was released on May 14, 2024, with a CVSSv3 base score of 5.4 (Medium).
  *   CVE-2024-30051: Windows DWM Core Library Elevation of Privilege Vulnerability. The CVE was released on May 14, 2024, with a CVSSv3 base score of 7.8 (High).

Due to the high visibility of these vulnerabilities and our knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On May 14, 2024, Microsoft released security advisories for CVE-2024-30040, CVE-2024-30050, and CVE-2024-30051.

The following products are affected by CVE-2024-30040:
*              Windows 10 (multiple versions)
*              Windows 11 (multiple versions)
*              Microsoft Windows Server (2016, 2019, and 2022 - multiple versions)

The following products are affected by CVE-2024-30050:
*              Windows 10 (multiple versions)
*              Windows 11 (multiple versions)
*              Microsoft Windows Server (2016, 2019, and 2022 - multiple versions)

The following products are affected by CVE-2024-30051:
*              Windows 10 (multiple versions)
*              Windows 11 (multiple versions)
*              Microsoft Windows Server (2016, 2019, and 2022 - multiple versions)

Microsoft has released the following security advisory related to CVE-2024-30040: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30040
Microsoft has released the following security advisory related to CVE-2024-30050: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30050
Microsoft has released the following security advisory related to CVE-2024-30051: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30051

Intelligence: As of May 14, 2024, both CVE-2024-30040 and CVE-2024-30051 have been exploited in the wild and were added to CISA's Known Exploited Vulnerabilities catalog on 05/14/2024. CVE-2024-30050 has not been seen exploited in the wild, but functional exploit code is reported to be available.

Workarounds: There are no workarounds for these vulnerabilities; patching is the only remediation.

How it works:


  *   CVE-2024-30040: To exploit it, attackers need to "convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an email or instant messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file."


  *   CVE-2024-30050: To exploit this vulnerability, an attacker could host a file on an attacker-controlled server, then convince a targeted user to download and open the file. This could allow the attacker to interfere with the Mark of the Web functionality.


  *   CVE-2024-30051: A heap-based buffer overflow in the Windows DWM Core Library that can be exploited to elevate an attacker's privileges on a target system. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft says. CVE-2024-30051 is also being leveraged in conjunction with Qakbot and other malware. The researchers who reported it said "[we] believe that multiple threat actors have access to it," and promised to publish technical details once users have had time to update their Windows systems.

Post-Exploit:


  *   CVE-2024-30040: "An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user," Microsoft said.


  *   CVE-2024-30050: An attacker may alter the functionality of the Mark of the Web on successful exploitation.


  *   CVE-2024-30051: On successful exploitation, an attacker could gain SYSTEM privileges.
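As an added illustration of the mechanism CVE-2024-30050 targets (example code written for this alert, not code from Microsoft or from the original notification): Mark of the Web is an NTFS alternate data stream named Zone.Identifier that browsers and mail clients write to downloaded files, and SmartScreen and Office Protected View key off it. The script below builds two constructed sample files in a temp folder, tags one the way an Internet download is tagged, and then audits the folder for files that carry no mark, which is what a successful bypass leaves behind. The folder path and the function names are assumptions.

```powershell
# Added example: inspect Mark of the Web (the Zone.Identifier alternate data
# stream) on files in a folder. Written for this alert; not Microsoft code.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId from the Zone.Identifier stream (3 = Internet,
    # 4 = Restricted), or $null when the file carries no MoTW at all.
    try {
        $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null        # stream missing: file was never marked, or the mark was removed
    }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null            # stream present but malformed; treat as unmarked
}

function Find-UnmarkedFiles {
    param([Parameter(Mandatory)][string]$Folder)
    # Audit helper (assumed name): one row per file with its zone and whether
    # it is marked. Unmarked files in a download location deserve a second look.
    Get-ChildItem -Path $Folder -File | ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        [pscustomobject]@{
            Name   = $_.Name
            ZoneId = $zone
            Marked = ($null -ne $zone)
        }
    }
}

# Constructed sample: two files, one tagged as a browser would tag an Internet
# download, one untagged (as if MoTW had been bypassed or stripped).
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'tagged.docx')   -Value 'constructed sample'
Set-Content -Path (Join-Path $demo 'untagged.docx') -Value 'constructed sample'
Set-Content -Path (Join-Path $demo 'tagged.docx') -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Find-UnmarkedFiles -Folder $demo | Format-Table -AutoSize
# Unblock-File <path> deletes the Zone.Identifier stream; that is the legitimate
# way a mark goes away, and a user-driven one, unlike the bypass described above.
```

Point Find-UnmarkedFiles at $env:USERPROFILE\Downloads to review what is actually on a workstation; the stream only exists on NTFS volumes, so files staged on FAT-formatted removable media never carry a mark regardless of origin.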

Tenable Plugins:
As of May 15, 2024, the following vulnerability plugins have been released and are currently in Tenable Security Center:
NOTE: Due to the extensive number and variation of plugins between CVEs, we will be providing the links to the plugins for each CVE instead of providing a table.

CVE-2024-30040: https://www.tenable.com/cve/CVE-2024-30040/plugins
CVE-2024-30050: https://www.tenable.com/cve/CVE-2024-30050/plugins
CVE-2024-30051: https://www.tenable.com/cve/CVE-2024-30051/plugins

Recommended Actions:


  *   Verify the host has not been compromised before applying patches.
  *   Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
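A way to confirm the vendor update is actually present on a host, added here as an example for this alert rather than code from Microsoft or the original notification: compare the host's OS build revision (the UBR value) against the revision shipped in the May 14, 2024 cumulative update. The build and KB values in the table are taken from Microsoft's May 2024 release notes, not from the text above, so confirm them against the MSRC links before relying on the script; the function name is an assumption.

```powershell
# Added example: check whether a Windows host carries the May 14, 2024 security
# update that fixes CVE-2024-30040, CVE-2024-30050 and CVE-2024-30051.
# Written for this alert; not Microsoft code. Build/KB values come from
# Microsoft's May 2024 release notes, not from the notification above; confirm
# them against the MSRC advisory pages before acting on the result.

# Minimum update build revision (UBR) per OS build that contains the May LCU.
# Comparing the UBR is preferable to looking for the KB: cumulative updates
# supersede each other, so a host patched in June no longer lists the May KB.
$MinPatchedUbr = @{
    '22631' = 3593   # Windows 11 23H2                KB5037771
    '22621' = 3593   # Windows 11 22H2                KB5037771
    '22000' = 2960   # Windows 11 21H2                KB5037770
    '19045' = 4412   # Windows 10 22H2                KB5037768
    '19044' = 4412   # Windows 10 21H2                KB5037768
    '20348' = 2461   # Windows Server 2022            KB5037782
    '17763' = 5820   # Windows 10 1809 / Server 2019  KB5037765
    '14393' = 6981   # Windows 10 1607 / Server 2016  KB5037763
}
$MayKbs = @('KB5037771','KB5037770','KB5037768','KB5037782','KB5037765','KB5037763')

function Test-May2024Patched {
    param(
        # Defaults read the local host; pass values explicitly to evaluate a
        # build collected from elsewhere (inventory export, remote registry).
        [int]$Build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber,
        [int]$Ubr   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR,
        [switch]$SkipHotFixQuery
    )
    $min = $MinPatchedUbr["$Build"]
    if ($null -eq $min) {
        $status = 'Unknown build - check MSRC manually'
        $minBuild = $null
    } elseif ($Ubr -ge $min) {
        $status = 'Patched'
        $minBuild = "$Build.$min"
    } else {
        $status = 'Vulnerable'
        $minBuild = "$Build.$min"
    }

    # Secondary evidence only: a later cumulative update replaces the May one,
    # so $false here does not by itself mean the host is unpatched.
    $kbPresent = $null
    if (-not $SkipHotFixQuery) {
        $kbPresent = [bool](Get-HotFix | Where-Object { $_.HotFixID -in $MayKbs })
    }

    [pscustomobject]@{
        Build        = "$Build.$Ubr"
        MinimumBuild = $minBuild
        Status       = $status
        MayKbPresent = $kbPresent
    }
}

# Local host:
Test-May2024Patched

# Constructed inputs, evaluated without touching the local hotfix list:
Test-May2024Patched -Build 19045 -Ubr 4355 -SkipHotFixQuery   # Vulnerable: revision below 4412
Test-May2024Patched -Build 22631 -Ubr 3593 -SkipHotFixQuery   # Patched: exactly the May revision
```

Treat Status as the authoritative answer and MayKbPresent as supporting evidence; for fleet-wide checks, feed Build and Ubr from your inventory tool rather than running Get-HotFix on every host.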

Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that equitably serve Oregonians."

