High Threat Security Alert (A24-08-07): Multiple Vulnerabilities in Microsoft Products (August 2024)


 

Published on: 14 August 2024

  
  

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:
https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug

Reports indicated that the vulnerabilities (CVE-2024-38106, CVE-2024-38107, CVE-2024-38178, CVE-2024-38189, CVE-2024-38193 and CVE-2024-38213) in Microsoft Windows and Server, as well as Microsoft Office, 365 Apps and Microsoft Project are being exploited in the wild. In addition, the technical details of vulnerabilities (CVE-2024-21302, CVE-2024-38199 and CVE-2024-38200) in Microsoft Windows and Server, as well as Microsoft Office were publicly disclosed. System administrators and users are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

Multiple reports indicate that the remote code execution vulnerability (CVE-2024-38063) affecting Microsoft Windows and Server is at a high risk of exploitation. Exploitation of the vulnerability may allow unauthenticated remote attackers to execute arbitrary code on the affected systems via IPv6. System administrators and users are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • Microsoft Windows 10, 11
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 2022, 23H2 Edition
  • Microsoft Office 2019, LTSC 2021, LTSC for Mac 2021
  • Microsoft OfficePLUS
  • Microsoft Outlook 2016
  • Microsoft PowerPoint 2016
  • Microsoft Project 2016
  • Microsoft 365 Apps for Enterprise
  • Microsoft Dynamics 365 (on-premises) version 9.1
  • Microsoft Visual Studio 2022
  • .NET 8.0
  • App Installer
  • CBL Mariner 1.0, 2.0
  • Microsoft Teams for iOS
  • Remote Desktop client for Windows Desktop
  • Azure Connected Machine Agent
  • Azure CycleCloud 8.0.0, 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2, 8.3.0, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.6.0, 8.6.1, 8.6.2
  • Azure Health Bot
  • Azure IoT Hub Device Client SDK
  • Azure Linux 3.0
  • Azure Stack Hub
  • C SDK for Azure IoT

Please note that systems with IPv6 disabled are not susceptible to the vulnerability CVE-2024-38063. For detailed information, please refer to the corresponding security update guide at vendor's website.

 

Impact:

Successful exploitation of the vulnerabilities could lead to remote code execution, denial of service, elevation of privilege, information disclosure, security feature bypass, spoofing or tampering on an affected system.

 

Recommendation:

Patches for affected systems are available from the Windows Update / Microsoft Update Catalog. System administrators and users of affected systems should follow the recommendations provided by the vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug
  • https://www.hkcert.org/security-bulletin/microsoft-monthly-security-update-august-2024
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2601
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3775
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40547
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21302
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29187
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29995
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37968
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38058
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38063
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38081
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38084
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38098
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38106 (to CVE-2024-38109)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38114 (to CVE-2024-38118)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38120 (to CVE-2024-38123)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38125 (to CVE-2024-38128)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38130 (to CVE-2024-38138)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38140 (to CVE-2024-38148)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38150 (to CVE-2024-38155)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38157 (to CVE-2024-38163)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38165
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38167 (to CVE-2024-38173)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38177 (to CVE-2024-38178)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38180
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38184 (to CVE-2024-38187)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38189
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38191
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38193
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38195 (to CVE-2024-38201)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38211
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38213 (to CVE-2024-38215)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38223
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063


Tag: Microsoft , Windows , Windows Server , Microsoft Office , Microsoft Project , Microsoft 365 Apps , Microsoft Teams , Outlook , Remote Desktop , Visual Studio , Dynamics 365 , .NET , CBL Mariner , Microsoft Azure , Microsoft OfficePLUS , PowerPoint
Tags