Microsoft Zero-Days November Patch Tuesday Vulnerabilities: How to defend against CVE-2024-43451 and CVE-2024-49039

Two zero-day vulnerabilities have been found targeting Microsoft Windows and Windows Server products. Learn how to protect against these vulnerabilities.

The November 2024 release of Patch Tuesday came with two zero-day vulnerabilities that were already being exploited in the wild. While neither CVE-2024-43451 nor CVE-2024-49039 is of critical severity, these vulnerabilities still pose notable risks: they are actively being exploited in targeted attacks and affect Microsoft Windows and Windows Server products, which are present in nearly every organization worldwide. The flaws were added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog and NIST’s National Vulnerability Database (NVD) on the day of publication.

The Vulnerabilities

Among the flaws addressed in the monthly Patch Tuesday release are a Windows Task Scheduler vulnerability and a Windows vulnerability in MSHTML, both of which have been exploited. However, Microsoft claims that neither of these issues is “critical” in terms of severity.

  • CVE-2024-43451 is a spoofing flaw affecting Windows and Windows Server machines. It discloses the user’s NTLMv2 hash, which is derived from their authentication credentials, and attackers can reuse that hash in a “pass the hash” attack. This allows potential attackers to authenticate as the user and elevate their privileges. This vulnerability was classified as medium severity, receiving a CVSS v3 score of 6.5.
  • CVE-2024-49039 is an elevation of privilege vulnerability in Windows Task Scheduler. Exploiting it lets an attacker execute RPC functions that are restricted to privileged accounts only. This vulnerability was classified as high severity, receiving a CVSS v3 score of 8.8.

Both vulnerabilities affect various Windows and Windows Server versions and builds, including the latest release of Windows Server 2025.

The Attacks

Microsoft published both vulnerabilities on November 12th, 2024. Because they were exploited before their publication, both are zero-days. CVE-2024-49039 is an interesting case of active exploitation, as container escapes are rarely seen in the wild. The attack requires prior code execution on the system to succeed, although a low-privileged user context is enough. Discovery of this flaw is associated with researchers including members of Google’s Threat Analysis Group (TAG). Given this connection, the zero-day exploitation of this vulnerability may be nation-state-aligned or linked to advanced persistent threat (APT) activity. Unfortunately, no further details are available on this exploitation.

ClearSky, an Israeli cybersecurity company that Microsoft acknowledged for discovering CVE-2024-43451, claims to have found it and its active exploitation back in June 2024—nearly half a year before its official publication with an assigned CVE. It is suspected that it was initially exploited as part of cyber-attacks targeting Ukraine by a Russia-linked threat actor in an attack chain delivering the open-source Spark RAT malware.

CVE-2024-43451 can be exploited to steal the logged-in user’s NTLMv2 hash by forcing a connection to a remote server controlled by the attacker. User interaction with the malicious URL file is required, but it is hardly a barrier: right-clicking, deleting, or moving the file is enough to trigger the exploit. Once triggered, a connection to the remote server is established and used to download malware payloads, such as the open-source, multi-platform remote access tool SparkRAT, which gives attackers remote control over infiltrated systems. Further investigation of the exploits uncovered a second attempt to capture the NTLM hash, this time over the Server Message Block (SMB) protocol. These hashes can then be cracked to recover a user’s plaintext password.
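A defender-side triage routine for the mechanism described above, added here as an example and not code from the original post or from the campaign analysis: it parses Internet Shortcut (.url) files and flags keys whose values point at a network path (a UNC share or a file:// host), since those are the entries Windows resolves, and authenticates to, when the file is merely displayed or moved. The set of keys checked, the sample files, and the 203.0.113.10 address are constructed assumptions.

```python
import configparser
import re
from urllib.parse import urlparse

# Internet Shortcut (.url) files are INI text with an [InternetShortcut]
# section. Keys whose values Explorer resolves when the file is shown,
# right-clicked, moved or deleted (not only opened) are the ones worth
# triaging; this key list is an assumption for the example.
RESOLVED_KEYS = ("url", "iconfile", "workingdirectory")

# \\host\share\... ; also matches WebDAV-style \\host@SSL\DavWWWRoot\...
UNC_PATH = re.compile(r"^\\\\[^\\\s]+\\")

def is_network_path(value: str) -> bool:
    """True if resolving the value makes Windows contact a remote host."""
    v = value.strip().strip('"')
    if UNC_PATH.match(v):
        return True
    parsed = urlparse(v)
    # file://host/share is resolved as a UNC path; http(s) links only open
    # in a browser when the user deliberately launches the shortcut.
    return parsed.scheme == "file" and bool(parsed.netloc)

def find_network_targets(url_file_text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs in the shortcut that point at a remote host."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(url_file_text)
    except configparser.Error:
        return []  # not a parseable shortcut; no finding from this check
    hits = []
    for section in cp.sections():
        if section.lower() != "internetshortcut":
            continue
        for key, value in cp.items(section):  # keys are lower-cased
            if key in RESOLVED_KEYS and is_network_path(value):
                hits.append((key, value.strip()))
    return hits

# Constructed samples (not from the campaign): a benign shortcut and one
# whose icon is served from a remote share.
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\nIconIndex=0\n"
SUSPICIOUS = (
    "[InternetShortcut]\n"
    "URL=https://www.example.com/\n"
    "IconFile=\\\\203.0.113.10\\share\\report.ico\n"
    "IconIndex=0\n"
)

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, find_network_targets(text))
```

Run over a mail gateway quarantine or a file share, any hit on a shortcut delivered from outside the organization warrants the same handling as a phishing attachment.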

While there is little further insight into this exploitation, it is already the third vulnerability disclosing the NTLMv2 hash to be exploited in the wild in 2024 alone. Attackers have clearly become very persistent in pursuing these disclosures, as the hashes can be reused to authenticate to other systems and move laterally within a network, gaining access to more of them. Given the post-COVID-19 trend of granting users higher access to ease the workload of IT staff, this vulnerability has the potential to become disastrous.

Current Solutions

Along with the publication of these vulnerabilities, Microsoft has released urgent security patches as part of the Patch Tuesday cycle to prevent potential breaches. Users are advised to apply these as soon as possible to eliminate the threat.

Additionally, for CVE-2024-43451, customers are advised to install Security Updates and include IE Cumulative Updates in their installations to stay fully protected.

For CVE-2024-49039, Microsoft provided detailed guidance, involving manual administrative work, that helps mitigate this vulnerability against further attacks. These mitigations include securing certificate templates, removing excessive permissions, and deleting unused templates. However, administrators with the skills required to manage this area of the Windows infrastructure are increasingly rare. Few companies have employees whose area of expertise is certificate authority administration.

On top of that, as a regular precaution, companies are encouraged to strengthen their defenses against phishing and credential-harvesting attempts and monitor for indicators of compromise.

How can Skybox help?

A day after the discovery was made public, the Skybox Research Lab integrated the vulnerabilities into our threat intelligence feed. Their status in the feed was adjusted in accordance with the discovery that they were being exploited in the wild.

The complete Skybox risk score is updated and weighted according to the vulnerabilities’ current statuses and subsequent modifications. This technique, taking into account a variety of risk criteria, helps users quickly and easily identify the assets and vulnerabilities that pose the most danger to their organization and decide on the most appropriate course of action for remediation.

In this instance, Skybox customers determine the significance of the impacted Microsoft Windows and Windows Server products within the company network. The organization’s security team receives a customized risk score based on its importance and additional criteria, such as the standard CVSS score for CVE-2024-43451 and CVE-2024-49039. Using this score, they can decide how best to secure the organization.

The Skybox Vulnerability and Threat Management solution provides insightful analysis of the possible risks and practical mitigation strategies. It suggests counteracting security measures to reduce exposure risk on the client’s network, including altering firewall rules or implementing an IPS signature.

Learn how Skybox proactively protects you from vulnerabilities like those affecting Microsoft Windows and Windows Servers.