Microsoft decided to be kind this Patch Tuesday, releasing 49 Microsoft assigned CVEs and 9 CVEs from other CNAs, for a total of 58 CVEs. Since 7 of those CVEs are Chrome CVEs that were published on June 3rd, we’re looking at 51 new CVEs today. A relatively small number that includes most of the regulars – Office, SharePoint, Windows Kernel, and Dynamics – and includes a few unusual faces – Azure Science Virtual Machines (DSVMs) and the Microsoft Authentication Library and Azure Identity Library for several programming languages.
One of the vulnerabilities that we should expect everyone to be looking at and talking about is CVE-2023-50868, a DNSSEC protocol level denial-of-service. Specifically, a CPU Exhaustion related to the Closest Encloser Proof in NSEC3. NSEC3 is an improved version of NSEC (Next Secure) that provides authenticated denial of existence. By proving that a record doesn’t exist (with evidence of the surrounding records), you can help to prevent against DNS Cache poisoning against non-existent domains. NSEC would allow for domain name enumeration, which is prevented in NSEC3. This is prevented by introducing hashing and this hashing, which can be caused at a large scale by this vulnerability, is what leads to the denial-of-service vulnerability. Since this is a protocol level vulnerability, products other than Microsoft are affected with well-known DNS servers like bind, powerdns, dnsmasq, and others also releasing updates to resolve this issue.
When it comes to CVEs issued by Microsoft, I expect that everyone will be talking about CVE-2024-30080, a vulnerability in Microsoft Message Queuing (MSMQ) that could allow for remote code execution. Microsoft has given the vulnerability a CVSS score of 9.8 and said that exploitation is more likely. Microsoft has also recommended disabling the service until a time at which you can install the update. A couple of quick Shodan searches reveal over a million hosts running with port 1801 open and over 3500 results for ‘msmq’. Given this is a remote code execution, I would expect to see this vulnerability included in exploit frameworks in the near future.
Click here for more Patch Tuesday analysis.
Request a Fortra® Demo
From reconnaissance through achieving objectives, Fortra® interrupts attackers at every step of the attack chain.
