Microsoft security alert.
August 13, 2024
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 70 vulnerabilities that were fixed in 13 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 13 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Office Security Update for August 2024
- Severity
- Critical 4
- Qualys ID
- 110473
- Vendor Reference
- KB5002570, KB5002586, KB5002625, Office Click-2-Run and Office 365 Release Notes
- CVE Reference
- CVE-2024-38169, CVE-2024-38170, CVE-2024-38171, CVE-2024-38172, CVE-2024-38189, CVE-2024-38200
- CVSS Scores
- Base 7.8 / Temporal 6.4
- Description
-
Microsoft has released August 2024 security updates to fix Remote Code Execution and Spoofing vulnerabilities.
This security update contains the following:
5002586
5002625
5002570
Office Click-2-Run and Office 365 Release Notes and
Current Channel: Version 2407 (Build 17830.20166)
Monthly Enterprise Channel: Version 2406 (Build 17726.20206)
Monthly Enterprise Channel: Version 2405 (Build 17628.20206)
Semi-Annual Enterprise Channel (Preview): Version 2402 (Build 17328.20550)
Semi-Annual Enterprise Channel: Version 2402 (Build 17328.20550)
Semi-Annual Enterprise Channel: Version 2308 (Build 16731.20792)
Semi-Annual Enterprise Channel: Version 2302 (Build 16130.21094)
Office 2021 Retail: Version 2407 (Build 17830.20166)
Office 2019 Retail: Version 2407 (Build 17830.20166)
Office 2016 Retail: Version 2407 (Build 17830.20166)
Office LTSC 2021 Volume Licensed: Version 2108 (Build 14332.20763)
Office 2019 Volume Licensed: Version 1808 (Build 10413.20020)
QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft Office via the Windows Registry. The QID checks the file version of "graph.exe" to identify vulnerable versions of Microsoft Office.
Operating System: MacOS
This QID checks for the vulnerable versions of affected Office Applications.
Note: Office click-2-run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.
- Consequence
-
Vulnerable products may be prone to Remote Code Execution and/or Spoofing Vulnerabilities.
- Solution
-
Customers are advised to refer to the Article(s): CVE-2024-38189,
CVE-2024-38171,
CVE-2024-38170,
CVE-2024-38169,
CVE-2024-38172, and
CVE-2024-38200 for more information regarding these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38169
CVE-2024-38170
CVE-2024-38171
CVE-2024-38172
CVE-2024-38189
CVE-2024-38200
-
Microsoft Outlook Remote Code Execution (RCE) Vulnerability for August 2024
- Severity
- Serious 3
- Qualys ID
- 110474
- Vendor Reference
- CVE-2024-38173
- CVE Reference
- CVE-2024-38173
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft has released August 2024 security updates for Outlook to fix a Remote Code Execution Vulnerability.
This security update contains the following:
KB5002626 and
Office Click-2-Run and Office 365 Release Notes
Patched Versions for Microsoft 365 (C2R) are:
Current Channel: Version 2407 (Build 17830.20166)
Monthly Enterprise Channel: Version 2406 (Build 17726.20206)
Monthly Enterprise Channel: Version 2405 (Build 17628.20206)
Semi-Annual Enterprise Channel (Preview): Version 2402 (Build 17328.20550)
Semi-Annual Enterprise Channel: Version 2402 (Build 17328.20550)
Semi-Annual Enterprise Channel: Version 2308 (Build 16731.20792)
Semi-Annual Enterprise Channel: Version 2302 (Build 16130.21094)
Office 2021 Retail: Version 2407 (Build 17830.20166)
Office 2019 Retail: Version 2407 (Build 17830.20166)
Office 2016 Retail: Version 2407 (Build 17830.20166)
Office LTSC 2021 Volume Licensed: Version 2108 (Build 14332.20763)
Office 2019 Volume Licensed: Version 1808 (Build 10413.20020)
QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft Office via the Windows Registry. The QID checks the file version of "outlook.exe" to identify vulnerable versions of Microsoft Outlook.
Note: Office click-2-run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.
- Consequence
-
Vulnerable Outlook installations may be prone to a Remote Code Execution vulnerability.
- Solution
-
Customers are advised to refer to the Article(s): CVE-2024-38173 for more information regarding this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38173
-
Microsoft Azure CycleCloud Remote Code Execution (RCE) Vulnerability for August 2024
- Severity
- Critical 4
- Qualys ID
- 380329
- Vendor Reference
- CVE-2024-38195
- CVE Reference
- CVE-2024-38195
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
Azure CycleCloud is an enterprise-friendly tool for orchestrating and managing High Performance Computing (HPC) environments on Azure.
An authenticated attacker with Azure CycleCloud instance command execution capabilities might send a specially crafted request to return storage account credentials and runtime data.
Affected Software:
Azure CycleCloud from 8.0.0 prior to 8.0.2
Azure CycleCloud from 8.1.0 prior to 8.1.1
Azure CycleCloud from 8.2.0 prior to 8.2.2
Azure CycleCloud 8.3.0
Azure CycleCloud from 8.4.0 prior to 8.4.2
Azure CycleCloud 8.5.0
Azure CycleCloud 8.6.0 prior to 8.6.2
QID Detection Logic (Authenticated):
On Linux, this authenticated QID flags vulnerable versions of Azure CycleCloud.
- Consequence
-
Successful exploitation of this vulnerability could enable remote code execution to be performed on any cluster in the CycleCloud instance.
- Solution
-
Customers are advised to refer to CVE-2024-38195 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38195
-
Microsoft .NET Security Update for August 2024
- Severity
- Critical 4
- Qualys ID
- 92156
- Vendor Reference
- CVE-2024-38167, CVE-2024-38168
- CVE Reference
- CVE-2024-38167, CVE-2024-38168
- CVSS Scores
- Base 7.8 / Temporal 5.8
- Description
-
Microsoft has released a security update for .NET that addresses vulnerabilities related to Information Disclosure and Denial of Service.
Affected versions:
.NET 8.0 before version 8.0.8
QID Detection Logic: Authenticated
On Windows, this QID detects vulnerable versions of Microsoft .NET by checking the file version.
On Linux, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in "/usr/share/dotnet/shared/Microsoft.NETCore.App/" and "/root/shared/Microsoft.NETCore.App" folders.
On Mac, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in "/usr/share/dotnet/shared/Microsoft.NETCore.App/" folder.
- Consequence
-
Vulnerable versions of Microsoft .NET are prone to Information Disclosure and Denial of Service.
- Solution
-
Customers are advised to refer to CVE-2024-38167, CVE-2024-38168,
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38167
CVE-2024-38168
-
Microsoft Dynamics 365 (On-Premises) Cross-Site Scripting (XSS) Vulnerability for August 2024
- Severity
- Critical 4
- Qualys ID
- 92157
- Vendor Reference
- CVE-2024-38211
- CVE Reference
- CVE-2024-38211
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
Microsoft Dynamics 365 is a product line of enterprise resource planning and customer relationship management intelligent business applications.
The vulnerability exists if malicious scripts are executed in the victim's browser. To execute the malicious scripts, the user would have to click on a specially crafted URL to be compromised by the attacker.
Affected Software:
Microsoft Dynamics CRM (on-premises) version 9.1
QID Detection Logic (Authenticated):
This authenticated QID flags vulnerable systems by detecting vulnerable versions of the file Microsoft.Crm.Setup.Server.exe.
- Consequence
-
The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site. The user would have to click on a specially crafted URL to be compromised by the attacker.
- Solution
-
Customers are advised to refer to CVE-2024-38211 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38211
-
Microsoft Windows Domain Name System (DNS) Spoofing Vulnerability for August 2024
- Severity
- Critical 4
- Qualys ID
- 92158
- Vendor Reference
- CVE-2024-37968
- CVE Reference
- CVE-2024-37968
- CVSS Scores
- Base 3.5 / Temporal 2.6
- Description
-
Microsoft Windows Domain Name System (DNS) Server Security Update - August 2024
Affected Operating Systems: Windows Server 2012 R2 (Server Core installation), Windows Server 2012 R2, Windows Server 2012 (Server Core installation), Windows Server 2012, Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation), Windows Server 2022 23H2 Edition (Server Core installation), Windows Server 2022 (Server Core installation), Windows Server 2022, Windows Server 2019 (Server Core installation), Windows Server 2019
The KB Articles associated with the update:
Patch version is 10.0.9600.22134 for KB5041828
Patch version is 10.0.9200.25031 for KB5041851
Patch version is 10.0.7601.27277 for KB5041838, KB5041823
Patch version is 10.0.6003.22825 for KB5041850, KB5041847
Patch version is 10.0.25398.1085 and 10.0.14393.7259 for KB5041773
Patch version is 10.0.20348.2655 for KB5041160
Patch version is 10.0.17763.6189 for KB5041578
QID Detection Logic:
Authenticated: This QID checks for the file version of dns.exe
Unauthenticated: This QID checks for vulnerable version of Microsoft DNS by checking the DNS version exposed in the banner.
- Consequence
- Successful exploitation of this vulnerability may affect Integrity and Availability.
- Solution
-
Vendor has released patch. Please refer to the following advisories for more information.
CVE-2024-37968
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-37968
-
Microsoft Visual Studio Security Update for August 2024
- Severity
- Critical 4
- Qualys ID
- 92159
- Vendor Reference
- CVE-2024-38167, CVE-2024-38168
- CVE Reference
- CVE-2024-38167, CVE-2024-38168
- CVSS Scores
- Base 7.8 / Temporal 5.8
- Description
-
Microsoft has released a security update for Visual Studio that addresses vulnerabilities related to Information Disclosure and Denial of Service.
Affected Versions:
Microsoft Visual Studio 2022 version 17.10
Microsoft Visual Studio 2022 version 17.8
Microsoft Visual Studio 2022 version 17.6
QID Detection Logic (Authenticated):
Windows
This QID detects vulnerable versions of Microsoft Visual Studio by checking the registry key "HKLM\SOFTWARE\Microsoft" and the file "devenv.exe" to determine the Visual Studio version.
- Consequence
-
Vulnerable versions of Microsoft Visual Studio are prone to Information Disclosure and Denial of Service.
- Solution
-
Customers are advised to refer to CVE-2024-38167, CVE-2024-38168,
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38167
CVE-2024-38168
-
Microsoft Windows Security Update for August 2024
- Severity
- Urgent 5
- Qualys ID
- 92160
- Vendor Reference
- KB5041160, KB5041571, KB5041573, KB5041578, KB5041580, KB5041585, KB5041592, KB5041773, KB5041782, KB5041823, KB5041828, KB5041838, KB5041847, KB5041850, KB5041851
- CVE Reference
- CVE-2022-2601, CVE-2022-3775, CVE-2023-40547, CVE-2024-29995, CVE-2024-38106, CVE-2024-38107, CVE-2024-38114, CVE-2024-38115, CVE-2024-38116, CVE-2024-38117, CVE-2024-38118, CVE-2024-38120, CVE-2024-38121, CVE-2024-38122, CVE-2024-38123, CVE-2024-38125, CVE-2024-38126, CVE-2024-38127, CVE-2024-38128, CVE-2024-38130, CVE-2024-38131, CVE-2024-38132, CVE-2024-38133, CVE-2024-38134, CVE-2024-38135, CVE-2024-38136, CVE-2024-38137, CVE-2024-38138, CVE-2024-38140, CVE-2024-38141, CVE-2024-38142, CVE-2024-38143, CVE-2024-38144, CVE-2024-38145, CVE-2024-38146, CVE-2024-38147, CVE-2024-38148, CVE-2024-38150, CVE-2024-38151, CVE-2024-38152, CVE-2024-38153, CVE-2024-38154, CVE-2024-38155, CVE-2024-38178, CVE-2024-38180, CVE-2024-38193, CVE-2024-38196, CVE-2024-38198, CVE-2024-38214, CVE-2024-38215, CVE-2024-38223
- CVSS Scores
- Base 7.5 / Temporal 6.2
- Description
-
Microsoft Windows Security Update - August 2024
KB5041571
KB5041585
KB5041580
KB5041592
KB5041160
KB5041773
KB5041782
KB5041573
KB5041578
KB5041851
KB5041838
KB5041823
KB5041850
KB5041847
KB5041828
QID Detection Logic (Authenticated):
This QID checks for the file version of 'ntoskrnl.exe'.
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability.
- Solution
-
Please refer to the following KB Articles associated with the update:
KB5041571
KB5041585
KB5041580
KB5041592
KB5041160
KB5041773
KB5041782
KB5041573
KB5041578
KB5041851
KB5041838
KB5041823
KB5041850
KB5041847
KB5041828
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5041160
KB5041571
KB5041573
KB5041578
KB5041580
KB5041585
KB5041592
KB5041773
KB5041782
KB5041823
KB5041828
KB5041838
KB5041847
KB5041850
KB5041851
-
Microsoft Windows Network Virtualization Remote Code Execution (RCE) Vulnerability for August 2024
- Severity
- Urgent 5
- Qualys ID
- 92161
- Vendor Reference
- CVE-2024-38159, CVE-2024-38160
- CVE Reference
- CVE-2024-38159, CVE-2024-38160
- CVSS Scores
- Base 4.1 / Temporal 3
- Description
-
Microsoft Windows Network Virtualization Security Update - August 2024
Affected Operating Systems: Windows Server 2016 (Server Core installation), Windows Server 2016, Windows 10 Version 1607 for x64-based Systems, Windows 10 Version 1607 for 32-bit Systems
The KB Articles associated with the update:
Patch version is 10.0.14393.7259 for KB5041773
QID Detection Logic:
Authenticated: This QID checks for the file version of Windows Network Virtualization
- Consequence
-
An attacker could exploit the vulnerability by taking advantage of the unchecked return value in the wnv.sys component of Windows Server 2016.
- Solution
-
Vendor has released patch. Please refer to the following advisories for more information.
CVE-2024-38160
CVE-2024-38159
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38159
CVE-2024-38160
-
Microsoft Azure Connected Machine Agent Elevation of Privilege Vulnerability for August 2024
- Severity
- Critical 4
- Qualys ID
- 92162
- Vendor Reference
- CVE-2024-38098, CVE-2024-38162
- CVE Reference
- CVE-2024-38098, CVE-2024-38162
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers.
Affected versions:
All versions before version 1.45
QID Detection Logic: Authenticated
On Windows, this QID detects vulnerable versions by checking the file version.
On Linux, this QID detects vulnerable versions by checking the Azure Arc-enabled version present in "/usr/share/dotnet/shared/Azure Arc-enabled/" and "/root/shared/Azure Arc-enabled" folders.
- Consequence
-
An attacker who successfully exploited this vulnerability could create or delete files in the security context of the NT AUTHORITY\SYSTEM account and gain system privileges.
- Solution
-
Customers are advised to refer to CVE-2024-38162 and CVE-2024-38098 for more information on these vulnerabilities and their patches.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38098
CVE-2024-38162
-
Microsoft Windows App Installer Spoofing Vulnerability for August 2024
- Severity
- Critical 4
- Qualys ID
- 92163
- Vendor Reference
- CVE-2024-38177
- CVE Reference
- CVE-2024-38177
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
CVE-2024-38177: Windows App Installer Spoofing Vulnerability
QID Detection Logic (authenticated):
The detection gets the version of Microsoft.DesktopAppInstaller by querying wmi class Win32_InstalledStoreProgram.
- Consequence
- An attacker could craft a malicious attachment to be used in phishing campaigns.
- Solution
-
Please refer to CVE-2024-38177.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38177
-
Microsoft Windows Line Printer Daemon (LPD) Service Remote Code Execution (RCE) Vulnerability
- Severity
- Urgent 5
- Qualys ID
- 92164
- Vendor Reference
- CVE-2024-38199
- CVE Reference
- CVE-2024-38199
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
An unauthenticated attacker could send a specially crafted print task to a shared vulnerable Windows Line Printer Daemon (LPD) service across a network. Successful exploitation could result in remote code execution on the server.
Affected Products:
All Operating Systems mentioned in CVE-2024-38199
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability.
- Solution
-
Please refer to this advisory page for more information and updates on this Vulnerability, CVE-2024-38199
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38199
-
Microsoft Windows Transmission Control Protocol/Internet Protocol (TCP/IP) Remote Code Execution (RCE) Vulnerability for August 2024
- Severity
- Urgent 5
- Qualys ID
- 92165
- Vendor Reference
- KB5041160, KB5041571, KB5041573, KB5041578, KB5041580, KB5041585, KB5041592, KB5041773, KB5041782, KB5041823, KB5041828, KB5041838, KB5041847, KB5041850, KB5041851
- CVE Reference
- CVE-2024-38063
- CVSS Scores
- Base 10 / Temporal 7.8
- Description
-
A remote code execution vulnerability exists in Microsoft Windows TCP/IP.
Patch version is 10.0.26100.1455 for KB5041571
Patch version is 10.0.22621.4036 for KB5041585
Patch version is 10.0.19041.4780 for KB5041580
Patch version is 10.0.22000.3147 for KB5041592
Patch version is 10.0.20348.2652 for KB5041160
Patch version is 10.0.14393.7254 for KB5041773
Patch version is 10.0.10240.20747 for KB5041782
Patch version is 10.0.25398.1085 for KB5041573
Patch version is 10.0.17763.6189 for KB5041578
Patch version is 6.2.9200.25016 for KB5041851
Patch version is 6.1.7601.27265 for KB5041838
Patch version is 6.1.7601.27265 for KB5041823
Patch version is 6.0.6003.22814 for KB5041850
Patch version is 6.0.6003.22814 for KB5041847
Patch version is 6.3.9600.22131 for KB5041828
QID Detection Logic (Authenticated):
This QID checks for the file version of ntoskrnl.exe. The QID additionally checks if IPv6 is enabled on the host.
- Consequence
- An unauthenticated attacker could repeatedly send IPv6 packets, including specially crafted packets, to a Windows machine, which could enable remote code execution.
- Solution
-
Customers are advised to refer to CVE-2024-38063 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2024-38063
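An offline version of the check described in this entry, added here as an example (it is not Qualys's detection code): it compares collected ntoskrnl.exe file versions with the patch versions listed above and factors in the IPv6 state. The CSV columns, host names, status labels, and the rule that the first three version fields select the row to compare against are assumptions of the example.

```python
import csv
import io

# Patched ntoskrnl.exe versions and KBs, copied from the list in this entry.
# Key: first three version fields; value: (minimum patched revision, KB).
PATCHED = {
    "10.0.26100": (1455, "KB5041571"),
    "10.0.22621": (4036, "KB5041585"),
    "10.0.19041": (4780, "KB5041580"),
    "10.0.22000": (3147, "KB5041592"),
    "10.0.20348": (2652, "KB5041160"),
    "10.0.14393": (7254, "KB5041773"),
    "10.0.10240": (20747, "KB5041782"),
    "10.0.25398": (1085, "KB5041573"),
    "10.0.17763": (6189, "KB5041578"),
    "6.2.9200": (25016, "KB5041851"),
    "6.1.7601": (27265, "KB5041838, KB5041823"),
    "6.0.6003": (22814, "KB5041850, KB5041847"),
    "6.3.9600": (22131, "KB5041828"),
}


def parse_version(text):
    """Split 'a.b.c.d' into ('a.b.c', d); tolerate a trailing '(WinBuild...)' suffix."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty version string")
    parts = tokens[0].split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return ".".join(parts[:3]), int(parts[3])


def assess(version, ipv6_enabled):
    """Return (status, kb). Status labels are hypothetical, chosen for this example."""
    try:
        branch, revision = parse_version(version)
    except ValueError:
        return "unknown", None
    if branch not in PATCHED:
        return "unknown", None          # branch not in the advisory's list
    fixed_revision, kb = PATCHED[branch]
    if revision >= fixed_revision:
        return "patched", kb
    # Assumption: a host is flagged only when it is unpatched AND IPv6 is enabled;
    # unpatched hosts with IPv6 off are reported separately so they still get the KB.
    return ("vulnerable" if ipv6_enabled else "unpatched-ipv6-off"), kb


def triage(csv_text):
    """Map host -> (status, kb) for inventory rows: host,ntoskrnl_version,ipv6_enabled."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {
        r["host"]: assess(r["ntoskrnl_version"], r["ipv6_enabled"].strip().lower() == "true")
        for r in rows
    }


# Constructed sample inventory (not real hosts).
SAMPLE = """host,ntoskrnl_version,ipv6_enabled
ws-01,10.0.19041.4780,true
ws-02,10.0.19041.4651,true
srv-01,10.0.20348.2582,false
srv-02,10.0.17763.6189,true
lab-01,10.0.12345.1,true
"""

if __name__ == "__main__":
    for host, (status, kb) in triage(SAMPLE).items():
        print(f"{host:8} {status:20} {kb or '-'}")
```
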
These new vulnerability checks are included in Qualys vulnerability signature 2.6.116-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110473
- 110474
- 380329
- 92156
- 92157
- 92158
- 92159
- 92160
- 92161
- 92162
- 92163
- 92164
- 92165
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.