Microsoft has released its November 2024 Patch Tuesday updates, targeting various vulnerabilities that could impact users and organizations worldwide. From zero-day threats to key product patches, here’s what’s crucial to apply this month. Here’s a breakdown of the updates and how they impact your security posture.
Microsoft Patch’s Tuesday, November 2024 edition addressed 92 vulnerabilities, including four critical and 83 important severity vulnerabilities. This month’s updates also included one Defense in Depth update for Microsoft SharePoint Server.
In this month’s updates, Microsoft addressed four zero-day vulnerabilities. Two of these vulnerabilities, CVE-2024-49039 and CVE-2024-43451, are known to be exploited in the wild.
Microsoft has addressed two vulnerabilities in Microsoft Edge (Chromium-based) in this month’s updates.
Microsoft Patch Tuesday, November edition includes updates for vulnerabilities in .NET and Visual Studio, Windows Hyper-V, SQL Server, Windows Kerberos, Windows Kernel, Windows NT OS Kernel, Windows DWM Core Library, Windows Active Directory Certificate Services, and more.
Microsoft has fixed several flaws in multiple software, including Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Security Feature Bypass, and Remote Code Execution (RCE).
The November 2024 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| Spoofing Vulnerability | 3 | Important: 3 |
| Denial of Service Vulnerability | 4 | Important: 4 |
| Elevation of Privilege Vulnerability | 26 | Critical: 2 Important: 24 |
| Information Disclosure Vulnerability | 1 | Important: 1 |
| Remote Code Execution Vulnerability | 52 | Critical: 1 Important: 51 |
| Security Feature Bypass Vulnerability | 2 | Important: 2 |
Zero-day Vulnerabilities Patched in November Patch Tuesday Edition
CVE-2024-43451: NTLM Hash Disclosure Spoofing Vulnerability
An NTLM hash is a cryptographic format that stores user passwords on Windows systems. It’s a key part of the authentication process for users and computers on domains, home networks, and workgroup networks.
Upon successful exploitation, an attacker may disclose a user’s NTLMv2 hash to the attacker, who could use this to authenticate as the user.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before December 3, 2024.
CVE-2024-49040: Microsoft Exchange Server Spoofing Vulnerability
Microsoft Exchange Server is a mail and calendaring server that runs exclusively on Windows. Exchange Server includes calendaring software, email, and a place to manage contacts.
Microsoft has not provided any information about the vulnerability.
CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability
Active Directory Certificate Services (AD CS) is a Windows server role that manages and issues public key infrastructure (PKI) certificates. These certificates authenticate users, devices, and computers on a network and encrypt and digitally sign messages and documents.
An attacker may gain domain administrator privileges on successful exploitation.
CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability
Task Scheduler is a built-in Windows utility that allows users to automate the execution of programs, scripts, and various tasks at specific intervals or specific events. It simplifies the process of running repetitive tasks, managing background processes, and scheduling maintenance activities on a computer.
An authenticated attacker may exploit the vulnerability to run a specially crafted application on the target system. Upon successful exploitation, an attacker may execute RPC functions restricted to privileged accounts only.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urges users to patch the vulnerability before December 3, 2024.
Critical Severity Vulnerabilities Patched in November Patch Tuesday Edition
CVE-2024-43625: Microsoft Windows VMSwitch Elevation of Privilege Vulnerability
A Microsoft Windows VMSwitch, or virtual switch, is a software program that allows virtual machines (VMs) to communicate with each other and physical networks. VMSwitches are available in Hyper-V Manager when the Hyper-V server role is installed.
Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and prepare the target environment. Upon successful exploitation, an attacker may gain SYSTEM privileges.
CVE-2024-43639: Windows Kerberos Remote Code Execution Vulnerability
Windows Kerberos is a protocol that verifies user and host identities on a network. Kerberos uses a Key Distribution Center (KDC) and symmetric key cryptography to authenticate users. It assumes that transactions between clients and servers occur on an open network, where packets can be monitored and modified.
An unauthenticated attacker could use a specially crafted application to exploit a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target.
CVE-2024-49056: Airlift.microsoft.com Elevation of Privilege Vulnerability
The authentication bypass vulnerability by assumed-immutable data on airlift.microsoft.com may allow an authorized attacker to elevate privileges over a network.
CVE-2024-43498: .NET and Visual Studio Remote Code Execution Vulnerability
A remote unauthenticated attacker may exploit this vulnerability by sending specially crafted requests to a vulnerable .NET webapp or loading a specially crafted file into a vulnerable desktop app.
Other Microsoft Vulnerability Highlights
- CVE-2024-43623 is an elevation of privilege vulnerability in Windows NT OS Kernel. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2024-43630 is an elevation of privilege vulnerability in Windows Kernel. Upon successful exploitation, an attacker may gain SYSTEM privileges.
- CVE-2024-43629 is an elevation of privilege vulnerability in Windows DWM Core Library. An attacker may exploit the vulnerability to gain SYSTEM privileges.
- CVE-2024-43636 is an elevation of privilege vulnerability in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2024-43642 is a denial-of-service vulnerability in Windows SMB. An attacker may exploit the vulnerability to create a denial-of-service (DoS) attack.
- CVE-2024-49033 is a security feature bypass vulnerability in Microsoft Word. Successful exploitation of the vulnerability may allow an attacker to bypass specific functionality of the Office Protected View.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Package Library Manager, SQL Server, Microsoft Virtual Hard Drive, Windows SMBv3 Client/Server, Windows USB Video Driver, Microsoft Windows DNS, Windows NTLM, Windows Registry, .NET and Visual Studio, Windows Update Stack, LightGBM, Azure CycleCloud, Azure Database for PostgreSQL, Windows Telephony Service, Windows NT OS Kernel, Windows Hyper-V, Windows VMSwitch, Windows DWM Core Library, Windows Kernel, Windows Secure Kernel Mode, Windows Kerberos, Windows SMB, Windows CSC Service, Windows Defender Application Control (WDAC), Windows Active Directory Certificate Services, Microsoft Office Excel, Microsoft Graphics Component, Microsoft Office Word, Windows Task Scheduler, Microsoft Exchange Server, Visual Studio, Windows Win32 Kernel Subsystem, TorchGeo, Visual Studio Code, Microsoft PC Manager, Airlift.microsoft.com, Microsoft Edge (Chromium-based), and Microsoft Defender for Endpoint.
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).
You can see all your impacted hosts by these vulnerabilities using the following QQL query:
vulnerabilities.vulnerability: ( qid: 110480 or qid: 110481 or qid: 382336 or qid: 50139 or qid: 92186 or qid: 92187 or qid: 92188 or qid: 92189 or qid: 92190 or qid: 92191 or qid: 92192 or qid: 92193)
Rapid Response with Patch Management (PM)
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.
The following QQL will return the missing patches for this Patch Tuesday:
( qid: 110480 or qid: 110481 or qid: 382336 or qid: 50139 or qid: 92186 or qid: 92187 or qid: 92188 or qid: 92189 or qid: 92190 or qid: 92191 or qid: 92192 or qid: 92193)
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
With Qualys Policy Compliance’s Out-of-the-Box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited because the remediation (fix/patch) cannot be done now, these security controls are not recommended by any industry standards such as CIS, DISA-STIG.
Qualys Policy Compliance team releases these exclusive controls based on Vendor-suggested Mitigation/Workaround.
Mitigation refers to a setting, common configuration, or general best practice that exists in a default state and could reduce the severity of a vulnerability’s exploitation.
A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.
The following Qualys Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:
CVE-2024-49019: Active Directory Certificate Services Elevation of Privilege Vulnerability
This vulnerability has a CVSS: 3.1 7.8 / 6.8
Policy Compliance Control IDs (CIDs):
- 10018 Status of the ‘Certificate Services Client – Auto Enrollment: Enroll user and computer certificates automatically’ setting
- 27406 Status of the ‘Certificate Templates can be edited by Everyone’ on the domain.
- 27409 Status of the ‘Authentication Certificate Templates allow users to control the subject’ on the host
- 28125 Status of the ‘Certificate templates’ configured on the host
The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:
control.id: [10018,27406,27409,28125]
Visit the November 2024 Security Updates page to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their network with QIDs 110480, 110481, 382336, 50139, 92186, 92187, 92188, 92189, 92190, 92191, 92192, and 92193 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://msrc.microsoft.com/update-guide
https://msrc.microsoft.com/update-guide/releaseNote/2024-Nov
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43451
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49040
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49019
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49039
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43625
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43639
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49056
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43498
