{"id":52604,"date":"2024-11-14T04:04:12","date_gmt":"2024-11-14T09:04:12","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=52604"},"modified":"2024-11-14T04:04:12","modified_gmt":"2024-11-14T09:04:12","slug":"2024-november-patch-tuesday","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/2024-november-patch-tuesday\/52604\/","title":{"rendered":"CVE-2024-43451 and other reasons to update ASAP"},"content":{"rendered":"<p>With November\u2019s Patch Tuesday Microsoft fixed 89 vulnerabilities in its products \u2014 two of which are being actively exploited. One of them \u2014 <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-43451\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2024-43451<\/a> \u2014 is particularly alarming. It allows attackers to gain access to the victim\u2019s NTLMv2 hash. Although it doesn\u2019t have an impressive CVSS 3.1 rating (only 6.5 \/ 6.0), its exploitation requires minimal interaction from the user, and it exists thanks to the MSHTML engine \u2014 the legacy of Internet Explorer \u2014 which is <a href=\"https:\/\/www.kaspersky.com\/blog\/internet-explorer-is-finally-dead-or-is-it\/48104\/\" target=\"_blank\" rel=\"noopener nofollow\">theoretically deactivated<\/a> and no longer used. Nevertheless, all current versions of Windows are affected by this vulnerability.<\/p>\n<h2>Why is CVE-2024-43451 so dangerous?<\/h2>\n<p>CVE-2024-43451 allows an attacker to create a file that, once delivered to the victim\u2019s computer, will give the attacker the possibility of stealing the NTLMv2 hash. NTLMv2 is a network authentication protocol used in Microsoft Windows environments. 
Having access to the NTLMv2 hash, an attacker can perform a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/pass-the-hash-attack\/\" target=\"_blank\" rel=\"nofollow noopener\">pass-the-hash attack<\/a> and attempt to authenticate on the network by posing as a legitimate user \u2014 without having their real credentials.<\/p>\n<p>Of course, CVE-2024-43451 alone is not enough for a full-fledged attack \u2014 cybercriminals would have to use other vulnerabilities \u2014 but someone else\u2019s NTLMv2 hash would make the attacker\u2019s life much easier. At this point in time we have no additional information about scenarios that use CVE-2024-43451 in practice, but the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2024-43451\" target=\"_blank\" rel=\"nofollow noopener\">vulnerability description<\/a> clearly states that the vulnerability is publicly disclosed, and cases of exploitation have been detected in the wild.<\/p>\n<h2>What does \u201cminimal interaction\u201d mean?<\/h2>\n<p>It is generally assumed that if a user doesn\u2019t open a malicious file \u2014 nothing bad can happen. In this case, that\u2019s not true. According to the mini-FAQ in the security update guide <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/advisory\/CVE-2024-43451\" target=\"_blank\" rel=\"nofollow noopener\">advisory on CVE-2024-43451<\/a>, exploitation may occur even when the user selects the file (single left-click), inspects it (with a right-click), or performs some \u201caction other than opening or executing\u201d.<\/p>\n<h2>What other vulnerabilities did Microsoft close in the November patch?<\/h2>\n<p>The second vulnerability that is already being exploited in real attacks is <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-49039\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2024-49039<\/a>. 
It allows attackers to escape from the <a href=\"https:\/\/docs.microsoft.com\/windows\/win32\/secauthz\/appcontainer-isolation\" target=\"_blank\" rel=\"nofollow noopener\">AppContainer<\/a> environment and, as a result, escalate their privileges to a Medium Integrity Level. In addition, there are two more holes that the company states are disclosed, although they\u2019ve not yet been noticed in real attacks. These are <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-49019\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2024-49019<\/a> in the Active Directory Certificate Service, which also allows the attacker to elevate privileges, and <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-49040\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2024-49040<\/a> in Exchange, thanks to which malicious emails can be displayed with a fake sender address.<\/p>\n<p>In addition, the critical vulnerability <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-43639\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2024-43639<\/a>, which allows remote code execution in Kerberos, also looks dangerous \u2014 though it only affects servers that are configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server.<\/p>\n<h2>How to stay safe?<\/h2>\n<p>In order to stay safe, we recommend, firstly, promptly installing updates for critical software (which, of course, includes the operating systems). In addition, it\u2019s worth remembering that most attacks exploiting software vulnerabilities begin via email. 
Therefore, we recommend equipping all work devices with a <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">reliable security solution<\/a>, and not forgetting about protection at the <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">mail gateway level<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Exploitation of vulnerability CVE-2024-43451 allows an attacker to steal an NTLMv2 hash with minimal interaction from the victim.<\/p>\n","protected":false},"author":2698,"featured_media":52605,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[634,25,398,268],"class_list":{"0":"post-52604","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-ie","11":"tag-internet-explorer","12":"tag-patches","13":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/2024-november-patch-tuesday\/52604\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/2024-november-patch-tuesday\/28290\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/2024-november-patch-tuesday\/23541\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/2024-november-patch-tuesday\/28426\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/2024-november-patch-tuesday\/38537\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/2024-november-patch-tuesday\/28502\/"},{"hre
flang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/2024-november-patch-tuesday\/34381\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/2024-november-patch-tuesday\/34006\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52604","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2698"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=52604"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52604\/revisions"}],"predecessor-version":[{"id":52607,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52604\/revisions\/52607"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/52605"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=52604"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=52604"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=52604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}