On April 9, 2024, Microsoft published their April 2024 security updates with patches for 150 vulnerabilities. Among these vulnerabilities, Arctic Wolf has highlighted five vulnerabilities in this bulletin, which have either been exploited in the wild or labeled as critical severity by Microsoft.
Notably, 67 of the 150 patched vulnerabilities were remote code execution vulnerabilities. However, because each of them requires specific prerequisites for exploitation, none of them was rated critical severity.
Proxy Driver Spoofing Vulnerability – In at least one intrusion, threat actors leveraged this vulnerability to abuse the Microsoft Windows Hardware Compatibility Program (WHCP) and deploy a malicious executable signed with a valid Microsoft Hardware Publisher Certificate.
Secure Boot Security Feature Bypass Vulnerability – An exploited Secure Boot security feature bypass. A threat actor must have physical access or admin rights to install an affected boot policy on the target system. Successful exploitation, which requires admin credentials on the device, could bypass Secure Boot. Microsoft disclosed that this vulnerability was used by threat actors to install the BlackLotus UEFI bootkit.

This update coincides with Microsoft's update schedule and its evaluation phase, adding three additional boot manager mitigation controls:

A control to deploy the "Windows UEFI CA 2023" certificate to the Secure Boot DB, adding trust for Windows boot managers signed by this certificate. Note that the "Windows UEFI CA 2023" certificate might already have been installed by an earlier Windows update.

A control to deploy a boot manager signed by the "Windows UEFI CA 2023" certificate.

A control to add the "Windows Production PCA 2011" certificate to the Secure Boot DBX, which blocks all Windows boot managers signed by this certificate.

Additional updates tied to CVE-2023-24932:

The ability to enable mitigation deployment in stages independently, allowing more control over deploying the mitigations in your environment based on your needs. The mitigations are interlocked so that they cannot be deployed in the incorrect order.

Additional events that report the status of devices as they apply the mitigations. See KB5016061 for more details on the events.

Based on Microsoft's update schedule, the next update and final deployment phase will come on July 9, 2024, or later.
Microsoft Defender for IoT Remote Code Execution Vulnerability – Path traversal vulnerability that could lead to remote code execution. An authenticated threat actor with access to the file upload feature could successfully exploit this vulnerability and obtain remote code execution by uploading malicious files to sensitive locations on the vulnerable server.
Microsoft Defender for IoT Remote Code Execution Vulnerability – Path traversal vulnerability that could lead to remote code execution. An authenticated threat actor, with permissions to send update packages to the Defender IoT sensor, could successfully exploit this vulnerability and obtain remote code execution by sending a tar file to the Defender IoT sensor. After the extraction process completed, the attacker could send unsigned update packages and overwrite any file.
Microsoft Defender for IoT Remote Code Execution Vulnerability – Command injection vulnerability that could lead to remote code execution. Due to improper neutralization of special elements used in a command, a threat actor with administrator privileges on the web application could leverage command injection to obtain remote code execution.
Arctic Wolf will follow its standard internal processes to assess the impact of the newly reported vulnerabilities within its own environment and if impacted, will address them within the established remediation timelines in our Security Patching Policy.
Recommendations for CVE-2024-26234 for Windows and CVE-2024-29053
Recommendation: Apply Security Updates to Impacted Products
CVE-2023-24932 was previously patched in a separate Patch Tuesday (May 2023). However, Microsoft added Windows 11 version 23H2 to the updated products list. Arctic Wolf has elected not to add the May 2023 reference article and update links to this table to ensure clarity around patching the most recent vulnerabilities reported by Microsoft.
Additional steps are required to mitigate CVE-2023-24932.
Microsoft added Windows 11 version 23H2 for x64-based systems and Windows 11 version 23H2 for ARM-based systems to the update table because the April 2024 security updates provide the latest mitigations. These mitigations are off by default. Customers who need to take additional steps to implement the security mitigations for the publicly disclosed Secure Boot bypass leveraged by the BlackLotus UEFI bootkit, or who would like to take a proactive security stance or begin preparing for the rollout, should refer to KB5025885.
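Because the three CVE-2023-24932 mitigation controls described above are off by default and must be applied in order (2023 CA into DB, then a 2023-signed boot manager, then the 2011 PCA into DBX), an administrator preparing for the KB5025885 rollout will want to audit where each device currently stands. The script below is an added example written for this bulletin; it is not Arctic Wolf's or Microsoft's code. It assumes an elevated PowerShell session on a UEFI system with the SecureBoot module cmdlets Get-SecureBootUEFI and Confirm-SecureBootUEFI available, and that the EFI system partition has been mounted at S: (for example with mountvol S: /S) so the installed boot manager's signature can be inspected; the path S:\EFI\Microsoft\Boot\bootmgfw.efi and the issuer-string check are assumptions for this example. The substring match over the DB and DBX variable payloads relies on the certificate subject being readable as ASCII inside the DER-encoded entries.

```powershell
# Added example, not code from the bulletin or from Microsoft.
# Reports which of the interlocked CVE-2023-24932 Secure Boot mitigations are present.

function Test-UefiVarContains {
    # Returns $true when the named Secure Boot variable (db or dbx) contains $Pattern.
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'dbx')][string]$Name,
        [Parameter(Mandatory)][string]$Pattern
    )
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    } catch {
        # A missing variable (e.g. Secure Boot never provisioned) counts as "not present".
        return $false
    }
    $text = [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    return [bool]($text -match [regex]::Escape($Pattern))
}

function Get-BootManagerIssuer {
    # Returns the issuer of the installed boot manager's Authenticode signer, or $null.
    # Assumption: the ESP is mounted at S: (mountvol S: /S).
    param([string]$Path = 'S:\EFI\Microsoft\Boot\bootmgfw.efi')
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return $null }
    return $sig.SignerCertificate.Issuer
}

function Get-SecureBootMitigationStatus {
    param([string]$BootManagerPath = 'S:\EFI\Microsoft\Boot\bootmgfw.efi')

    try { $sbEnabled = Confirm-SecureBootUEFI } catch { $sbEnabled = $false }
    $issuer = Get-BootManagerIssuer -Path $BootManagerPath

    # Control 1: "Windows UEFI CA 2023" trusted in DB.
    $ca2023InDb = Test-UefiVarContains -Name db -Pattern 'Windows UEFI CA 2023'
    # Control 2: installed boot manager signed under the 2023 CA (assumed issuer string).
    $bootMgr2023 = ($null -ne $issuer) -and ($issuer -match 'Windows UEFI CA 2023')
    # Control 3: "Windows Production PCA 2011" revoked in DBX.
    $pca2011InDbx = Test-UefiVarContains -Name dbx -Pattern 'Windows Production PCA 2011'

    # The controls are interlocked: count how many consecutive stages are complete.
    $stage = 0
    if ($ca2023InDb)                  { $stage = 1 }
    if ($stage -eq 1 -and $bootMgr2023)  { $stage = 2 }
    if ($stage -eq 2 -and $pca2011InDbx) { $stage = 3 }

    # Out-of-order state worth flagging: 2011 PCA revoked while the running boot
    # manager is not 2023-signed means the device will not boot once Secure Boot
    # re-evaluates the boot manager.
    $inconsistent = $pca2011InDbx -and -not $bootMgr2023

    [PSCustomObject]@{
        ComputerName            = $env:COMPUTERNAME
        SecureBootEnabled       = $sbEnabled
        Ca2023InDb              = $ca2023InDb
        BootManagerSignedBy2023 = $bootMgr2023
        BootManagerIssuer       = $issuer
        Pca2011InDbx            = $pca2011InDbx
        MitigationStage         = $stage      # 0 = none applied, 3 = fully mitigated
        OrderingInconsistent    = $inconsistent
    }
}

# Usage: run elevated after mounting the ESP with "mountvol S: /S".
Get-SecureBootMitigationStatus | Format-List
```

On a device that has only installed the April 2024 update, all three controls reporting $false (MitigationStage 0) is the expected result, since the page notes the mitigations are off by default. A MitigationStage below 3 with OrderingInconsistent set to $true deserves immediate attention: once the 2011 PCA is in DBX, any boot manager or bootable media signed only under that certificate is blocked, which is why Microsoft's staged deployment requires the 2023-signed boot manager to be in place first.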