On August 13, 2024, Microsoft released its August 2024 security update, which addressed 90 vulnerabilities. Of these, Arctic Wolf has highlighted 15 in this security bulletin, comprising:
- Vulnerabilities labeled by Microsoft as Critical severity.
- 6 vulnerabilities reported to have been exploited in the wild.
Vulnerabilities
Vulnerability | CVSS | Affected Product | Description | Exploited? |
CVE-2024-38106 | 7.0 | Windows | Windows Kernel Elevation of Privilege Vulnerability – A local threat actor can exploit this vulnerability to obtain SYSTEM privileges by winning a race condition. | Yes |
CVE-2024-38107 | 7.8 | Windows | Windows Power Dependency Coordinator Elevation of Privilege Vulnerability – A local threat actor can exploit this vulnerability to obtain SYSTEM privileges. | Yes |
CVE-2024-38178 | 7.5 | Windows | Scripting Engine Memory Corruption Vulnerability – A remote unauthenticated threat actor can achieve Remote Code Execution (RCE) by convincing an authenticated user to click a crafted URL, provided the target uses Edge in Internet Explorer Mode. | Yes |
CVE-2024-38193 | 7.8 | Windows | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability – A local threat actor can exploit this vulnerability to obtain SYSTEM privileges. | Yes |
CVE-2024-38213 | 6.5 | Windows | Windows Mark of the Web Security Feature Bypass Vulnerability – A remote threat actor can exploit this vulnerability by having a victim open a malicious file they have sent. Exploiting this vulnerability could bypass SmartScreen protection. | Yes |
CVE-2024-38160, CVE-2024-38159 | 9.1 | Windows | Windows Network Virtualization RCE Vulnerability – A remote threat actor can exploit this vulnerability in the wnv.sys component of Windows Server 2016 by manipulating the Memory Descriptor List (MDL), leading to unauthorized memory writes or a critical guest-to-host escape. Exploitation requires elevated privileges and could allow control over other tenants’ applications and content. | No |
CVE-2024-38140 | 9.8 | Windows | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability – A remote unauthenticated threat actor can exploit this vulnerability by sending specially crafted packets to a Windows Pragmatic General Multicast (PGM) open socket on the server, requiring no user interaction. | No |
CVE-2024-38063 | 9.8 | Windows | Windows TCP/IP RCE Vulnerability – A remote unauthenticated threat actor can repeatedly send IPv6 packets containing specially crafted data to a Windows machine, potentially enabling RCE. | No |
CVE-2024-38199 | 9.8 | Windows | Windows Line Printer Daemon (LPD) Service RCE Vulnerability – A remote unauthenticated threat actor can send a specially crafted print task to a shared vulnerable Windows Line Printer Daemon (LPD) service across a network, potentially leading to RCE. | No |
CVE-2024-21302 | 6.7 | Windows | Windows Secure Kernel Mode Elevation of Privilege Vulnerability – Part of the Windows Downgrade Attack presented at Black Hat 2024. This vulnerability allows a local threat actor with administrator privileges to replace current Windows system files with outdated versions. Exploiting this could reintroduce previously mitigated vulnerabilities, bypass certain Virtualization Based Security (VBS) features, and exfiltrate data protected by VBS. | No |
CVE-2024-38202 | 7.3 | Windows | Windows Update Stack Elevation of Privilege Vulnerability – Part of the Windows Downgrade Attack presented at Black Hat 2024. This vulnerability allows a local threat actor with basic user privileges to exploit Windows Update, potentially reintroducing previously mitigated vulnerabilities or bypassing some VBS features. Successful exploitation requires additional interaction from a privileged user. | No |
CVE-2024-38189 | 8.8 | Microsoft Office | Microsoft Project RCE Vulnerability – A remote threat actor can exploit this by getting the victim to open a malicious Microsoft Office Project file on a system where macros from the Internet are not blocked and VBA Macro Notification Settings are disabled, enabling RCE. | Yes |
CVE-2024-38200 | 6.5 | Microsoft Office | Microsoft Office Spoofing Vulnerability – Part of the “NTLM – The Last Ride” DEF CON 2024 talk. In a web-based attack scenario, a remote threat actor sends the victim a link and convinces them to open a malicious file. | No |
CVE-2024-38109 | 9.1 | Azure | Azure Health Bot Elevation of Privilege Vulnerability – A remote authenticated threat actor can exploit a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges across a network. Microsoft has stated this has been fully mitigated and no action is required by users. | No |
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
Product | CVE | Update |
Windows Server 2022, 23H2 Edition | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041573, 5039236 |
Windows Server 2022 | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041160, 5039227, 5039330 |
Windows Server 2019 | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041578, 5039217 |
Windows Server 2016 | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38159, CVE-2024-38160, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041773, 5039214 |
Windows Server 2012 R2 | CVE-2024-38063, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041828, 5041770, 5039294 |
Windows Server 2012 | CVE-2024-38063, CVE-2024-38107, CVE-2024-38140, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041851, 5039260 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | CVE-2024-38063, CVE-2024-38140, CVE-2024-38193, CVE-2024-38199 | 5041838, 5041823 |
Windows Server 2008 for x64-based Systems Service Pack 2 | CVE-2024-38063, CVE-2024-38140, CVE-2024-38193, CVE-2024-38199 | 5041838, 5041823 |
Windows Server 2008 for 32-bit Systems Service Pack 2 | CVE-2024-38063, CVE-2024-38140, CVE-2024-38193, CVE-2024-38199 | 5041850, 5041847 |
Windows 11 Version 24H2 for x64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199 | 5041571 |
Windows 11 Version 24H2 for ARM64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199 | 5041571 |
Windows 11 Version 23H2 for x64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041585 |
Windows 11 Version 23H2 for ARM64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041585, 5039212 |
Windows 11 Version 22H2 for x64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041585, 5039212 |
Windows 11 Version 22H2 for ARM64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041585, 5039212 |
Windows 11 version 21H2 for x64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5039212 |
Windows 11 version 21H2 for ARM64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041592, 5039213 |
Windows 10 Version 22H2 for x64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041580, 5039211 |
Windows 10 Version 22H2 for ARM64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041580, 5039211 |
Windows 10 Version 22H2 for 32-bit Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041580, 5039211 |
Windows 10 Version 21H2 for x64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041580, 5039211 |
Windows 10 Version 21H2 for ARM64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041580, 5039211 |
Windows 10 Version 21H2 for 32-bit Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041580, 5039211 |
Windows 10 Version 1809 for x64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041578, 5039217 |
Windows 10 Version 1809 for ARM64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041578, 5039217 |
Windows 10 Version 1809 for 32-bit Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041578 |
Windows 10 Version 1607 for x64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38159, CVE-2024-38160, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041773 |
Windows 10 Version 1607 for 32-bit Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38159, CVE-2024-38160, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041773, 5039214 |
Windows 10 for x64-based Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041782, 5040448 |
Windows 10 for 32-bit Systems | CVE-2024-21302, CVE-2024-38063, CVE-2024-38106, CVE-2024-38107, CVE-2024-38140, CVE-2024-38178, CVE-2024-38193, CVE-2024-38199, CVE-2024-38213 | 5041782, 5040448, 5039225 |
Microsoft Project 2016 (64-bit edition) | CVE-2024-38189 | 5002561 |
Microsoft Project 2016 (32-bit edition) | CVE-2024-38189 | 5002561 |
Microsoft Office LTSC 2021 for 64-bit editions | CVE-2024-38189, CVE-2024-38200 | Click to Run |
Microsoft Office LTSC 2021 for 32-bit editions | CVE-2024-38189, CVE-2024-38200 | Click to Run |
Microsoft Office 2019 for 64-bit editions | CVE-2024-38189, CVE-2024-38200 | Click to Run |
Microsoft Office 2019 for 32-bit editions | CVE-2024-38189, CVE-2024-38200 | Click to Run |
Microsoft Office 2016 (64-bit edition) | CVE-2024-38200 | 5002625, 5002570 |
- Note: Microsoft is developing a security update to mitigate CVE-2024-38189, but it is not yet available.
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
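As an added example (not part of the Arctic Wolf bulletin and not Microsoft tooling), the following PowerShell script checks whether a Windows host has one of the August 2024 KB updates listed in the table above installed. It assumes an elevated PowerShell 5.1 or later session, uses only the built-in Get-HotFix, Get-CimInstance and Get-ItemProperty cmdlets, and copies the KB numbers for the Windows rows of the table (the Office rows are delivered via Click-to-Run and are not covered). The product-to-KB mapping, the OS detection logic and the function names are this example's own.

```powershell
# Added example: verify a host against the KB numbers in the bulletin's update table.
# Assumption: Get-HotFix reads Win32_QuickFixEngineering, which does not record every
# update type, so treat a "not patched" result as a prompt to confirm in Windows Update
# history rather than as proof the host is unpatched.

# KB numbers per product, copied from the bulletin's update table (Windows rows only).
$BulletinUpdates = @{
    'Windows Server 2022'     = @('5041160', '5039227', '5039330')
    'Windows Server 2019'     = @('5041578', '5039217')
    'Windows Server 2016'     = @('5041773', '5039214')
    'Windows Server 2012 R2'  = @('5041828', '5041770', '5039294')
    'Windows 11 Version 24H2' = @('5041571')
    'Windows 11 Version 23H2' = @('5041585', '5039212')
    'Windows 11 Version 22H2' = @('5041585', '5039212')
    'Windows 10 Version 22H2' = @('5041580', '5039211')
    'Windows 10 Version 21H2' = @('5041580', '5039211')
    'Windows 10 Version 1809' = @('5041578', '5039217')
    'Windows 10 Version 1607' = @('5041773', '5039214')
}

function Get-BulletinProductKey {
    # Map the running OS to one key of the table above, using the OS caption plus the
    # DisplayVersion (newer builds) or ReleaseId (older builds) value from the registry.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ver = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    if ($os.Caption -match 'Server (2022|2019|2016|2012 R2)') {
        return "Windows Server $($Matches[1])"
    }
    if ($os.Caption -match 'Windows (10|11)') {
        return "Windows $($Matches[1]) Version $ver"
    }
    return $null
}

function Test-August2024PatchState {
    # Returns an object describing which of the bulletin's KBs are present on this host.
    $key = Get-BulletinProductKey
    if (-not $key -or -not $BulletinUpdates.ContainsKey($key)) {
        Write-Warning "OS not found in the bulletin table (detected: '$key'); check the table manually."
        return
    }

    $expected  = $BulletinUpdates[$key]
    # HotFixID values look like 'KB5041580'; normalise the table entries to that form.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $present   = @($expected | Where-Object { $installed -contains "KB$_" })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Product      = $key
        ExpectedKBs  = ($expected -join ', ')
        InstalledKBs = ($present -join ', ')
        Patched      = ($present.Count -gt 0)
    }
}

Test-August2024PatchState | Format-List
```

The table lists more than one KB for most products, and not every KB applies to every servicing channel, so the check treats any one listed KB as sufficient; tighten the match to the specific KB your update ring deploys if you need a stricter result, and run the script across your fleet (for example via Invoke-Command) rather than host by host.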