The Patch Tuesday for November of 2024 includes 89 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Microsoft assessed that exploitation of the four “critical” vulnerabilities is “less likely.”

CVE-2024-43639 is a remote code execution vulnerability in Windows Kerberos that could be exploited by an attacker by creating a specially crafted application to leverage a vulnerable cryptographic protocol. While considered “critical” it was determined that exploitation is “less likely” and not been detected in the wild.

CVE-2024-43625 is a privilege escalation vulnerability in a VMSwitch driver, which is a networking component of Hyper-V. An attacker could exploit this by sending a specific series of network packets to the driver to trigger a “use after free” vulnerability in the Hyper-V host, allowing the attacker to execute arbitrary code with elevated privileges.Although classified as “critical,” exploitation was deemed “less likely” and the attack complexity considered “high.” Microsoft has not detected active exploitation of this vulnerability in the wild.

CVE-2024-43602 is a remote code execution vulnerability in Azure CycleCloud. Although marked as "critical," Microsoft has determined that exploitation is "less likely." If an attacker has gained basic user privileges they may be able to exploit this by sending specially crafted packets to the Azure CycleCloud cluster to gain root privileges. Microsoft has not detected active exploitation of this vulnerability in the wild.

CVE-2024-43498 is a "critical" remote code execution vulnerability in .NET and Visual Studio. Microsoft has assessed exploitation of this vulnerability as "less likely." A remote attacker could exploit a vulnerable .NET web app by sending specially crafted packets, or loading a specially crafted file into a vulnerable application. In the wild exploitation of this vulnerability has not been detected by Microsoft.

Of the vulnerabilities included in the release, several “important” updates were listed as “exploitation more likely”. These updates are listed below:

  • CVE-2024-49033 - Microsoft Word Security Feature Bypass Vulnerability
  • CVE-2024-43623 - Windows NT OS Kernel Elevation of Privilege Vulnerability
  • CVE-2024-43629 - Windows DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2024-43630 - Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2024-43636 - Win32k Elevation of Privilege Vulnerability
  • CVE-2024-49019 - Active Directory Certificate Services Elevation of Privilege VulnerabilityCisco Confidential
  • CVE-2024-43642 - Windows SMB Denial of Service Vulnerability

Additionally, Talos would like to highlight the following “important” vulnerabilities as exploitation has been detected by Microsoft:

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62022, 62023, 64218-64224, 64229, 64232 and 64233. There are also Snort 3 rules 301064, 300612, 301065, 301066 and 301073.