Vulnerability

CISA Adds Four New Exploited Vulnerabilities to Known Exploited Vulnerabilities Catalog

The inclusion of these vulnerabilities follows verified reports of active exploitation by malicious actors. The vulnerabilities affect various Microsoft systems and could have severe implications for federal agencies and organizations globally.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On September 10, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an alert announcing the addition of four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. The inclusion of these vulnerabilities follows verified reports of active exploitation by malicious actors. The vulnerabilities affect various Microsoft systems and could have severe implications for federal agencies and organizations globally.

Newly Added Vulnerabilities:

CVE-2024-38226 – Microsoft Publisher Security Feature Bypass
CVE-2024-43491 – Microsoft Windows Update Remote Code Execution
CVE-2024-38014 – Microsoft Windows Installer Privilege Escalation
CVE-2024-38217 – Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass

These vulnerabilities represent common targets for cyberattacks and pose significant risks to the broader federal enterprise, making their timely remediation a high priority.

Report Overview

CISA's Known Exploited Vulnerabilities Catalog is part of Binding Operational Directive (BOD) 22-01, an initiative aimed at reducing the risks posed by known vulnerabilities across federal systems. The catalog lists Common Vulnerabilities and Exposures (CVEs) that have been identified as actively exploited, guiding Federal Civilian Executive Branch (FCEB) agencies in their efforts to mitigate threats. While BOD 22-01 is mandatory for FCEB agencies, CISA strongly advises all organizations to prioritize patching these vulnerabilities as part of their broader cybersecurity strategy.

CVE-2024-38226 (Microsoft Publisher Security Feature Bypass): This vulnerability allows attackers to bypass security features in Microsoft Publisher, providing an avenue for malicious actors to deliver unauthorized content to users without triggering security warnings.
CVE-2024-43491 (Microsoft Windows Update Remote Code Execution): This remote code execution vulnerability in Microsoft Windows Update can be exploited to gain control over a target system, potentially allowing the execution of arbitrary commands.
CVE-2024-38014 (Microsoft Windows Installer Privilege Escalation): This flaw in Windows Installer permits an attacker to escalate privileges on a compromised system, potentially leading to full control of the affected machine.
CVE-2024-38217 (Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass): MOTW is designed to protect users from potentially harmful files downloaded from the internet. Exploiting this bypass vulnerability could allow attackers to evade this security feature and execute malicious code.

The active exploitation of these vulnerabilities puts FCEB agencies and other organizations at risk of unauthorized access, privilege escalation, and potentially full system compromise. If unaddressed, these weaknesses could lead to data theft, ransomware attacks, and other malicious activities that disrupt operations. The vulnerabilities primarily affect Microsoft systems, which are widely deployed across public and private sector networks.

Given the prevalence of these platforms, the broader implications extend beyond federal systems. Organizations that fail to address these vulnerabilities may face increased risks of being targeted by attackers leveraging these weaknesses.

Insights and Analysis

CISA continues to advocate for swift action in addressing these known vulnerabilities. While BOD 22-01 mandates remediation for federal agencies, CISA urges all organizations to take similar measures to reduce their attack surface. Recommended actions include:

Prioritize Patching: Ensure that all systems are updated with the latest security patches addressing these CVEs.
Review Security Configurations: Conduct regular audits of security configurations to verify that no unintentional exposure to these vulnerabilities exists.
Implement Strong Endpoint Defenses: Use endpoint detection and response (EDR) solutions to monitor and respond to potential exploits.

With the growing sophistication of cyber threats, timely remediation of known vulnerabilities is critical. The four newly added CVEs pose significant risks, particularly for organizations relying on Microsoft systems. By addressing these vulnerabilities promptly, organizations can protect themselves from the active threats exploiting these weaknesses.

CISA will continue to update the Known Exploited Vulnerabilities Catalog to reflect newly identified risks, reinforcing its mission to support organizations in strengthening their cybersecurity posture.