Microsoft has issued a patch for a critical zero-day flaw in its Windows configuration manager
Microsoft’s monthly Patch Tuesday security update might have been and gone, but Exploit Wednesday could linger for those users who have not been quick enough to protect their systems against a bunch of zero-day vulnerabilities. How many, do I hear you ask? How does five grab you from a haul of 117 security vulnerabilities fixed in all this month. However, it’s not a zero-day that has caught the attention of several security professionals: CVE-2024-43468 carries a critical severity rating of 9.8/10 and comes with an update now warning attached.
Here’s what we know and what you need to do.
How Dangerous Is CVE-2024-43468?
Microsoft itself rated CVE-2024-43468 as a critical vulnerability, despite it not being flagged as either publicly disclosed or exploited in the wild, which means it’s not a zero-day threat. The reason it is being taken so seriously is that it impacts Microsoft’s Configuration Manager and can remotely execute code if exploited successfully. “An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database,” Microsoft warned. One security professional described CVE-2024-43468 as being no-interaction and low complexity, the worse possible combination you want to find in a vulnerability such as this.
Mitigating CVE-2024-43468 Is Not At All Straightforward
Adam Barnett, the lead software engineer at Rapid7 who described it thus, warned that the update is far from straightforward. “The relevant update is installed within the Configuration Manager console,” Barnett said, “and requires specific administrator actions that Microsoft describes in detail in a generic series of articles.” Another, Tyler Reguly, an associate director of security research and development at Fortra, agreed that the update process for this vulnerability is not as simple as installing a patch. Because it requires an in-console update that then needs the user to confirm the exact updates to install, Reguly said, and doesn’t update secondary sites unless administrators perform another manual process, “the existence of vulnerable environments within the enterprise,” can be created
Indeed, the steps required are detailed in a Microsoft Knowledge Base article KB29166583 first published Sept. 04. This was then “subsequently unpublished and republished on Sept. 18,” Barnett explained, “without any mention of CVE-2024-43468.” Barnett advises defenders to read the available documentation very carefully “and then probably read it again for good measure.”
So, you know what to do: update as soon as feasible if you use the Microsoft Configuration Manager. “Successful exploitation of this vulnerability can allow for lateral movement throughout a network and offers the potential to deploy malicious configurations to other systems,” Cody Dietz, team lead of security engineering at Automox, said, advising immediate action as well as recommending the use of “an alternate service account in place of the computer account to mitigate risk.”
/cdn.vox-cdn.com/uploads/chorus_asset/file/24889891/8A0A9622.jpeg?w=238&resize=238,178&ssl=1 "Hackers took over robovacs to chase pets and yell slurs")
