Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs

1. 1Critical
2. 48Important
3. 0Moderate
4. 0Low

Microsoft addresses 49 CVEs in its June 2024 Patch Tuesday release with one rated as critical and no zero-day or publicly disclosed vulnerabilities. Our counts omitted two CVEs that were not issued by Microsoft, which include CVE-2023-50868 (issued by MITRE) and CVE-2024-29187 (issued by GitHub).

Microsoft patched 49 CVEs in its June 2024 Patch Tuesday release, with one rated critical and 48 rated as important

.

This month’s update includes patches for:

• Azure Data Science Virtual Machines
• Azure File Sync
• Azure Monitor
• Azure SDK
• Azure Storage Library
• Dynamics Business Central
• Microsoft Dynamics
• Microsoft Office
• Microsoft Office Outlook
• Microsoft Office SharePoint
• Microsoft Office Word
• Microsoft Streaming Service
• Microsoft WDAC OLE DB provider for SQL
• Microsoft Windows Speech
• Visual Studio
• Windows Cloud Files Mini Filter Driver
• Windows Container Manager Service
• Windows Cryptographic Services
• Windows DHCP Server
• Windows Distributed File System (DFS)
• Windows Event Logging Service
• Windows Kernel
• Windows Kernel-Mode Drivers
• Windows Link Layer Topology Discovery Protocol
• Windows NT OS Kernel
• Windows Perception Service
• Windows Remote Access Connection Manager
• Windows Routing and Remote Access Service (RRAS)
• Windows Server Service
• Windows Standards-Based Storage Management Service
• Windows Storage
• Windows Themes
• Windows Wi-Fi Driver
• Windows Win32 Kernel Subsystem
• Windows Win32K GRFX
• Winlogon

Elevation of Privilege (EoP) vulnerabilities accounted for 49% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) at 36.7%.

Windows 10 21H2 End Of Life

Microsoft announced that Windows 10 21H2 has reached its end of life for Enterprise, Education, IoT Enterprise, and Enterprise multi-session editions. This means that users of these versions of Windows 10 21H2 will no longer receive security updates and should upgrade as soon as possible. Plugin ID 192847 can be used to identify hosts that have unsupported installations of Windows 10 version 21H2.

ZDI-24-581 | Microsoft Azure SQL Managed Instance Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability

On June 6, 2024, Trend Micro's Zero Day Initiative (ZDI) published an advisory detailing a vulnerability relating to Managed MS SQL Server Instances within Azure. While not directly related to the June 2024 Patch Tuesday release, Tenable has received some inbound requests seeking clarification on ZDI's advisory.

The ZDI advisory is titled "Documentation SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability" and states that the reported flaw is specific to the permissions granted to a shared access signature (SAS) token.

As information in the advisory is vague and there has been no corresponding publication from Microsoft, we can only speculate as to the actual issue being disclosed here. In an effort to provide some clarity to our customers, Tenable Research was able to put together the following timeline:

• October 3, 2023 - ZDI reported an issue to MSRC detailing a flaw in the documentation for Microsoft Azure SQL Managed Instances.
• October 31, 2023 - MSRC publishes acknowledgement to the ZDI researcher for an issue in "Online Services."
• June, 2024 - ZDI publishes ZDI-24-581.

In September 2023, there was an overly permissive SAS token included in the documentation detailing the Backup Restoration process for Azure SQL Managed Instances: https://web.archive.org/web/20230907041433/https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/restore-sample-database-quickstart?view=azuresql.

The next available archival of this documentation is from December, 2023, which shows that this SAS token has been removed: https://web.archive.org/web/20231210164343/https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/restore-sample-database-quickstart?view=azuresql.

On June 7, CyberNews published an article summarizing this vulnerability. In an update to their article dated June 8th, CyberNews quotes a Microsoft spokesperson stating “This was addressed in November 2023, and customers are already protected.”

According to Microsoft, no CVE was issued for this vulnerability, and no customer action was needed. Based on this information and our analysis, this aligns with the above timeline. It is likely that the advisory release from ZDI is simply a delay in publication.

Tenable Solutions

A list of all the plugins released for Microsoft’s June 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

• Microsoft's June 2024 Security Updates
• Tenable plugins for Microsoft June 2024 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.