Microsoft Windows DWM Zero-Day Poised for Mass Exploit

CVE-2024-30051, under active exploit, is the most concerning out of this month's Patch Tuesday offerings, and already being abused by several QakBot actors.

Closeup of mix many different multicolored Dutch tulips in a garden border near Amsterdam, Holland / Netherlands
Source: Wim Wiskerke via Alamy Stock Photo

A trio of zero-days headline Microsoft's May Patch Tuesday update, which offers a modest spring bouquet of 59 CVEs in total (just a third of last month's downpour of patches for admins to deal with). But at least one of the publicly known bugs is poised for mass exploitation, and is indeed already in use by QakBot operators.

This month's disclosed flaws affect the gamut of the computing kahuna's portfolio, including Windows, Office, .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and Windows Mobile Broadband. Only one of them is considered critical by Microsoft.

It should also be noted that the Chromium-based Edge browser is affected by CVE-2024-4761, a Chrome zero-day under active exploit that Google patched today, a critical sandbox escape bug that should be patched immediately.

Zero-Days Under Active Exploit

Two of the CVEs are listed as under active attack in the wild, while the third is simply already "publicly known at the time of the release."

Perhaps the most concerning is CVE-2024-30051 (7.2 CVSS), a Windows DWM Core Library elevation of privilege (EoP) vulnerability that allows local attackers already on a network to escalate to system privileges. When chained with a code-execution bug for initial access, it can lead to complete takeover of a target and lateral movement — a common path used by ransomware actors.

And indeed, Kaspersky researchers noted in a tandem blog today that multiple threat actors appear to have access to the exploit, which started circulating in April. Since then, adversaries using the popular QakBot initial-access Trojan in particular have co-opted the bug, they said. QakBot is an oft-seen partner in ransomware attacks.

"The speed with which threat actors are integrating this exploit into their arsenal underscores the importance of timely updates and vigilance in cybersecurity," said Boris Larin, principal security researcher at Kaspersky GReAT, in Kaspersky's blog.

Dustin Childs, head of threat initiative at Trend Micro's Zero Day Initiative (ZDI), says the exploitation could soon snowball, so prioritizing this one is a must.

"Microsoft doesn't provide any indication of the volume of attacks, but the DWM Core bug appears to me to be more than a targeted attack," he noted in his Patch Tuesday breakdown today. "Microsoft credits four different groups for reporting the bug, which indicates the attacks are widespread ... Don't wait to test and deploy this update; exploits will likely increase now that a patch is available to reverse engineer."

The other vulnerability that's under active exploit is a Windows MSHTML (Trident) Platform high-severity security feature bypass (CVE-2024-30040, CVSS 8.8) — and it should also be considered high priority for patching.

The MSHTML platform is a crucial component used for rendering HTML content in various applications, including Microsoft 365 and Microsoft Office.

"This vulnerability stems from improper input validation (CWE-20), allowing attackers to circumvent Object Linking and Embedding (OLE) mitigations that protect against malicious COM/OLE controls," explained researchers at Action1, in their Patch Tuesday writeup.

They explained, "Typically, users are deceived into interacting with malicious files, which might be delivered via email or instant messaging. The incorrect input validation means that the system fails to properly validate and sanitize input, allowing attackers to create documents that bypass MSHTML's OLE mitigations and execute arbitrary code upon user interaction."

Further, combining CVE-2024-30040 with an EoP vulnerability could allow attackers to also gain system or root privileges, implement persistence mechanisms, extract sensitive information from secured environments, and exploit additional vulnerabilities to move laterally within the network.

The third zero-day, which is not under active attack, is moderate-rated CVE-2024-30046 (CVSS 5.9), which exists in the ASP.NET Core and can lead to denial of service (DoS).

Critical Bug Offers Bower of Info-Disclosure Vectors

The lone critical bug in this month's patch of vulnerabilities is CVE-2024-30043 (CVSS 8.8) in Microsoft SharePoint Server. The information-disclosure vulnerability is more specifically an XML external entity injection (XXE) bug, according to ZDI's Childs.

"An authenticated attacker could use this bug to read local files with SharePoint Farm service account user privileges," he explained. "They could also perform an HTTP-based server-side request forgery (SSRF), and — most importantly — perform NLTM relaying as the SharePoint Farm service account. Bugs like this show why info disclosure vulnerabilities shouldn't be ignored or deprioritized."

That said, exploitation is not necessarily low-hanging fruit, noted Satnam Narang, senior staff research engineer at Tenable.

"While this vulnerability is also considered one of several vulnerabilities that are more likely to be exploited, exploitation requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and to take additional steps in order to exploit this flaw," he said via email, "which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance."

Other Concerning Bugs to Prioritize

Researchers also identified a handful of other bugs that admins should potentially prioritize in Microsoft's release.

First up is CVE-2024-30033 (CVSS 7.0), an important-rated Windows Search Service EoP bug in the Windows Search Service that Automox security engineer Mat Lee said should be treated as critical.

"This flaw exists due to improper handling of permissions by the service, which could be exploited to perform unauthorized actions on the system," he explained in a blog post today. "This specific vulnerability has the potential to pose a significant risk as it can be combined with other exploits to achieve privilege escalation. When a threat actor utilizes a combination of attacks, it has the potential to magnify the threat, where an attacker can do whatever they please on the system."

There's also CVE-2024-30018 (CVSS 7.8), an important-rated Windows Kernel EoP issue.

"The kernel manages hardware-software interactions and system resources, making it a potent target for attackers seeking to manipulate system operations to their advantage," explained Jason Kikta, CISO and senior vice president of product at Automox. "By exploiting vulnerabilities within the kernel, an attacker can bypass security mechanisms, execute code with elevated privileges, and potentially take full control of the affected system."

He added, "These vulnerabilities are particularly dangerous because they operate at a low level, often requiring immediate and prioritized patching to mitigate potential threats to system integrity and security."

And finally, ZDI's Childs flagged CVE-2024-30050 (CVSS 5.4), a moderate-rated security bypass for Windows Mark of the Web.

"We don't normally detail moderate-rated bugs, but this type of security feature bypass is in vogue with ransomware gangs," he explained. "They zip their payload to bypass network and host-based defenses. They use a Mark of the Web (MotW) bypass to evade SmartScreen or Protected View in Microsoft Office. While we have no indication this bug is being actively used, we see the technique used often enough to call it out. Bugs like this show why moderate-rated bugs shouldn't be ignored or deprioritized."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights