Critical SharePoint, Qakbot-linked flaws focus of May Patch Tuesday

A critical vulnerability affecting Microsoft SharePoint Server, and two zero-day flaws in Windows MSHTML Platform and Windows Desktop Window Manager (DWM) Core Library, should be top of mind for administrators as Microsoft releases its monthly Patch Tuesday update addressing more than 60 bugs and issues.

The SharePoint Server flaw, which stands as the only critical vulnerability in the May 2024 drop, is a remote code execution (RCE) vulnerability tracked as CVE-2024-30044. Details of it have not yet been made public, nor does it appear to have been exploited in the wild.

Microsoft said that if an authenticated attacker has obtained site owner permissions, they could exploit CVE-2024-30044 to upload a specially crafted file to the victim server and then craft application programming interface (API) requests that trigger the deserialisation of the file's parameters. In this way, they could achieve RCE in the context of the compromised server.

The fact that CVE-2024-30044 stems from an untrusted data deserialisation issue makes it particularly problematic, explained Mike Walters, president and co-founder of Action1, because it allows attackers to inject and execute arbitrary code during the deserialisation process.

“An attacker with basic Site Viewer permissions could leverage this vulnerability to execute code remotely, enabling activities such as deploying web shells, installing malware or extracting sensitive data,” said Walters. “If an attacker gains initial access through other means, such as phishing or another vulnerability, they could use CVE-2024-30044 to establish a more persistent and powerful foothold within the network.

“Combining this vulnerability with another that allows privilege escalation could enable attackers to transition from initial access to full administrative control,” he said.

“This can facilitate persistence within the network and make detection more challenging. Upon establishing control, attackers could use further tools to exfiltrate sensitive data from the SharePoint Server, potentially leading to significant data breaches. Additionally, once remote code execution is achieved, threat actors might deploy ransomware to encrypt critical files on the SharePoint Server, demanding a ransom for the decryption keys.”
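The failure mode Walters describes, as an added Python example that is not SharePoint or Microsoft code (the .NET gadget behind CVE-2024-30044 is not public, so this shows the generic pattern with Python's pickle, a format in which the serialised bytes choose which callable the loader invokes): an "uploaded file" names the function to run, a naive handler runs it, an allow-listing loader refuses it, and a static scan lists what the file would import without loading it. The `Gadget`, `RestrictedUnpickler` and `referenced_globals` names, the sample documents, and the use of `os.getenv` as a harmless stand-in for real payload code are this example's own constructions.

```python
"""
Untrusted deserialisation, shown in Python with pickle.

Added illustration, not Microsoft or SharePoint code. It demonstrates the
same class of bug as CVE-2024-30044: data that is allowed to pick the type
(or function) to instantiate becomes code execution on load.
"""
import io
import os
import pickle
import pickletools


class Gadget:
    """Attacker-controlled object. __reduce__ tells the unpickler which
    callable to invoke on load; os.getenv is a harmless stand-in here,
    but os.system or subprocess.Popen would hand the attacker a shell."""

    def __reduce__(self):
        return (os.getenv, ("PATH",))


def build_malicious_upload() -> bytes:
    """Attacker side: the 'specially crafted file' that gets uploaded."""
    return pickle.dumps(Gadget())


def deserialise_unsafe(blob: bytes):
    """Vulnerable server side: the API handler trusts whatever module and
    name the uploaded bytes reference, so loading the file runs the gadget."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only an explicit allow-list of (module, name) pairs
    may be resolved; anything else is refused before it can be called."""

    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
        ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def deserialise_hardened(blob: bytes):
    """Server side after the fix: same bytes, allow-listed resolution."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def referenced_globals(blob: bytes) -> list:
    """Static check an upload gateway can run without loading anything:
    list every (module, name) the stream would import. GLOBAL carries
    'module name' in one argument; STACK_GLOBAL takes the two most recently
    pushed strings. Memoised repeats (BINGET) are not resolved here, which a
    production scanner should also track."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
                         "UNICODE", "STRING", "SHORT_BINSTRING", "BINSTRING"):
            strings.append(arg)
    return found


def run_demo() -> dict:
    """Exercise the unsafe path, the hardened path and the static scan."""
    blob = build_malicious_upload()
    unsafe_result = deserialise_unsafe(blob)  # os.getenv("PATH") ran on load
    try:
        deserialise_hardened(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # Constructed benign document: plain containers only, no globals.
    benign = pickle.dumps({"site": "demo", "params": [1, 2, 3]})
    return {
        "gadget_ran": unsafe_result == os.getenv("PATH"),
        "gadgets_seen": referenced_globals(blob),
        "hardened_blocked": blocked,
        "benign_roundtrip": deserialise_hardened(benign),
    }


if __name__ == "__main__":
    print(run_demo())
```

The allow-listing loader is a mitigation for code that cannot move off a type-naming format; the durable fix is a data-only format such as JSON validated against a schema, because any format in which the bytes choose the type keeps producing new gadget chains. The static scan is the check to put in front of an upload endpoint, since it never executes the file.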

Object linking and embedding

The two zero-day flaws this month are CVE-2024-30040, a security feature bypass vulnerability in Windows MSHTML Platform, and CVE-2024-30051, an elevation of privilege (EoP) vulnerability in Windows DWM Core Library.

On the first of these, Microsoft revealed how it essentially lets a malicious actor bypass object linking and embedding (OLE) protections in Microsoft 365 and Microsoft Office by getting a user to load a tainted file onto a vulnerable system via a phishing email or instant message and convincing them to manipulate it, though not necessarily to click on or open it. This would give the unauthenticated attacker the ability to execute arbitrary code in the context of the victim user.

Quackers for Qakbot

On the Windows DWM Core Library vulnerability, Microsoft said it would enable an attacker to gain SYSTEM-level privileges on the victim's machine, but provided little additional context or detail. It is known to stem from a heap-based buffer overflow, which makes it potentially severe, and it is exploitable by a local user with relatively low privileges.

Of the two zero-days, it’s CVE-2024-30051 that has generated significant interest among cyber experts, due to an historic connection to an infamous threat.

Tyler Reguly, senior manager of security research and development at Fortra, explained: “This month everyone is going to be talking about CVE-2024-30051 since it is known that it is being used in QakBot and other malware. This is an update that should be applied as soon as possible given the nature of the vulnerability and the fact that real-world exploitation has been confirmed.”

Qakbot is a long-lived banking trojan dating back more than a decade. It latterly became popular among cyber criminals as a remote access trojan (RAT), used to great effect by ransomware gangs such as LockBit and REvil.

Its infrastructure was taken down in August 2023 in an FBI-led operation dubbed Operation Duck Hunt, but as of February 2024 researchers from the Sophos X-Ops team reported that someone with access to Qakbot's source code appeared to be testing new builds and making concerted efforts to harden the malware's encryption, so that the new variant can more effectively defy analysis.

The vulnerability was found by Kaspersky researchers at the beginning of April, when a suspicious document on VirusTotal drew their attention. Written in broken English and missing crucial details, the document hinted at a potential Windows OS vulnerability, but the exploit chain it described seemed identical to that used to trigger a previous zero-day, CVE-2023-36033.

Although they initially suspected the flaw might be fictional or simply unexploitable, the Kaspersky team probed it further, and quickly found and reported that CVE-2024-30051 was genuine. The team has since been monitoring for its use, and said today that an exploit has been circulating since mid-April.

“We found the document on VirusTotal intriguing due to its descriptive nature, and decided to investigate further, which led us to discover this critical zero-day vulnerability,” said Boris Larin, principal security researcher at Kaspersky GReAT. “The speed with which threat actors are integrating this exploit into their arsenal underscores the importance of timely updates and vigilance in cyber security.”

Kaspersky said it plans to release more technical details of CVE-2024-30051 once enough time has passed for vulnerable users to update.

Action1’s Walters added: “Given its critical nature and the low complexity of the exploit, CVE-2024-30051 poses a significant risk, particularly in environments with numerous and diverse local users, such as corporate networks and academic institutions.

“The existence of functional exploit code and confirmed exploitation reports suggests that attackers are well-acquainted with this vulnerability and are actively exploiting it in campaigns,” he said. “In light of the high level of privilege attainable through this exploit, it is crucial for organisations to prioritise deploying Microsoft’s official patch to mitigate potential damage.”
