https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26199 <br/></td> CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"/>https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26199 <br/></td> CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"/>

Exploit
CVE-2024-26199

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: Mar 12, 2024

010
CVSS 7.8EPSS 0.04%High
CVE info copied to clipboard

Summary

This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Office. The specific flaw exists within the Office Performance Monitor executable. By creating a symbolic link, an attacker can abuse the process to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

Impact

If exploited, an attacker can escalate privileges to SYSTEM level, which gives them complete control over the affected system. This allows them to execute arbitrary code with the highest level of permissions, potentially leading to full system compromise. The attacker could delete arbitrary files, install programs, view, change, or delete data, or create new accounts with full user rights.

Exploitation

One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of proof of exploitation at the moment.

Patch

Microsoft has issued an update to correct this vulnerability. The patch is available, and details can be found at the Microsoft Security Response Center (MSRC) website.

Mitigation

1. Apply the security update provided by Microsoft as soon as possible. 2. Implement the principle of least privilege, ensuring users operate with minimal necessary permissions. 3. Monitor and restrict local access to systems, as the attack requires local access. 4. Implement robust access controls and user authentication mechanisms. 5. Regularly audit system files and monitor for unexpected changes or symbolic links. 6. Keep all Microsoft Office installations up to date with the latest security patches. 7. Use application whitelisting to control which applications can run on a system. 8. Implement and maintain a robust incident response plan in case of exploitation.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (110460)

Mar 12, 2024 at 12:00 AM
CVE Assignment

NVD published the first details for CVE-2024-26199

Mar 12, 2024 at 10:15 AM
CVSS

A CVSS base score of 7.8 has been assigned.

Mar 12, 2024 at 5:01 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-26199. See article

Mar 12, 2024 at 5:27 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Mar 12, 2024 at 6:45 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 7.1%)

Mar 13, 2024 at 2:38 PM
Static CVE Timeline Graph

Affected Systems

Microsoft/office
+null more

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-294/
+null more

Patches

Microsoft
+null more

Links to Mitre Att&cks

T1547.009: Shortcut Modification
+null more

Attack Patterns

CAPEC-132: Symlink Attack
+null more

Vendor Advisory

ZDI-24-294: Microsoft Office Performance Monitor Link Following Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Office. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

News

March 2024 Security Updates - Release Notes
Security Update Guide Blog Posts ; February 15, 2024, New Security Advisory Tab Added to the Microsoft Security Update Guide ; January 11, 2022, Coming ...
March 2024 Security Updates - Release Notes
This release consists of the following 61 Microsoft CVEs: Tag CVE Base Score CVSS Vector Exploitability FAQs? Workarounds? Mitigations?
March 2024 Threat Advisory – Top 5
SecurityHQ is aware of various threat actors that are actively exploiting a critical severity authentication bypass vulnerability (CVE-2024-1709), and a high-severity path traversal vulnerability (CVE-2024-1708) found in ConnectWise ScreenConnect servers. Successful exploitation of these vulnerabilities could result in Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Spoofing and Denial of Service.
MSP cybersecurity news digest, March 19, 2024
Magnet Goblin, a financially motivated threat actor, is rapidly integrating newly disclosed one-day vulnerabilities into its arsenal, focusing on breaching edge devices and public-facing services to deploy malware on compromised hosts. Another significant fix is CVE-2024-20671, addressing a Microsoft Defender Security Feature Bypass flaw, with CVE-2024-21411 focusing on a Skype for Consumer Remote Code Execution Vulnerability.
Technical Bulletin March 2024
In the previous technical bulletin, Microsoft Patch Tuesday provided a fix for the vulnerability known as CVE-2024-21412, which allows attackers to bypass the Microsoft SmartScreen that pops up when the user attempts to install software or execute actions with administrator privileges. During that period, Fortinet also patched a CSV injection vulnerability known as CVE-2023-47534, which allowed attackers to execute commands and code on the vulnerable systems.
See 68 more articles and social media posts

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI