8.8 CVE-2024-38189

CISA Kev Catalog Privilege Escalation RCE Injection SQL Buffer Overflow RCI XSS Patch Exploit
 

Microsoft Project Remote Code Execution Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-38189

Categories

CWE-NVD-noinfo

CWE-20 : Improper Input Validation
The product receives input or data, but it doesnot validate or incorrectly validates that the input has theproperties that are required to process the data safely andcorrectly. When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to ensure that the validation is properly implemented. Fuzzing techniques can be useful for detecting input validation errors. When unexpected inputs are provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself. Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173). Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls. When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined. Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow. Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input's values fall within the expected range of allowable values and that multi-field consistencies are maintained. When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so. Large language model (LLM) management tool does notvalidate the format of a digest value (CWE-1287) from aprivate, untrusted model registry, enabling relativepath traversal (CWE-23), a.k.a. Probllama Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24) Chain: improper input validation (CWE-20) leads to integer overflow (CWE-190) in mobile OS, as exploited in the wild per CISA KEV. Chain: improper input validation (CWE-20) leads to integer overflow (CWE-190) in mobile OS, as exploited in the wild per CISA KEV. Chain: backslash followed by a newline can bypass a validation step (CWE-20), leading to eval injection (CWE-95), as exploited in the wild per CISA KEV. Chain: insufficient input validation (CWE-20) in browser allows heap corruption (CWE-787), as exploited in the wild per CISA KEV. Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. Chain: security product has improper input validation (CWE-20) leading to directory traversal (CWE-22), as exploited in the wild per CISA KEV. Improper input validation of HTTP requests in IP phone, as exploited in the wild per CISA KEV. Chain: improper input validation (CWE-20) in firewall product leads to XSS (CWE-79), as exploited in the wild per CISA KEV. Chain: caching proxy server has improper input validation (CWE-20) of headers, allowing HTTP response smuggling (CWE-444) using an "LF line ending" Eval injection in Perl program using an ID that should only contain hyphens and numbers. SQL injection through an ID that was supposed to be numeric. lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption. insufficient validation enables XSS driver in security product allows code execution due to insufficient validation infinite loop from DNS packet with a label that points to itself infinite loop from DNS packet with a label that points to itself missing parameter leads to crash HTTP request with missing protocol version number leads to crash request with missing parameters leads to information exposure system crash with offset value that is inconsistent with packet size size field that is inconsistent with packet size leads to buffer over-read product uses a denylist to identify potentially dangerous content, allowing attacker to bypass a warning security bypass via an extra header empty packet triggers reboot incomplete denylist allows SQL injection NUL byte in theme name causes directory traversal impact to be worse kernel does not validate an incoming pointer before dereferencing it anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution anti-virus product allows DoS via zero-length field driver does not validate input from userland to the kernel kernel does not validate parameters sent in from userland, allowing code execution lack of validation of string length fields allows memory consumption or buffer over-read lack of validation of length field leads to infinite loop lack of validation of input to an IOCTL allows code execution zero-length attachment causes crash zero-length input causes free of uninitialized pointer crash via a malformed frame structure infinite loop from a long SMTP request router crashes with a malformed packet packet with invalid version number leads to NULL pointer dereference crash via multiple "." characters in file extension

References

secure@microsoft.com Patch


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:project_2016:*:*:*:*:*:*:*:* < 16.0.5461.1001


REMEDIATION


Patch

Url
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38189


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
https://github.com/vx7z/CVE-2024-38189

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
10 Buffer Overflow via Environment Variables
High
101 Server Side Include (SSI) Injection
High
109 Object Relational Mapping Injection
High
110 SQL Injection through SOAP Parameter Tampering
Very High
104 Cross Zone Scripting
High
108 Command Line Execution through SQL Injection
Very High
120 Double Encoding
Medium
13 Subverting Environment Variable Values
Very High
135 Format String Injection
High
136 LDAP Injection
High
14 Client-side Injection-induced Buffer Overflow
High
153 Input Data Manipulation
Medium
182 Flash Injection
Medium
209 XSS Using MIME Type Mismatch
Medium
22 Exploiting Trust in Client
High
23 File Content Injection
Very High
230 Serialized Data with Nested Payloads
High
231 Oversized Serialized Data Payloads
High
24 Filter Failure through Buffer Overflow
High
250 XML Injection
261 Fuzzing for garnering other adjacent user/sensitive data
Medium
267 Leverage Alternate Encoding
High
28 Fuzzing
Medium
3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
Medium
31 Accessing/Intercepting/Modifying HTTP Cookies
High
42 MIME Conversion
High
43 Exploiting Multiple Input Interpretation Layers
High
45 Buffer Overflow via Symbolic Links
High
46 Overflow Variables and Tags
High
47 Buffer Overflow via Parameter Expansion
High
473 Signature Spoof
52 Embedding NULL Bytes
High
53 Postfix, Null Terminate, and Backslash
High
588 DOM-Based XSS
Very High
63 Cross-Site Scripting (XSS)
Very High
64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
High
664 Server Side Request Forgery
High
67 String Format Overflow in syslog()
Very High
7 Blind SQL Injection
High
71 Using Unicode Encoding to Bypass Validation Logic
High
72 URL Encoding
High
73 User-Controlled Filename
High
78 Using Escaped Slashes in Alternate Encoding
High
79 Using Slashes in Alternate Encoding
High
8 Buffer Overflow in an API Call
High
80 Using UTF-8 Encoding to Bypass Validation Logic
High
81 Web Server Logs Tampering
High
83 XPath Injection
High
85 AJAX Footprinting
Low
88 OS Command Injection
High
9 Buffer Overflow in Local Command-Line Utilities
High


MITRE


Techniques

id description
T1027 Obfuscated Files or Information
T1036.001 Masquerading: Invalid Code Signature
T1539 Steal Web Session Cookie
T1553.002 Subvert Trust Controls:Code Signing
T1562.003 Impair Defenses:Impair Command History Logging
T1574.006 Hijack Execution Flow:Dynamic Linker Hijacking
T1574.007 Hijack Execution Flow:Path Interception by PATH Environment Variable
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
T1027 Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software.
T1036.001 Require signed binaries.
T1539 Train users to identify aspects of phishing attempts where they're asked to enter credentials into a site that has the incorrect domain for the application they are logging into. Additionally, train users not to run untrusted JavaScript in their browser, such as by copying and pasting code or dragging and dropping bookmarklets.
T1562.003 Make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.
T1574.006 When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions. Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.
T1574.007 Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:Windows</code>, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.