Managed Vulnerability Scanning: Key Findings and the Importance of Regular Patching

There is no doubt about the value of conducting Managed Vulnerability Scanning. Trustwave has posted multiple blogs on the topic, (just check here, here, and here) for a look at how Trustwave approaches this very important cybersecurity procedure.

One point we have not covered is exactly what kind of vulnerabilities Trustwave SpiderLabs’ analysts find during a scan. Are they truly dangerous? What would happen if the client had opted to give a pass to an MVS occurrence?

To answer this question as completely as possible I took a look back at the scans conducted in September 2024 and here are the three most common issues we discovered and the vulnerabilities they can exploit. There is one overriding theme with all three. Each could be negated if the organization had kept its system properly patched.

Remember, Patch Tuesday isn’t just the first Tuesday of every month! It’s a reminder that patching is an important part of a solid cybersecurity hygiene program.

KB5043064: Windows 10 Version 21H2 / Windows 10 Version 22H2 Security Update (September 2024)

A scan found the remote Windows host is missing Security Update 5043064. It is, therefore, potentially affected by multiple vulnerabilities.

• Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43461): This is a spoofing vulnerability in the Windows MSHTML Platform that was patched last September 10, 2024, but details about its exploitation in the wild emerged only on September 13, 2024. This vulnerability was exploited as part of an attack chain related to CVE-2024-38112, allowing an attacker to manipulate the UI to display misleading information. This spoofed data can deceive users into taking incorrect actions, often serving as a component in phishing attacks.
• Windows Remote Access Connection Manager Elevation of Privilege Vulnerability (CVE-2024-38240): This is an elevation of privilege vulnerability in the Windows Remote Access Connection Manager. An attacker exploiting this flaw could gain elevated permissions on the system, potentially allowing them to execute malicious code or access sensitive information. This could occur if the attacker tricks a user into running a specially crafted application.
• Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-21416, CVE-2024-38045): A remote code execution vulnerability exists within the Windows TCP/IP stack, which is especially concerning as it allows attackers to execute arbitrary code on vulnerable systems. When systems are vulnerable to such exploits, a malicious actor can remotely execute commands without needing physical access to the machine. This can lead to unauthorized access to sensitive data, complete control over the system, and the potential for lateral movement within the network, compromising multiple systems.

The issue is fixed by applying Security Update 5043064.

KB5043050: Windows 10 version 1809 / Windows Server 2019 Security Update (September 2024)

The remote Windows host is missing security update 5043050. It is, therefore, affected by multiple vulnerabilities

• Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43461): same as above
• Windows Remote Desktop Licensing Service Spoofing Vulnerability (CVE-2024-43455): This is a spoofing vulnerability in the Windows Remote Desktop Licensing Service. By exploiting this vulnerability, the attacker could gain unauthorized access to sensitive information or disrupt legitimate remote desktop sessions. To successfully exploit this vulnerability, an attacker must send specially crafted requests to the Terminal Server Licensing Service, which needs to be running and accessible over the network.
• Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability (CVE-2024-38260, CVE-2024-38263, CVE-2024-43454, CVE-2024-43467): A remote code execution (RCE) flaw in the Windows Remote Desktop Licensing Service. Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. Successful exploitation of this vulnerability requires an attacker to win a race condition.

The issue is fixed by applying Security Update 5043050

KB5043138: Windows Server 2012 R2 Security Update (September 2024)

The remote Windows host is missing security update 5043138. It is, therefore, affected by multiple vulnerabilities. These include

• Windows MSHTML Platform Spoofing Vulnerability (CVE-2024-43461): same as above
• Windows Remote Desktop Licensing Service Spoofing Vulnerability (CVE-2024-43455): same as above.
• Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability (CVE-2024-38260, CVE-2024-38263, CVE-2024-43454, CVE-2024-43467): same as above.

The issue is fixed by applying Security Update 5043138.

The Benefit of Trustwave Managed Vulnerability Scanning

Trustwave Managed Vulnerability Scanning (MVS) is a powerful tool designed to give client’s complete visibility into their network's assets and the vulnerabilities they harbor.

Trustwave MVS removes the complexity from vulnerability scanning. Our team of security experts, SpiderLabs, takes the reins, conducting thorough scans across your network on your behalf. This frees up your valuable time and resources to focus on core business functions while ensuring your critical assets' security.

Here's a closer look at what Trustwave MVS offers:

• Unveiling the Unknown: Discover all the assets within your network and their associated vulnerabilities. This comprehensive picture empowers you to make informed decisions about security strategies.
• A Multi-Faceted Approach: Go beyond basic scans with Trustwave MVS's diverse scanning options. Choose from discovery scans to identify active assets, network scans (internal and external) to assess internal and external threats, application scans to pinpoint vulnerabilities within your applications, and database scans to uncover security gaps in your data storage.
• Prioritizing Threats with Intelligence: Not all vulnerabilities are created equal. Trustwave MVS employs risk-based ranking to prioritize the most critical threats, allowing you to focus your resources on the areas that pose the biggest security risk.
• Minimizing False Positives: Reduce the time and effort wasted chasing false alarms. Trustwave MVS utilizes advanced techniques to minimize false positives, ensuring your team focuses on genuine threats.
• Adapting to Evolving Threats: The security landscape is constantly changing. Trustwave MVS offers up to three on-demand scans with the Elite Package, allowing you to scan your network again when new threats emerge or after deploying new assets.
• Expert Verification: Our team doesn't just provide raw data. Trustwave MVS includes manual verification of critical vulnerabilities by our security experts, ensuring accuracy and eliminating potential confusion.
• Compliance Made Simple: Meeting audit and compliance requirements can be a time-consuming hassle. Trustwave MVS streamlines the process by generating comprehensive reports demonstrating your network security commitment.