Microsoft Management Console Remote Code Execution Vulnerability

Executive Summary

On October 7, 2024, Microsoft released a security patch relating to the zero-day Microsoft Management Console Remote Code Execution (RCE) Vulnerability, CVE-2024-43572, on its Microsoft Security Response Center  – Security Updates page, providing details regarding the vulnerability and its determined exploitability.  The vulnerability allowed for malicious Microsoft Saved Console  files to be able to execute remote code onto targeted Microsoft systems and devices.  This vulnerability was addressed by Microsoft in their monthly security patch for October, which also addressed 118 additional vulnerabilities, 5 of which were zero-day vulnerabilities.

Background

Microsoft’s Microsoft Management Console (MMC) is a Windows tool which allows for users to create, save, and configure administrative controls (consoles) on any system with Microsoft’s Windows operating system.  The consoles called by the MMC allow users to manage the hardware, software, and network components on their systems through the use of snap-ins [1].  The MMC serves as a common interface for users to utilize snap-ins, which are services that users upload to the MMC, allowing users to manage and create management tools customized to the user’s specific needs [1].

The discovery of the vulnerability was credited to “Andres and Shady” by Microsoft. The MMC RCE vulnerability was given a base score of 7.8 and a severity rating of high, stressing the importance for users to update and apply the current security patch to mitigate further exploitation [2][3].  Microsoft also disclosed that the vulnerability was actively being exploited.

Exploitation

While how the vulnerability was executed was not publicly disclosed by Microsoft, it is assumed that the vulnerability could have been triggered by users uploading a malicious MMC snap-in file.  After uploading the malicious file, the file would have access to administrative-level privileges on the system, allowing it to conduct remote code execution attacks against vulnerable devices and services [4].  Remote code execution vulnerabilities and attacks are important to address because they allow for threat actors to attack compromised systems with malware, steal sensitive information, manipulate/destroy data, and allow attackers the ability to move across a network, expanding the attack surface [5].

Significance and Impact

Despite being not publicly disclosed as to what the definitive scope of impact that the vulnerability had, in 2023, there were an estimated 400 million systems that were running Windows 11 [6].  It is also estimated that by next year there will be over 700 million systems still running Windows 10, despite support for the operating system losing technical support in October 2025 [7].  Knowing that there are an estimated 1.1 billion systems running both Windows 10 and 11, suggests that the possibility for the RCE vulnerability to have been exploited across thousands, or even millions of devices, was more than likely.

Mitigation

On the second Tuesday of each month, coined “Patch Tuesday,” Microsoft releases a security patch addressing any present vulnerabilities they have discovered across their products and services at 10:00 AM PST [8].  It is essential that Windows users update their current systems in order to mitigate any additional risks and vulnerabilities they have present on their systems.  While Microsoft did not provide any specific Indicators of Compromise (IoC), it is always important to follow safe cybersecurity practices and policies.  This can include limiting user privileges, using role-based access controls (RBAC), and monitoring and disabling snap-ins that are not actively in use by a system.

Conclusion

Microsoft’s Management Console Remote Code Execution vulnerability highlights the importance of maintaining system security through regular security updates via patching.  Failure to update systems and apply regular security patches that are released by product developers, can lead to the weakening of an organization’s network and systems security.  The vulnerability also demonstrated the importance for a service provider such as Microsoft, to continuously monitor and mitigate security risks on its own services, as billions of users rely on the services and products they provide.

References

[1] Deland-Han et al. (2024, June 4). What is Microsoft Managemnet Console?. https://learn.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console

[2] Microsoft. (2024, October 7). Microsoft Management Console Remote Code Execution Vulnerability. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43572

[3] CVE. (2024, October 8). CVE-2024-43572. https://www.cve.org/CVERecord?id=CVE-2024-43572

[4] Abrams, L. (2024, October 8). Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws. https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2024-patch-tuesday-fixes-5-zero-days-118-flaws/

[5] Cloudflare. (n.d.). What is remote code execution? https://www.cloudflare.com/learning/security/what-is-remote-code-execution/

[6] Cunningham, A. (2023, October 18). Windows 11’s adoption continues to lag Windows 10’s, but it’s hard to compare. https://arstechnica.com/gadgets/2023/10/windows-11s-adoption-continues-to-lag-windows-10s-but-its-hard-to-compare/

[7] Bott, E. (2024, September 4). Microsoft has a big Windows 10 problem, and only one year to solve it. https://www.zdnet.com/article/microsoft-has-a-big-windows-10-problem-and-only-one-year-to-solve-it/

[8] Microsoft MSRC. (n.d.). Security Update Guide Faqs. https://www.microsoft.com/en-us/msrc/faqs-security-update-guide#:~:text=When%20does%20Microsoft%20release%20security,at%2010%3A00%20AM%20PST