Microsoft eased enterprise security teams into 2024 with a relatively light January security update consisting of patches for 48 unique CVEs, just two of which the company identified as being of critical severity.
For the second straight month, Microsoft's Patch Tuesday did not include any zero-day bugs, meaning administrators will not have to contend with any new vulnerabilities that attackers are actively exploiting at the moment, something that happened frequently in 2023.
Just Two Critical Severity Bugs
As is usually the case, the CVEs that Microsoft disclosed Jan. 9 affected a wide range of its products and included privilege escalation vulnerabilities, remote code execution flaws, security bypass bugs, and other vulnerabilities. The company classified 46 of the flaws as being of Important severity, including several that attackers were more likely than not to exploit.
One of the two critical severity bugs in Microsoft's latest update is CVE-2024-20674, a Windows Kerberos security feature bypass vulnerability that allows attackers to bypass authentication mechanisms and launch impersonation attacks. "Attackers can exploit this flaw via a machine-in-the-middle (MitM) attack," says Saeed Abbasi, manager of vulnerability research at Qualys, in comments to Dark Reading. "They achieve this by setting up a local network spoofing scenario and then sending malicious Kerberos messages to trick a client machine into believing they are communicating with a legitimate Kerberos authentication server."
The vulnerability requires the attacker to have access to the same local network as the target. It is not remotely exploitable over the Internet and requires proximity to the internal network. Even so, there is a high likelihood of active exploitation attempts in the near future, Abbasi says.
Kev Breen, senior director of threat research at Immersive Labs, identified CVE-2024-20674 as a bug that organizations would do well to patch quickly. "These kinds of attack vectors are always valuable to threat actors like ransomware operators and access brokers," because they enable significant access to enterprise networks, according to a statement from Breen.
The other critical vulnerability in Microsoft's latest batch of security updates is CVE-2024-20700, a remote code execution vulnerability in Windows Hyper-V virtualization technology. The vulnerability is not especially easy to exploit because, to do so, an attacker would first need to already be inside the network and adjacent to a vulnerable computer, according to a statement from Ben McCarthy, lead cybersecurity engineer at Immersive Labs.
The vulnerability also involves a race condition, a type of issue that is harder for an attacker to exploit than many other vulnerability types. "This vulnerability has been released as exploitation less likely, but because Hyper-V runs at the highest privileges in a computer, it is worth thinking about patching," McCarthy said.
High-Priority Remote Code Execution Bugs
Security researchers pointed to two other RCE bugs in the January update that merit priority attention: CVE-2024-21307 in Windows Remote Desktop Client and CVE-2024-21318 in SharePoint Server.
Microsoft identified CVE-2024-21307 as a vulnerability that attackers are more likely to exploit but has offered little information on why, according to Breen. The company has noted that unauthorized attackers need to wait for a user to initiate a connection to be able to exploit the vulnerability.
"This means that the attackers have to create a malicious RDP server and use social engineering techniques in order to trick a user into connecting," Breen said. "This is not as difficult as it sounds, as malicious RDP servers are relatively easy for attackers to set up, and then sending .rdp attachments in emails means a user only has to open the attachment to trigger the exploit."
A Few More Exploitable Privilege Escalation Bugs
Microsoft's January update included patches for multiple privilege escalation vulnerabilities. Among the most severe of them is the one for CVE-2023-21310, a privilege escalation bug in the Windows Cloud Files Mini Filter Driver. The flaw is very similar to CVE-2023-36036, a zero-day privilege escalation vulnerability in the same technology, which Microsoft disclosed in its November 2023 security update.
Attackers actively exploited that flaw to try to gain system-level privileges on local machines, something they can do with the newly disclosed vulnerability as well. "This type of privilege escalation step is frequently seen by threat actors in network compromises," Breen said. "It can enable the attacker to disable security tools or run credential dumping tools like Mimikatz that can then enable lateral movement or the compromise of domain accounts."
Some of the other important privilege escalation bugs included CVE-2024-20653 in the Windows Common Log File System, CVE-2024-20698 in the Windows Kernel, CVE-2024-20683 in Win32k, and CVE-2024-20686 in Win32k. Microsoft has rated all of these flaws as issues attackers are more likely to exploit, according to a statement from Satnam Narang, senior staff research engineer at Tenable. "These bugs are commonly used as part of post-compromise activity," he said. "That is, once attackers have gained an initial foothold onto systems."
Among the flaws that Microsoft ranked as Important, but which nonetheless need quick attention, is CVE-2024-0056, a security feature bypass in SQL, Abbasi says. The flaw enables an attacker to carry out a machine-in-the-middle attack, intercepting and potentially altering TLS traffic between a client and server, he notes. "If exploited, an attacker could decrypt, read, or modify secure TLS traffic, breaching the confidentiality and integrity of data." Abbasi says that an attacker could also leverage the flaw to exploit SQL Server via the SQL Data Provider.