Microsoft eased enterprise safety groups into 2024 with a comparatively gentle January safety replace consisting of patches for 48 distinctive CVEs, simply two of which the corporate recognized as being of crucial severity.
For the second straight month, Microsoft’s Patch Tuesday didn’t embody any zero-day bugs, that means directors will not must cope with any new vulnerabilities that attackers are actively exploiting in the mean time — one thing that occurred often in 2023.
Simply Two Crucial Severity Bugs
As is usually the case, the CVEs that Microsoft disclosed Jan. 9 affected a variety of its merchandise and included privilege escalation vulnerabilities, distant code execution flaws, safety bypass bugs, and different vulnerabilities. The corporate categorised 46 of the issues as being of Necessary severity, together with a number of that attackers had been extra possible than to not exploit.
Considered one of two crucial severity bugs in Microsoft’s newest replace is CVE-2024-20674, a Home windows Kerberos safety function bypass vulnerability that permits attackers to bypass authentication mechanisms and launch impersonation assaults. “Attackers can exploit this flaw by way of a machine-in-the-middle (MitM) assault,” says Saeed Abbasi, supervisor of vulnerability analysis at Qualys in feedback to Darkish Studying. “They obtain this by establishing a neighborhood community spoofing state of affairs after which sending malicious Kerberos messages to trick a consumer machine into believing they’re speaking with a reliable Kerberos authentication server.”
The vulnerability requires the attacker to have entry to the identical native community because the goal. It isn’t remotely exploitable over the Web and requires proximity to the interior community. Even so, there’s a excessive chance of lively exploitation makes an attempt within the close to future, Abbasi says.
Ken Breen, senior director of risk analysis at Immersive Labs, recognized CVE-2024-20674 as a bug that organizations would do effectively to patch shortly. “These sorts of assault vectors are at all times invaluable to risk actors like ransomware operators and entry brokers,” as a result of they allow vital entry to enterprise networks, in keeping with an announcement from Breen.
The opposite crucial vulnerability in Microsoft’s newest batch of safety updates is CVE-2024-20700, a distant code execution vulnerability in Home windows Hyper-Virtualization expertise. The vulnerability shouldn’t be particularly simple to use as a result of to take action, an attacker would already first have to be contained in the community and adjoining to a susceptible laptop, in keeping with an announcement from Ben McCarthy, lead cybersecurity engineer at Immersive Labs.
The vulnerability additionally entails a race situation — a sort of problem that is more durable for an attacker to use than many different vulnerability sorts. “This vulnerability has been launched as exploitation much less possible however as a result of Hyper-V runs as the best privileges in a pc, it’s price fascinated by patching,” McCarthy stated.
Excessive-Precedence Distant Code Execution Bugs
Safety researchers pointed to 2 different RCE bugs within the January replace that advantage precedence consideration: CVE-2024-21307 in Home windows Distant Desktop Shopper and CVE-2024-21318 in SharePoint Server.
Microsoft recognized CVE-2024-21307 as a vulnerability that attackers usually tend to exploit however has supplied little info on why, in keeping with Breen. The corporate has famous that unauthorized attackers want to attend for a person to provoke a connection to have the ability to exploit the vulnerability.
“Which means the attackers must create a malicious RDP server and use social engineering methods as a way to trick a person into connecting,” Breen stated. “This isn’t as tough because it sounds, as malicious RDP servers are comparatively simple for attackers to arrange after which sending .rdp attachments in emails means a person solely has to open the attachment to set off the exploit.”
A Few Extra Exploitable Privilege Escalation Bugs
Microsoft’s January replace included patches for a number of privilege escalation vulnerabilities. Among the many most extreme of them is for CVE-2023-21310, a privilege escalation bug in Home windows Cloud Recordsdata Mini Filter Driver. The flaw is similar to CVE-2023-36036, a zero-day privilege escalation vulnerability in the identical expertise, which Microsoft disclosed in its November 2023 safety replace.
Attackers actively exploited that flaw to attempt to achieve system degree privileges on native machines — one thing they’ll do with the newly disclosed vulnerability as effectively. “Any such privilege escalation step is often seen by risk actors in community compromises,” Breen stated. “It could allow the attacker to disable safety instruments or run credential dumping instruments like Mimikatz that may then allow lateral motion or the compromise of area accounts.”
Among the different vital privilege escalation bugs included CVE-2024-20653 within the Home windows Frequent Log File System, CVE-2024-20698 in Home windows Kernel, CVE-2024-20683 in Win32k, and CVE-2024-20686 in Win32k. Microsoft has rated all of those flaws as points attackers usually tend to exploit, in keeping with an announcement from Satnam Narang, senior employees analysis engineer at Tenable. “These bugs are generally used as a part of post-compromise exercise,” he stated. “That’s, as soon as attackers have gained an preliminary foothold onto programs.”
Among the many flaws that Microsoft ranked as vital, however which want fast consideration, is CVE-2024-0056, a safety bypass function in SQL, Abbasi says. The flaw permits an attacker to carry out a machine-in-the-middle assault, intercepting and probably altering TLS site visitors between a consumer and server, he notes. “If exploited, an attacker might decrypt, learn, or modify safe TLS site visitors, breaching the confidentiality and integrity of knowledge.” Abbasi says that an attacker might additionally leverage the flaw to use SQL Server by way of the SQL Information Supplier.
