Microsoft issues fixes for 48 CVEs on first Patch Tuesday for 2024

source link: https://itwire.com/business-it-news/security/microsoft-issues-fixes-for-48-cves-in-first-patch-tuesday-for-2024.html

Wednesday, 10 January 2024 10:31

By Sam Varghese

Microsoft has issued patches for 48 CVEs in its first Patch Tuesday release for the year, with no zero-day or publicly disclosed vulnerabilities among them.

Security vendor Tenable said this count did not include CVE-2022-35737, a vulnerability in SQLite called “Stranger Strings” that was assigned by MITRE and patched in July 2022.

Satnam Narang, senior staff research engineer at Tenable, said this was the second successive Patch Tuesday with no zero-day vulnerabilities (either exploited or publicly disclosed) reported.

“Microsoft patched CVE-2024-21318, a remote code execution vulnerability in Microsoft SharePoint Server," he said.

"An authenticated attacker with Site Owner privileges could exploit this vulnerability, potentially obtaining access to highly sensitive files stored in this cloud-based server.

"Despite the authentication requirement, Microsoft said exploitation of this flaw is more likely. It is credited to researchers at STAR Labs SG Pte. Ltd.

"In September 2023, STAR Labs researchers published a blog post outlining successful chaining of two vulnerabilities in Microsoft SharePoint Server (CVE-2023-29357, CVE-2023-24955)."

Narang advised organisations that use SharePoint Server to apply these patches as soon as possible.

Other vulnerabilities that caught Narang's attention were several elevation of privilege vulnerabilities across several products, including Windows Cloud Files Mini Filter Driver (CVE-2024-21310), Common Log File System (CVE-2024-20653), Windows Kernel (CVE-2024-20698) and Win32k (CVE-2024-20683, CVE-2024-20686), all rated as Exploitation More Likely.

"These bugs are commonly used as part of post-compromise activity, that is, once attackers have gained an initial foothold onto systems, they would use these vulnerabilities to elevate privileges outside the bounds of current privileges, which are often limited," he explained.

"There is a steady stream of these flaws patched each month, with some having been exploited in the wild as zero-days. While much of the attention is paid to vulnerabilities marked as critical, such as remote code execution bugs or vulnerabilities with CVSS scores above 9, these serve as a reminder of the importance of patching vulnerabilities that are more likely to be exploited by attackers.”

Adam Barnett, lead software engineer at security outfit Rapid7, highlighted CVE-2024-20700, a remote code execution vulnerability in the Windows Hyper-V hardware virtualisation service.

"Microsoft ranks this vulnerability as critical under its own proprietary severity scale," he said. "However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network.

"The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur.

"However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host."

Barnett also pointed to CVE-2024-20674 for which all Windows versions had received a patch. "(This) describes a flaw in the Windows implementation of Kerberos," he elaborated. "By establishing a machine-in-the-middle (MitM), an attacker could trick a client into thinking it is communicating directly with the Kerberos authentication server, and subsequently bypass authentication and impersonate the client user on the network.

"Although exploitation requires an existing foothold on the local network, both the CVSS 3.1 base score of 9.1 and Microsoft’s proprietary severity ranking of critical reflect that there is no requirement for user interaction or prior authentication. Microsoft also notes that it considers exploitation of this vulnerability more likely."

Mike Walters, president and co-founder of risk-based patch management software vendor Action1, said according to the CVSS metric, the attack vector for the Kerberos vulnerability was categorised as “adjacent” (AV:A), indicating that the attacker must first gain access to a restricted network to launch the attack successfully.

"Moreover, successful exploitation could result in a scope change (S:C)," he added. "This indicates that the vulnerability’s impact extends beyond the security scope managed by the authority responsible for the affected component, affecting components managed by different security authorities."

Walters also pointed to CVE-2024-21307, a remote code execution vulnerability in the Remote Desktop Client, normally used for establishing remote desktop connections.

"This vulnerability is classified as a Remote Code Execution with an ‘Important’ severity rating and a CVSS score of 7.5 / 6.5," he noted. "Its successful exploitation poses a significant threat to the confidentiality, integrity, and availability of the system impacted.

"The vulnerability can be exploited remotely over a network connection, as its attack vector is network-based. The CVSS metric assigns a high attack complexity (AC:H) to this vulnerability, suggesting that sophisticated methods, potentially involving a race condition, are required for successful exploitation.

"No user interaction or special privileges are needed for exploitation. This implies that an unauthorised attacker could exploit this vulnerability by waiting for a user to connect to the compromised Remote Desktop Client, thereby enabling the execution of arbitrary code on the target system.

"The scope and impact of this vulnerability remain unchanged, posing a high risk to the system’s confidentiality, integrity, and availability. Exploitation could lead to unauthorised access, data manipulation, and disruption of system operations. The affected operating systems include Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.

"As of the original publication, there have been no demonstrations of proof-of-concept or confirmed exploitations. The maturity of any exploit code is considered unproven. The application of Microsoft’s official fix is recommended for mitigation."
