Microsoft addressed 48 vulnerabilities for January 2024 Patch Tuesday, and most notably, none of the flaws were actively exploited as no zero-day vulnerabilities were published or patched on Jan. 9, making it the second consecutive Patch Tuesday with no zero-days.
The most critical vulnerability was CVE-2024-20674, which all current versions of Windows received a patch for.
Adam Barnett, lead software engineer at Rapid 7, described the bug as a flaw in the Windows implementation of Kerberos. By establishing a machine-in-the-middle (MitM) scenario, Barnett said an attacker could trick a client into thinking it’s communicating directly with the Kerberos authentication server, and subsequently bypass authentication and impersonate the client user on the network.
“Although exploitation requires an existing foothold on the local network, both the CVSS 3.1 base score of 9.0 and Microsoft’s proprietary severity ranking of critical reflect that there’s no requirement for user interaction or prior authentication,” explained Barnett. “Microsoft also notes that it considers exploitation of this vulnerability more likely.”
Another critical bug security pros should focus on was CVE-2024-20700, a remote code execution vulnerability in the Windows Hyper-V hardware virtualization service.
Barnett said Microsoft ranks this vulnerability as critical under its own proprietary severity scale. However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network.
“The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur,” said Barnett. “However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host.”
Another flaw that Microsoft rated “Important” with a CVSS score of 8.7 was CVE-2024-0056, a bug that lets an attacker perform a machine-in-the-middle (MITM) attack, intercepting and potentially altering transport layer security (TLS) traffic between a client and server.
Saeed Abbasi, manager of vulnerability research at the Qualys Threat Research Unit, said if exploited, an attacker could decrypt, read or modify secure TLS traffic, breaching the confidentiality and integrity of data. Also, Abbasi said the attacker could leverage it to exploit the SQL Server through the SQL Data Provider, potentially affecting the SQL Server itself.
“The successful exploitation of this vulnerability may not be limited to the initially compromised component,” said Abbasi. “Nonetheless, the high complexity of the attack implies that taking advantage of this vulnerability is a complex task. If exploited, this vulnerability could result in data breaches, compromise data integrity, and lead to unauthorized access to sensitive information.”
Abbasi added that security pros should strengthening network security to make MITM attacks more complex by using secure network protocols, monitoring network traffic for anomalies, and implementing robust firewall rules.
Other bugs security pros should focus in include a patch for Microsoft Office that disables the ability to insert 3D models from FilmBox (FBX) files into Office documents to guard against exploitation of CVE-2024-20677, which Microsoft describes as an arbitrary code execution.
Rapid7’s Barnett said exploitation would involve an Office user interacting with a malicious FBX file, and could lead to information disclosure or downtime. Models already present in documents will continue to function as before, unless the “Link to File” option was chosen upon insertion.
In a related blog post, Microsoft recommended avoiding FBX and instead make use of the GLB 3D file format from now on. The blog post also offered instructions on a registry modification which re-enables the ability to insert FBX files into Office documents, although Microsoft strongly recommended against this. On the plus side: the Preview Pane is not a vector for CVE-2024-20677. Both the Windows and Mac editions of Office are vulnerable until patched.
Barnett pointed out that SharePoint admins should take note of CVE-2024-21318. Successful exploitation lets an attacker with existing Site Owner permissions to execute code in the context of the SharePoint Server. Many SharePoint RCE vulnerabilities require only Site Member privileges, so the requirement for Site Owner here does provide some small comfort, but the potential remains that CVE-2024-21318 could be abused either by a malicious insider or as part of an exploit chain.
“The advisory does mention that exploitation requires that an attacker must already be authenticated as ‘at least a Site Owner,’ although it’s not clear what level of privilege above Site Owner is implicated here,” said Barnett. “A user with SharePoint Administrator or Microsoft 365 Global Administrator role could certainly assign themselves the Site Owner role.”
