Lucene search

K
rapid7blogAdam BarnettRAPID7BLOG:171ADCC05F36FB9F42275829066461EF
HistoryJan 09, 2024 - 9:23 p.m.

Patch Tuesday - January 2024

2024-01-0921:23:10
Adam Barnett
blog.rapid7.com
52
patch tuesday
microsoft
vulnerabilities
remote code execution
hyper-v
fbx
office
sharepoint
security
kerberos
mitm
windows

AI Score

9.8

Confidence

High

EPSS

0.894

Percentile

98.8%

Patch Tuesday - January 2024

Microsoft is addressing 49 vulnerabilities this January 2024 Patch Tuesday, including a single critical remote code execution vulnerability. Four browser vulnerabilities were published separately this month, and are not included in the total. No zero-day vulnerabilities are published or patched today.

Hyper-V: critical remote code execution

CVE-2024-20700 describes a remote code execution vulnerability in the Windows Hyper-V hardware virtualization service. Microsoft ranks this vulnerability as critical under its own proprietary severity scale. However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network. The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur. However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host.

FBX 3D models in Office: arbitrary code execution

A patch for Microsoft Office disables the ability to insert 3D models from FBX (Filmbox) files into Office documents to guard against exploitation of CVE-2024-20677, which Microsoft describes as an arbitrary code execution. Exploitation would involve an Office user interacting with a malicious FBX file, and could lead to information disclosure or downtime. Models already present in documents will continue to function as before, unless the “Link to File” option was chosen upon insertion. In a related blog post, Microsoft recommends avoiding FBX and instead making use of the GLB 3D file format from now on. The blog post also provides instructions on a registry modification which re-enables the ability to insert FBX files into Office documents, although Microsoft strongly recommends against this. Silver lining: the Preview Pane is not a vector for CVE-2024-20677. Both the Windows and Mac editions of Office are vulnerable until patched.

SharePoint: remote code execution

SharePoint admins should take note of CVE-2024-21318, which was added to CISA KEV on 2024-01-10. Successful exploitation allows an attacker with existing Site Owner permissions to execute code in the context of the SharePoint Server. Many SharePoint RCE vulnerabilities require only Site Member privileges, so the requirement for Site Owner here does provide some small comfort, but the potential remains that CVE-2024-21318 could be abused either by a malicious insider or as part of an exploit chain. The advisory does mention that exploitation requires that an attacker must already be authenticated as “at least a Site Owner,” although it’s not clear what level of privilege above Site Owner is implicated here; a user with SharePoint Administrator or Microsoft 365 Global Administrator role could certainly assign themselves the Site Owner role.

Windows Kerberos: MitM security feature bypass

All current versions of Windows receive a patch for CVE-2024-20674, which describes a flaw in the Windows implementation of Kerberos. By establishing a machine-in-the-middle (MitM), an attacker could trick a client into thinking it is communicating directly with the Kerberos authentication server, and subsequently bypass authentication and impersonate the client user on the network. Although exploitation requires an existing foothold on the local network, both the CVSS 3.1 base score of 9.1 and Microsoft’s proprietary severity ranking of critical reflect that there is no requirement for user interaction or prior authentication. Microsoft also notes that it considers exploitation of this vulnerability more likely.

Exchange: no security patches two months in a row

Exchange admins bracing themselves for extra security patches this month after the lack of Exchange security patches last month are once again given a reprieve: there are no security patches for Exchange released today.

Better SQLite than never

The January 2024 Windows security updates include a patch for CVE-2022-35737, a vulnerability in SQLite versions prior to 3.39.2 first disclosed way back in August 2022. It’s not clear why Microsoft has chosen to patch this now, but it’s a welcome development nevertheless. Patch Tuesday watchers wondering why Windows comes with bundled SQLite may be interested to know that the WinUI library UX development framework provides SQLite interaction functionality, and the documentation mentions that SQLite is included with all supported versions of Windows.

Microsoft products lifecycle update

A number of Microsoft products transition from mainstream support to extended support as of today: Exchange Server 2019, Hyper-V Server 2019, SharePoint Server 2019, Skype for Business 2019 (both client and server), as well as various facets of Windows 10: Enterprise LTSC 2019, IoT Core LTSC, IoT Enterprise LTSC 2019, IoT LTSC 2019 Core, Windows Server 2019, Windows Server IoT 2019, and Windows Server IoT 2019 for Storage. Also moving to extended support: Dynamics SL 2018 and Project Server 2019. During the extended support lifecycle phase, Microsoft continues to provide security updates, but does not typically release new features. Extended support is not available for Microsoft consumer products.

Today marks the end of the road for Microsoft Dynamics CRM 2013, which moves past the end of extended support. No ESU program is available, so admins must move to a newer version of Dynamics CRM to continue receiving security updates.

Summary Charts

Patch Tuesday - January 2024Hyper-V always worth defender attention.Patch Tuesday - January 2024Remote Code Execution reclaims the top spot.Patch Tuesday - January 2024WIndows Message Queuing is now a perennial feature of Patch Tuesday.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20676 Azure Storage Mover Remote Code Execution Vulnerability No No 8

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-0225 Chromium: CVE-2024-0225 Use after free in WebGPU No No N/A
CVE-2024-0224 Chromium: CVE-2024-0224 Use after free in WebAudio No No N/A
CVE-2024-0223 Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE No No N/A
CVE-2024-0222 Chromium: CVE-2024-0222 Use after free in ANGLE No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-0057 NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability No No 9.1
CVE-2024-20656 Visual Studio Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21312 .NET Framework Denial of Service Vulnerability No No 7.5
CVE-2024-20672 .NET Core and Visual Studio Denial of Service Vulnerability No No 7.5

Developer Tools Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21319 Microsoft Identity Denial of service vulnerability No No 6.8

Developer Tools SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-0056 Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability No No 8.7

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20674 Windows Kerberos Security Feature Bypass Vulnerability No No 9
CVE-2024-20654 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8
CVE-2024-20682 Windows Cryptographic Services Remote Code Execution Vulnerability No No 7.8
CVE-2024-20683 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20658 Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20653 Microsoft Common Log File System Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20652 Windows HTML Platforms Security Feature Bypass Vulnerability No No 7.5
CVE-2024-21307 Remote Desktop Client Remote Code Execution Vulnerability No No 7.5
CVE-2024-20661 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2024-20657 Windows Group Policy Elevation of Privilege Vulnerability No No 7
CVE-2024-20655 Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability No No 6.6
CVE-2024-21320 Windows Themes Spoofing Vulnerability No No 6.5
CVE-2024-20680 Windows Message Queuing Client (MSMQC) Information Disclosure No No 6.5
CVE-2024-20663 Windows Message Queuing Client (MSMQC) Information Disclosure No No 6.5
CVE-2024-20660 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5
CVE-2024-20664 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5
CVE-2024-21314 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5
CVE-2024-20692 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability No No 5.7
CVE-2024-21311 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5
CVE-2024-21313 Windows TCP/IP Information Disclosure Vulnerability No No 5.3
CVE-2024-20662 Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability No No 4.9
CVE-2024-20691 Windows Themes Information Disclosure Vulnerability No No 4.7

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21318 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-20677 Microsoft Office Remote Code Execution Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20681 Windows Subsystem for Linux Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21309 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20698 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21310 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20686 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20700 Windows Hyper-V Remote Code Execution Vulnerability No No 7.5
CVE-2024-20687 Microsoft AllJoyn API Denial of Service Vulnerability No No 7.5
CVE-2024-20696 Windows Libarchive Remote Code Execution Vulnerability No No 7.3
CVE-2024-20697 Windows Libarchive Remote Code Execution Vulnerability No No 7.3
CVE-2024-20666 BitLocker Security Feature Bypass Vulnerability No No 6.6
CVE-2024-20690 Windows Nearby Sharing Spoofing Vulnerability No No 6.5
CVE-2024-21316 Windows Server Key Distribution Service Security Feature Bypass No No 6.1
CVE-2024-21306 Microsoft Bluetooth Driver Spoofing Vulnerability No No 5.7
CVE-2024-20699 Windows Hyper-V Denial of Service Vulnerability No No 5.5
CVE-2024-20694 Windows CoreMessaging Information Disclosure Vulnerability No No 5.5
CVE-2024-21305 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability No No 4.4
CVE-2024-21325 Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability No No N/A

Windows Mariner vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-35737 MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow No No N/A

Updates

  • 2024-01-09: Added mention of SQLite vulnerability CVE-2022-35737.
  • 2024-01-10: CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability added to CISA KEV.