
Microsoft issues fixes for 48 CVEs on first Patch Tuesday for 2024


Microsoft has issued patches for 48 CVEs in its first Patch Tuesday release for the year, with no zero-day or publicly disclosed vulnerabilities among them.

Security vendor Tenable said this count did not include CVE-2022-35737, a vulnerability in SQLite dubbed “Stranger Strings” whose CVE identifier was assigned by MITRE and which was patched upstream in July 2022.

Satnam Narang, senior staff research engineer at Tenable, said this was the second successive Patch Tuesday with no zero-day vulnerabilities (either exploited or publicly disclosed) reported.

“Microsoft patched CVE-2024-21318, a remote code execution vulnerability in Microsoft SharePoint Server," he said.

"An authenticated attacker with Site Owner privileges could exploit this vulnerability, potentially obtaining access to highly sensitive files stored in this cloud-based server.

"Despite the authentication requirement, Microsoft said exploitation of this flaw is more likely. It is credited to researchers at STAR Labs SG Pte. Ltd.

"In September 2023, STAR Labs researchers published a blog post outlining successful chaining of two vulnerabilities in Microsoft SharePoint Server (CVE-2023-29357, CVE-2023-24955)."

Narang advised organisations that use SharePoint Server to apply these patches as soon as possible.

Other vulnerabilities that caught Narang's attention were several elevation of privilege flaws across a number of products, including the Windows Cloud Files Mini Filter Driver (CVE-2024-21310), Common Log File System (CVE-2024-20653), Windows Kernel (CVE-2024-20698) and Win32k (CVE-2024-20683, CVE-2024-20686), all of which are rated Exploitation More Likely.

"These bugs are commonly used as part of post-compromise activity, that is, once attackers have gained an initial foothold onto systems, they would use these vulnerabilities to elevate privileges outside the bounds of current privileges, which are often limited," he explained.

"There is a steady stream of these flaws patched each month, with some having been exploited in the wild as zero-days. While much of the attention is paid to vulnerabilities marked as critical, such as remote code execution bugs or vulnerabilities with CVSS scores above 9, these serve as a reminder of the importance of patching vulnerabilities that are more likely to be exploited by attackers.”

Adam Barnett, lead software engineer at security outfit Rapid7, highlighted CVE-2024-20700, a remote code execution vulnerability in the Windows Hyper-V hardware virtualisation service.

"Microsoft ranks this vulnerability as critical under its own proprietary severity scale," he said. "However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network.

"The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur.

"However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host."

Barnett also pointed to CVE-2024-20674 for which all Windows versions had received a patch. "(This) describes a flaw in the Windows implementation of Kerberos," he elaborated. "By establishing a machine-in-the-middle (MitM), an attacker could trick a client into thinking it is communicating directly with the Kerberos authentication server, and subsequently bypass authentication and impersonate the client user on the network.

"Although exploitation requires an existing foothold on the local network, both the CVSS 3.1 base score of 9.1 and Microsoft’s proprietary severity ranking of critical reflect that there is no requirement for user interaction or prior authentication. Microsoft also notes that it considers exploitation of this vulnerability more likely."

Mike Walters, president and co-founder of risk-based patch management software vendor Action1, said according to the CVSS metric, the attack vector for the Kerberos vulnerability was categorised as “adjacent” (AV:A), indicating that the attacker must first gain access to a restricted network to launch the attack successfully.

"Moreover, successful exploitation could result in a scope change (S:C)," he added. "This indicates that the vulnerability’s impact extends beyond the security scope managed by the authority responsible for the affected component, affecting components managed by different security authorities."

Walters also pointed to CVE-2024-21307, a remote code execution vulnerability in the Remote Desktop Client, normally used for establishing remote desktop connections.

"This vulnerability is classified as a Remote Code Execution with an ‘Important’ severity rating and a CVSS score of 7.5 / 6.5," he noted. "Its successful exploitation poses a significant threat to the confidentiality, integrity, and availability of the system impacted.

"The vulnerability can be exploited remotely over a network connection, as its attack vector is network-based. The CVSS metric assigns a high attack complexity (AC:H) to this vulnerability, suggesting that sophisticated methods, potentially involving a race condition, are required for successful exploitation.

"No user interaction or special privileges are needed for exploitation. This implies that an unauthorised attacker could exploit this vulnerability by waiting for a user to connect to the compromised Remote Desktop Client, thereby enabling the execution of arbitrary code on the target system.

"The scope and impact of this vulnerability remain unchanged, posing a high risk to the system’s confidentiality, integrity, and availability. Exploitation could lead to unauthorised access, data manipulation, and disruption of system operations. The affected operating systems include Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.

"As of the original publication, there have been no demonstrations of proof-of-concept or confirmed exploitations. The maturity of any exploit code is considered unproven. The application of Microsoft’s official fix is recommended for mitigation."
