Microsoft fixes critical flaws in Windows Kerberos, Hyper-V (CVE-2024-20674, CVE-2024-20700)

For January 2024 Patch Tuesday, Microsoft has released fixes for 49 CVE-numbered vulnerabilities, two of which are critical: CVE-2024-20674 and CVE-2024-20700.

None of the vulnerabilities fixed this time aroundare under active exploitation or have been previously publicly disclosed.

The critical fixes (CVE-2024-20674, CVE-2024-20700)

CVE-2024-20674 is a security feature bypass vulnerability that may allow attackers to impersonate Windows’ Kerberos server.

“An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server,” Microsoft explains.

Though an attacker must first gain access to the restricted network before running an attack, Microsoft thinks that the likelihood of attackers exploiting this flaw is considerable and the complexity of attack is low, and has therefore urged admins to prioritize testing and deploying this patch.

CVE-2024-20700 is a remote code execution flaw in Windows’ Hyper-V native hypervisor. Once again, an attacker first needs to gain access to the restricted network before deploying an exploit for this flaw. But they would also need to win a race condition.

As noted by Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, “we’ve seen plenty of Pwn2Own winners use race conditions in their exploits” – but this requirement makes a successful attack more difficult.

Other fixes to implement sooner rather than later

Satnam Narang, senior staff research engineer at Tenable, singled out CVE-2024-21318, a remote code execution vulnerability in Microsoft SharePoint Server.

“An authenticated attacker with Site Owner privileges could exploit this vulnerability, potentially obtaining access to highly sensitive files stored in this cloud-based server. Despite the authentication requirement, Microsoft says exploitation of this flaw is more likely. Organizations that use SharePoint Server should apply these patches as soon as possible,” he told Help Net Security.

Other vulnerabilities deemed more likely to be exploited are several elevation of privilege vulnerabilities in Windows Clouds Files Mini Filter Driver (CVE-2024-21310), Common Log File System (CVE-2024-20653), Windows Kernel (CVE-2024-20698) and Win32k (CVE-2024-20683, CVE-2024-20686), Narang also pointed out.

Finally, Microsoft has fixed CVE-2024-20677, a vulnerability in Microsoft Office that could lead to remote code execution via FBX files.

“An attacker who successfully exploits this vulnerability could perform a remote attack that could enable access to the victim’s information and the ability to alter information. Successful exploitation could also potentially cause downtime for the targeted environment,” says Microsoft.

The company fixed this flaw by disabling the ability to insert FBX files in Word, Excel, PowerPoint and Outlook for Windows and Mac.

“3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time,” Microsoft added.