Two Zero-Day Fixes on Patch Tuesday

Summary

Every second Tuesday of the month, Microsoft releases many security fixes to several of its software solutions, this is known as “Patch Tuesday.” This time around there have been several critical vulnerabilities and zero-days which have been remediated with the recent fixes. A total of two zero-day vulnerabilities and five critical vulnerabilities alongside 60+ other various vulnerabilities of varying severity. This report will only cover the most critical/notable vulnerabilities.

Impact Assessment

Two Actively Exploited Zero Days

• CVE-2024-21412 - (CVSS 3.1- 8.1/7.1)- Internet shortcut files security feature Bypass vulnerability. An unauthenticated attacker could send a user a specific file that would allow the attacker to bypass security checkpoints. However, the attacker must convince the user to click on the file to start the attack.
• CVE-2024-21351- (CVSS 3.1-7.6/6.6) - Windows SmartScreen Security Feature Bypass Vulnerability, an authorized attacker must send a user a corrupted file and have the user open it up. If the attacker can exploit this vulnerability, they will be able to bypass the SmartScreen Security feature. They will also be able to execute code that could lead to data exposure and lack of system availability.

Five Critical severity vulnerabilities

• CVE-2024-21410 – (CVSS 3.1 – 9.8 / 9.1) – Microsoft Exchange Server Elevation of Privilege Vulnerability, an attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf. An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user.
• CVE-2024-21380 – (CVSS 3.1 – 8.0 / 7.0) – Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability, to exploit this vulnerability the attacker would have to convince the user to click on a specifically crafted URL, win a race condition, and be authenticated. If exploited the vulnerability could lead to the attacker gaining the ability to interact with other tenant’s applications and content, they would obtain read, write, and delete functionality, and allow them to access sensitive user data.
• CVE-2024-20684 – (CVSS 3.1 – 6.5 / 5.7) – Windows Hyper-V Denial of Service Vulnerability, if an attacker is successful at exploiting the vulnerability the attacker could affect the functionality of the Hyper-V host.
• CVE-2024-21413 - (CVSS 3.1 - 9.8/8.5) - Microsoft Outlook Remote Code Execution Vulnerability, an attacker could create a link that is able to bypass the Protected View Protocol, which can lead to potential leaking of local NTLM credential information and remote code execution.
• CVE-2024-21357 – (CVSS 3.1 – 7.5 / 6.5) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability, an attacker would have to take additional steps to prepare for the target environment before exploitation. The attack cannot be performed across multiple networks (i.e., a WAN) and would need to be on the same network or on a virtual network.  Microsoft indicates a high impact on confidentiality, integrity, and availability if this vulnerability were to be exploited.

There is a total of 67 other CVEs (Common Vulnerabilities and Exposures) associated with February 2024 Patch Tuesday which has been released by Microsoft. All CVEs can be viewed at the Microsoft Security Update Guide, below there is a list of affected software for all new CVEs associated with the recent updates.

Affected Products/Software

Internet Shortcut Files, Windows SmartScreen ,Microsoft Exchange Server, Microsoft Windows, Windows Message Queuing, Microsoft Azure Kubernetes Service, Azure File Sync, Microsoft Dynamics, Microsoft WDAC OLE DB provider for SQL, Microsoft Office OneNote, Microsoft Office Outlook, Microsoft Windows DNS, Microsoft Teams for Android, Azure Site Recovery, Windows Kernel, Windows LDAP - Lightweight Directory Access Protocol, Microsoft WDAC ODBC Driver, Windows Internet Connection Sharing (ICS), SQL Server, Windows Win32K – ICOMP, Role: DNS Server, Windows USB Serial Driver, Windows Hyper-V, Skype for Business, Microsoft Defender for Endpoint, Trusted Compute Base,  Azure Stack, Microsoft Office, .NET, Azure Active Directory, Microsoft Office Word, Windows OLE, Microsoft ActiveX, Azure Connected Machine Agent, Azure DevOps

What It Means for You

If you are a regular user of Windows, simply checking your operating system for updates and restarting will be all that must be done. However, if you are part of an organization reviewing the affected products list above for any affected products and reviewing and planning to apply the updates to the environment must be done. Not all updates/fixes to the above products are applied through an OS update, but most are.

Remediation

Checking for updates and restarting endpoints for Microsoft Windows devices. Microsoft server devices is different, see the article here on how to upgrade Microsoft server instances.

Most remediations will require a restart of the device after updates are found. For more information about what products are affected and to have updates for each vulnerability please refer to the MSRC links and KB articles from Microsoft. Use the following link to the Microsoft Security Update Guide and search for potential affected products and their associated KB articles. Ensure to select date range and select “Update Tuesday” to search for all relevant KBs and updates. This will allow a more accurate determination of what update each of the affected software requires.

Business Implications

Microsoft patch Tuesday patches 100s of vulnerabilities every year and sheds light on actively exploited vulnerabilities. It is important that these zero-day vulnerabilities are prioritized in an emergency fashion as exploitation of any of these vulnerabilities could be devastating. Microsoft products are one of the most actively used and as a result have many attackers working tirelessly to find and exploit vulnerabilities.

Access Point Technology Recommends

Patch: Patch the Operating Systems of all affected devices and review the affected products list for any other products which could be vulnerable. If so, refer to the MSRC update guide for specific information on patching the vulnerabilities.

Ensure proper cadence: These vulnerabilities should be patched promptly as there are two actively exploited zero days.

Test: It is paramount to test these patches before launching to all users if you are within an organization. Operating System changes can have a significant impact on day-to-day operations.

Rollback: Have a rollback plan in place to ensure that an update will not break the production environment.

Associated Bulletins

https://msrc.microsoft.com/update-guide/

‍