The January 2024 Security Update Review

January 09, 2024 | Dustin Childs

Welcome to the first patch Tuesday of 2024. As expected, Microsoft and Adobe have released their latest security patches. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Adobe Patches for January 2024

For January, Adobe released a single patch addressing six CVEs in Substance 3D Stager. All six bugs are rated Important with the most severe allowing arbitrary code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for January 2024

This month, Microsoft released 49 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; and Internet Explorer. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 53.

Of the new patches released today, two are rated Critical and 47 are rated Important in severity. This release is coincidentally the same number of CVEs addressed in both the January 2019 and January 2020 releases.

None of the CVEs released today are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a security feature bypass in Kerberos:

- CVE-2024-20674 – Windows Kerberos Security Feature Bypass Vulnerability
This is the highest-rated CVSS for this month and one of the two Critical-rated patches. The bug would allow an unauthenticated attacker to perform a machine-in-the-middle (MitM) that spoofs a Kerberos server. An affected client would receive what they believe to be authentic messages from the Kerberos authentication server. While this would certainly take some setting up, Microsoft does give the bug its highest exploitability index rating (1), which means they expect to see public exploit code within 30 days. Make sure to test and deploy this update quickly.

- CVE-2024-20700 – Windows Hyper-V Remote Code Execution Vulnerability
This is the other Critical-rated patch for January, although “remote” in this case actually means network adjacent. Microsoft doesn’t provide much of a description beyond that, so it’s not clear how the code execution would occur. However, they do note that neither authentication nor user interaction is required, which makes this vulnerability quite juicy to exploit writers. Although winning a race condition is required for successful exploitation, we’ve seen plenty of Pwn2Own winners use race conditions in their exploits.

- CVE-2024-0056 – Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
Besides being a mouthful of a title, this SFB bug could allow an MITM attacker to decrypt, read, or modify TLS traffic between an affected client and server. If you happen to be using these data providers, you’ll also need to take additional steps to be fully protected. The bulletin lists the additional NuGet packages you’ll need to load to completely resolve this vulnerability. Microsoft links to an article that claims to provide further information on the steps admins need to take to be protected, but as of now, that link leads nowhere. I’ll update the blog once they update the link to something relevant. Note: Microsoft has updated the link to point to the article here.

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability | Critical | 9 | No | No | SFB |
| CVE-2024-0057 | .NET and Visual Studio Framework Security Feature Bypass Vulnerability | Important | 8.4 | No | No | SFB |
| CVE-2024-20672 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21312 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21319 | Microsoft Identity Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
| CVE-2024-20676 | Azure Storage Mover Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2024-20666 | BitLocker Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB |
| CVE-2024-21305 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2024-20652 | Internet Explorer Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2024-20687 | Microsoft AllJoyn API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21306 | Microsoft Bluetooth Driver Spoofing Vulnerability | Important | 5.7 | No | No | Spoofing |
| CVE-2024-20653 | Microsoft Common Log File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20692 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2024-20661 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-20660 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2024-20664 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2024-21314 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2024-20654 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2024-20677 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-20655 | Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-20658 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-0056 † | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability | Important | 8.7 | No | No | SFB |
| CVE-2022-35737 * | MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow | Important | 7.5 | No | No | RCE |
| CVE-2024-21307 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2024-20656 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20683 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20694 | Windows CoreMessaging Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2024-21311 | Windows Cryptographic Services Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2024-20682 | Windows Cryptographic Services Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-20657 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-20699 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21309 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20696 | Windows Libarchive Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2024-20697 | Windows Libarchive Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2024-20680 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important | 6.5 | No | No | Info |
| CVE-2024-20663 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important | 6.5 | No | No | Info |
| CVE-2024-20690 | Windows Nearby Sharing Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2024-20662 | Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability | Important | 4.9 | No | No | Info |
| CVE-2024-21316 | Windows Server Key Distribution Service Security Feature Bypass | Important | 6.1 | No | No | SFB |
| CVE-2024-20681 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21313 | Windows TCP/IP Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2024-20691 | Windows Themes Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2024-21325 | Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-21320 | Windows Themes Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2024-0222 * | Chromium: CVE-2024-0222 Use after free in ANGLE | High | N/A | No | No | RCE |
| CVE-2024-0223 * | Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE | High | N/A | No | No | RCE |
| CVE-2024-0224 * | Chromium: CVE-2024-0224 Use after free in WebAudio | High | N/A | No | No | RCE |
| CVE-2024-0225 * | Chromium: CVE-2024-0225 Use after free in WebGPU | High | N/A | No | No | RCE |

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.
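A small triage helper, added here as an example (not part of the original post), that parses rows in the flattened format of the table above and pulls out the advisories to deploy first: Critical ratings, anything exploited or public, high CVSS, and the † rows whose patch alone is not a complete fix. The sample rows are a subset copied from that table; the 8.0 CVSS floor is an assumed local policy.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: a subset of rows copied from the table above, in its flattened format.
SAMPLE_ROWS = """\
CVE-2024-20700 Windows Hyper-V Remote Code Execution Vulnerability Critical 7.5 No No RCE
CVE-2024-20674 Windows Kerberos Security Feature Bypass Vulnerability Critical 9 No No SFB
CVE-2024-0056 † Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability Important 8.7 No No SFB
CVE-2022-35737 * MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow Important 7.5 No No RCE
CVE-2024-20691 Windows Themes Information Disclosure Vulnerability Important 4.7 No No Info
CVE-2024-0222 * Chromium: CVE-2024-0222 Use after free in ANGLE High N/A No No RCE
"""

# One row: CVE id, optional * or † marker, free-text title, then the fixed trailing columns.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s*(?P<flag>[*†]?)\s+(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low|High)\s+(?P<cvss>\d+(?:\.\d+)?|N/A)\s+"
    r"(?P<public>Yes|No)\s+(?P<exploited>Yes|No)\s+(?P<kind>\w+)$")

@dataclass
class Advisory:
    cve: str
    title: str
    severity: str
    cvss: "float | None"   # None for the Chromium rows, which carry no CVSS in the table
    public: bool
    exploited: bool
    kind: str              # RCE, EoP, SFB, DoS, Info, Spoofing
    third_party: bool      # '*' rows: issued by a third party, folded into the release
    admin_action: bool     # '†' rows: the patch alone does not fully resolve the bug

def parse_table(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        cvss = None if m["cvss"] == "N/A" else float(m["cvss"])
        rows.append(Advisory(m["cve"], m["title"], m["severity"], cvss, m["public"] == "Yes",
                             m["exploited"] == "Yes", m["kind"], m["flag"] == "*", m["flag"] == "†"))
    return rows

def count_by_type(rows) -> Counter:
    """Tally by bug class (RCE, EoP, ...), the way the post groups its discussion."""
    return Counter(r.kind for r in rows)

def deploy_first(rows, cvss_floor: float = 8.0) -> list:
    """Exploited/public bugs, Critical ratings, CVSS >= floor, and † rows (extra admin steps)."""
    picked = [r for r in rows if r.exploited or r.public or r.severity == "Critical"
              or (r.cvss is not None and r.cvss >= cvss_floor) or r.admin_action]
    # Highest CVSS first; unscored rows sort last, ties broken by CVE id.
    return sorted(picked, key=lambda r: (-(r.cvss or 0.0), r.cve))
```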

Moving on to the other code execution bugs, most are of the “open and own” variety, where an attacker must convince a user to open a malicious file or browse to a specially crafted site to get arbitrary code execution. However, there are a couple of fixes that stand out. The first is an RCE in Office through FBX files. Microsoft is taking the unusual step of disabling that file type from being embedded within Office documents. However, they note “3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time.” Here are some additional details about this change.

According to Microsoft, you may not need the fix for the Printer Metadata Troubleshooter if you’ve already installed the tool listed in KB5034510. I would still apply the update to ensure the problem is fully addressed. There’s a fix for an RCE in RDP, but it’s in the client, not the server, so that greatly reduces the threat of exploitation. The one Azure-related code execution bug requires specific privileges to be exploited. The SharePoint bug requires authentication, but anyone on the SharePoint site has the privileges needed to exploit this bug and take over the system. The bug in ODBC requires connecting to a malicious database. The bugs in Libarchive require the attacker to be authenticated as a guest user on the target system. The final RCE fix is found in OCSP. This bug requires an authenticated user to be assigned the “manage online responder” permission, which is typically reserved for privileged users. Still, now may be a good time to audit your domain to confirm which users have this permission.

There are only ten elevation of privilege (EoP) patches in this month’s release, and all but one of them require an attacker to run a specially crafted program on an affected system and lead to executing code at SYSTEM level. These types of bugs are usually paired with a code execution bug in the wild to take over a system. The lone exception to this is the bug in the Virtual Hard Disk, which could allow an attacker to escalate privileges when processing “.vhdx” files in the kernel.

Looking at the 11 different information disclosure bugs in this release, the majority of these merely result in info leaks consisting of unspecified memory contents. There are only two notable exceptions. The first is in Local Security Authority Subsystem Service (LSASS) and could allow an attacker to gain network secrets when an affected client connects to an AD Domain Controller. Microsoft notes this could be done by either sniffing traffic on a network or by running a malicious script. I don’t expect to see a lot of exploitation of this vulnerability, but it would be an interesting method of lateral movement after an initial compromise. The bug in TCP/IP requires an MITM attacker, but successful exploitation could lead to revealing unencrypted contents of IPsec packets from other sessions on a server.

In addition to the two I’ve already mentioned, there are five additional SFB patches released this month. The patch for .NET Framework and Visual Studio fixes a bug that could allow attackers to improperly validate X.509 certificates. That’s similar to the bug in the Windows Server Key Distribution Service. The bug in Hypervisor-Protected Code Integrity (HVCI) is specific to certain Microsoft Surface devices. The vulnerability incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with HVCI enabled. As expected, the bypass for BitLocker allows an attacker to bypass BitLocker protections. And you may have thought it was completely gone, but there’s a patch for Internet Explorer that addresses a bug that could allow bypassing zone restrictions.

The January release includes six fixes for denial-of-service (DoS) bugs, but Microsoft does not provide any real information for most of them. The bug in Hyper-V could allow a guest OS to somehow impact other guest OSes on the same hypervisor.

Lastly, there are four spoofing bugs receiving fixes this month. The bug in the Nearby Sharing feature could be triggered by an attacker with a similarly-named machine. I would love to see additional details on this one and find out how close the machine names need to be. The bug in the Azure Stack requires clicking a specially crafted URL. User interaction is also required for the Themes bug, but Microsoft notes you can disable NTLM as a mitigation. You’re not actually using NTLM, are you? You can also add a group policy to restrict outgoing NTLM traffic to remote servers. The bug in Bluetooth requires the attacker to both be in close proximity to a target and have a paired Bluetooth device.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2024 will be on February 13, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!