Microsoft Patch Tuesday - January 2024

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Microsoft January 2024 Patch Tuesday: One critical remote code execution (RCE) vulnerability and four browser flaws were addressed as part of 49 total security vulnerabilities patched by Microsoft. The highlighted vulnerabilities are summarised below:

An RCE vulnerability in the Windows Hyper-V hardware virtualisation service, tracked as CVE-2024-20700, has a high-severity score (CVSS 3.1 score: 7.5) but is designated as critical under Microsoft’s own severity rating. The lower rating on the Common Vulnerability Scoring System (CVSS) scale is likely due to the complexity of the attack and the fact that the setup is non-deterministic, requiring a specific outcome from a race condition. The attack also requires a threat actor to have access to the target’s restricted network.

Filmbox 3D models (FBX files) can no longer be inserted into Microsoft Office documents, a step taken to defend against exploitation of the arbitrary code execution flaw tracked as CVE-2024-20677 (CVSS 3.1 score: 7.8). Models which were statically inserted into old Office documents continue to be vulnerable to this exploit, since this patch does not remove FBX files from existing documents. However, models which were inserted using the ‘link to file’ option will no longer be inserted into existing documents, since these would have been accessed dynamically as required. Microsoft advises using the GLB 3D file format instead. FBX files can still be added to Office documents if this patch is circumvented using a registry modification, an option that Microsoft strongly advises against.

SharePoint servers are vulnerable to an RCE vulnerability, tracked as CVE-2024-21318 (CVSS 3.1 score: 8.8). Unlike several previous SharePoint RCE flaws, this CVE requires the threat actor to attain site administrator privileges or higher. This site owner requirement means that this vulnerability would likely be exploited as part of an exploit chain or as part of insider threat operations.

A critical-severity Kerberos security feature bypass flaw, tracked as CVE-2024-20674 (CVSS 3.1 score: 9.1), was patched for all current Windows versions. Successful compromise requires a threat actor to have an established presence on the target network; however, no prior authentication is required. Traffic could reach the threat actor’s malicious host through a machine-in-the-middle attack or through other local network spoofing techniques. The critical severity score for this vulnerability reflects the wide scope of impacted resources, with Microsoft noting that this vulnerability is ‘more likely’ to be exploited.

An August 2022 RCE vulnerability for SQLite, tracked as CVE-2022-35737 (CVSS 3.1 score: 7.5), was also patched within the January 2024 disclosure. Remediations relating to this patch were present in SQLite versions 3.39.2 or below.

Impact

Successful exploitation of CVE-2024-20700 would likely allow a threat actor on the same subnet as the hypervisor to execute code in a SYSTEM context on the Hyper-V host.

Successful exploitation of CVE-2024-20677 would require a threat actor to interact with a malicious FBX file as an Office user, likely resulting in information disclosure or downtime.

Successful exploitation of CVE-2024-21318 would almost certainly allow an authenticated threat actor with Site Owner permission to inject and subsequently execute arbitrary code within the context of the target SharePoint Server.

Successful exploitation of CVE-2024-20674 would likely allow a threat actor to bypass authentication and impersonate the client user on the network by establishing a machine-in-the-middle (MITM) attack and subsequently sending a malicious Kerberos message to the target machine to spoof itself as the Kerberos authentication server.

In summary, it is likely that the exploitation of the vulnerabilities outlined above would lead to a total loss of confidentiality, availability, and integrity of data.

Vulnerability Detection

Security patches for these vulnerabilities have been released by Microsoft. Previous product versions, therefore, remain vulnerable to potential exploitation.

Affected Products

A full list of the affected products pertaining to the January 2024 Patch Tuesday can be found on the Microsoft January 2024 Security Update page.

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the respective Microsoft products as soon as possible. The patches can be found directly at the Microsoft Patch Tuesday January 2024 Security Guide.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Last month, Microsoft published remediations for 42 security flaws within the December 2023 Patch Tuesday release, including one zero-day flaw and eight RCE vulnerabilities. Moving into the January disclosure, RCE and privilege escalation vulnerabilities continue to be the leading attack vectors, accounting for 24.5% and 20.4% of disclosed issues respectively, a trend that has continued from last month. Overall, the January 2024 Patch Tuesday disclosure covered fewer vulnerabilities, correlating to a lower number of products, than in recent times, a trend that has emerged since the November 2023 Patch Tuesday release.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Tactics:

TA0002 – Execution

TA0004 – Privilege Escalation