Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security

A second, easy-to-exploit critical security vulnerability in Microsoft's first 2024 Patch Tuesday allows RCE within Hyper-Virtualization.

[Image: Concept illustration of bug in software code. Source: Andrii Yalanskyi via Shutterstock]

Microsoft eased enterprise security teams into 2024 with a relatively light January security update consisting of patches for 48 unique CVEs, just two of which the company identified as being of critical severity.

For the second straight month, Microsoft's Patch Tuesday did not include any zero-day bugs, meaning administrators won't have to contend with any new vulnerabilities that attackers are actively exploiting at the moment — something that happened frequently in 2023.

Just Two Critical Severity Bugs

As is typically the case, the CVEs that Microsoft disclosed Jan. 9 affected a wide range of its products and included privilege escalation vulnerabilities, remote code execution flaws, security bypass bugs, and other vulnerabilities. The company classified 46 of the flaws as being of Important severity, including several that attackers were more likely than not to exploit.

One of two critical severity bugs in Microsoft's latest update is CVE-2024-20674, a Windows Kerberos security feature bypass vulnerability that allows attackers to bypass authentication mechanisms and launch impersonation attacks. "Attackers can exploit this flaw via a machine-in-the-middle (MitM) attack," says Saeed Abbasi, manager of vulnerability research at Qualys in comments to Dark Reading. "They achieve this by setting up a local network spoofing scenario and then sending malicious Kerberos messages to trick a client machine into believing they are communicating with a legitimate Kerberos authentication server."

The vulnerability requires the attacker to have access to the same local network as the target. It's not remotely exploitable over the Internet and requires proximity to the internal network. Even so, there is a high likelihood of active exploitation attempts in the near future, Abbasi says.

Ken Breen, senior director of threat research at Immersive Labs, identified CVE-2024-20674 as a bug that organizations would do well to patch quickly. "These kinds of attack vectors are always valuable to threat actors like ransomware operators and access brokers," because they enable significant access to enterprise networks, according to a statement from Breen.

The other critical vulnerability in Microsoft's latest batch of security updates is CVE-2024-20700, a remote code execution vulnerability in Windows Hyper-Virtualization technology. The vulnerability is not especially easy to exploit because, to do so, an attacker would first need to already be inside the network and adjacent to a vulnerable computer, according to a statement from Ben McCarthy, lead cybersecurity engineer at Immersive Labs.

The vulnerability also involves a race condition — a type of issue that's harder for an attacker to exploit than many other vulnerability types. "This vulnerability has been released as exploitation less likely but because Hyper-V runs as the highest privileges in a computer, it is worth thinking about patching," McCarthy said.

High-Priority Remote Code Execution Bugs

Security researchers pointed to two other RCE bugs in the January update that merit priority attention: CVE-2024-21307 in Windows Remote Desktop Client and CVE-2024-21318 in SharePoint Server.

Microsoft identified CVE-2024-21307 as a vulnerability that attackers are more likely to exploit but has provided little information on why, according to Breen. The company has noted that unauthorized attackers need to wait for a user to initiate a connection to be able to exploit the vulnerability.

"This means that the attackers have to create a malicious RDP server and use social engineering techniques in order to trick a user into connecting," Breen said. "This is not as difficult as it sounds, as malicious RDP servers are relatively easy for attackers to set up and then sending .rdp attachments in emails means a user only has to open the attachment to trigger the exploit."
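As an added illustration of the defensive side of the .rdp-attachment scenario described above (example code, not from the article or any vendor), the following scans the text of an .rdp file, pulls out the target in its "full address" setting, and flags it when the host is outside an allowlist or when the file turns on device redirections that would expose the client to the server. The allowlist and the sample file are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of the hosts users are expected to reach over RDP (assumption).
ALLOWED_RDP_HOSTS = {"rds.corp.example", "jump01.corp.example"}

# .rdp settings that hand client resources to the remote server once a session is up.
RISKY_REDIRECTS = ("drivestoredirect", "redirectclipboard", "redirectprinters", "redirectsmartcards")

@dataclass
class RdpVerdict:
    target: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

def parse_rdp(text: str) -> dict:
    """Parse the key:type:value lines of a .rdp file into {key: value} (type tag dropped)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([si]):(.*)$", line.strip())
        if m:
            settings[m.group(1).lower()] = m.group(3)
    return settings

def host_of(full_address: str) -> str:
    """Strip an optional :port from a 'full address' value; handles [ipv6]:port too."""
    addr = full_address.strip()
    if addr.startswith("[") and "]" in addr:
        return addr[1:addr.find("]")]
    return addr.split(":")[0]

def assess_rdp(text: str) -> RdpVerdict:
    """Return a verdict with one reason per finding; an empty reason list means it looks benign."""
    settings = parse_rdp(text)
    target = settings.get("full address", "")
    verdict = RdpVerdict(target)
    host = host_of(target).lower()
    if not host:
        verdict.reasons.append("no full address in file")
    elif host not in ALLOWED_RDP_HOSTS:
        verdict.reasons.append(f"target {host} not in RDP allowlist")
    for key in RISKY_REDIRECTS:
        value = settings.get(key, "")
        if value not in ("", "0"):          # "" = unset, "0" = explicitly disabled
            verdict.reasons.append(f"{key}={value} exposes client resources to the server")
    return verdict

# Constructed sample attachment pointing at a documentation-range address (not a real indicator).
SAMPLE_RDP = "screen mode id:i:2\nfull address:s:203.0.113.10:3389\ndrivestoredirect:s:*\nredirectclipboard:i:1\nusername:s:helpdesk\n"
```

A mail gateway or EDR hook could call `assess_rdp` on each .rdp attachment and quarantine or alert on `suspicious` verdicts before a user ever opens the file.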

A Few More Exploitable Privilege Escalation Bugs

Microsoft's January update included patches for several privilege escalation vulnerabilities. Among the most severe of them is CVE-2023-21310, a privilege escalation bug in the Windows Cloud Files Mini Filter Driver. The flaw is very similar to CVE-2023-36036, a zero-day privilege escalation vulnerability in the same technology, which Microsoft disclosed in its November 2023 security update.

Attackers actively exploited that flaw to try and gain system level privileges on local machines — something they can do with the newly disclosed vulnerability as well. "This type of privilege escalation step is frequently seen by threat actors in network compromises," Breen said. "It can enable the attacker to disable security tools or run credential dumping tools like Mimikatz that can then enable lateral movement or the compromise of domain accounts."

Some of the other important privilege escalation bugs included CVE-2024-20653 in the Windows Common Log File System, CVE-2024-20698 in the Windows Kernel, and CVE-2024-20683 and CVE-2024-20686 in Win32k. Microsoft has rated all of these flaws as issues attackers are more likely to exploit, according to a statement from Satnam Narang, senior staff research engineer at Tenable. "These bugs are commonly used as part of post-compromise activity," he said. "That is, once attackers have gained an initial foothold onto systems."

Among the flaws that Microsoft ranked as important, but which need quick attention, is CVE-2024-0056, a security feature bypass in SQL, Abbasi says. The flaw enables an attacker to perform a machine-in-the-middle attack, intercepting and potentially altering TLS traffic between a client and server, he notes. "If exploited, an attacker could decrypt, read, or modify secure TLS traffic, breaching the confidentiality and integrity of data." Abbasi says that an attacker could also leverage the flaw to exploit SQL Server via the SQL Data Provider.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
