Last updated at Fri, 23 Feb 2024 21:35:59 GMT
Microsoft is addressing 49 vulnerabilities this January 2024 Patch Tuesday, including a single critical remote code execution vulnerability. Four browser vulnerabilities were published separately this month, and are not included in the total. No zero-day vulnerabilities are published or patched today.
Hyper-V: critical remote code execution
CVE-2024-20700 describes a remote code execution vulnerability in the Windows Hyper-V hardware virtualization service. Microsoft ranks this vulnerability as critical under its own proprietary severity scale. However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network. The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur. However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host.
FBX 3D models in Office: arbitrary code execution
A patch for Microsoft Office disables the ability to insert 3D models from FBX (Filmbox) files into Office documents to guard against exploitation of CVE-2024-20677, which Microsoft describes as an arbitrary code execution. Exploitation would involve an Office user interacting with a malicious FBX file, and could lead to information disclosure or downtime. Models already present in documents will continue to function as before, unless the “Link to File” option was chosen upon insertion. In a related blog post, Microsoft recommends avoiding FBX and instead making use of the GLB 3D file format from now on. The blog post also provides instructions on a registry modification which re-enables the ability to insert FBX files into Office documents, although Microsoft strongly recommends against this. Silver lining: the Preview Pane is not a vector for CVE-2024-20677. Both the Windows and Mac editions of Office are vulnerable until patched.
SharePoint: remote code execution
SharePoint admins should take note of CVE-2024-21318, which was added to CISA KEV on 2024-01-10. Successful exploitation allows an attacker with existing Site Owner permissions to execute code in the context of the SharePoint Server. Many SharePoint RCE vulnerabilities require only Site Member privileges, so the requirement for Site Owner here does provide some small comfort, but the potential remains that CVE-2024-21318 could be abused either by a malicious insider or as part of an exploit chain. The advisory does mention that exploitation requires that an attacker must already be authenticated as “at least a Site Owner,” although it’s not clear what level of privilege above Site Owner is implicated here; a user with SharePoint Administrator or Microsoft 365 Global Administrator role could certainly assign themselves the Site Owner role.
Windows Kerberos: MitM security feature bypass
All current versions of Windows receive a patch for CVE-2024-20674, which describes a flaw in the Windows implementation of Kerberos. By establishing a machine-in-the-middle (MitM), an attacker could trick a client into thinking it is communicating directly with the Kerberos authentication server, and subsequently bypass authentication and impersonate the client user on the network. Although exploitation requires an existing foothold on the local network, both the CVSS 3.1 base score of 9.1 and Microsoft’s proprietary severity ranking of critical reflect that there is no requirement for user interaction or prior authentication. Microsoft also notes that it considers exploitation of this vulnerability more likely.
Exchange: no security patches two months in a row
Exchange admins bracing themselves for extra security patches this month after the lack of Exchange security patches last month are once again given a reprieve: there are no security patches for Exchange released today.
Better SQLite than never
The January 2024 Windows security updates include a patch for CVE-2022-35737, a vulnerability in SQLite versions prior to 3.39.2 first disclosed way back in August 2022. It's not clear why Microsoft has chosen to patch this now, but it's a welcome development nevertheless. Patch Tuesday watchers wondering why Windows comes with bundled SQLite may be interested to know that the WinUI library UX development framework provides SQLite interaction functionality, and the documentation mentions that SQLite is included with all supported versions of Windows.
Microsoft products lifecycle update
A number of Microsoft products transition from mainstream support to extended support as of today: Exchange Server 2019, Hyper-V Server 2019, SharePoint Server 2019, Skype for Business 2019 (both client and server), as well as various facets of Windows 10: Enterprise LTSC 2019, IoT Core LTSC, IoT Enterprise LTSC 2019, IoT LTSC 2019 Core, Windows Server 2019, Windows Server IoT 2019, and Windows Server IoT 2019 for Storage. Also moving to extended support: Dynamics SL 2018 and Project Server 2019. During the extended support lifecycle phase, Microsoft continues to provide security updates, but does not typically release new features. Extended support is not available for Microsoft consumer products.
Today marks the end of the road for Microsoft Dynamics CRM 2013, which moves past the end of extended support. No ESU program is available, so admins must move to a newer version of Dynamics CRM to continue receiving security updates.
Summary Charts
Summary Tables
Azure vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-20676 | Azure Storage Mover Remote Code Execution Vulnerability | No | No | 8 |
Browser vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-0225 | Chromium: CVE-2024-0225 Use after free in WebGPU | No | No | N/A |
| CVE-2024-0224 | Chromium: CVE-2024-0224 Use after free in WebAudio | No | No | N/A |
| CVE-2024-0223 | Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE | No | No | N/A |
| CVE-2024-0222 | Chromium: CVE-2024-0222 Use after free in ANGLE | No | No | N/A |
Developer Tools vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-0057 | NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability | No | No | 9.1 |
| CVE-2024-20656 | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-21312 | .NET Framework Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-20672 | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 |
Developer Tools Azure vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-21319 | Microsoft Identity Denial of service vulnerability | No | No | 6.8 |
Developer Tools SQL Server vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-0056 | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability | No | No | 8.7 |
ESU Windows vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability | No | No | 9 |
| CVE-2024-20654 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2024-20682 | Windows Cryptographic Services Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2024-20683 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20658 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20653 | Microsoft Common Log File System Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20652 | Windows HTML Platforms Security Feature Bypass Vulnerability | No | No | 7.5 |
| CVE-2024-21307 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-20661 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-20657 | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2024-20655 | Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2024-21320 | Windows Themes Spoofing Vulnerability | No | No | 6.5 |
| CVE-2024-20680 | Windows Message Queuing Client (MSMQC) Information Disclosure | No | No | 6.5 |
| CVE-2024-20663 | Windows Message Queuing Client (MSMQC) Information Disclosure | No | No | 6.5 |
| CVE-2024-20660 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2024-20664 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2024-21314 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2024-20692 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | No | No | 5.7 |
| CVE-2024-21311 | Windows Cryptographic Services Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2024-21313 | Windows TCP/IP Information Disclosure Vulnerability | No | No | 5.3 |
| CVE-2024-20662 | Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability | No | No | 4.9 |
| CVE-2024-20691 | Windows Themes Information Disclosure Vulnerability | No | No | 4.7 |
Microsoft Office vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2024-20677 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
Windows vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2024-20681 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-21309 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-20687 | Microsoft AllJoyn API Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2024-20696 | Windows Libarchive Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2024-20697 | Windows Libarchive Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2024-20666 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.6 |
| CVE-2024-20690 | Windows Nearby Sharing Spoofing Vulnerability | No | No | 6.5 |
| CVE-2024-21316 | Windows Server Key Distribution Service Security Feature Bypass | No | No | 6.1 |
| CVE-2024-21306 | Microsoft Bluetooth Driver Spoofing Vulnerability | No | No | 5.7 |
| CVE-2024-20699 | Windows Hyper-V Denial of Service Vulnerability | No | No | 5.5 |
| CVE-2024-20694 | Windows CoreMessaging Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2024-21305 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | No | No | 4.4 |
| CVE-2024-21325 | Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability | No | No | N/A |
Windows Mariner vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-35737 | MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow | No | No | N/A |
Updates
- 2024-01-09: Added mention of SQLite vulnerability CVE-2022-35737.
- 2024-01-10: CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability added to CISA KEV.
