
Windows Kerberos, Hyper-V vulns among January Patch Tuesday bugs

Microsoft starts 2024 right with another slimline Patch Tuesday drop, but there are some critical vulns to be alert to, including a number of man-in-the-middle attack vectors

Microsoft has released a total of 49 new patches marking the first Patch Tuesday event of 2024, addressing a variety of vulnerabilities across its product estate, among them two critical bugs affecting Windows Kerberos and Windows Hyper-V, but no zero-days or Exchange issues.

This is the second relatively light Patch Tuesday drop in a row: Microsoft addressed barely 30 issues in December 2023, and there were no zero-days to trouble security teams and sysadmins then, either.

The two critical vulnerabilities are tracked as CVE-2024-20674 in Windows Kerberos and CVE-2024-20700 in Windows Hyper-V.

The first of these is a security feature bypass flaw. To take advantage of it, an attacker first positions themselves through a so-called man-in-the-middle (MITM) attack or another method of network spoofing, then sends a malicious Kerberos message to the victim machine while pretending to be the legitimate Kerberos authentication server, and from there gains additional privileges on restricted systems.

“The vulnerability requires the attacker to have access to the same local network as the target,” said Saeed Abbasi, product manager for vulnerability research at the Qualys Threat Research Unit. “It’s not remotely exploitable over the internet but requires proximity to the internal network.

“Also, this breach can spread to areas not directly managed by the compromised system’s security protocols. There is a high likelihood of active exploitation attempts in the near future.

“Beyond standard patching, consider enhancing network monitoring capabilities,” said Abbasi. “Look for unusual patterns or anomalies in network traffic that could indicate a MITM attack or unauthorised Kerberos traffic.”
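As an added illustration of the kind of monitoring Abbasi describes (example code written for this page, not part of the original article or from Qualys or Microsoft), the following Python checks constructed network flow records for Kerberos replies that come from a host outside a placeholder allow-list of known KDCs, and for clients that receive Kerberos answers from more than one server. The addresses, the flow format and the allow-list are all assumptions.

```python
# Added example: flag Kerberos (port 88) replies that do not come from a known KDC.
# The flow records and the KDC allow-list below are constructed placeholders.
from collections import defaultdict, namedtuple

KERBEROS_PORT = 88
# Placeholder: the only hosts that should answer Kerberos on this network.
KNOWN_KDCS = {"10.0.0.10", "10.0.0.11"}

# Minimal 5-tuple flow record, as a sensor export might provide.
Flow = namedtuple("Flow", "src sport dst dport proto")

def is_kerberos_reply(flow):
    # Traffic sourced from port 88 is a KDC answering a client.
    # Heuristic only: an ephemeral client port can occasionally be 88.
    return flow.sport == KERBEROS_PORT and flow.proto in ("udp", "tcp")

def kdc_sources_per_client(flows):
    """Map each client address to the set of hosts that answered it on port 88."""
    seen = defaultdict(set)
    for f in flows:
        if is_kerberos_reply(f):
            seen[f.dst].add(f.src)
    return dict(seen)

def find_suspicious(flows, known_kdcs=KNOWN_KDCS):
    """Return (alert, subject, detail) tuples for KDC-impersonation indicators."""
    alerts = []
    # 1. Any port-88 reply from a host that is not an approved KDC.
    for f in flows:
        if is_kerberos_reply(f) and f.src not in known_kdcs:
            alerts.append(("unknown_kdc_reply", f.src, f.dst))
    # 2. One client answered by several servers, not all approved: consistent
    #    with a spoofed reply racing the genuine KDC's response.
    for client, servers in kdc_sources_per_client(flows).items():
        if len(servers) > 1 and not servers <= known_kdcs:
            alerts.append(("multiple_kdc_sources", client, tuple(sorted(servers))))
    return alerts

# Constructed sample flows: two legitimate exchanges and one spoofed reply.
SAMPLE_FLOWS = [
    Flow("10.0.1.25", 51000, "10.0.0.10", 88, "udp"),  # AS-REQ to a real KDC
    Flow("10.0.0.10", 88, "10.0.1.25", 51000, "udp"),  # genuine AS-REP
    Flow("10.0.1.77", 88, "10.0.1.25", 51000, "udp"),  # workstation posing as the KDC
    Flow("10.0.1.30", 49000, "10.0.0.11", 88, "tcp"),  # TGS-REQ to a real KDC
    Flow("10.0.0.11", 88, "10.0.1.30", 49000, "tcp"),  # genuine TGS-REP
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_FLOWS):
        print(alert)
```

Against the sample flows this raises two alerts: a reply from 10.0.1.77, which is not on the allow-list, and client 10.0.1.25 being answered by both the genuine KDC and the impostor.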


The second critical vulnerability is a remote code execution (RCE) flaw, which Microsoft describes rather more vaguely and which appears to be harder to exploit: a threat actor has to win a race condition to take advantage of it, although once they do, no further privileges or user interaction are needed.

Mike Walters, president and co-founder of Action1, said the vulnerability had implications for the confidentiality, integrity and availability of the targeted system.

“Exploitation could enable an attacker to run arbitrary code with the privileges of the Hyper-V host, potentially compromising the entire system,” he said.

“[But] as of the initial publication, there has been no public disclosure or confirmed instances of this vulnerability being exploited. The maturity of any exploit code remains unproven.”

Meet me in the middle

A third vulnerability of particular note for January is tracked as CVE-2024-0056, a security feature bypass vulnerability in the Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider, another flaw that is exploitable through a MITM attack – a scenario in which a threat actor intercepts messages between two systems that believe they are communicating directly with one another.

“If exploited, an attacker could decrypt, read or modify secure TLS traffic, breaching the confidentiality and integrity of data,” said Qualys’ Abbasi. “Also, the attacker could leverage it to exploit the SQL Server through the SQL Data Provider, potentially affecting the SQL Server itself.

“The successful exploitation of this vulnerability may not be limited to the initially compromised component,” he said. “Nonetheless, the high complexity of the attack implies that taking advantage of this vulnerability is a complex task. If exploited, this vulnerability could result in data breaches, compromise data integrity and lead to unauthorised access to sensitive information.” 

As an additional step, Abbasi advised defenders to strengthen network security to make MITM attacks more complex using secure network protocols, enhanced monitoring and more robust firewall rules.

End of the line

The January 2024 Patch Tuesday also marks the point at which a number of Microsoft products and services transition out of mainstream security support and enter extended support.

These include Exchange Server 2019, Hyper-V Server 2019, SharePoint Server 2019, Skype for Business 2019 clients and servers, Dynamics SL 2018 and Project Server 2019, as well as parts of Windows 10: Enterprise LTSC 2019, IoT Core LTSC 2019, IoT LTSC 2019 Core, Windows Server 2019, Windows Server IoT 2019, and Windows Server IoT 2019 for Storage.

“During the extended support lifecycle phase, Microsoft continues to provide security updates, but does not typically release new features. Extended support is not available for Microsoft consumer products,” said Rapid7 lead software engineer Adam Barnett.
