Introduction

On February 13, 2024, Microsoft released their monthly Patch Tuesday security updates, totaling 73 new Microsoft CVEs, including 2 zero-day vulnerabilities, and 1 non-Microsoft security update. Below we discuss the vulnerabilities of the highest severity, based on our analysis.

Our process for analyzing and rating Patch Tuesday draws on our Red and Blue teaming experience to distill the full list into the vulnerabilities that need patching immediately versus those that can wait for your normal patching cycle. Not every highly rated CVE should be considered Critical, just as a lower CVSS score may describe a vulnerability that is actually Critical based on ease of exploitation, exposure of the vulnerable component, and other key factors.

Also keep in mind that, in your specific environment, even our ratings may need adjustment.

Below are the vulnerabilities we consider important this month.

Zero-day Vulnerabilities (2)

CVE-2024-21412 – Internet Shortcut Files Security Feature Bypass Vulnerability

Description – Allows attackers to bypass security features related to Internet Shortcut files by nesting .lnk files inside each other, bypassing SmartScreen. Used in a chain with CVE-2024-21351.

  • Affected Software: Any recent Windows OS version (10, 11, Server 2019, etc.)
  • Severity: Moderate
  • CVSS Score: 8.1
  • Type: Security Feature Bypass
  • Details: This is a social engineering attack. An attacker would send the targeted user a specially crafted file designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the content. Instead, the attacker would have to convince them to take action by clicking on the file link.
  • MITRE ATT&CK Mappings: T1553.002, T1200


CVE-2024-21351 – Windows SmartScreen Security Feature Bypass Vulnerability

Description – Ongoing exploitation of this vulnerability has been observed in the wild. Attackers are manipulating the zone identifier alternate data stream attached to a file in order to deceive Windows SmartScreen during its reputation check. This manipulation has the potential to let malicious files circumvent Windows SmartScreen and execute harmful code. This newly identified vulnerability is expected to be leveraged in the final stages of phishing attacks.

OSec strongly advises organizations dependent on Microsoft Defender and SmartScreen for their endpoint protection to promptly apply the available patch to mitigate this risk.


  • Affected Software: MS Defender SmartScreen
  • Severity: Moderate
  • CVSS Score: 7.6
  • Type: Security Feature Bypass
  • Details: When downloading a file, Windows adds the zone identifier, also known as the Mark of the Web, as an NTFS alternate data stream (ADS) on the file. When the file is run, Windows SmartScreen checks whether a zone identifier ADS is attached to it; if the ADS indicates ZoneId=3, SmartScreen performs a reputation check. If the file is a nested .lnk file, this is sufficient to bypass Microsoft SmartScreen (CVE-2024-21412).
  • MITRE ATT&CK Mappings: T1211, T1566.001, T1553.002, T1204.002
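As an added example (not code from the article or from OSec), the following Python script shows what the zone identifier stream described above looks like and how a defender can audit files for it: it parses the INI-style contents of the Zone.Identifier alternate data stream, classifies each file as carrying an Internet-zone mark (ZoneId=3, reputation check applies), a non-Internet mark, a malformed mark, or no mark at all, and can read the real stream from a file on an NTFS volume when run on Windows. The stream layout (a [ZoneTransfer] section with ZoneId, ReferrerUrl and HostUrl keys) and the zone numbering follow Windows' documented behaviour; the sample stream contents and file names are constructed for the demonstration.

```python
import sys
from typing import Dict, Optional, Tuple

# Well-known URL security zone numbers as written into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> Optional[Dict[str, str]]:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.

    Returns the key/value pairs of that section, or None when the section is absent.
    Accepts CRLF or LF line endings and ignores blank and comment lines.
    """
    section = None
    found = False
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            found = found or section == "zonetransfer"
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values if found else None


def assess_motw(stream: Optional[str]) -> Tuple[str, str]:
    """Classify a file's Mark of the Web from its stream contents (None = no stream)."""
    if stream is None:
        return ("missing", "no Zone.Identifier stream: SmartScreen reputation check is not triggered")
    fields = parse_zone_identifier(stream)
    if fields is None or "ZoneId" not in fields:
        return ("malformed", "stream present but no [ZoneTransfer] section or ZoneId key")
    try:
        zone = int(fields["ZoneId"])
    except ValueError:
        return ("malformed", f"non-numeric ZoneId {fields['ZoneId']!r}")
    name = ZONE_NAMES.get(zone, "unknown zone")
    if zone == 3:
        return ("internet", f"ZoneId=3 ({name}): reputation check applies")
    return ("non-internet", f"ZoneId={zone} ({name}): reputation check not applied, review origin")


def read_motw(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS of a file on NTFS (Windows only).

    Returns None when the stream is absent or the platform does not expose ADS;
    the 'path:streamname' syntax is how NTFS alternate data streams are opened.
    """
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit(samples: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each file name to its verdict; used for a batch review of a downloads folder."""
    return {name: assess_motw(stream)[0] for name, stream in samples.items()}


# Constructed sample stream contents (not taken from the article).
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/report.pdf\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
SAMPLE_BROKEN = "ZoneId=3\r\n"  # ZoneId present but the section header is missing

if __name__ == "__main__":
    # Constructed file set; on Windows replace the stream strings with read_motw(path).
    demo = {
        "report.pdf": SAMPLE_INTERNET,
        "tool.lnk": None,
        "intranet.docx": SAMPLE_INTRANET,
        "odd.exe": SAMPLE_BROKEN,
    }
    for file_name, contents in demo.items():
        verdict, reason = assess_motw(contents)
        print(f"{file_name:15} {verdict:12} {reason}")
```

In a real audit, run `read_motw` over every file in a downloads or mail-attachment directory and treat `missing` and `malformed` verdicts on recently downloaded files as worth a closer look, since those are exactly the cases in which the SmartScreen reputation check would not have run.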


Critical Elevation of Privilege Vulnerability (1)

CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability

Description – Elevation of privilege in Microsoft Exchange Server: this vulnerability enables attackers to gain elevated privileges and compromise server integrity.

  • Affected Software: Microsoft Exchange Server
  • Severity: Critical
  • CVSS Score: 9.8
  • Type: Security Feature Bypass
  • Details: An attacker could target an NTLM client such as Outlook with an NTLM credential-leaking vulnerability. The leaked credentials can then be relayed against the Exchange server to gain the privileges of the victim client and to perform operations on the Exchange server on the victim’s behalf.
  • MITRE ATT&CK Mappings: N/A


Critical Remote Code Execution Vulnerabilities (2)

CVE-2024-21413 – Microsoft Outlook Remote Code Execution Vulnerability

Description – This Microsoft Outlook vulnerability is exploitable by a user opening a malicious file sent by an attacker.

  • Affected Software: Microsoft Outlook
  • Severity: Critical
  • CVSS Score: 9.8
  • Type: Remote Code Execution
  • Details: Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode. Simply viewing the file in the preview pane could trigger the code effects.
  • MITRE ATT&CK Mappings: T1211, T1566.001, T1553.002, T1204.002


CVE-2024-21357 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

Description – Allows remote code execution through specially crafted packets.

  • Affected Software: Microsoft Windows
  • Severity: Critical
  • CVSS Score: 7.5
  • Type: Remote Code Execution
  • Details: An attacker can achieve remote code execution on other Windows machines on the same network, using tools such as ARP scanning to find machines to target. By using this vulnerability, attackers could move laterally through the network once an initial foothold is obtained.
  • MITRE ATT&CK Mappings: N/A


Critical Spoofing Vulnerability (1)

CVE-2021-43890 – Windows AppX Installer Spoofing Vulnerability

Description – An attacker can use this vulnerability to send a file that looks like a regular AppX install but contains malicious code. Of note is that AppX files are supposed to be “safe” packages and are also hard to remove once installed compared to a normal .msi installer. Additionally, processes run from a .AppX usually have some sort of process protection, so killing them is difficult.

  • Affected Software: Microsoft Windows
  • Severity: Important
  • CVSS Score: 7.1
  • Type: Spoofing
  • Details: This vulnerability can be exploited by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader. An attacker crafts a malicious attachment to be used in phishing campaigns, and would then have to convince the user to open the attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative rights.
  • MITRE ATT&CK Mappings: T1211, T1566.001, T1553.002, T1204.002


Important Arbitrary Code Execution Vulnerabilities (6)

CVE-2024-21384 – Microsoft Office OneNote Remote Code Execution Vulnerability

Description – Allows Arbitrary code execution when a user opens a specially crafted file via social engineering.

  • Affected Software: Microsoft Office
  • Severity: Important
  • CVSS Score: 7.8
  • Type: Arbitrary Code Execution
  • Details: The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). This is a typical social engineering attack: an attacker would need to craft a special email attachment, or use some other way to deliver the malicious code to the local system, where it would need to be executed by a user, thus giving the attacker elevated privileges, including read, write, and delete functionality.
  • MITRE ATT&CK Mappings: T1203, T1566.001


CVE-2024-21376 – Microsoft Azure Kubernetes Service (AKS) Confidential Container Remote Code Execution Vulnerability

Description – Arbitrary code execution allowing cross-container exploitation and breakout/break-in in Kubernetes.

  • Affected Software: Microsoft Azure Kubernetes
  • Severity: Important
  • CVSS Score: 9.0
  • Type: Arbitrary Code Execution
  • Details: The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). An unauthenticated attacker can move the same Kubernetes workload onto a machine they control, where the attacker has root privileges. An attacker can access the untrusted AKS node and AKS Confidential Container to take over confidential guests and containers beyond the network stack it might be bound to.
  • MITRE ATT&CK Mappings: T1610, T1190

CVE-2024-21363 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Description – Taking advantage of Microsoft Message Queuing (MSMQ) via social engineering would lead to Arbitrary Code Execution (ACE).

  • Affected Software: Microsoft Message Queuing
  • Severity: Important
  • CVSS Score: 7.8
  • Type: Arbitrary Code Execution
  • Details: Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. This could either be carried out by a phishing or other social engineering attack or if the attacker already has basic user access to a system.
  • MITRE ATT&CK Mappings: N/A


CVE-2024-20673 – Microsoft Office Remote Code Execution Vulnerability

Description – Remote code execution delivered via social engineering like phishing, thus giving the attacker elevated privileges on the target system.

  • Affected Software: Microsoft Office 2016
  • Severity: Important
  • CVSS Score: 7.8
  • Type: Arbitrary Code Execution
  • Details: The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.
  • For example, when the CVSS score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
  • MITRE ATT&CK Mappings: T1203, T1566.001


CVE-2024-21379 – Microsoft Word Remote Code Execution Vulnerability

Description – Delivery via some form of social engineering like phishing would allow an attacker to execute malicious code upon user action.

  • Affected Software: Microsoft Word
  • Severity: Important
  • CVSS Score: 7.8
  • Type: Arbitrary Code Execution
  • Details: The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.
  • For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
  • This attack also only needs a user to view in the preview pane to trigger the malicious code. An attacker who successfully exploits this vulnerability could gain high privileges, which include read, write, and delete functionality on the local system where access is obtained.
  • MITRE ATT&CK Mappings: T1203, T1566.001


CVE-2024-21378 – Microsoft Outlook Remote Code Execution Vulnerability

Description – This vulnerability in Microsoft Outlook allows code execution; delivery would need to occur via social engineering.

  • Affected Software: Microsoft Outlook
  • Severity: Important
  • CVSS Score: 8.0
  • Type: Arbitrary Code Execution
  • Details: This attack must be delivered via social engineering. While that is common and prevalent, in this case simply viewing the file in the Preview Pane will trigger the malicious code, so it does not take much human interaction.
  • MITRE ATT&CK Mappings: T1203, T1566.001