Report Name: Microsoft Patch Tuesday, January 2024
Generated: 2024-01-29 21:54:08

Product Name	Prevalence	U	C	H	M	L	A	Comment
Microsoft Message Queuing	0.9			6			6	Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95
Windows Kernel	0.9		1				1	Windows Kernel
Windows TCP/IP	0.9			1			1	Windows component
Windows Win32k	0.9			2			2	The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management.
.NET Framework	0.8			1			1	.NET Framework
BitLocker	0.8				1		1	A full volume encryption feature included with Microsoft Windows versions starting with Windows Vista
Chromium	0.8		1		10		11	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
Microsoft Bluetooth Driver	0.8				1		1	Microsoft Bluetooth Driver
Microsoft Edge	0.8				1		1	Web browser
Microsoft Office	0.8			1			1	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Windows Cloud Files Mini Filter Driver	0.8				1		1	Windows component
Windows CoreMessaging	0.8				1		1	Windows component
Windows Cryptographic Services	0.8			1	1		2	Windows component
Windows Group Policy	0.8				1		1	Windows component
Windows HTML Platforms	0.8			1			1	Windows component
Windows Kerberos	0.8			1			1	Windows component
Windows Kernel-Mode Driver	0.8				1		1	Windows component
Windows Libarchive	0.8			2			2	Windows component
Windows Nearby Sharing	0.8			1			1	Windows component
Windows Online Certificate Status Protocol (OCSP)	0.8				1		1	Windows component
Windows Remote Desktop Client	0.8			1			1	Remote Desktop Protocol Client
Windows Subsystem for Linux	0.8				1		1	Windows component
Windows Themes	0.8				2		2	Windows component
.NET	0.7			1		1	2	.NET
SQLite	0.7			1			1	SQLite is a database engine written in the C programming language
Windows Hyper-V	0.6			1	1		2	Hardware virtualization component of the client editions of Windows NT
Azure DevOps Server	0.5				1		1	Azure DevOps Server
Azure Storage Mover	0.5			1			1	Azure Storage Mover
Hypervisor-Protected Code Integrity (HVCI)	0.5			1			1	Hypervisor-Protected Code Integrity (HVCI)
Microsoft AllJoyn API	0.5				1		1	Microsoft AllJoyn API
Microsoft Common Log File System	0.5				1		1	Microsoft Common Log File System
Microsoft Local Security Authority Subsystem Service	0.5				1		1	Microsoft Local Security Authority Subsystem Service
Microsoft ODBC Driver	0.5			1			1	Microsoft ODBC Driver
Microsoft Online Certificate Status Protocol (OCSP)	0.5			1			1	Microsoft Online Certificate Status Protocol (OCSP)
Microsoft Printer Metadata Troubleshooter Tool	0.5			1			1	Microsoft Printer Metadata Troubleshooter Tool
Microsoft SharePoint Server	0.5			1			1	Microsoft SharePoint Server
Microsoft Virtual Hard Disk	0.5				1		1	Microsoft Virtual Hard Disk
Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider	0.5			1			1	Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider
NET, .NET Framework, and Visual Studio	0.5			1			1	NET, .NET Framework, and Visual Studio
Windows 10 1607	0.5				1		1	Product detected by o:microsoft:windows_10_1607 (exists in CPE dict)
Visual Studio	0.3			1			1	Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0			11			11
Authentication Bypass	0.95			1			1
Security Feature Bypass	0.9			4	3		7
Elevation of Privilege	0.85		1	3	6		10
Information Disclosure	0.83			6	5		11
Denial of Service	0.7			3	2		5
Memory Corruption	0.5		1	1	10		12
Spoofing	0.4			1	3		4
Unknown Vulnerability Type	0					1	1

Source	U	C	H	M	L	A
MS PT Extended		1		12		13
Qualys		1	7	3		11
Tenable		1	5	2		8
Rapid7			5			5
ZDI			3			3

Urgent (0)

Critical (2)

1. Elevation of Privilege - Windows Kernel (CVE-2024-20698) - Critical [658]

Description: Windows Kernel Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-20698 is an EoP vulnerability in the Microsoft Windows Kernel. It was assigned a CVSSv3 score of 7.8 and is rated as important and “Exploitation More Likely.” An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges to SYSTEM.

2. Memory Corruption - Chromium (CVE-2023-7024) - Critical [627]

Description: Chromium: CVE-2023-7024 Heap buffer overflow in WebRTC. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2023-7024 exists in the wild.

MS PT Extended: CVE-2023-7024 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

High (30)

3. Memory Corruption - SQLite (CVE-2022-35737) - High [575]

Description: MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow

Tenable: Microsoft patched 48 CVEs in its January 2024 Patch Tuesday release, with two rated critical and 46 rated as important. Our counts omitted CVE-2022-35737, a vulnerability in SQLite called “Stranger Strings” that was assigned by MITRE and patched in July 2022. For the second straight month, Microsoft did not patch any zero-day vulnerabilities that were exploited or publicly disclosed.

Rapid7: The January 2024 Windows security updates include a patch for CVE-2022-35737, a vulnerability in SQLite versions prior to 3.39.2 first disclosed way back in August 2022. It's not clear why Microsoft has chosen to patch this now, but it's a welcome development nevertheless. Patch Tuesday watchers wondering why Windows comes with bundled SQLite may be interested to know that the WinUI library UX development framework provides SQLite interaction functionality, and the documentation mentions that SQLite is included with all supported versions of Windows.

Rapid7: 2024-01-09: Added mention of SQLite vulnerability CVE-2022-35737.

4. Elevation of Privilege - Visual Studio (CVE-2024-20656) - High [558]

Description: Visual Studio Elevation of Privilege Vulnerability

5. Security Feature Bypass - Hypervisor-Protected Code Integrity (HVCI) (CVE-2024-21305) - High [505]

Description: Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability

6. Security Feature Bypass - NET, .NET Framework, and Visual Studio (CVE-2024-0057) - High [503]

Description: NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

7. Remote Code Execution - Windows Remote Desktop Client (CVE-2024-21307) - High [490]

Description: Remote Desktop Client Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

8. Denial of Service - .NET Framework (CVE-2024-21312) - High [470]

Description: .NET Framework Denial of Service Vulnerability

9. Security Feature Bypass - Windows HTML Platforms (CVE-2024-20652) - High [460]

Description: Windows HTML Platforms Security Feature Bypass Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

10. Remote Code Execution - Microsoft Office (CVE-2024-20677) - High [454]

Description: Microsoft Office Remote Code Execution Vulnerability. A security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365. 3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time. This change is effective as of the January 9, 2024 security update.

Rapid7: A patch for Microsoft Office disables the ability to insert 3D models from FBX (Filmbox) files into Office documents to guard against exploitation of CVE-2024-20677, which Microsoft describes as an arbitrary code execution. Exploitation would involve an Office user interacting with a malicious FBX file, and could lead to information disclosure or downtime. Models already present in documents will continue to function as before, unless the “Link to File” option was chosen upon insertion. In a related blog post, Microsoft recommends avoiding FBX and instead making use of the GLB 3D file format from now on. The blog post also provides instructions on a registry modification which re-enables the ability to insert FBX files into Office documents, although Microsoft strongly recommends against this. Silver lining: the Preview Pane is not a vector for CVE-2024-20677. Both the Windows and Mac editions of Office are vulnerable until patched.

11. Denial of Service - .NET (CVE-2024-20672) - High [453]

Description: .NET Denial of Service Vulnerability

12. Remote Code Execution - Azure Storage Mover (CVE-2024-20676) - High [452]

Description: Azure Storage Mover Remote Code Execution Vulnerability

13. Remote Code Execution - Microsoft SharePoint Server (CVE-2024-21318) - High [440]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21318 is a RCE vulnerability affecting Microsoft SharePoint Server. With a CVSSv3 score of 8.8, this flaw can be exploited by an authenticated attacker with at least Site Owner privileges. While no active exploitation has been observed at the time the vulnerability was patched, Microsoft rates this vulnerability as “Exploitation More Likely.”

Tenable: CVE-2024-21318 is credited to multiple researchers at STAR Labs, who in September, published a blog post outlining the successful chaining of two vulnerabilities affecting Microsoft SharePoint Server. The exploit chain consisted of an EoP vulnerability CVE-2023-29357 and a RCE vulnerability, CVE-2023-24955. While a proof-of-concept was released, it was not weaponizable as designed, and required additional work to achieve RCE. While that vulnerability chain does not appear to have been abused, we strongly recommend patching SharePoint servers as soon as possible. As demonstrated by the STAR Labs exploit chain, attackers seek out unpatched vulnerabilities as part of their attempts to exploit networks. Timely patching is a crucial defense step in securing your organization.

Rapid7: SharePoint admins should take note of CVE-2024-21318, which was added to CISA KEV on 2024-01-10. Successful exploitation allows an attacker with existing Site Owner permissions to execute code in the context of the SharePoint Server. Many SharePoint RCE vulnerabilities require only Site Member privileges, so the requirement for Site Owner here does provide some small comfort, but the potential remains that CVE-2024-21318 could be abused either by a malicious insider or as part of an exploit chain. The advisory does mention that exploitation requires that an attacker must already be authenticated as “at least a Site Owner,” although it’s not clear what level of privilege above Site Owner is implicated here; a user with SharePoint Administrator or Microsoft 365 Global Administrator role could certainly assign themselves the Site Owner role.

14. Remote Code Execution - Windows Cryptographic Services (CVE-2024-20682) - High [430]

Description: Windows Cryptographic Services Remote Code Execution Vulnerability

15. Remote Code Execution - Microsoft ODBC Driver (CVE-2024-20654) - High [428]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability

16. Authentication Bypass - Windows Kerberos (CVE-2024-20674) - High [422]

Description: Windows Kerberos Security Feature Bypass Vulnerability

Qualys: CVE-2024-20674: Windows Kerberos Security Feature Bypass Vulnerability Kerberos is a secure authentication protocol used as a default authentication policy for Windows. It is used to authenticate users and computers on a Windows network. Kerberos is also used as a basis for single sign-on and access control. An attacker must first gain access to the restricted network before running an attack. An unauthenticated attacker could exploit the vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique. An attacker must then send a malicious Kerberos message to the client victim machine to impersonate the Kerberos authentication server.

Tenable: Microsoft’s January 2024 Patch Tuesday Addresses 48 CVEs (CVE-2024-20674)

Tenable: CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability

Tenable: CVE-2024-20674 is a critical security feature bypass vulnerability affecting Windows Kerberos, an authentication protocol designed to verify user or host identities. It was assigned a CVSSv3 score of 9.0 and is rated as “Exploitation More Likely” according to the Microsoft Exploitability Index.

Rapid7: All current versions of Windows receive a patch for CVE-2024-20674, which describes a flaw in the Windows implementation of Kerberos. By establishing a machine-in-the-middle (MitM), an attacker could trick a client into thinking it is communicating directly with the Kerberos authentication server, and subsequently bypass authentication and impersonate the client user on the network. Although exploitation requires an existing foothold on the local network, both the CVSS 3.1 base score of 9.1 and Microsoft’s proprietary severity ranking of critical reflect that there is no requirement for user interaction or prior authentication. Microsoft also notes that it considers exploitation of this vulnerability more likely.

ZDI: CVE-2024-20674 – Windows Kerberos Security Feature Bypass Vulnerability. This is the highest-rated CVSS for this month and one of the two Critical-rated patches. The bug would allow an unauthenticated attacker to perform a machine-in-the-middle (MitM) that spoofs a Kerberos server. An affected client would receive what they believe to be authentic messages from the Kerberos authentication server. While this would certainly take some setting up, Microsoft does give the bug its highest exploitability index rating (1), which means they expect to see public exploit code within 30 days. Make sure to test and deploy this update quickly.

17. Security Feature Bypass - Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider (CVE-2024-0056) - High [422]

Description: Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

ZDI: CVE-2024-0056 – Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability. Besides being a mouthful of a title, this SFB bug could allow an MITM attacker to decrypt, read, or modify TLS traffic between an affected client and server. If you happen to be using these data providers, you’ll also need to take additional steps to be fully protected. The bulletin lists the additional NuGet packages you’ll need to load to completely resolve this vulnerability. Microsoft links to an article that claims to provide further information on the steps admins need to take to be protected, but as of now, that link leads nowhere. I’ll update the blog once they update the link to something relevant. Note: Microsoft has updated the link to point to the article here.

18. Remote Code Execution - Windows Hyper-V (CVE-2024-20700) - High [421]

Description: Windows Hyper-V Remote Code Execution Vulnerability

Qualys: CVE-2024-20700: Windows Hyper-V Remote Code Execution Vulnerability Windows Hyper-V allows hardware virtualization. IT professionals and software developers use virtualization to test software on multiple operating systems. Hyper-V enables working professionals to perform these tasks smoothly. With the help of Hyper-V, one can create virtual hard drives, virtual switches, and numerous different virtual devices, all of which can be added to virtual machines. An attacker must first gain access to the restricted network before running an attack. Successful exploitation of the vulnerability requires an attacker to win a race condition.

Rapid7: CVE-2024-20700 describes a remote code execution vulnerability in the Windows Hyper-V hardware virtualization service. Microsoft ranks this vulnerability as critical under its own proprietary severity scale. However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network. The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur. However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host.

ZDI: CVE-2024-20700 – Windows Hyper-V Remote Code Execution Vulnerability. This is the other Critical-rated patch for January, although “remote” in this case actually means network adjacent. Microsoft doesn’t provide much of a description beyond that, so it’s not clear how the code execution would occur. However, they do note that neither authentication nor user interaction is required, which makes this vulnerability quite juicy to exploit writers. Although winning a race condition is required for successful exploitation, we’ve seen plenty of Pwn2Own winners use race conditions in their exploits.

19. Remote Code Execution - Windows Libarchive (CVE-2024-20696) - High [419]

Description: Windows Libarchive Remote Code Execution Vulnerability

20. Remote Code Execution - Windows Libarchive (CVE-2024-20697) - High [419]

Description: Windows Libarchive Remote Code Execution Vulnerability

21. Information Disclosure - Microsoft Message Queuing (CVE-2024-20660) - High [417]

Description: Microsoft Message Queuing Information Disclosure Vulnerability

22. Information Disclosure - Microsoft Message Queuing (CVE-2024-20663) - High [417]

Description: Windows Message Queuing Client (MSMQC) Information Disclosure

23. Information Disclosure - Microsoft Message Queuing (CVE-2024-20664) - High [417]

Description: Microsoft Message Queuing Information Disclosure Vulnerability

24. Information Disclosure - Microsoft Message Queuing (CVE-2024-20680) - High [417]

Description: Windows Message Queuing Client (MSMQC) Information Disclosure

25. Information Disclosure - Microsoft Message Queuing (CVE-2024-21314) - High [417]

Description: Microsoft Message Queuing Information Disclosure Vulnerability

26. Spoofing - Windows Nearby Sharing (CVE-2024-20690) - High [416]

Description: Windows Nearby Sharing Spoofing Vulnerability

27. Elevation of Privilege - Windows Win32k (CVE-2024-20683) - High [408]

Description: Win32k Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-20683 and CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability

Tenable: CVE-2024-20683 and CVE-2024-20686 are EoP vulnerabilities in Microsoft’s Win32k, a core kernel-side driver used in Windows. Both vulnerabilities received CVSSv3 scores of 7.8 and are rated “Exploitation More Likely.” Successful exploitation could allow an attacker to gain SYSTEM privileges on an affected host. EoP vulnerabilities are often abused by malicious actors after gaining initial access to a system and in 2023, 14 EoP vulnerabilities in Win32k were patched by Microsoft. While neither of these two vulnerabilities has been reported as exploited in the wild by Microsoft, one of the 14 patched in 2023 was exploited as a zero-day, CVE-2023-29336, which was patched in the May 2023 Patch Tuesday release.

28. Elevation of Privilege - Windows Win32k (CVE-2024-20686) - High [408]

Description: Win32k Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-20683 and CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability

Tenable: CVE-2024-20683 and CVE-2024-20686 are EoP vulnerabilities in Microsoft’s Win32k, a core kernel-side driver used in Windows. Both vulnerabilities received CVSSv3 scores of 7.8 and are rated “Exploitation More Likely.” Successful exploitation could allow an attacker to gain SYSTEM privileges on an affected host. EoP vulnerabilities are often abused by malicious actors after gaining initial access to a system and in 2023, 14 EoP vulnerabilities in Win32k were patched by Microsoft. While neither of these two vulnerabilities has been reported as exploited in the wild by Microsoft, one of the 14 patched in 2023 was exploited as a zero-day, CVE-2023-29336, which was patched in the May 2023 Patch Tuesday release.

29. Denial of Service - Microsoft Message Queuing (CVE-2024-20661) - High [405]

Description: Microsoft Message Queuing Denial of Service Vulnerability

30. Information Disclosure - Windows TCP/IP (CVE-2024-21313) - High [405]

Description: Windows TCP/IP Information Disclosure Vulnerability

31. Remote Code Execution - Microsoft Online Certificate Status Protocol (OCSP) (CVE-2024-20655) - High [404]

Description: Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability

32. Remote Code Execution - Microsoft Printer Metadata Troubleshooter Tool (CVE-2024-21325) - High [404]

Description: Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability

Medium (29)

33. Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2024-21310) - Medium [392]

Description: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Tenable: CVE-2024-21310 is an EoP vulnerability in the Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys). It was assigned a CVSSv3 score of 7.8 and is rated as important and “Exploitation More Likely.” An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges to SYSTEM.

34. Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2024-21309) - Medium [392]

Description: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

35. Elevation of Privilege - Windows Subsystem for Linux (CVE-2024-20681) - Medium [392]

Description: Windows Subsystem for Linux Elevation of Privilege Vulnerability

36. Memory Corruption - Chromium (CVE-2023-6705) - Medium [389]

Description: Chromium: CVE-2023-6705 Use after free in WebRTC. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-6705 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

37. Security Feature Bypass - BitLocker (CVE-2024-20666) - Medium [389]

Description: BitLocker Security Feature Bypass Vulnerability

38. Security Feature Bypass - Microsoft Edge (CVE-2023-36878) - Medium [389]

Description: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

MS PT Extended: CVE-2023-36878 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

39. Elevation of Privilege - Windows Group Policy (CVE-2024-20657) - Medium [380]

Description: Windows Group Policy Elevation of Privilege Vulnerability

40. Memory Corruption - Chromium (CVE-2024-0225) - Medium [377]

Description: Chromium: CVE-2024-0225 Use after free in WebGPU. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-0225 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

41. Information Disclosure - Windows Online Certificate Status Protocol (OCSP) (CVE-2024-20662) - Medium [376]

Description: Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability

42. Memory Corruption - Chromium (CVE-2023-6702) - Medium [365]

Description: Chromium: CVE-2023-6702 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-6702 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

43. Memory Corruption - Chromium (CVE-2023-6703) - Medium [365]

Description: Chromium: CVE-2023-6703 Use after free in Blink. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-6703 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

44. Memory Corruption - Chromium (CVE-2023-6704) - Medium [365]

Description: Chromium: CVE-2023-6704 Use after free in libavif. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-6704 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

45. Memory Corruption - Chromium (CVE-2023-6706) - Medium [365]

Description: Chromium: CVE-2023-6706 Use after free in FedCM. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-6706 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

46. Memory Corruption - Chromium (CVE-2023-6707) - Medium [365]

Description: Chromium: CVE-2023-6707 Use after free in CSS. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-6707 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

47. Memory Corruption - Chromium (CVE-2024-0222) - Medium [365]

Description: Chromium: CVE-2024-0222 Use after free in ANGLE. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-0222 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

48. Memory Corruption - Chromium (CVE-2024-0223) - Medium [365]

Description: Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-0223 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

49. Memory Corruption - Chromium (CVE-2024-0224) - Medium [365]

Description: Chromium: CVE-2024-0224 Use after free in WebAudio. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-0224 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

50. Information Disclosure - Windows CoreMessaging (CVE-2024-20694) - Medium [364]

Description: Windows CoreMessaging Information Disclosure Vulnerability

51. Information Disclosure - Windows Cryptographic Services (CVE-2024-21311) - Medium [364]

Description: Windows Cryptographic Services Information Disclosure Vulnerability

52. Information Disclosure - Windows Themes (CVE-2024-20691) - Medium [352]

Description: Windows Themes Information Disclosure Vulnerability

53. Security Feature Bypass - Windows 10 1607 (CVE-2024-21316) - Medium [351]

Description: Windows Server Key Distribution Service Security Feature Bypass

54. Elevation of Privilege - Microsoft Common Log File System (CVE-2024-20653) - Medium [342]

Description: Microsoft Common Log File System Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-20653 | Microsoft Common Log File System Elevation of Privilege Vulnerability

Tenable: CVE-2024-20653 is an EoP vulnerability in the Microsoft Common Log File System (CLFS). It was assigned a CVSSv3 score of 7.8 and is rated as important and “Exploitation More Likely.” An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges to SYSTEM.

55. Elevation of Privilege - Microsoft Virtual Hard Disk (CVE-2024-20658) - Medium [342]

Description: Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability

56. Denial of Service - Microsoft AllJoyn API (CVE-2024-20687) - Medium [339]

Description: Microsoft AllJoyn API Denial of Service Vulnerability

57. Spoofing - Windows Themes (CVE-2024-21320) - Medium [335]

Description: Windows Themes Spoofing Vulnerability

Qualys: CVE-2024-21320: Windows Themes Spoofing Vulnerability This vulnerability has a CVSS:3.1 6.5 / 5.7 Policy Compliance Control IDs (CIDs): 8243      Configure ‘Network Security:Restrict NTLM: Outgoing NTLM traffic to remote servers’ 8230      Configure ‘Network Security:Restrict NTLM: Add remote server exceptions for NTLM authentication’ The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [8243, 8230] The next Patch Tuesday falls on February 13, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patch’s webinar.’

58. Information Disclosure - Microsoft Local Security Authority Subsystem Service (CVE-2024-20692) - Medium [326]

Description: Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

59. Denial of Service - Windows Hyper-V (CVE-2024-20699) - Medium [308]

Description: Windows Hyper-V Denial of Service Vulnerability

60. Spoofing - Microsoft Bluetooth Driver (CVE-2024-21306) - Medium [300]

Description: Microsoft Bluetooth Driver Spoofing Vulnerability

61. Spoofing - Azure DevOps Server (CVE-2023-21751) - Medium [261]

Description: Azure DevOps Server Spoofing Vulnerability

MS PT Extended: CVE-2023-21751 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

Low (1)

62. Unknown Vulnerability Type - .NET (CVE-2024-21319) - Low [190]

Description: {'ms_cve_data_all': 'Microsoft Identity Denial of service vulnerability', 'nvd_cve_data_all': 'Microsoft Identity Denial of service vulnerability', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Microsoft Identity Denial of service vulnerability', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

Exploitation in the wild detected (1)

Memory Corruption (1)

• Chromium (CVE-2023-7024)

MS PT Extended: CVE-2023-7024 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

Public exploit exists, but exploitation in the wild is NOT detected (4)

Elevation of Privilege (2)

• Windows Kernel (CVE-2024-20698)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-20698 is an EoP vulnerability in the Microsoft Windows Kernel. It was assigned a CVSSv3 score of 7.8 and is rated as important and “Exploitation More Likely.” An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges to SYSTEM.

• Visual Studio (CVE-2024-20656)

Memory Corruption (1)

• SQLite (CVE-2022-35737)

Tenable: Microsoft patched 48 CVEs in its January 2024 Patch Tuesday release, with two rated critical and 46 rated as important. Our counts omitted CVE-2022-35737, a vulnerability in SQLite called “Stranger Strings” that was assigned by MITRE and patched in July 2022. For the second straight month, Microsoft did not patch any zero-day vulnerabilities that were exploited or publicly disclosed.

Rapid7: The January 2024 Windows security updates include a patch for CVE-2022-35737, a vulnerability in SQLite versions prior to 3.39.2 first disclosed way back in August 2022. It's not clear why Microsoft has chosen to patch this now, but it's a welcome development nevertheless. Patch Tuesday watchers wondering why Windows comes with bundled SQLite may be interested to know that the WinUI library UX development framework provides SQLite interaction functionality, and the documentation mentions that SQLite is included with all supported versions of Windows.

Rapid7: 2024-01-09: Added mention of SQLite vulnerability CVE-2022-35737.

Security Feature Bypass (1)

• Hypervisor-Protected Code Integrity (HVCI) (CVE-2024-21305)

Other Vulnerabilities (57)

Security Feature Bypass (6)

• NET, .NET Framework, and Visual Studio (CVE-2024-0057)
• Windows HTML Platforms (CVE-2024-20652)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

• Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider (CVE-2024-0056)

ZDI: CVE-2024-0056 – Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability. Besides being a mouthful of a title, this SFB bug could allow an MITM attacker to decrypt, read, or modify TLS traffic between an affected client and server. If you happen to be using these data providers, you’ll also need to take additional steps to be fully protected. The bulletin lists the additional NuGet packages you’ll need to load to completely resolve this vulnerability. Microsoft links to an article that claims to provide further information on the steps admins need to take to be protected, but as of now, that link leads nowhere. I’ll update the blog once they update the link to something relevant. Note: Microsoft has updated the link to point to the article here.

• BitLocker (CVE-2024-20666)
• Microsoft Edge (CVE-2023-36878)

MS PT Extended: CVE-2023-36878 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

• Windows 10 1607 (CVE-2024-21316)

Remote Code Execution (11)

• Windows Remote Desktop Client (CVE-2024-21307)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

• Microsoft Office (CVE-2024-20677)

Rapid7: A patch for Microsoft Office disables the ability to insert 3D models from FBX (Filmbox) files into Office documents to guard against exploitation of CVE-2024-20677, which Microsoft describes as an arbitrary code execution. Exploitation would involve an Office user interacting with a malicious FBX file, and could lead to information disclosure or downtime. Models already present in documents will continue to function as before, unless the “Link to File” option was chosen upon insertion. In a related blog post, Microsoft recommends avoiding FBX and instead making use of the GLB 3D file format from now on. The blog post also provides instructions on a registry modification which re-enables the ability to insert FBX files into Office documents, although Microsoft strongly recommends against this. Silver lining: the Preview Pane is not a vector for CVE-2024-20677. Both the Windows and Mac editions of Office are vulnerable until patched.

• Azure Storage Mover (CVE-2024-20676)
• Microsoft SharePoint Server (CVE-2024-21318)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21318 is a RCE vulnerability affecting Microsoft SharePoint Server. With a CVSSv3 score of 8.8, this flaw can be exploited by an authenticated attacker with at least Site Owner privileges. While no active exploitation has been observed at the time the vulnerability was patched, Microsoft rates this vulnerability as “Exploitation More Likely.”

Tenable: CVE-2024-21318 is credited to multiple researchers at STAR Labs, who in September, published a blog post outlining the successful chaining of two vulnerabilities affecting Microsoft SharePoint Server. The exploit chain consisted of an EoP vulnerability CVE-2023-29357 and a RCE vulnerability, CVE-2023-24955. While a proof-of-concept was released, it was not weaponizable as designed, and required additional work to achieve RCE. While that vulnerability chain does not appear to have been abused, we strongly recommend patching SharePoint servers as soon as possible. As demonstrated by the STAR Labs exploit chain, attackers seek out unpatched vulnerabilities as part of their attempts to exploit networks. Timely patching is a crucial defense step in securing your organization.

Rapid7: SharePoint admins should take note of CVE-2024-21318, which was added to CISA KEV on 2024-01-10. Successful exploitation allows an attacker with existing Site Owner permissions to execute code in the context of the SharePoint Server. Many SharePoint RCE vulnerabilities require only Site Member privileges, so the requirement for Site Owner here does provide some small comfort, but the potential remains that CVE-2024-21318 could be abused either by a malicious insider or as part of an exploit chain. The advisory does mention that exploitation requires that an attacker must already be authenticated as “at least a Site Owner,” although it’s not clear what level of privilege above Site Owner is implicated here; a user with SharePoint Administrator or Microsoft 365 Global Administrator role could certainly assign themselves the Site Owner role.

• Windows Cryptographic Services (CVE-2024-20682)
• Microsoft ODBC Driver (CVE-2024-20654)
• Windows Hyper-V (CVE-2024-20700)

Qualys: CVE-2024-20700: Windows Hyper-V Remote Code Execution Vulnerability Windows Hyper-V allows hardware virtualization. IT professionals and software developers use virtualization to test software on multiple operating systems. Hyper-V enables working professionals to perform these tasks smoothly. With the help of Hyper-V, one can create virtual hard drives, virtual switches, and numerous different virtual devices, all of which can be added to virtual machines. An attacker must first gain access to the restricted network before running an attack. Successful exploitation of the vulnerability requires an attacker to win a race condition.

Rapid7: CVE-2024-20700 describes a remote code execution vulnerability in the Windows Hyper-V hardware virtualization service. Microsoft ranks this vulnerability as critical under its own proprietary severity scale. However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network. The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur. However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host.

ZDI: CVE-2024-20700 – Windows Hyper-V Remote Code Execution Vulnerability. This is the other Critical-rated patch for January, although “remote” in this case actually means network adjacent. Microsoft doesn’t provide much of a description beyond that, so it’s not clear how the code execution would occur. However, they do note that neither authentication nor user interaction is required, which makes this vulnerability quite juicy to exploit writers. Although winning a race condition is required for successful exploitation, we’ve seen plenty of Pwn2Own winners use race conditions in their exploits.

• Windows Libarchive (CVE-2024-20696, CVE-2024-20697)
• Microsoft Online Certificate Status Protocol (OCSP) (CVE-2024-20655)
• Microsoft Printer Metadata Troubleshooter Tool (CVE-2024-21325)

Denial of Service (5)

• .NET Framework (CVE-2024-21312)
• .NET (CVE-2024-20672)
• Microsoft Message Queuing (CVE-2024-20661)
• Microsoft AllJoyn API (CVE-2024-20687)
• Windows Hyper-V (CVE-2024-20699)

Authentication Bypass (1)

• Windows Kerberos (CVE-2024-20674)

Qualys: CVE-2024-20674: Windows Kerberos Security Feature Bypass Vulnerability Kerberos is a secure authentication protocol used as a default authentication policy for Windows. It is used to authenticate users and computers on a Windows network. Kerberos is also used as a basis for single sign-on and access control. An attacker must first gain access to the restricted network before running an attack. An unauthenticated attacker could exploit the vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique. An attacker must then send a malicious Kerberos message to the client victim machine to impersonate the Kerberos authentication server.

Tenable: Microsoft’s January 2024 Patch Tuesday Addresses 48 CVEs (CVE-2024-20674)

Tenable: CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability

Tenable: CVE-2024-20674 is a critical security feature bypass vulnerability affecting Windows Kerberos, an authentication protocol designed to verify user or host identities. It was assigned a CVSSv3 score of 9.0 and is rated as “Exploitation More Likely” according to the Microsoft Exploitability Index.

Rapid7: All current versions of Windows receive a patch for CVE-2024-20674, which describes a flaw in the Windows implementation of Kerberos. By establishing a machine-in-the-middle (MitM), an attacker could trick a client into thinking it is communicating directly with the Kerberos authentication server, and subsequently bypass authentication and impersonate the client user on the network. Although exploitation requires an existing foothold on the local network, both the CVSS 3.1 base score of 9.1 and Microsoft’s proprietary severity ranking of critical reflect that there is no requirement for user interaction or prior authentication. Microsoft also notes that it considers exploitation of this vulnerability more likely.

ZDI: CVE-2024-20674 – Windows Kerberos Security Feature Bypass Vulnerability. This is the highest-rated CVSS for this month and one of the two Critical-rated patches. The bug would allow an unauthenticated attacker to perform a machine-in-the-middle (MitM) that spoofs a Kerberos server. An affected client would receive what they believe to be authentic messages from the Kerberos authentication server. While this would certainly take some setting up, Microsoft does give the bug its highest exploitability index rating (1), which means they expect to see public exploit code within 30 days. Make sure to test and deploy this update quickly.

Information Disclosure (11)

• Microsoft Message Queuing (CVE-2024-20660, CVE-2024-20663, CVE-2024-20664, CVE-2024-20680, CVE-2024-21314)
• Windows TCP/IP (CVE-2024-21313)
• Windows Online Certificate Status Protocol (OCSP) (CVE-2024-20662)
• Windows CoreMessaging (CVE-2024-20694)
• Windows Cryptographic Services (CVE-2024-21311)
• Windows Themes (CVE-2024-20691)
• Microsoft Local Security Authority Subsystem Service (CVE-2024-20692)

Spoofing (4)

• Windows Nearby Sharing (CVE-2024-20690)
• Windows Themes (CVE-2024-21320)

Qualys: CVE-2024-21320: Windows Themes Spoofing Vulnerability This vulnerability has a CVSS:3.1 6.5 / 5.7 Policy Compliance Control IDs (CIDs): 8243      Configure ‘Network Security:Restrict NTLM: Outgoing NTLM traffic to remote servers’ 8230      Configure ‘Network Security:Restrict NTLM: Add remote server exceptions for NTLM authentication’ The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [8243, 8230] The next Patch Tuesday falls on February 13, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patch’s webinar.’

• Microsoft Bluetooth Driver (CVE-2024-21306)
• Azure DevOps Server (CVE-2023-21751)

MS PT Extended: CVE-2023-21751 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

Elevation of Privilege (8)

• Windows Win32k (CVE-2024-20683, CVE-2024-20686)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-20683 and CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability

Tenable: CVE-2024-20683 and CVE-2024-20686 are EoP vulnerabilities in Microsoft’s Win32k, a core kernel-side driver used in Windows. Both vulnerabilities received CVSSv3 scores of 7.8 and are rated “Exploitation More Likely.” Successful exploitation could allow an attacker to gain SYSTEM privileges on an affected host. EoP vulnerabilities are often abused by malicious actors after gaining initial access to a system and in 2023, 14 EoP vulnerabilities in Win32k were patched by Microsoft. While neither of these two vulnerabilities has been reported as exploited in the wild by Microsoft, one of the 14 patched in 2023 was exploited as a zero-day, CVE-2023-29336, which was patched in the May 2023 Patch Tuesday release.

• Windows Cloud Files Mini Filter Driver (CVE-2024-21310)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Tenable: CVE-2024-21310 is an EoP vulnerability in the Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys). It was assigned a CVSSv3 score of 7.8 and is rated as important and “Exploitation More Likely.” An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges to SYSTEM.

• Windows Kernel-Mode Driver (CVE-2024-21309)
• Windows Subsystem for Linux (CVE-2024-20681)
• Windows Group Policy (CVE-2024-20657)
• Microsoft Common Log File System (CVE-2024-20653)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-20683 & CVE-2024-20686 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-20698 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21307 is a remote code execution vulnerability in a Remote Desktop Client. Successful exploitation of the vulnerability requires an attacker to win a race condition. An unauthenticated attacker must wait for a user to initiate a connection to exploit the vulnerability. CVE-2024-20652 is a security feature bypass vulnerability in Internet Explorer. An attacker must prepare the target environment to improve exploit reliability. CVE-2024-20653 is an elevation of privilege vulnerability in the Microsoft Common Log File System. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21310 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-21318 is a remote code execution vulnerability in Microsoft SharePoint Server. An attacker must be authenticated with the Site Owner’s permission to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code in the context of SharePoint Server.

Tenable: CVE-2024-20653 | Microsoft Common Log File System Elevation of Privilege Vulnerability

Tenable: CVE-2024-20653 is an EoP vulnerability in the Microsoft Common Log File System (CLFS). It was assigned a CVSSv3 score of 7.8 and is rated as important and “Exploitation More Likely.” An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges to SYSTEM.

• Microsoft Virtual Hard Disk (CVE-2024-20658)

Memory Corruption (10)

• Chromium (CVE-2023-6702, CVE-2023-6703, CVE-2023-6704, CVE-2023-6705, CVE-2023-6706, CVE-2023-6707, CVE-2024-0222, CVE-2024-0223, CVE-2024-0224, CVE-2024-0225)

MS PT Extended: CVE-2023-6702 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

MS PT Extended: CVE-2023-6704 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

MS PT Extended: CVE-2024-0223 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

MS PT Extended: CVE-2023-6707 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

MS PT Extended: CVE-2023-6706 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

MS PT Extended: CVE-2024-0225 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

MS PT Extended: CVE-2023-6705 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

MS PT Extended: CVE-2024-0224 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

MS PT Extended: CVE-2023-6703 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

MS PT Extended: CVE-2024-0222 was published before January 2024 Patch Tuesday from 2023-12-13 to 2024-01-08

Unknown Vulnerability Type (1)

• .NET (CVE-2024-21319)