February 2024 Patch Tuesday: Updates and Analysis

Microsoft has released security updates for 73 vulnerabilities for its February 2024 Patch Tuesday rollout. These include two actively exploited zero-days (CVE-2024-21412 and CVE-2024-21351), both of which are security feature bypass flaws. Five of the vulnerabilities addressed today are rated Critical while the remaining 68 are rated Important or Moderate.

February 2024 Risk Analysis

This month’s leading risk type is remote code execution (41%) followed by elevation of privilege (22%) and spoofing (14%).

Figure 1. Breakdown of February 2024 Patch Tuesday attack types

 

Windows products received the most patches this month with 44, followed by Extended Security Update (ESU) with 32 and Azure with 9.

Figure 2. Breakdown of product families affected by February 2024 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Affecting Internet Shortcut Files

Internet Shortcut Files has received a patch for CVE-2024-21412, which has a severity of Important and a CVSS score of 8.1. This vulnerability allows an unauthenticated attacker to bypass a security feature called “Mark of the Web” (MotW) warnings on Windows machines. The targeted user would need to be convinced to click on a specially crafted file that is designed to bypass the displayed security checks. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 8.1 | CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability |

Table 1. Zero-day in Internet Shortcut Files
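
How the Mark of the Web is recorded, shown as an added example that is not part of the original article: Windows stores the mark in an NTFS alternate data stream named Zone.Identifier. This Python code parses that stream and lists Internet Shortcut (.url) files in an inventory of downloaded files that carry no Internet-zone mark. The file names, URLs and inventory are constructed sample data, and the function names are illustrative.

```python
import configparser

# Windows URL security zones; ZoneId 3 and 4 are the ones treated as untrusted.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def read_zone_stream(path):
    """Return the raw Zone.Identifier stream of a file on NTFS, or None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

def parse_motw(stream_text):
    """Parse Zone.Identifier content into a dict, or None when no valid mark exists."""
    if not stream_text:
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        zone = int(cp.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None
    return {"zone_id": zone,
            "zone": ZONES.get(zone, "Unknown"),
            "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None),
            "untrusted": zone >= 3}

def unmarked_shortcuts(inventory):
    """Names of Internet Shortcut (.url) files that carry no untrusted-zone mark."""
    flagged = []
    for name, stream_text in inventory:
        mark = parse_motw(stream_text)
        if name.lower().endswith(".url") and not (mark and mark["untrusted"]):
            flagged.append(name)
    return flagged

# Constructed sample data: (file name, Zone.Identifier content or None).
SAMPLE_INVENTORY = [
    ("report.url", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example.test/report.url\r\n"),
    ("invoice.url", None),
    ("setup.exe", "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("notes.url", "[ZoneTransfer]\r\nZoneId=garbage\r\n"),
]

if __name__ == "__main__":
    print(unmarked_shortcuts(SAMPLE_INVENTORY))
```

On a Windows host, `read_zone_stream` supplies the stream text for real files; a shortcut that arrived from outside yet has no mark is one for which the MotW warning has nothing to act on.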

Actively Exploited Zero-Day Vulnerability Affecting Windows SmartScreen

Windows SmartScreen has received a patch for CVE-2024-21351, which has a severity of Moderate and a CVSS score of 7.6. This security feature bypass vulnerability in Windows Defender SmartScreen can potentially lead to partial data exposure and/or issues with system availability. The attacker would need to convince the user to open a malicious file that could bypass SmartScreen and potentially gain code execution. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Moderate | 7.6 | CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability |

Table 2. Zero-day in Windows SmartScreen

Critical Vulnerabilities Affecting Microsoft Windows, Extended Security Update, Dynamics, Exchange Server and Microsoft Office

CVE-2024-21410 is a Critical elevation of privilege (EoP) vulnerability affecting Microsoft Exchange Server and has a CVSS score of 9.8. An attacker who successfully exploits this vulnerability can relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange server and be authenticated as that user. NTLM hashes are important for gaining account access due to the use of challenge-response protocols in secure authentication. This vulnerability potentially allows attackers to crack NTLM hashes or deploy an NTLM relay attack.

Prior to the Exchange Server 2019 Cumulative Update 14 (CU14), Exchange Server did not enable relay protections for NTLM credentials (called Extended Protection for Authentication or EPA) by default, which would have protected against one of the attack types mentioned earlier. Microsoft has provided an “Exchange Server Health Checker script” that provides an overview of the Extended Protection status of the customer’s Exchange server.

CVE-2024-21413 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Outlook and has a CVSS score of 9.8. Successful exploitation of this vulnerability allows the attacker to send a maliciously crafted link that bypasses the security feature. This can lead to credential exposure and RCE, enabling attackers to gain privileged functionality.

CVE-2024-21380 is a Critical information disclosure vulnerability affecting Microsoft Dynamics Business Central (formerly known as Dynamics NAV) and has a CVSS score of 8.0. This vulnerability could allow the attacker to interact with other SaaS tenants’ applications and content. The user would have to be convinced by the attacker to click on a specially crafted URL, and the execution would need to win a race condition for successful exploitation. This can lead to unauthorized access to the victim’s account.

CVE-2024-21357 is a Critical RCE vulnerability affecting the Windows Pragmatic General Multicast (PGM) network transport protocol and has a CVSS score of 7.6. The attack complexity is high due to the additional actions a threat actor would need to take for successful exploitation. Exploitation is limited to systems connected to the same network or virtual network.

CVE-2024-20684 is a Critical denial of service (DoS) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 6.5. Successful exploitation of this vulnerability allows an attacker to target a Hyper-V guest virtual machine, which can affect the functionality of the Hyper-V host. Because this is a local DoS attack, Microsoft deems exploitation less likely.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability |
| Critical | 9.8 | CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability |
| Critical | 8.0 | CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability |
| Critical | 7.5 | CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
| Critical | 6.5 | CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability |

Table 3. Critical vulnerabilities in Windows, ESU, Dynamics, Exchange Server and Microsoft Office

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
