Microsoft followed up one of the lightest recent Patch Tuesdays in December with another month of no zero-day vulnerabilities and only two critical issues.   

Many of the company’s monthly security updates in 2023 included vulnerabilities that were actively being exploited in the wild or had publicly available exploits already in circulation.   

The company started out 2024 by disclosing 48 vulnerabilities on Tuesday across its suite of products and services, 46 of which are considered of “important” severity. 

One of the critical vulnerabilities patched Tuesday is CVE-2024-20674, a security bypass vulnerability in the Windows Kerberos authentication protocol. An attacker could carry out a man-in-the-middle attack to exploit this vulnerability and spoof the Kerberos authentication server, thereby bypassing the authentication process.

Because of Kerberos’ presence on several of the most popular operating systems, Microsoft considers this vulnerability “more likely” to be exploited.

The other critical issue is CVE-2024-20700, which can lead to remote code execution. This vulnerability in Windows Hyper-V can be exploited if an adversary wins a race condition, and they must first gain access to a restricted network before an exploit can work.

There are two other remote code execution vulnerabilities that are worth mentioning, both of which Microsoft considers to be of “important” severity: CVE-2024-21307, which exists in Windows Remote Desktop Client, and CVE-2024-21318, which affects SharePoint Server. 

In the case of CVE-2024-21307, the vulnerability can be triggered if an authenticated user connects to a malicious remote desktop server where the remote desktop host server sends a specially crafted Server RDP Preconnection that targets the remote client's drive redirection virtual channel. This could lead to remote code execution on the victim's machine. 

CVE-2024-21318 is comparatively easier for an attacker to exploit, as it only requires them to write and inject specific code into SharePoint Server.

The Windows Kernel also contains an elevation of privilege vulnerability, CVE-2024-20698, which could allow an attacker to gain SYSTEM privileges. There is little other information on how an attacker could exploit this vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62847 – 62850 and 62854 – 62861. There are also Snort 3 rules 300797 – 300802.
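To confirm that a deployed rule file actually carries the SIDs listed above, a coverage check along these lines can be run after updating. This is an added example, not Talos or Snort tooling; the `audit_rules` helper is hypothetical, the sample rules are constructed placeholders, and it assumes one rule per line with disabled rules commented out by a leading `#`.

```python
import re

# SID ranges taken from the post: Snort 2 rules 62847-62850 and 62854-62861,
# Snort 3 rules 300797-300802.
EXPECTED_SIDS = (
    set(range(62847, 62851)) | set(range(62854, 62862)) | set(range(300797, 300803))
)

# One rule per line (assumption). Group 1 is set when the rule is commented out,
# group 2 captures the numeric value of the sid option.
RULE_RE = re.compile(
    r"^\s*(#\s*)?(?:alert|drop|block|reject|pass|log)\b.*?\bsid\s*:\s*(\d+)\s*;"
)

def audit_rules(text, expected=EXPECTED_SIDS):
    """Return (enabled, disabled, missing) sets of the expected SIDs."""
    enabled, disabled = set(), set()
    for line in text.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue  # blank line, plain comment, or something that is not a rule
        sid = int(match.group(2))
        if sid in expected:
            (disabled if match.group(1) else enabled).add(sid)
    disabled -= enabled  # an active copy of a rule wins over a commented-out one
    missing = set(expected) - enabled - disabled
    return enabled, disabled, missing

# Constructed sample input: rule bodies are placeholders, not the real signatures.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed placeholder A"; sid:62847; rev:1;)
# alert tcp any any -> any any (msg:"constructed placeholder B"; sid:62854; rev:1;)
alert tcp any any -> any any (msg:"constructed unrelated rule"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    on, off, absent = audit_rules(SAMPLE_RULES)
    print("enabled :", sorted(on))
    print("disabled:", sorted(off))
    print("missing :", sorted(absent))
```

A non-empty `missing` set points to an outdated rule pack, while a non-empty `disabled` set means the rule shipped but the active policy has it turned off.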