{"id":2329,"date":"2024-01-09T23:00:00","date_gmt":"2024-01-09T23:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/ics-ot-security\/critical-windows-kerberos-bug-microsoft-security-bypass"},"modified":"2024-01-09T23:00:00","modified_gmt":"2024-01-09T23:00:00","slug":"patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/01\/09\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security\/","title":{"rendered":"Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

Microsoft eased enterprise security teams into 2024 with a relatively light January security update consisting of patches for 48 unique CVEs, just two of which the company identified as being of critical severity.<\/span><\/p>\n

For the second straight month, Microsoft’s Patch Tuesday did not include any zero-day bugs, meaning administrators won’t have to contend with any new vulnerabilities that attackers are actively exploiting at the moment \u2014 something that happened frequently in 2023.<\/span><\/p>\n

Just Two Critical Severity Bugs<\/span><\/h2>\n

As is typically the case, the CVEs that <\/span>Microsoft disclosed Jan. 9<\/a><\/span> affected a wide range of its products and included privilege escalation vulnerabilities, remote code execution flaws, security bypass bugs, and other vulnerabilities. The company classified 46 of the flaws as being of Important severity, including several that attackers were more likely than not to exploit.<\/span><\/p>\n

One of two critical severity bugs in Microsoft’s latest update is <\/span>CVE-2024-20674<\/a><\/span>, a Windows Kerberos security feature bypass vulnerability that allows attackers to bypass authentication mechanisms and launch impersonation attacks. “Attackers can exploit this flaw via a machine-in-the-middle (MitM) attack,” says Saeed Abbasi, manager of vulnerability research at Qualys in comments to Dark Reading. “They achieve this by setting up a local network spoofing scenario and then sending malicious Kerberos messages to trick a client machine into believing they are communicating with a legitimate Kerberos authentication server.”<\/span><\/p>\n

The vulnerability requires the attacker to have access to the same local network as the target. It’s not remotely exploitable over the Internet and requires proximity to the internal network. Even so, there is a high likelihood of active exploitation attempts in the near future, Abbasi says.<\/span><\/p>\n

Ken Breen, senior director of threat research at Immersive Labs, identified <\/span>CVE-2024-20674<\/a><\/span> as a bug that organizations would do well to patch quickly. “These kinds of attack vectors are always valuable to threat actors like ransomware operators and access brokers,” because they enable significant access to enterprise networks, according to a statement from Breen.<\/span><\/p>\n

The other critical vulnerability in Microsoft’s latest batch of security updates is CVE-2024-20700, a remote code execution vulnerability in Windows Hyper-Virtualization technology. The vulnerability is not especially easy to exploit because to do so, an attacker would already first need to be inside the network and adjacent to a vulnerable computer, according to a statement from Ben McCarthy, lead cybersecurity engineer at Immersive Labs.<\/span><\/p>\n

The vulnerability also involves a race condition \u2014 a type of issue that’s harder for an attacker to exploit than many other vulnerability types. “This vulnerability has been released as exploitation less likely but because Hyper-V runs as the highest privileges in a computer, it is worth thinking about patching,” McCarthy said.<\/span><\/p>\n

High-Priority Remote Code Execution Bugs<\/span><\/h2>\n

Security researchers pointed to two other RCE bugs in the January update that merit priority attention: <\/span>CVE-2024-21307<\/a><\/span> in Windows Remote Desktop Client and <\/span>CVE-2024-21318<\/a><\/span> in SharePoint Server.<\/span><\/p>\n

Microsoft identified CVE-2024-21307 as a vulnerability that attackers are more likely to exploit but has provided little information on why, according to Breen. The company has noted that unauthorized attackers need to wait for a user to initiate a connection to be able to exploit the vulnerability.  <\/span><\/p>\n

“This means that the attackers have to create a malicious RDP server and use social engineering techniques in order to trick a user into connecting,” Breen said. “This is not as difficult as it sounds, as malicious RDP servers are relatively easy for attackers to set up and then sending .rdp attachments in emails means a user only has to open the attachment to trigger the exploit.”<\/span><\/p>\n

A Few More Exploitable Privilege Escalation Bugs<\/span><\/h2>\n

Microsoft’s January update included patches for several privilege escalation vulnerabilities. Among the most severe of them is for <\/span>CVE-2023-21310<\/a><\/span>, a privilege escalation bug in Windows Cloud Files Mini Filter Driver. The flaw is very similar to <\/span>CVE-2023-36036<\/a><\/span>, a zero-day privilege escalation vulnerability in the same technology, which Microsoft disclosed in its <\/span>November 2023 security update<\/a><\/span>.<\/span><\/p>\n

Attackers actively exploited that flaw to try and gain system level privileges on local machines \u2014 something they can do with the newly disclosed vulnerability as well. “This type of privilege escalation step is frequently seen by threat actors in network compromises,” Breen said. “It can enable the attacker to disable security tools or run credential dumping tools like Mimikatz that can then enable lateral movement or the compromise of domain accounts.”<\/span><\/p>\n

Some of the other important privilege escalation bugs included <\/span>CVE-2024-20653<\/a><\/span> in the Windows Common Log File System, <\/span>CVE-2024-20698<\/a><\/span> in Windows Kernel, <\/span>CVE-2024-20683<\/a><\/span> in Win32k, <\/span>and CVE-2024-20686<\/a><\/span> in Win32k. Microsoft has rated all of these flaws as issues attackers are more likely to exploit, according to a statement from Satnam Narang, senior staff research engineer at Tenable. “These bugs are commonly used as part of post-compromise activity,” he said. “That is, once attackers have gained an initial foothold onto systems.”<\/span><\/p>\n

Among the flaws that Microsoft ranked as important, but which need quick attention, is <\/span>CVE-2024-0056,<\/a><\/span> a security bypass feature in SQL, Abbasi says. The flaw enables an attacker to perform a machine-in-the-middle attack, intercepting and potentially altering TLS traffic between a client and server, he notes. “If exploited, an attacker could decrypt, read, or modify secure TLS traffic, breaching the confidentiality and integrity of data.” Abbasi says that an attacker could also leverage the flaw to exploit SQL Server via the SQL Data Provider.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft eased enterprise security teams into 2024 with a relatively<\/p>\n","protected":false},"author":12,"featured_media":2330,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2329","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?fit=1000%2C631&ssl=1",1000,631,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?fit=300%2C189&ssl=1",300,189,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?fit=640%2C404&ssl=1",640,404,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?fit=640%2C404&ssl=1",640,404,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?fit=1000%2C631&ssl=1",1000,631,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?fit=1000%2C631&ssl=1",1000,631,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?fit=1000%2C631&ssl=1",1000,631,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/01\/patch-now-critical-windows-kerberos-bug-bypasses-microsoft-security.jpg?fit=1000%2C631&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2329"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2329\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2330"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}