ION Threat Advisory: February Update
Executive Summary
This February Update consists of 80 patches for Microsoft products. Of these, five are critical and two are being actively exploited as reported in the CISA Known Exploited Vulnerabilities Catalogue.
Actively Exploited Vulnerabilities
- CVE-2024-21412 Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability CVSS 8.1 – An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, attacker would have to convince a victim to click on the file link.
- CVE-2024-21351 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability CVSS 7.6 – Allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both.
Critical Vulnerabilities
The following vulnerabilities are classified as critical but have not yet been actively exploited or publicly disclosed.
- CVE-2024-21380 Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability
- CVE-2024-21410 Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability
- CVE-2024-20684 Windows Hyper-V Denial of Service Vulnerability
- CVE-2024-21357 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
The Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2024-21410) is noteworthy as an attacker who successfully exploited this vulnerability could relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user. The CVSS for this vulnerability is 9.8 – the highest for this month.
Additionally, the Microsoft Outlook Remote Code Execution Vulnerability (CVE-2024-21413) can allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode. An attacker could craft a malicious link that bypasses the Protected View Protocol, which leads to the leaking of local NTLM credential information and remote code execution (RCE). The CVSS for this vulnerability is 9.8 as well.
Countermeasures and Patches
- Apply patches as soon as possible, after appropriate testing.
References
Sans Report: https://isc.sans.edu/diary/Microsoft+February+2024+Patch+Tuesday/30646/