Microsoft Patch Tuesday Analysis - April 2024

Introduction

April 9, 2024, Microsoft released their monthly Patch Tuesday security updates, totalling over 150 new Microsoft CVE’S. Below we discuss the vulnerabilities of the highest severity, based on our analysis, as well as two vulnerabilities that are under active exploitation at the moment.

Our process for analyzing and rating Patch Tuesday is: we use our experience with Red and Blue teaming to distill the whole list to those needing to patch immediately vs. waiting for your normal patching processes. Not every highly rated CVE should be considered Critical just as a lower rated CVE score may present a vulnerability that is actually Critical based on ease of exploitation, exposure of the vulnerability, and other key factors.

Of the 150 CVE’s released this month, including 67 Remote Code Execution vulnerabilities, OSec rated these two vulnerabilities under active exploitation in the wild,  three Remote Code Execution vulnerabilities, and one Escalation of Privilege vulnerability most concerning and should be addressed immediately:

Vulnerabilities Under Active Exploitation (2)

The vulnerabilities below have been reported to be under active exploitation by threat actors. These should be considered for immediate patching.

CVE-2024-26234 – Proxy Driver Spoofing Vulnerability

Description –

This was first detected in the wild by Sophos in December, 2023. An executable signed by a valid Microsoft Hardware Publisher Certificate was flagged as potentially malicious. Sophos believes the certificate was possibly stolen from a Chinese software company.

Microsoft has decided to not disclose any information regarding this vulnerability. It is unclear whether this vulnerability is an actual flaw in Windows proxy driver or an update to the Windows Driver.STL revocation list to blacklist the certificate used in the attack.

This vulnerability and attack highlights the use of valid certificates to sign malware, bypassing an industry-wide accepted security practice, and a stark reminder that certificates alone, that supposedly promise the software has been developed by a trusted developer, is not enough to stop motivated, malicious actors.

• Severity: 6.7 (Medium)
• Type: Spoofing Vulnerability
• MITRE ATTACK Mappings:
  • T1562.001: Impair Defenses: Disable or Modify Tools – By exploiting the vulnerability, attackers might disable or modify security mechanisms.
  • T1211: Exploitation for Defense Evasion – This vulnerability could be used to evade security mechanisms and maintain persistence on a compromised system.

CVE-2024-29988 – SmartScreen Prompt Security Feature Bypass Vulnerability

Description – This vulnerability allows bypassing Microsoft Defender SmartScreen, a built-in native feature that checks if a website or file is malicious. While Microsoft has not marked this vulnerability as being exploited in the wild, Trend Micro’s Zero Day Initiative disagrees.

This could allow threat actors to deploy malware after bypassing non-Microsoft antivirus and EDR (Endpoint Detection and Response). SmartScreen is often seen as the last line of defense on Windows for preventing malicious executables. Several threat actors have exploited similar vulnerabilities in the past for this exact purpose.

• Severity: 8.8 (High)
• Type: Security Feature Bypass Vulnerability
• MITRE ATTACK Mappings:
  • T1562.001: Impair Defenses: Disable or Modify Tools – By exploiting the vulnerability, attackers might disable or modify security mechanisms.
  • T1211: Exploitation for Defense Evasion – This vulnerability could be used to evade security mechanisms and maintain persistence on a compromised system.

Remote Code Execution (RCE) Vulnerabilities (3)

CVE-2024-20678 – Remote Procedure Call Runtime Remote Code Execution Vulnerability

Description – This vulnerability results in remote code execution through Windows Remote Procedure Call (RPC). While this requires prior authentication, any authenticated user, regardless of privilege, is able to exploit this. However, it is unclear whether guest accounts are also affected. Successful exploitation can result in privilege escalation to the RPC’s service account.

When this vulnerability is chained with another vulnerability that allows stealing NTLM hashes, such as the CVE-2024-20670 also released this month, or a NTLM relay attack, it can result in complete system takeovers.

This can also assist in lateral movement in networks as systems that use Active Directory will allow a credential to be used on multiple machines. This RCE can be used to escalate privilege and take over multiple machines, allowing attackers to gain a stronger foothold.

• Severity: 8.8 (High)
• Type: Remote Code Execution
• MITRE ATTACK Mappings:
  • T1562.001: Impair Defenses: Disable or Modify Tools – Potential for attackers to impair defense mechanisms, leveraging the vulnerability to disable or alter security tools and evade detection.
  • T1211: Exploitation for Defense Evasion – The vulnerability can facilitate attackers in circumventing security mechanisms, possibly maintaining persistent access to a compromised host.

CVE-2024-26257 – Microsoft Excel Remote Code Execution Vulnerability

Description – This vulnerability results in remote code execution from a malicious Microsoft Excel file being opened. While the victim must open the malicious file, phishing attacks are very common, and are often effective on non-technically savvy victims.

Microsoft Office 2021 for Mac has not yet received an update to remediate this vulnerability. We strongly recommend users exercise extreme caution when opening untrusted Excel files on Microsoft Office 2021 for Mac.

• Severity: 7.8 (High)
• Type: Remote Code Execution
• MITRE ATTACK Mappings:
  • T1203: Exploitation for Client Execution – The vulnerability could be exploited to execute code on the victim’s machine via a crafted document.
  • T1068: Exploitation for Privilege Escalation – Following initial exploitation, this vulnerability may be further leveraged to escalate privileges on the affected system.

CVE-2024-29050 – Windows Cryptographic Services Remote Code Execution Vulnerability 

Description – This vulnerability exploits a flaw in Windows Cryptographic Services that results in remote code execution. This is triggered by importing a malicious certificate into the victim’s system.

The attack scenario is creating a public WiFi hotspot and prompting victims to install a malicious certificate in order to authenticate, or via a captive portal. Installing a certificate to access the internet is common practice in enterprise environments and some public WiFi hotspots. By utilizing this vulnerability an attacker could take over any Windows system connecting to the targeted hotspot.

• Severity: 8.4 (High)
• Type: Remote Code Execution
• MITRE ATTACK Mappings:
  • T1485: Data Destruction – Attackers may leverage the vulnerability to destroy data, affecting the integrity and availability of the system.
  • T1499: Endpoint Denial of Service – The flaw could be exploited to cause a denial of service, disrupting operations and accessibility

Spoofing Vulnerability (1) 

CVE-2024-20670 – Outlook for Windows Spoofing Vulnerability

Description – This vulnerability leaks a user’s Net-NTLMv2 hash by sending an email with a malicious link. Clicking on the malicious link in the Outlook client will leak the hash to an attacker-controlled server.

Stolen NTLM hashes can be used in a relay attack to impersonate the victim and authenticate to other services. NTLM relay attacks are common and have been used by state-backed advanced persistent threat (APT) groups in the past.

• Severity: 8.1 (High)
• Type:  Spoofing
• MITRE ATTACK Mappings:
  • T1566: Phishing – This vulnerability may be exploited in phishing campaigns to deceive users into believing they are interacting with trusted sources.
  • T1606: Modify System Image – An attacker could modify the Outlook application to embed malicious code or content.