February 2024 Patch Tuesday: Two Zero-Days Amid 73 Vulnerabilities
Microsoft has released security updates for 73 vulnerabilities for its February 2024 Patch Tuesday rollout. These include two actively exploited zero-days (CVE-2024-21412 and CVE-2024-21351), both of which are security feature bypass flaws. Five of the vulnerabilities addressed today are rated Critical while the remaining 68 are rated Important or Moderate.
February 2024 Risk Analysis
This month’s leading risk type is remote code execution (41%) followed by elevation of privilege (22%) and spoofing (14%).
Windows products received the most patches this month with 44, followed by Extended Security Update (ESU) with 32 and Azure with 9.
Actively Exploited Zero-Day Vulnerability Affecting Internet Shortcut Files
Internet Shortcut Files has received a patch for CVE-2024-21412, which has a severity of Important and a CVSS score of 8.1. This vulnerability allows an unauthenticated attacker to bypass a security feature called “Mark of the Web” (MotW) warnings on Windows machines. The targeted user would need to be convinced to click on a specially crafted file that is designed to bypass the displayed security checks. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.
Severity | CVSS Score | CVE | Description |
Important | 8.1 | CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability |
Table 1. Zero-day in Internet Shortcut Files
Actively Exploited Zero-Day Vulnerability Affecting Windows SmartScreen
Windows SmartScreen has received a patch for CVE-2024-21351, which has a severity of Moderate and a CVSS score of 7.6. This security feature bypass vulnerability on Windows Defender SmartScreen can potentially lead to partial data exposure and/or issues with system availability. The attacker would need to convince the user to open a malicious file that could bypass SmartScreen and potentially gain code execution. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.
Severity | CVSS Score | CVE | Description |
Moderate | 7.6 | CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability |
Table 2. Zero-day in Windows SmartScreen
Critical Vulnerabilities Affecting Microsoft Windows, Extended Security Update, Dynamics, Exchange Server and Microsoft Office
CVE-2024-21410 is a Critical elevation of privilege (EoP) vulnerability affecting Microsoft Exchange Server and has a CVSS score of 9.8. An attacker that successfully exploits this vulnerability can relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange server and be authenticated as that user. NTLM hashes are important for gaining account access due to the use of challenge-response protocols in secure authentication. This vulnerability potentially allows attackers to crack NTLM hashes or deploy an NTLM relay attack.
Prior to the Exchange Server 2019 Cumulative Update 14 (CU14), Exchange Server did not enable relay protections for NTLM credentials (called Extended Protection for Authentication or EPA) by default, which would have protected against one of the attack types mentioned earlier. Microsoft has provided a “Exchange Server Health Checker script” that provides an overview of the Extended Protection status of the customer’s Exchange server.
CVE-2024-21413 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Outlook and has a CVSS score of 9.8. Successful exploitation of this vulnerability allows the attacker to send a maliciously crafted link that bypasses the security feature. This can lead to credential exposure and RCE, enabling attackers to gain privileged functionality.
CVE-2024-21380 is a Critical information disclosure vulnerability affecting Microsoft Dynamics Business Central (formerly known as Dynamics NAV) and has a CVSS score of 8.0. This vulnerability could allow the attacker to gain the ability to interact with other SaaS tenants’ applications and content. The user would have to be convinced by the attacker to click on a specially crafted URL, and the execution would need to win a race condition for a successful exploitation. This can lead to unauthorized access to the victim’s account.
CVE-2024-21357 is a Critical RCE vulnerability affecting Windows Pragmatic General Multicast (PGM) network transport protocol and has a CVSS score of 7.6. The attack complexity is high due to the additional actions a threat actor would need to take for successful exploitation. Exploitation is limited to within the same network or virtual network systems that are connected.
CVE-2024-20684 is a Critical denial of service (DoS) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 6.5. Successful exploitation of this vulnerability allows an attacker to target a Hyper-V guest virtual machine, which can affect the functionality of the Hyper-V host. Because this is a local DoS attack, Microsoft deems exploitation less likely.
Severity | CVSS Score | CVE | Description |
Critical | 9.8 | CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability |
Critical | 9.8 | CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability |
Critical | 8.0 | CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability |
Critical | 7.5 | CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
Critical | 6.5 | CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability |
Table 3. Critical vulnerabilities in Windows, ESU, Dynamics, Exchange Server and Microsoft Office
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources
- For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
- Stay tuned for the CrowdStrike 2024 Global Threat Report — to be released on Feb. 21, 2024 — to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
- See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
- Learn how CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, can discover unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
- Learn how CrowdStrike Falcon® Identity Protection products can stop workforce identity threats faster.
- Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
- Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.