Akamai’s Perspective on January’s Patch Tuesday 2024
New year, new CVEs. As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. Of the 48 total CVEs this month, only 2 are critical, but we also have a new year bonus — 2 of the CVEs patched this month were found by Akamai researchers Ben Barnea and Tomer Peled.
In this blog post, we’ll assess how critical the vulnerabilities really are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
Windows HTML Platforms
Although it’s called Windows HTML Platforms this month, we believe that this name also refers to Windows MSHTML like last month. MSHTML is a web page renderer for the Windows operating system. It exposes a Component Object Model (COM) interface to allow programs to add web-rendering capabilities. It is used by Internet Explorer, Microsoft Edge’s Internet Explorer mode, Microsoft Outlook, and various other programs.
Akamai researcher Ben Barnea found CVE-2024-20652, a security feature bypass vulnerability with a CVSS score of 7.5. The vulnerability itself is in MapUrlToZone, which is a function that is usually called to determine if a URL points to a resource on the machine, inside the network, or on the internet.
This vulnerability is similar to previously disclosed vulnerabilities. It causes MapUrlToZone to conclude that a URL resides in the intranet, while the URL actually points to an internet resource. This can be abused to bypass Outlook’s CVE-2023-23397 patch, and eventually lead to leaking NTLM credentials to a remote (attacker-controlled) destination.
Windows Themes
Microsoft Themes is a feature in Windows that lets a user change the way icons or fonts are displayed, among other possible changes. It is a built-in part of Windows.
Akamai researcher Tomer Peled found CVE-2024-21320, which is categorized as a spoofing vulnerability with a CVSS score of 6.5. To be more precise, it is an authentication coercion vulnerability because it causes the victim to initiate an NTLM authentication.
To trigger the vulnerability, a user needs only to view a malicious theme file using Explorer, without any further interaction (it’s not even necessary to open the theme file explicitly). We will share more details about this vulnerability in an upcoming blog post, so stay tuned.
Another CVE (CVE-2024-20691) was patched in Windows Themes this month — an information disclosure vulnerability that can disclose heap memory to attackers, provided they win a race condition.
Windows Hyper-V
Windows Hyper-V is the native hypervisor in Windows. It allows the hosting of virtual machines (guests) on a single host machine. Virtualization is very common in enterprise networks, as it allows saving on hardware costs.
In our observations, 90% of environments had at least one machine with Hyper-V enabled (hosts), and an average of 25% of Windows machines had Hyper-V enabled.
There were two vulnerabilities patched in Hyper-V this month, one of them critical.
- CVE-2024-20699 is a denial-of-service (DoS) vulnerability that attackers can trigger on vulnerable guest machines. It requires that the attackers have local access to the vulnerable guest.
- CVE-2024-20700 is a critical remote code execution vulnerability that allows attackers to run code on vulnerable Hyper-V machines.
Mitigation
Since CVE-2024-20700 requires network access, it should be possible to use network segmentation to limit the scope of access to Hyper-V hosts, thereby reducing the risk of attack. This is not intended as an alternative to patching, but rather as a short-term solution. To detect Hyper-V hosts, you can use the following OSQuery:
Windows Kerberos
Kerberos stands as the backbone of the Windows domain architecture. It is the default authentication mechanism, having replaced NTLM. There was a single critical vulnerability in Kerberos patched this month: CVE-2024-20674.
From Microsoft’s description of the vulnerability, it allows for impersonation and requires the attacker to establish a machine-in-the-middle (MITM) channel with a victim client. This would allow the attacker to masquerade as an authentication server.
Attack chain
To our understanding, a successful exploitation chain should look something like this:
- The attacker establishes a MITM position over a victim. This can be done in a plethora of ways, such as ARP, LLMNR, or DNS poisoning. (Akamai researcher Ori David recently discovered a new vector for achieving MITM via DHCP DNS spoofing.)
- The attacker sends a malicious Kerberos message to the victim, which causes them to believe that the attacker’s machine is the Kerberos authentication server.
- Once the client connects to the attacker’s machine, the vulnerability allows the attacker to impersonate the client, and perform actions inside the domain in their name.
Mitigation
Since Kerberos is so integral to the Windows domain, it is crucial to patch your systems as soon as possible, especially since the vulnerability is marked as “exploitation more likely.” Since the vulnerability affects Kerberos clients, it is probably not enough to patch just the domain controllers — all Windows machines in the domain must be patched.
Patching so many systems can take some time, especially in larger domains. In the meantime, we have two suggestions to detect possible exploitation artifacts of the vulnerability.
- You can analyze the Windows Event Log to look for anomalous logons in the network — Event IDs 4624 or 4625. If you see a user logon event originating from a machine that shouldn’t have that user, or with an unusual logon type (like network or batch), it should raise some concerns.
- Since Kerberos authentication is handled by the RPC interface for netlogon, you can use the RPC ETW log to search for clients that connect with netlogon to a machine that isn’t the domain controller. Our RPC visibility open source tool can help with that.
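The first suggestion above, as an added example that is not part of the original post: a small Python check that reads a constructed CSV export of 4624/4625 events and flags logons from a workstation the account is not expected on, or with a logon type the account does not normally use, against a per-account baseline (the export format, baseline and records are all constructed for this example).

```python
"""Flag anomalous Windows logon events (Event IDs 4624/4625) against a per-account
baseline. The CSV export format, the baseline and every record below are
constructed for this example, not taken from a real environment."""
import csv
import io
from dataclasses import dataclass

# Windows logon type codes relevant to the check (subset of the documented set).
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 10: "remote_interactive"}

# Constructed baseline: workstations and logon types considered normal per account.
BASELINE = {
    "alice": {"hosts": {"WS-ALICE"}, "types": {2, 7, 10}},
    "svc-backup": {"hosts": {"SRV-BACKUP"}, "types": {5}},
}

# Constructed sample export of the fields a 4624/4625 event carries.
SAMPLE_LOG = """\
time,event_id,user,logon_type,workstation,src_ip
2024-01-09T08:01:12,4624,alice,2,WS-ALICE,10.0.1.20
2024-01-09T08:05:44,4624,alice,3,SRV-FILE01,10.0.1.20
2024-01-09T08:07:10,4625,alice,3,UNKNOWN-HOST,10.0.9.99
2024-01-09T03:00:00,4624,svc-backup,5,SRV-BACKUP,10.0.2.5
2024-01-09T09:15:31,4624,svc-backup,4,WS-ALICE,10.0.1.20
2024-01-09T09:20:02,4624,bob,3,DC01,10.0.9.99
"""

@dataclass
class Finding:
    time: str
    event_id: int
    user: str
    reasons: list

def find_anomalous_logons(log_text, baseline=BASELINE):
    """Return one Finding per 4624/4625 event that deviates from the baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        event_id = int(row["event_id"])
        if event_id not in (4624, 4625):
            continue  # only successful and failed logon events are of interest
        reasons = []
        profile = baseline.get(row["user"])
        ltype = int(row["logon_type"])
        if profile is None:
            reasons.append("no baseline for account")
        else:
            if row["workstation"] not in profile["hosts"]:
                reasons.append(f"unexpected host {row['workstation']}")
            if ltype not in profile["types"]:
                reasons.append(f"unusual logon type {ltype} ({LOGON_TYPES.get(ltype, 'other')})")
        if reasons:
            findings.append(Finding(row["time"], event_id, row["user"], reasons))
    return findings

if __name__ == "__main__":
    for f in find_anomalous_logons(SAMPLE_LOG):
        print(f.time, f.event_id, f.user, "; ".join(f.reasons))
```

Accounts with no baseline are reported too, so the check surfaces unknown principals instead of silently skipping them.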
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
Service | CVE number | Effect | Required access |
---|---|---|---|
 | | Remote code execution | Local; requires the user to open a maliciously crafted file |
 | | Remote code execution | Network |
 | | Remote code execution | Network |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.