
WARNING: MICROSOFT PATCH TUESDAY FEBRUARY 2024 PATCHES 73 VULNERABILITIES (5 CRITICAL, 66 IMPORTANT, 2 MODERATE), PATCH IMMEDIATELY!!

Reference: Advisory #2024-25
Version: 2.0
Affected software: 
.NET
Azure Active Directory
Azure Connected Machine Agent
Azure DevOps
Azure File Sync
Azure Site Recovery
Azure Stack
Internet Shortcut Files
Microsoft ActiveX
Microsoft Azure Kubernetes Service
Microsoft Defender for Endpoint
Microsoft Dynamics
Microsoft Edge (Chromium-based)
Microsoft Exchange Server
Microsoft Office
Microsoft Office OneNote
Microsoft Office Outlook
Microsoft Office Word
Microsoft Teams for Android
Microsoft WDAC ODBC Driver
Microsoft WDAC OLE DB provider for SQL
Microsoft Windows
Microsoft Windows DNS
Role: DNS Server
SQL Server
Skype for Business
Trusted Compute Base
Windows Hyper-V
Windows Internet Connection Sharing (ICS)
Windows Kernel
Windows LDAP - Lightweight Directory Access Protocol
Windows Message Queuing
Windows OLE
Windows SmartScreen
Windows USB Serial Driver
Windows Win32K - ICOMP
Type: Several types, ranging from Information Disclosure to Remote Code Execution and Privilege Escalation.
CVE/CVSS: Microsoft patched 73 vulnerabilities in its February 2024 Patch Tuesday release, 5 rated critical and 66 rated important.

Risks

Microsoft’s February 2024 Patch Tuesday includes 73 vulnerabilities (5 critical, 66 important, 2 moderate and 0 low) across a wide range of Microsoft products, affecting both Microsoft servers and workstations. This Patch Tuesday includes 2 actively exploited vulnerabilities. Several other vulnerabilities are rated as more likely to be exploited soon, so urgent patching is advised.

UPDATE 29/02/2024: Exploitation of CVE-2024-21338 detected. Avast discovered that CVE-2024-21338 is exploited by the North Korean Lazarus group (notorious for its espionage and financially motivated cyber attacks).

UPDATE 15/04/2024: POCs for CVE-2024-21378 detected. There are at least two GitHub repositories hosting Proof of Concept code for the Microsoft Outlook vulnerability CVE-2024-21378. This makes exploitation of this vulnerability more likely.

Description

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software. This month’s release covers seventy-three vulnerabilities in total. Two of them (CVE-2024-21351 and CVE-2024-21412) are known to be exploited in the wild.

The CCB would like to draw your attention to the following vulnerabilities:

CVE-2024-21412: Internet Shortcut Files (Actively exploited)

Security Feature Bypass Vulnerability. To exploit this CVE, an attacker must send the user a malicious file designed to bypass the displayed security checks and convince the user to open it. According to Trend Micro (https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-...), Water Hydra (aka DarkCasino) abused this vulnerability as part of an attack chain to infect victims with the DarkMe malware (a remote access trojan). Water Hydra is a financially motivated APT group that also targets European forex traders and gambling platforms. The group is also known for exploiting the WinRAR zero-day CVE-2023-38831.

CVE-2024-21351: Windows SmartScreen (Actively exploited)

Security Feature Bypass Vulnerability. An authorized attacker must send the user a malicious file and convince the user to open it. An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could lead to data exposure, loss of system availability, or both. Since 2022, five Windows SmartScreen flaws have been disclosed on Patch Tuesday, all of them exploited in the wild as zero-days. CISA added CVE-2024-21351 to its Known Exploited Vulnerabilities catalogue, and Microsoft also lists it as exploited, but beyond that little information is available.

CVE-2024-21338: Windows Kernel (Actively exploited)

Elevation of Privilege. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.


CVE-2024-21410: Microsoft Exchange Server (Critical)

Elevation of Privilege. An attacker could target an NTLM client such as Outlook with an NTLM credential-leaking vulnerability. The leaked credentials can then be relayed against the Exchange server to gain the privileges of the victim client and to perform operations on the Exchange server on the victim's behalf.

Microsoft Exchange Server is a prime target for threat actors and ransomware groups, with numerous exploited vulnerabilities in the past. While CVE-2024-21410 has not yet been observed being exploited, given attackers' preference for Exchange it is crucial to patch it promptly.

Be aware that patching Exchange Server is not straightforward. To address this vulnerability, install Exchange Server 2019 Cumulative Update 14 (CU14) and ensure the Extended Protection for Authentication (EPA) feature is enabled. Microsoft offers more details for Exchange administrators in this article (https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2024-...).
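Because the relay scenario above is only closed when EPA actually enforces channel binding on the Exchange front-end, administrators will want to verify the setting rather than assume CU14 applied it. The following audit script is an added example and is not part of the CCB advisory or of Microsoft's own tooling (Microsoft's Exchange team article linked above remains the authoritative procedure). It assumes it is run in an elevated PowerShell session on the Exchange server, that the IIS WebAdministration module is available, and that the site and virtual directory names match a default Exchange installation.

```powershell
# Added example (not from the CCB advisory or from Microsoft): report the IIS
# Extended Protection for Authentication (EPA) "tokenChecking" value for the
# Exchange virtual directories. Assumed: elevated session on the Exchange
# server, WebAdministration module present, default site/vdir names.
Import-Module WebAdministration

# Assumed list of Exchange virtual directories and IIS sites; adjust to your deployment.
$Sites = @('Default Web Site', 'Exchange Back End')
$VDirs = @('Autodiscover', 'ECP', 'EWS', 'mapi', 'Microsoft-Server-ActiveSync', 'OAB', 'OWA', 'PowerShell', 'RPC')

function Get-ExchangeEpaStatus {
    foreach ($site in $Sites) {
        foreach ($vdir in $VDirs) {
            $location = "$site/$vdir"
            try {
                $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Location $location `
                    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
                    -Name 'extendedProtection.tokenChecking' -ErrorAction Stop
                # Older WebAdministration versions return a ConfigurationAttribute; newer ones return the raw value.
                $token = if ($null -ne $attr.Value) { [string]$attr.Value } else { [string]$attr }
            } catch {
                $token = 'not found'
            }
            # 'Require' rejects NTLM authentication without a valid channel binding token;
            # 'Allow' only honours the token when present; 'None' leaves relay possible.
            $status = switch ($token) {
                'Require' { 'OK' }
                'Allow'   { 'WEAK' }
                'None'    { 'DISABLED' }
                default   { 'REVIEW' }
            }
            [pscustomobject]@{ Location = $location; TokenChecking = $token; Status = $status }
        }
    }
}

# Flag every front-end path that does not enforce EPA.
Get-ExchangeEpaStatus | Sort-Object Status | Format-Table -AutoSize
```

Any row other than OK on a virtual directory that accepts Windows (NTLM) authentication means the mitigation described above is not in force there.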

CVE-2024-21413: Microsoft Office Outlook (Critical)

Remote Code Execution Vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode. An attacker could craft a malicious link that bypasses the Protected View Protocol, which leads to the leaking of local NTLM credential information and remote code execution (RCE).

To be protected, customers running Office 2016 need to install all the updates listed for their edition in the table in Microsoft’s Security Update Guide (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21413).

CVE-2024-21357: Windows Pragmatic General Multicast (PGM) (Critical)

Remote Code Execution. Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

CVE-2024-20684: Windows Hyper-V (Critical)

Denial of Service vulnerability. Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. Hyper-V is Microsoft's hardware virtualization product that lets users create and run virtual machines.

CVE-2024-21380: Microsoft Dynamics (Critical)

Information Disclosure vulnerability. Successful exploitation of this vulnerability requires an attacker to be authenticated and to win a race condition. The user would have to click on a specially crafted URL to be compromised by the attacker.

An attacker who successfully exploited this vulnerability could craft a payload allowing them to access sensitive user data, which could result in unauthorized access to the victim's account or compromise of other confidential information.

CVE-2024-21379: Microsoft Office Word (Important)

Remote Code Execution. An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality.

CVE-2024-21345: Windows Kernel (Important)

Elevation of Privilege. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. An authenticated attacker could run a specially crafted application that would give them control of the targeted destination and source of the copy.

CVE-2024-21371: Windows Kernel (Important)

Elevation of Privilege. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Successful exploitation of this vulnerability requires an attacker to win a race condition.

CVE-2024-21346: Windows Win32K – ICOMP (Important)

Remote Code Execution. Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

CVE-2024-21378: Microsoft Office Outlook (Important)

Remote Code Execution. An authorized attacker must send the user a malicious file and convince the user to open it. The attacker must be authenticated with LAN-access and have credentials for a valid Exchange user. An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality.

UPDATE 15/04/2024: Several GitHub repositories are now hosting Proof of Concept code for this vulnerability. Given Outlook's widespread use across many organisations, it is a prime target for threat actors. Furthermore, as Proof of Concept code becomes increasingly accessible, it is even more important to apply patches promptly. If you do not update, you are putting your organisation's infrastructure at risk.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends that organisations increase their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
