Patch Now: Critical Windows Kerberos Bug Bypasses Microsoft Security

Microsoft eased enterprise security teams into 2024 with a relatively light January security update consisting of patches for 48 unique CVEs, only two of which the company identified as critical severity.

For the second straight month, Microsoft’s Patch Tuesday did not include any zero-day bugs, meaning administrators won’t have to contend with any new vulnerabilities that attackers are actively exploiting at the moment — something that happened frequently in 2023.

Only Two Critical Severity Bugs

As usual, the CVEs that Microsoft disclosed on Jan. 9 affected many of its products and included privilege escalation vulnerabilities, remote code execution flaws, security feature bypass bugs, and other security holes. The company classified 46 of the flaws as important severity, including several that attackers are more likely to exploit.

One of two critical severity bugs in Microsoft’s latest update is CVE-2024-20674, a Windows Kerberos security feature bypass vulnerability that allows attackers to bypass authentication mechanisms and launch impersonation attacks. “Attackers can exploit this flaw via a machine-in-the-middle (MitM) attack,” says Saeed Abbasi, manager of vulnerability research at Qualys in comments to Dark Reading. “They achieve this by setting up a local network spoofing scenario and then sending malicious Kerberos messages to trick a client machine into believing they are communicating with a legitimate Kerberos authentication server.”

The vulnerability requires the attacker to have access to the same local network as the target. It’s not remotely exploitable over the Internet and requires proximity to the internal network. Even so, there is a high likelihood of active exploitation attempts in the near future, Abbasi says.

Kev Breen, senior director of threat research at Immersive Labs, identified CVE-2024-20674 as a bug that organizations would do well to patch quickly. “These kinds of attack vectors are always valuable to threat actors like ransomware operators and access brokers,” because they enable significant access to enterprise networks, according to a statement from Breen.

The other critical vulnerability in Microsoft’s latest batch of security updates is CVE-2024-20700, a remote code execution vulnerability in Windows Hyper-V virtualization technology. The vulnerability is not especially easy to exploit because to do so, an attacker would first need to already be inside the network and adjacent to a vulnerable computer, according to a statement from Ben McCarthy, lead cybersecurity engineer at Immersive Labs.

The vulnerability also involves a race condition — a type of issue that’s harder for an attacker to exploit than many other vulnerability types. “This vulnerability has been released as exploitation less likely but because Hyper-V runs as the highest privileges in a computer, it is worth thinking about patching,” McCarthy said.

High-Priority Remote Code Execution Bugs

Security researchers pointed to two other RCE flaws in the January update that merit priority attention: CVE-2024-21307 in Windows Remote Desktop Client and CVE-2024-21318 in SharePoint Server.

Microsoft identified CVE-2024-21307 as a vulnerability that attackers are more likely to exploit, but according to Breen, Microsoft has provided little information about why. The company has noted that unauthorized attackers need to wait for a user to initiate a connection in order to exploit the vulnerability.

“This means that the attackers have to create a malicious RDP server and use social engineering techniques in order to trick a user into connecting,” Breen said. “This is not as difficult as it sounds, as malicious RDP servers are relatively easy for attackers to set up and then sending .rdp attachments in emails means a user only has to open the attachment to trigger the exploit.”

A Few More Exploitable Privilege Escalation Bugs

Microsoft’s January update included patches for several privilege escalation vulnerabilities. Among the most severe of them is the one for CVE-2023-21310, a privilege escalation flaw in the Windows Cloud Files Mini Filter Driver. The bug is very similar to CVE-2023-36036, a zero-day privilege escalation vulnerability in the same technology that Microsoft disclosed in its November 2023 security update.

Attackers actively exploited that flaw to try and gain system level privileges on local machines — something they can do with the newly disclosed vulnerability as well. “This type of privilege escalation step is frequently seen by threat actors in network compromises,” Breen said. “It can enable the attacker to disable security tools or run credential dumping tools like Mimikatz that can then enable lateral movement or the compromise of domain accounts.”

Some other important privilege escalation bugs included CVE-2024-20653 in the Windows Common Log File System, CVE-2024-20698 in the Windows kernel, CVE-2024-20683 in Win32k, and CVE-2024-20686 in Win32k. Microsoft has rated all of these flaws as issues attackers are more likely to exploit, according to a statement from Satnam Narang, senior staff research engineer at Tenable. “These bugs are commonly used as part of post-compromise activity,” he said. “That is, once attackers have gained an initial foothold onto systems.”

Among the flaws that Microsoft rated as important but that nonetheless need quick attention is CVE-2024-0056, a security feature bypass in SQL, Abbasi says. The flaw enables an attacker to perform a machine-in-the-middle attack, intercepting and potentially altering TLS traffic between a client and server, he notes. “If exploited, an attacker could decrypt, read, or modify secure TLS traffic, breaching the confidentiality and integrity of data.” Abbasi says that an attacker could also leverage the flaw to exploit SQL Server via the SQL Data Provider.
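Because every recommendation above comes down to "patch quickly," the practical follow-up for an administrator is verifying that the January 2024 update actually landed on each host and that nothing critical is still pending. The following PowerShell script is an added example for that check; it is not code from the article or from Microsoft. It assumes an elevated session on a domain-joined Windows machine whose Windows Update agent can reach its update source, and it uses the Jan. 9 Patch Tuesday date stated in the article rather than hard-coding KB numbers, which the article does not list.

```powershell
# Added example (not from the article): confirm that updates have been installed
# since the January 2024 Patch Tuesday and list anything the Windows Update agent
# still considers pending. Run in an elevated PowerShell session.
# Assumptions: Windows 10/11 or Windows Server with the Windows Update COM API
# available; the 2024-01-09 date is the Patch Tuesday named in the article.

$patchTuesday = [datetime]'2024-01-09'

# Installed updates on or after Patch Tuesday, via the built-in Get-HotFix cmdlet.
# InstalledOn can be null for some entries, so it is checked before comparing.
$installed = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

# Updates the Windows Update agent knows about but has not installed yet.
# Microsoft.Update.Session and IUpdateSearcher.Search are the standard WUA COM API.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates |
    ForEach-Object {
        [pscustomobject]@{
            Title    = $_.Title
            KBs      = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $_.MsrcSeverity   # e.g. Critical / Important, as rated by MSRC
        }
    }

# A host needs attention if nothing has been installed since Patch Tuesday
# or if a Critical-rated update is still waiting to be applied.
$criticalPending = @($pending | Where-Object { $_.Severity -eq 'Critical' })

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    InstalledSincePatch = @($installed)
    PendingUpdates      = @($pending)
    NeedsAttention      = (@($installed).Count -eq 0) -or ($criticalPending.Count -gt 0)
}
```

Run the script through your remoting or endpoint-management tooling to collect one record per host; the NeedsAttention flag gives a quick triage list, and the PendingUpdates field shows which MSRC-rated items, including the critical Kerberos and Hyper-V fixes discussed above, have not yet been applied on a given machine.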
