Patch Tuesday February 2024: High Impact Exchange Vulnerability Uprated on Day After Release as Exploitation Detected

Microsoft addressed 74 new vulnerabilities this month, two of which were marked as zero-day vulnerabilities; both are relatively low impact, as they provide bypasses for security flagging features in Windows. The bigger news is a third possible zero-day vulnerability that Microsoft re-categorized one day after release, on February 14th, upgrading it from Exploitation More Likely to Exploitation Detected. We’ll get into the semantics of whether it really qualifies as a zero-day below, but it should definitely have your attention.




Microsoft Vulnerabilities

Of the new vulnerabilities addressed this month, five are rated Critical. On the day of release there were only two vulnerabilities marked as Exploitation Detected, CVE-2024-21351 and CVE-2024-21412. One day later, on February 14th, Microsoft updated CVE-2024-21410 to indicate that it “was aware of exploitation of this vulnerability” by changing its status from Exploitation More Likely to Exploitation Detected. As there is no further information about when Microsoft learned it was under active exploitation, this could have been an informational change based on new information provided to Microsoft, or it may have already been known to Microsoft at release. Either way, this makes it a little fuzzy whether you can call this a zero-day.

CVE-2024-21412, an Internet Shortcut Files Security Feature Bypass, and CVE-2024-21351, a Windows SmartScreen Security Feature Bypass, were both designated as under active exploitation on the day they were published, so giving them the label of zero-day is fairly cut and dried. While they are under active exploitation, the fact that they are only bypasses of Windows’ built-in security warning prompts means that if you are using a modern endpoint security solution any impact should be mitigated, although not eliminated.

However, CVE-2024-21410 is an Exchange Server Elevation of Privilege vulnerability affecting Microsoft Exchange Server 2019 and 2016. This vulnerability is an NTLM hash disclosure that allows an attacker to capture NTLM hashes and relay them against an Exchange Server to perform actions as the compromised user. Depending on the user’s permissions and scope of access, this could allow an attacker to pivot and further compromise an environment. There is extensive additional information and mitigation instructions available from Microsoft here:

If you manage Exchange Server 2019 or 2016 this should be your priority action for the week.

It’s Not Only Patches

Microsoft releases more than just patches on Patch Tuesday. Sometimes they also release advisories and updates to older advisories. This month they updated ADV990001 to include new Servicing Stack Updates, now available for Windows Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2 (all of which are under Extended Security Updates), as well as Windows 10 and Server 2016. While there’s nothing newsworthy in this particular advisory, it’s important to remember that these advisories exist, and you should ensure you review them as part of your Patch Tuesday process.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

CVE Number      | CVE Title                                                                    | Status | Severity
----------------|------------------------------------------------------------------------------|--------|---------
CVE-2024-21410  | Microsoft Exchange Server Elevation of Privilege Vulnerability               | ED     | C
CVE-2024-21412  | Internet Shortcut Files Security Feature Bypass Vulnerability                | ED     | I
CVE-2021-43890  | Windows AppX Installer Spoofing Vulnerability                                | ED     | I
CVE-2024-21351  | Windows SmartScreen Security Feature Bypass Vulnerability                    | ED     | M
CVE-2024-21380  | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | ELL    | C
CVE-2024-20684  | Windows Hyper-V Denial of Service Vulnerability                              | ELL    | C
CVE-2024-21357  | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | EML    | C
CVE-2024-21379  | Microsoft Word Remote Code Execution Vulnerability                           | EML    | I
CVE-2024-21378  | Microsoft Outlook Remote Code Execution Vulnerability                        | EML    | I
CVE-2024-21371  | Windows Kernel Elevation of Privilege Vulnerability                          | EML    | I
CVE-2024-21346  | Win32k Elevation of Privilege Vulnerability                                  | EML    | I
CVE-2024-21345  | Windows Kernel Elevation of Privilege Vulnerability                          | EML    | I
CVE-2024-21338  | Windows Kernel Elevation of Privilege Vulnerability                          | EML    | I
CVE-2024-21413  | Microsoft Outlook Remote Code Execution Vulnerability                        | EU     | C

Summary

As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally dealt with patches only by applying them based on their severity, consider adding prioritization of Zero-Day, Exploitation Detected and Exploitation More Likely vulnerabilities to your Patch Management routines.
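To make the prioritization argument concrete, here is an added Python example (not code from the post or from N‑able) that orders this month’s table by exploitation status first and severity second, then re-runs the ordering after Microsoft’s February 14th change to CVE-2024-21410. The advisory data is taken from the table above; the script lists CVE-2024-21410 with the Exploitation More Likely status it carried on release day so the effect of the update is visible. The status and severity codes, the rank values, and the function names are this example’s own choices.

```python
from dataclasses import dataclass, replace

# Ranks follow the post's table key: a lower number means patch sooner.
STATUS_RANK = {"ED": 0, "EML": 1, "ELL": 2, "EU": 3, "N/A": 4}
SEVERITY_RANK = {"C": 0, "I": 1, "M": 2, "R": 3}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    status: str    # exploitation status code from the table key
    severity: str  # severity code from the table key


# Values from the post's table. CVE-2024-21410 is given its day-of-release
# status (EML); Microsoft changed it to ED on February 14th.
RELEASE_DAY = [
    Advisory("CVE-2024-21410", "Microsoft Exchange Server Elevation of Privilege", "EML", "C"),
    Advisory("CVE-2024-21412", "Internet Shortcut Files Security Feature Bypass", "ED", "I"),
    Advisory("CVE-2021-43890", "Windows AppX Installer Spoofing", "ED", "I"),
    Advisory("CVE-2024-21351", "Windows SmartScreen Security Feature Bypass", "ED", "M"),
    Advisory("CVE-2024-21380", "Dynamics Business Central/NAV Information Disclosure", "ELL", "C"),
    Advisory("CVE-2024-20684", "Windows Hyper-V Denial of Service", "ELL", "C"),
    Advisory("CVE-2024-21357", "Windows PGM Remote Code Execution", "EML", "C"),
    Advisory("CVE-2024-21379", "Microsoft Word Remote Code Execution", "EML", "I"),
    Advisory("CVE-2024-21378", "Microsoft Outlook Remote Code Execution", "EML", "I"),
    Advisory("CVE-2024-21371", "Windows Kernel Elevation of Privilege", "EML", "I"),
    Advisory("CVE-2024-21346", "Win32k Elevation of Privilege", "EML", "I"),
    Advisory("CVE-2024-21345", "Windows Kernel Elevation of Privilege", "EML", "I"),
    Advisory("CVE-2024-21338", "Windows Kernel Elevation of Privilege", "EML", "I"),
    Advisory("CVE-2024-21413", "Microsoft Outlook Remote Code Execution", "EU", "C"),
]


def priority_key(adv):
    """Exploitation status outranks severity; the CVE id breaks ties deterministically."""
    return (STATUS_RANK[adv.status], SEVERITY_RANK[adv.severity], adv.cve)


def prioritise(advisories):
    """Order advisories as the post recommends: Exploitation Detected first, then
    Exploitation More Likely, with severity deciding within each status group."""
    bad = [a.cve for a in advisories
           if a.status not in STATUS_RANK or a.severity not in SEVERITY_RANK]
    if bad:
        raise ValueError(f"unknown status or severity code on: {bad}")
    return sorted(advisories, key=priority_key)


def severity_only(advisories):
    """The ordering the post warns about: severity rating alone."""
    return sorted(advisories, key=lambda a: (SEVERITY_RANK[a.severity], a.cve))


def with_status(advisories, cve, status):
    """Return a copy of the list with one advisory re-rated (e.g. EML -> ED),
    leaving the original list untouched so both views can be compared."""
    return [replace(a, status=status) if a.cve == cve else a for a in advisories]


def position(ordered, cve):
    """1-based place of a CVE in an ordered list."""
    return next(i for i, a in enumerate(ordered, start=1) if a.cve == cve)


if __name__ == "__main__":
    before = prioritise(RELEASE_DAY)
    after = prioritise(with_status(RELEASE_DAY, "CVE-2024-21410", "ED"))
    print("CVE-2024-21410 on release day:", position(before, "CVE-2024-21410"))
    print("CVE-2024-21410 after Feb 14th :", position(after, "CVE-2024-21410"))
    for a in after:
        print(f"{a.cve:16} {a.status:4} {a.severity}  {a.title}")
```

Run as a script it prints the re-ordered list. Two things stand out: sorting by severity alone puts CVE-2024-21413 (Critical, Exploitation Unlikely) ahead of the two zero-days, and the single status change on February 14th moves CVE-2024-21410 from fifth place to the top, which is why the post suggests re-checking Microsoft’s statuses after release rather than triaging once.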

If you’re looking for more blogs on patching, or for previous Microsoft Patch Tuesday Reviews, check out this section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd


© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
