Patch Tuesday February 2024: High Impact Exchange Vulnerability Uprated on Day After Release as Exploitation Detected

Microsoft addressed 74 new vulnerabilities this month, two of which were marked as zero-day vulnerabilities that are relatively low impact as they provide bypasses for security flagging features in Windows. The bigger news is a third possible zero-day vulnerability that Microsoft re-categorized one day after release on February 14^th, upgrading it from Exploitation More Likely to Exploitation Detected. We’ll get into the semantics of if it really qualifies as a zero-day below, but it should definitely have your attention.

Set your sights on the future of the MSP industry with the first ever MSP Horizons Report, jointly produced by N‑able and international MSP-focused research firm, Canalys…

Microsoft Vulnerabilities

Of the new vulnerabilities addressed this month, five are rated Critical. On the day of release there were only two vulnerabilities that were marked as Exploitation Detected, CVE-2024-21351 and CVE-2024-21412. One day later, on February 14^th, Microsoft updated CVE-2024-21410 to indicate that it “was aware of exploitation of this vulnerability” by changing it from Exploitation More Likely to Exploitation Detected. As there is no further information about when Microsoft knew it was under active exploitation this could have been just an informational change based on new information provided to Microsoft, or it may have already been known to Microsoft. Either way this makes it a little fuzzy on whether you can call this a zero-day or not.

CVE-2024-21412, an Internet Shortcut Files Security Feature Bypass, and CVE-2024-21351, a Windows SmartScreen Security Feature Bypass, were both designated as under active exploitation on the day they were published, so giving them the label of zero-day is fairly cut and dry. While they are under active exploitation, the fact that they are only bypasses of Windows in-built security warning prompts means if you are using a modern endpoint security solution any impact should be mitigated—although not eliminated.

However, CVE-2024-21410 is an Exchange Server Elevation of Privilege vulnerability affecting Microsoft Exchange Server 2019 and 2016. This vulnerability is an NTLM hash disclosure that allows an attacker to capture and relay NTLM hashes against an Exchange Server to perform actions as the compromised user. Depending on the user’s permissions and scope of access this could allow an attacker to pivot and further compromise an environment. There is extensive additional information and mitigation instructions available from Microsoft here:

• 2024 H1 Cumulative Update for Exchange Server
• Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2
• Exchange Extended Protection Management

If you manage Exchange Server 2019 or 2016 this should be your priority action for the week.

It’s Not Only Patches

Microsoft releases more than just patches on Patch Tuesday. Sometimes they also release advisories and updates to older advisories. This month they updated ADV990001 to include new Servicing Stack Updates now available for Windows Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2 all of which are under Extended Security Updates as well as Windows 10 and Server 2016. While there’s nothing newsworthy in this particular advisory it’s important to remember they exist and you should ensure you review them as part of your Patch Tuesday process.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, EU = Exploitation Unlikely, N/A = Not Available

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out this section of our blog. 

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd