Microsoft February 2024 Patch Tuesday CVE Information

Posted:
02/26/2024
| By:
Al Calleo

Microsoft's February 2024 Patch Tuesday publicly discloses several CVEs across products including Windows SmartScreen, Outlook, and Exchange Server. Some of the vulnerabilities have likely been exploited in the wild.

Key Takeaways

  • Several critical Microsoft CVEs are covered in Microsoft's February 2024 Patch Tuesday release
  • Up to 97,000 internet-exposed Microsoft Exchange servers are affected by CVE-2024-21410
  • APT groups have likely exploited some of these vulnerabilities in the wild
  • Security updates are available for all of them, and Exchange additionally gets a hardening feature (Extended Protection for Authentication) enabled by default

Background

CVE-2024-21410

Microsoft has disclosed a critical vulnerability in Microsoft Exchange Server, rated CVSS 9.8, that could affect up to 97,000 internet-exposed servers. Microsoft's advisory describes it as an NTLM relay elevation-of-privilege issue: an attacker who captures a user's NTLM authentication, for example by targeting an NTLM client such as Outlook with a credential-leaking bug like CVE-2023-23397 (since patched), can relay that authentication to the Exchange server and act as that user. Microsoft has since classified the vulnerability as exploited. What is relayed is the NTLM challenge-response, not the account's NT hash, so this is a relay attack rather than Pass-the-Hash, and the defence is to bind the authentication to the TLS connection it arrived on. Microsoft had previously made that binding, Extended Protection for Authentication, available for Exchange Server as an optional mitigation; Exchange Server 2019 Cumulative Update 14 enables it by default, so authentications relayed from any source are rejected.
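The Extended Protection setting that CU14 turns on lives in IIS as the `tokenChecking` attribute of the `extendedProtection` element under each Exchange virtual directory's `windowsAuthentication` configuration. The following script is added here as an illustration; it is not code from the original post or from Microsoft. It audits those values by parsing applicationHost.config and shows the weak settings ("None", "Allow") beside the hardened one ("Require"). The embedded configuration fragment, the virtual-directory list and the expectation that every listed directory must be at Require are constructed assumptions for the example.

```powershell
# Added example for this post (not ConnectWise's or Microsoft's code): audit the
# Extended Protection setting of Exchange virtual directories by parsing the IIS
# applicationHost.config. The embedded config fragment and the list of
# directories expected at "Require" are constructed assumptions for
# illustration; apply supported per-directory values with Microsoft's
# ExchangeExtendedProtectionManagement.ps1 rather than editing IIS by hand.
param(
    # Path to the real file on an Exchange server, normally
    # "$env:windir\System32\inetsrv\config\applicationHost.config".
    # Leave empty to run against the embedded sample below.
    [string]$ConfigPath
)

# Constructed sample: EWS has Extended Protection off, OWA is only "Allow"
# (an authentication that carries no channel binding token is still accepted,
# so a logon relayed from a client that did not bind it still works), OAB has
# no extendedProtection element at all (IIS then defaults to None), and Mapi
# is at "Require", the hardened value.
$SampleConfig = @'
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="None" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/OWA">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Allow" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/OAB">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Mapi">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

# Directories this audit expects at Require. Assumption for the example:
# Microsoft's guidance sets a specific value per directory, so confirm the
# list against it before enforcing anything.
$MustRequire = @('Default Web Site/EWS', 'Default Web Site/OWA',
                 'Default Web Site/OAB', 'Default Web Site/Mapi')

function Get-EpaSettings {
    # Returns one object per <location> that has Windows authentication
    # configured, with its effective tokenChecking and flags values.
    param([xml]$Config)
    foreach ($loc in $Config.configuration.location) {
        $winAuth = $loc.SelectSingleNode('system.webServer/security/authentication/windowsAuthentication')
        if (-not $winAuth) { continue }
        $ep = $winAuth.SelectSingleNode('extendedProtection')
        # A missing element or attribute means the IIS default, which is None.
        $token = if ($ep -and $ep.HasAttribute('tokenChecking')) { $ep.GetAttribute('tokenChecking') } else { 'None' }
        $flags = if ($ep -and $ep.HasAttribute('flags')) { $ep.GetAttribute('flags') } else { 'None' }
        [pscustomobject]@{ Path = $loc.GetAttribute('path'); TokenChecking = $token; Flags = $flags }
    }
}

function Test-EpaHardening {
    # Grades each audited directory that is supposed to be at Require.
    param([object[]]$Settings, [string[]]$RequireList)
    foreach ($s in $Settings) {
        if ($RequireList -notcontains $s.Path) { continue }
        $finding = switch ($s.TokenChecking) {
            'Require' { 'OK' }
            'Allow'   { 'WEAK: channel binding optional, relay still possible' }
            default   { 'WEAK: Extended Protection off' }
        }
        [pscustomobject]@{ Path = $s.Path; TokenChecking = $s.TokenChecking; Flags = $s.Flags; Finding = $finding }
    }
}

$config   = if ($ConfigPath) { [xml](Get-Content -Path $ConfigPath -Raw) } else { [xml]$SampleConfig }
$settings = Get-EpaSettings -Config $config
Test-EpaHardening -Settings $settings -RequireList $MustRequire | Format-Table -AutoSize
```

Point `-ConfigPath` at the server's applicationHost.config for a real audit. Two caveats: Microsoft's supported way to enable Extended Protection is its ExchangeExtendedProtectionManagement.ps1 script, which applies the correct value per directory; and Require binds the authentication to the TLS session the Exchange server itself terminates, so it is incompatible with SSL offloading on a load balancer in front of Exchange and needs consistent TLS settings across all servers.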

CVE-2024-21413

CVE-2024-21413 is a critical vulnerability in Microsoft Outlook. A specially crafted hyperlink in an email bypasses Office Protected View, so the linked Office file opens in editing mode rather than read-only protected mode; Microsoft also notes that the Preview Pane is an attack vector, so the user does not have to open the message. Successful exploitation can leak the victim's NTLM credentials to an attacker-controlled server (exactly the input a relay attack such as CVE-2024-21410 needs) or lead to remote code execution.

CVE-2024-21412, CVE-2024-21351

Both CVEs are security feature bypasses of Windows SmartScreen, the Microsoft Defender reputation check that warns or blocks when a downloaded file, installer, or site is unknown or known to be malicious. Exploitation requires the attacker to deliver a malicious file to the victim and convince them to open it; the bypass then suppresses the SmartScreen warning the user would otherwise have seen, so the payload runs without the usual prompt. The APT group Water Hydra has been reported to have used CVE-2024-21412 in its campaigns.

Prevention

In addition to the mitigations Microsoft has published for these vulnerabilities, we recommend the following countermeasures.

  • Patch and Update Systems: Apply all available security updates to Microsoft Exchange servers and to the other affected products (Outlook and Office, and Windows for the SmartScreen fixes). Microsoft released Exchange Server 2019 Cumulative Update 14, which mitigates CVE-2024-21410 by enabling Extended Protection for Authentication by default.
  • Enable Extended Protection for Authentication (EPA): EPA is a long-standing Windows feature that binds Integrated Windows Authentication (NTLM or Kerberos over HTTPS) to the TLS connection it arrives on through a channel binding token, so an attacker who relays the authentication from a different TLS session fails the check. Before Exchange Server 2019 CU14, Exchange shipped with EPA off; environments that cannot yet take the update should enable it on the supported Exchange 2016 and 2019 builds with Microsoft's ExchangeExtendedProtectionManagement.ps1 script, after checking Microsoft's prerequisites (notably no SSL offloading in front of Exchange and consistent TLS settings across servers).
  • Network Security Measures: Implement network segmentation and firewall rules to limit the exposure of sensitive systems and restrict lateral movement within the network. Block outbound SMB (TCP 445) from workstations to the internet: an NTLM credential leaked by the Outlook bug has to reach an attacker-controlled server to be useful.
  • Monitor and Audit: Monitor network traffic and audit logs for signs of NTLM relay or credential misuse: Security event 4624 logons with the NTLM authentication package and logon type 3 from unexpected source addresses on Exchange servers, and, on domain controllers, the NTLM audit events (8004 in Microsoft-Windows-NTLM/Operational) produced once the "Audit NTLM authentication in this domain" policy is enabled.
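For the monitoring item above, one concrete relay indicator on the target server is a 4624 network logon (logon type 3) with the NTLM authentication package where the WorkstationName recorded from the NTLM AUTHENTICATE message does not belong to the source IP address that delivered it: a relay tool forwards the victim's message from its own host, so the name inside the message and the TCP peer disagree. The following PowerShell is added here as an example and is not part of the original post; it applies that check to constructed sample events, and the host names, addresses and the stand-in name resolver are assumptions.

```powershell
# Added example for this post (not ConnectWise's code): triage Security log
# 4624 events for an NTLM relay indicator. A relayed logon reaches the target
# from the relay host's IP, while the WorkstationName inside the NTLM
# AUTHENTICATE message still names the victim's machine. The events, host
# names and addresses below are constructed sample data, not a real capture.

$SampleEventXml = @'
<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID><TimeCreated SystemTime="2024-02-15T10:01:00Z"/></System>
    <EventData>
      <Data Name="TargetDomainName">CORP</Data><Data Name="TargetUserName">jsmith</Data>
      <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
      <Data Name="WorkstationName">WS-JSMITH</Data><Data Name="IpAddress">10.0.0.50</Data>
    </EventData>
  </Event>
  <!-- Suspicious: alee's workstation WS-ALEE is 10.0.0.51, but the logon came from 10.0.9.9 -->
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID><TimeCreated SystemTime="2024-02-15T10:02:00Z"/></System>
    <EventData>
      <Data Name="TargetDomainName">CORP</Data><Data Name="TargetUserName">alee</Data>
      <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
      <Data Name="WorkstationName">WS-ALEE</Data><Data Name="IpAddress">10.0.9.9</Data>
    </EventData>
  </Event>
  <!-- Kerberos logon: outside the scope of this heuristic -->
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID><TimeCreated SystemTime="2024-02-15T10:03:00Z"/></System>
    <EventData>
      <Data Name="TargetDomainName">CORP</Data><Data Name="TargetUserName">bob</Data>
      <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data>
      <Data Name="WorkstationName">WS-BOB</Data><Data Name="IpAddress">10.0.0.52</Data>
    </EventData>
  </Event>
  <!-- NTLM logon naming a workstation the resolver does not know -->
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System><EventID>4624</EventID><TimeCreated SystemTime="2024-02-15T10:04:00Z"/></System>
    <EventData>
      <Data Name="TargetDomainName">CORP</Data><Data Name="TargetUserName">svc-backup</Data>
      <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
      <Data Name="WorkstationName">WS-CONTRACTOR7</Data><Data Name="IpAddress">10.0.3.3</Data>
    </EventData>
  </Event>
</Events>
'@

# Constructed name-to-address table standing in for DNS so the example runs
# offline. For a live run, pass $LiveResolver instead.
$SampleDns = @{ 'WS-JSMITH' = @('10.0.0.50'); 'WS-ALEE' = @('10.0.0.51') }
$SampleResolver = { param($name) if ($SampleDns.ContainsKey($name)) { $SampleDns[$name] } else { @() } }
$LiveResolver   = { param($name) try { [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.ToString() } } catch { @() } }

function ConvertFrom-EventRecord {
    # Flattens one <Event> element into a hashtable keyed by EventData field name.
    param([System.Xml.XmlElement]$Record)
    $id = $Record.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # form used when a Qualifiers attribute is present
    $fields = @{ EventId = [int]$id; SystemTime = $Record.System.TimeCreated.SystemTime }
    foreach ($d in $Record.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Find-NtlmRelayCandidates {
    # Emits one verdict per NTLM network logon. Unresolvable workstation names are
    # reported, not dropped: a relay tool can put an arbitrary name in that field.
    param([hashtable[]]$Logons, [scriptblock]$ResolveHost)
    foreach ($l in $Logons) {
        if ($l.EventId -ne 4624 -or $l.LogonType -ne '3' -or $l.AuthenticationPackageName -ne 'NTLM') { continue }
        $ws = $l.WorkstationName; $ip = $l.IpAddress
        if ([string]::IsNullOrEmpty($ws) -or $ip -in @('-', '127.0.0.1', '::1')) { continue }
        $known = @(& $ResolveHost $ws)
        $verdict = 'relay-candidate'
        if ($ip -in $known)     { $verdict = 'consistent' }
        if ($known.Count -eq 0) { $verdict = 'unresolvable-workstation' }
        [pscustomobject]@{
            Time = $l.SystemTime; User = "$($l.TargetDomainName)\$($l.TargetUserName)"
            Workstation = $ws; SourceIp = $ip; Verdict = $verdict
        }
    }
}

$records = foreach ($e in ([xml]$SampleEventXml).Events.Event) { ConvertFrom-EventRecord -Record $e }
Find-NtlmRelayCandidates -Logons $records -ResolveHost $SampleResolver |
    Where-Object Verdict -ne 'consistent' | Format-Table -AutoSize

# Live use (assumed invocation): last 24 hours of 4624 events on the Exchange server.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } |
#         ForEach-Object { ConvertFrom-EventRecord -Record ([xml]$_.ToXml()).Event }
# Find-NtlmRelayCandidates -Logons $live -ResolveHost $LiveResolver | Where-Object Verdict -ne 'consistent'
```

Treat the output as a triage signal rather than proof: NAT, VPN concentrators and proxies legitimately produce the same mismatch, and the WorkstationName is attacker-controlled, which is why an unresolvable name is surfaced instead of ignored. On domain controllers, the 8004 events produced by the "Audit NTLM authentication in this domain" policy record which accounts authenticated with NTLM from which workstation names across the domain, which is a useful second source when an Exchange server shows candidates.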

Conclusion

Here at ConnectWise, we are continually monitoring the development of these CVEs and exploring possible detection methods around these vulnerabilities. As more information is revealed about the vulnerabilities, the CW CRU will be monitoring for new detection opportunities where possible.

Several of the vulnerabilities covered here, the Exchange and SmartScreen issues in particular, were reported as exploited in the wild.