January 2024 Patch Tuesday: 49 Vulnerabilities Disclosed on First Patch Tuesday of the Year
In a relatively quiet week for Microsoft Patch Tuesday, the vendor announced 49 vulnerabilities affecting Microsoft products, two of which are critical, and a number of remote code execution (RCE) vulnerabilities.
January 2024 Risk Analysis
This month’s leading risk type is remote code execution (24%), followed by information disclosure (22%) and elevation of privilege (20%).
Figure 1. Breakdown of January 2024 Patch Tuesday attack types (click to enlarge)
The Microsoft Windows product family received the most patches this month with 40, followed by Extended Support Updates (ESU; 22) and Microsoft Developer Tools (6).
Figure 2. Breakdown of product families affected by January 2024 Patch Tuesday (click to enlarge)
Critical Vulnerabilities in Kerberos and Microsoft Hyper-V
CVE-2024-20674 is a security feature bypass vulnerability that can allow a remote attacker to intercept a valid Kerberos authentication message from the authentication server and use it to impersonate the authentication server to the victim machine. This relationship can then be leveraged to intercept valid Kerberos authentication sessions and enable the attacker to harvest credentials from the victim to impersonate the victim to other services covered by the Kerberos single sign-on implementation.
According to Microsoft, this vulnerability has an adjacent attack vector, meaning the adversary must first be on the restricted network to intercept these messages. Though Microsoft does not have data to suggest this vulnerability has been exploited in the wild, they have noted that exploitation is very likely after this announcement.
| Rank | CVSS Score | CVE | Description |
| Critical | 9.0 | CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability |
Figure 3. Critical vulnerability in Kerberos
CVE-2024-20700 is a remote code execution vulnerability with high attack complexity present in the Windows Hyper-V subsystem. Little is publicly revealed about this vulnerability. However, given that Hyper-V is the built-in hypervisor for all Windows platforms, this vulnerability should be patched with haste.
| Rank | CVSS Score | CVE | Description |
| Critical | 7.5 | CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability |
Figure 4. Critical vulnerability in Windows Hyper-V
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources
- For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
- Download the CrowdStrike 2023 Global Threat Report to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
- See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments.
- Learn how CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, can discover unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
- Learn how CrowdStrike Falcon® Identity Protection products can stop workforce identity threats faster.
- Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
- Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.
