Microsoft decided to start the year off light with 48 CVEs issued by Microsoft and five more issued by other CNAs. Since four of those CVEs are for Edge (Chromium-based) (CVE-2024-0222, CVE-2024-0223, CVE-2024-0224, CVE-2024-0225) and came out on Friday, we’re only seeing 49 “new” CVEs. The reason I say “new” CVEs is that the SQLite CVE (CVE-2022-35737) is from 2022. The CVE was published in August 2022 and last updated in October 2022. In fact, the Trail of Bits blog has a very detailed write-up on this CVE. Given the details available, I’m surprised that Microsoft stated that this was not publicly disclosed. I’m not sure if Microsoft made a mistake or if they feel the path of exploitation is distinct enough from the original write-up that the write-up would not be useful in exploiting this vulnerability. Either way, I’d love to see a clarification of why Microsoft addressed this CVE but listed it as not disclosed.
Two Critical Vulnerabilities
There are only two vulnerabilities in this month’s patch drop that meet the CVSS 3.1 threshold for critical: an X.509 certificate chain-building issue within the .NET Framework (CVE-2024-0057) and a Kerberos machine-in-the-middle (MITM) attack that allows for impersonation (CVE-2024-20674). While they meet the threshold for critical, they both have contributing factors that decrease the risk.
With the X.509 certificate issue, the problem occurs when building the certificate chain of trust. When chain building fails, the framework can report an incorrect reason code for the failure, and an application written to act on that reason code (for example, tolerating one specific failure reason it considers benign) could be steered past a validation check it would otherwise enforce. Whether that is exploitable depends entirely on how the application consumes the result, which is why Microsoft stated that they scored this vulnerability “using a reasonable worst-case implementation scenario.” The real risk could be significantly lower; an application that treats any failed chain build as a hard failure, without inspecting why it failed, is not affected by the incorrect code. The practical check is to audit code that calls chain-building APIs and then branches on the returned status flags rather than on the overall pass/fail result.
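To make the distinction concrete, the following is an added illustration in C#, written for this post rather than taken from Microsoft’s advisory or from .NET’s own code. The method names, the pinned-root parameter and the revocation-mode parameter are assumptions made for the example (the last exists because a private CA without a CRL distribution point cannot pass an online revocation check). The fragile variant bases its trust decision on the reason code reported after a failed build, which is exactly the pattern the paragraph above describes; the fail-closed variant tells the chain engine which root to trust up front and never interprets a failure.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the advisory or from .NET itself.
// Both methods decide whether a leaf certificate chains to a pinned private
// root. Names below are assumptions made for this illustration.
public static class ChainValidationExample
{
    // Fragile pattern: when Build() fails, the decision hinges on WHICH reason
    // code the chain engine reported. If that code is wrong (the bug class the
    // post describes), a chain that failed for a serious reason, such as an
    // expired, revoked or badly signed certificate, can be waved through as if
    // the only problem were the unknown root.
    public static bool FragileValidate(X509Certificate2 leaf, X509Certificate2 pinnedRoot,
                                       X509RevocationMode revocation = X509RevocationMode.Online)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = revocation;
            if (chain.Build(leaf))
            {
                return true;
            }

            // "The only complaint is UntrustedRoot, and the root is ours, so allow it."
            // The first half of that sentence is taken entirely from reason codes.
            bool onlyUntrustedRoot = chain.ChainStatus.Length > 0 &&
                chain.ChainStatus.All(s => s.Status == X509ChainStatusFlags.UntrustedRoot);
            return onlyUntrustedRoot && EndsInPinnedRoot(chain, pinnedRoot);
        }
    }

    // Fail-closed pattern: never branch on the reason for a failed Build().
    // Declare the trusted root before building so that a chain ending in the
    // pinned root builds successfully and everything else is rejected without
    // interpreting any status flag. Reason codes are logged, never consulted.
    // Assumes .NET 5 or later: X509ChainTrustMode is not in .NET Framework 4.x.
    public static bool StrictValidate(X509Certificate2 leaf, X509Certificate2 pinnedRoot,
                                      X509RevocationMode revocation = X509RevocationMode.Online)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = revocation;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(pinnedRoot);

            if (!chain.Build(leaf))
            {
                foreach (X509ChainStatus status in chain.ChainStatus)
                {
                    Console.Error.WriteLine(
                        $"chain build failed: {status.Status} ({status.StatusInformation?.Trim()})");
                }
                return false;
            }

            // Belt and braces: even a successful build must terminate in the
            // pinned root, not merely in something the custom store accepted.
            return EndsInPinnedRoot(chain, pinnedRoot);
        }
    }

    // The last element of a built chain is the root the engine chained to.
    private static bool EndsInPinnedRoot(X509Chain chain, X509Certificate2 pinnedRoot)
    {
        X509ChainElementCollection elements = chain.ChainElements;
        if (elements.Count == 0)
        {
            return false;
        }
        X509Certificate2 root = elements[elements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, pinnedRoot.Thumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Call either method with a leaf loaded via `new X509Certificate2(path)` and the private root the service is supposed to chain to. The difference worth noticing is structural: `StrictValidate` has only one way to return true, a successful `Build()`, so a misreported reason code cannot change its answer, whereas `FragileValidate` has a second path whose correctness rests on the chain engine describing its own failure accurately.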
With the Kerberos attack, the attacker must first find a way to establish a machine-in-the-middle position on the network in order to impersonate the Kerberos authentication server toward the victim client. The requirement to gain that network position does, to some extent, reduce the risk when compared to other critical vulnerabilities, since an attacker who can intercept traffic between a client and its domain controller already has a foothold.
FAQs
I was very happy to see, based on the January release notes, that almost every CVE contained an FAQ. While I still don’t find the details to be as reliable as they were in the days of bulletins and non-cumulative patches, I think that this is a step in the right direction. In fact, only three CVEs did not contain FAQs: Microsoft Message Queuing Denial of Service (CVE-2024-20661), .NET Core and Visual Studio Denial of Service (CVE-2024-20672), and Microsoft AllJoyn API Denial of Service (CVE-2024-20687). Typically, denial-of-service vulnerabilities are less concerning than code execution vulnerabilities, so it was also positive that only denial-of-service issues suffered from the lack of an FAQ.