This month, Microsoft addressed 49 new CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; and Internet Explorer. The release incorporates multiple Chromium bugs, bringing the total number of CVEs to 53. Of the new patches, 47 are rated Important and two are rated Critical in severity, coincidentally the same number of CVEs addressed in both the January 2019 and January 2020 releases. None of the CVEs released today are publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a security feature bypass in Kerberos:
CVE-2024-20700 – Windows Hyper-V Remote Code Execution Vulnerability
This is the other Critical-rated patch for January. In this case, “remote” means network adjacent. Beyond that, Microsoft doesn’t provide much description, so it’s unclear how code execution would occur. However, it’s noted that neither authentication nor user interaction is required, making this vulnerability quite attractive to exploit writers. Although successful exploitation requires winning a race condition, race conditions have been used in many Pwn2Own exploits.
CVE-2024-20700 – Details
- CVE: CVE-2024-20700
- Title: Windows Hyper-V Remote Code Execution Vulnerability
- Severity: Critical
- CVSS: 7.5
- Public: No
- Exploited: No
- Type: RCE
More information in the web vendor.
You helped me a lot by posting this article and I love what I’m learning.