Black Arrow Cyber Advisory 11 January 2024 – Microsoft Patch Tuesday, Adobe, Android, Cisco, and SAP Updates

Executive summary

In its first Patch Tuesday of 2024, Microsoft has provided updates to address 49 security issues across its product range, including two critical vulnerabilities (CVE-2024-20700 and CVE-2024-20674). None of these vulnerabilities are listed as publicly known or under active exploitation. The two critical vulnerabilities affect Hyper-V, allowing remote code execution, and Kerberos, enabling attackers to bypass security features.

In addition to the updates from Microsoft, this week also saw Adobe fixing 6 vulnerabilities, Cisco patching 2 vulnerabilities, and Android addressing 59 vulnerabilities, none of which were critical. SAP also issued 12 new patches for its range of products, three of the patches were rated as critical.

What’s the risk to me or my business?

The vulnerabilities, if actively exploited could allow an attacker to perform remote code execution, the other vulnerability allows an attacker to perform a man in the middle attack and send a malicious message to impersonate themselves as the Kerberos authentication server, bypassing security features.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the critical vulnerabilities. Other patches should be applied in a reasonable time frame.

Technical Summary

CVE-2024-20700: This vulnerability if actively exploited, allows an attacker to impersonate the Kerberos authentication server and bypass security features.

CVE -2024-20674: This vulnerability if actively exploited, allows an attacker to perform remote code execution. Successful exploitation requires an attacker to gain access to the restricted network before running an attack.

Adobe

This month, Adobe has released fixes for six vulnerabilities that affect Adobe Substance 3D Stage 2.1.3 and earlier versions. None of these vulnerabilities were rated as critical. Currently, Adobe is not aware of any active exploitation of these vulnerabilities. The vulnerabilities include issues such as arbitrary code execution and memory leaks.

Android

In Google’s January Security Bulletin for Android, 59 vulnerabilities are addressed, including three that are critical in the Qualcomm section. None of these vulnerabilities appear to have been discovered and exploited by criminals prior to the release of the patches. The vulnerabilities include issues such as elevation of privileges and information disclosure.

Cisco

Cisco has released an update to address two privilege escalation CVEs in its Identity Services Engine (ISE). These vulnerabilities, which were disclosed in September, necessitate administrator-level privileges for exploitation. At present, Cisco has provided patches to rectify these issues, and no other workaround is available.

SAP

This month, SAP has released 12 patches, which include 10 new releases and 2 updates from previous releases. These patches address 3 critical vulnerabilities affecting a variety of SAP products. The vulnerabilities encompass a range of issues, including Privilege Escalation, Code Injection, Denial of Service, Information Disclosure, and Improper Authorisation.

Microsoft

Further details on other specific updates within this patch Tuesday can be found here:

https://www.theregister.com/2024/01/09/january_patch_tuesday/

https://www.ghacks.net/2024/01/09/the-first-windows-security-updates-of-2024-are-here/

Adobe

Further details of the vulnerabilities addressed in Adobe Substance 3D Stager be found here: https://helpx.adobe.com/security/products/substance3d_stager/apsb24-06.html

Android

Further details on the Android patches can be found here:

https://source.android.com/docs/security/bulletin/2024-01-01

Cisco

Further details on the Cisco patch can be found here:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-priv-esc-KJLp2Aw