Microsoft’s first Patch Tuesday of 2024 has landed with two bugs described as “critical” out of a total of 47 security fixes.
The worst is CVE-2024-20674, which is present in Windows Server versions as far back as 2008, as well as Windows 10 and Windows 11.
It’s a Kerberos security feature bypass that Microsoft says allows an impersonation attack; it carries a CVSS score of 9.0.
“An unauthenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server,” the advisory explained.
CVE-2024-20700 is also described by Microsoft as critical, in spite of a CVSS score of 7.5.
It’s a remote code execution vulnerability in Windows Hyper-V.
According to Microsoft’s advisory, the vulnerability would be difficult to exploit: the attacker would have to gain access to the restricted network that exposes the hypervisor, and would then need to “win a race condition”.
The bug is present in Windows 10, Windows 11, Microsoft Server 2019, and Server 2022, in a variety of builds and architectures.
The full list of patches is here.
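As an added example (not part of the article, and not Microsoft's own tooling), the PowerShell below is the kind of check an administrator would run on a Windows 10, Windows 11 or Windows Server host after this release: it reports whether any update has been installed since the 9 January 2024 Patch Tuesday and whether a list of expected KB identifiers is present. The article does not give KB numbers for the two critical fixes, so the `$expectedKbs` list is a placeholder to be filled from Microsoft's Security Update Guide; `Get-HotFix` and `Win32_OperatingSystem` are standard Windows facilities.

```powershell
# Added example: verify that this host has picked up the January 2024 updates.
# Not from the article or from Microsoft; KB numbers are placeholders.

$patchTuesday = [datetime]'2024-01-09'            # January 2024 Patch Tuesday
$expectedKbs  = @('KB<FILL-IN-FROM-SECURITY-UPDATE-GUIDE>')   # hypothetical placeholder

# OS identity, so the result can be matched against the affected-product list
# (Windows 10, Windows 11, Windows Server 2008 onward for the Kerberos bug;
#  Windows 10/11 and Server 2019/2022 for the Hyper-V bug).
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Installed updates, newest first. InstalledOn can be empty for some entries;
# those sort last and are ignored by the date comparison below.
$hotfixes = Get-HotFix | Sort-Object -Property InstalledOn -Descending

# Anything installed on or after Patch Tuesday.
$recent = @($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday })

# Expected KBs that are not in the installed set.
$missing = @($expectedKbs | Where-Object { $_ -notin $hotfixes.HotFixID })

# Hyper-V hosts deserve priority for CVE-2024-20700; flag the role if present.
$hyperV = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName                   = $env:COMPUTERNAME
    OSCaption                      = $os.Caption
    BuildNumber                    = $os.BuildNumber
    HyperVEnabled                  = ($hyperV -and $hyperV.State -eq 'Enabled')
    LastUpdateInstalledOn          = ($hotfixes | Select-Object -First 1).InstalledOn
    UpdatedSinceJan2024PatchTuesday = ($recent.Count -gt 0)
    MissingExpectedKbs             = $missing
}
```

Run it in an elevated PowerShell session on each host; `UpdatedSinceJan2024PatchTuesday` being `False` or `MissingExpectedKbs` being non-empty marks a machine that still needs the January fixes, with Kerberos clients and Hyper-V hosts first in line.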