CVE-2024-20652

External Control of File Name or Path (CWE-73)

Published: Jan 9, 2024

010
CVSS 8.1EPSS 0.2%High
CVE info copied to clipboard

Summary

A security feature bypass vulnerability exists in the Windows HTML Platform that allows an attacker to bypass security features, potentially leading to malicious code execution. This vulnerability affects all supported versions of Windows 10, Windows 11, and Windows Server from 2012 through 2022. The vulnerability specifically enables attackers to circumvent the MapURLToZone method by exploiting Lanman redirector or WebDav device paths to force an 'Intranet' Zone value.

Impact

An attacker who successfully exploits this vulnerability could execute arbitrary code on the target system with elevated privileges. This could lead to complete compromise of the affected system, enabling data theft, deployment of malware, and other severe impacts. The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity. It affects the confidentiality, integrity, and availability of the system, all rated as "HIGH" impact.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Microsoft has released security updates to address this vulnerability. Patches are available through the regular Windows Update process for all affected versions. The specific patch versions vary by Windows version: - Windows 11 23H2: patched in version 10.0.22631.3007 - Windows 11 22H2: patched in version 10.0.22621.3007 - Windows 11 21H2: patched in version 10.0.22000.2713 - Windows 10 22H2, 21H2: patched in version 10.0.19045.3930 - Windows 10 1809: patched in version 10.0.17763.5329 - Windows 10 1607: patched in version 10.0.14393.6614 - Windows 10 1507: patched in version 10.0.10240.20402 - Windows Server 2022, 2019, 2016, 2012 R2, and 2012: patches available (specific version numbers not provided) It's crucial to update to these versions or later to mitigate the vulnerability.

Mitigation

1. Apply the latest security updates from Microsoft as soon as possible. 2. Prioritize patching on Internet-exposed systems first, then move to internal systems based on risk assessment and asset value. 3. Until patched, restrict untrusted HTML content and web browsing on affected systems. 4. Implement network segmentation and least privilege principles to limit potential impact. 5. Monitor systems for unusual activities that could indicate exploitation attempts. 6. Keep all Windows systems and applications up-to-date with the latest security patches as a general best practice.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-20652

Jan 9, 2024 at 10:15 AM
First Article

Feedly found the first article mentioning CVE-2024-20652. See article

Jan 9, 2024 at 6:01 PM / MSRC Security Update Guide
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jan 9, 2024 at 6:03 PM
EPSS

EPSS Score was set to: 0.2% (Percentile: 57.6%)

Jan 18, 2024 at 7:46 PM
Threat Intelligence Report

The vulnerability CVE-2024-20652 is a critical security feature bypass vulnerability in Windows HTML Platforms. It is currently being exploited in the wild by unknown actors. There are no proof-of-concept exploits available, and no mitigations, detections, or patches have been released yet. The impact on third-party vendors or technology downstream is unknown at this time. See article

Jan 25, 2024 at 12:29 PM
CVSS

A CVSS base score of 8.1 has been assigned.

Apr 11, 2024 at 8:20 PM / nvd
CVSS

A CVSS base score of 8.1 has been assigned.

May 28, 2024 at 9:20 PM / nvd
Static CVE Timeline Graph

Affected Systems

Microsoft/windows_11_23h2
+null more

Patches

Microsoft
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-13: Subverting Environment Variable Values
+null more

References

Microsoft January 2024 Patch Tuesday
Classification: Critical, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 9.1, CVEs: CVE-2024-0056, CVE-2024-0057, CVE-2024-20652, CVE-2024-20653, CVE-2024-20654, CVE-2024-20655, CVE-2024-20656, CVE-2024-20657, CVE-2024-20658, CVE-2024-20660, CVE-2024-20661, CVE-2024-20662, CVE-2024-20663, CVE-2024-20664, CVE-2024-20666, CVE-2024-20672, CVE-2024-20674, CVE-2024-20676, CVE-2024-20677, CVE-2024-20680 (+33 other associated CVEs), Summary: Microsoft's January 2024 Patch Tuesday includes security updates for a total of 49 flaws and 12 remote code execution vulnerabilities. Only two vulnerabilities were classified as critical, with one being a Windows Kerberos Security Feature Bypass and the other a Hyper-V RCE. The number of bugs in each vulnerability category is listed below: - 10 Elevation of Privilege Vulnerabilities - 7 Security Feature Bypass Vulnerabilities - 12 Remote Code Execution Vulnerabilities - 11 Information Disclosure Vulnerabilities - 6 Denial of Service Vulnerabilities - 3 Spoofing Vulnerabilities The total count of 49 flaws does not include 4 Microsoft Edge flaws fixed on January 5th.
Microsoft January 2024 Security Updates
January 2024 Security UpdatesThis release consists of the following 48 Microsoft CVEs:Tag CVE Base Score CVSS Vector Exploitability FAQs? Workarounds? Mitigations?SQL Server CVE-2024-0056 .NET and Visual Studio CVE-2024-0057 Windows Scripting CVE-2024-20652 Windows Common Log File System Driver CVE-2024-20653 Windows ODBC Driver CVE-2024-20654 Windows Online Certificate Status Protocol (OCSP) SnapIn CVE-2024-20655 Visual Studio CVE-2024-20656 Windows Group Policy CVE-2024-20657 Mi
Windows HTML Platforms Security Feature Bypass Vulnerability
What kind of security feature could be bypassed by successfully exploiting this vulnerability? Security Feature Bypass
See 2 more references

News

Microsoft Releases February 2024 Patch Tuesday Updates to Fix Two Zero-Day Windows Flaws
Microsoft fixed a critical Windows SmartScreen security feature bypass flaw that could lead to remote code execution. Microsoft addressed two zero-day flaws actively exploited by attackers, underlining the importance of prompt patching to mitigate security risks.
RT @nachoskrnl: Another MapUrlToZone vuln (CVE-2024-20652) that can be used to bypass Outlook's CVE-2023-23397 mitigation. James foresaw ;)…
RT @nachoskrnl : Another MapUrlToZone vuln (CVE-2024-20652) that can be used to bypass Outlook's CVE-2023-23397 mitigation. James foresaw ;)…
RT Ben Barnea: Another MapUrlToZone vuln (CVE-2024-20652) that can be used to bypass Outlook's CVE-2023-23397 mitigation. James foresaw ;) this vulner...
RT Ben Barnea Another MapUrlToZone vuln (CVE-2024-20652) that can be used to bypass Outlook's CVE-2023-23397 mitigation. James foresaw ;) this vulnerability in his blog post from 2016 https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html The vulnerable path is \\;LanmanRedirector\http://akamai.com\..\abc @tiraniddo
RT by @splinter_code: Another MapUrlToZone vuln (CVE-2024-20652) that can be used to bypass Outlook's CVE-2023-23397 mitigation. James foresaw ;) this vulnerability in his blog post from 2016 https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html The vulnerable path is \\;LanmanRedirector\http://akamai.com\..\abc @tiraniddo
Another MapUrlToZone vuln (CVE-2024-20652) that can be used to bypass Outlook's CVE-2023-23397 mitigation. James foresaw ;) this vulnerability in his blog post from 2016 googleprojectzero.blogspot.c… The vulnerable path is \\;LanmanRedirector\ akamai.com \..\abc @tiraniddo
RT by @Ivanlef0u: Another MapUrlToZone vuln (CVE-2024-20652) that can be used to bypass Outlook's CVE-2023-23397 mitigation. James foresaw ;) this vulnerability in his blog post from 2016 https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html The vulnerable path is \\;LanmanRedirector\http://akamai.com\..\abc @tiraniddo
Another MapUrlToZone vuln (CVE-2024-20652) that can be used to bypass Outlook's CVE-2023-23397 mitigation. James foresaw ;) this vulnerability in his blog post from 2016 googleprojectzero.blogspot.c… The vulnerable path is \\;LanmanRedirector\ akamai.com \..\abc @tiraniddo
See 66 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:High
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI