Exploit
CVE-2024-20656

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: Jan 9, 2024

CVSS 7.8, EPSS 0.15%, High

Summary

A Visual Studio Elevation of Privilege Vulnerability has been identified. This vulnerability is related to improper link resolution before file access, also known as 'link following'. It affects multiple versions of Visual Studio, including Visual Studio 2022, 2019, 2017, and 2015 Update 3.

Impact

This vulnerability allows an attacker with local access and low privileges to potentially gain elevated privileges on the affected system. The attacker could exploit this to achieve high impacts on confidentiality, integrity, and availability of the system. Potential attack scenarios include symlink attacks, using malicious files, leveraging executable code in non-executable files, manipulating web input to file system calls, shortcut modification, and exploiting services file permissions weaknesses.

Exploitation

One proof-of-concept exploit is available on github.com. Its exploitation has been reported by various sources, including securityonline.info.

Patch

Patches are available. Microsoft has released updates to address this vulnerability. The patches were first added on January 9, 2024.

Mitigation

To mitigate this vulnerability, it is strongly recommended to apply the latest security updates provided by Microsoft for the affected Visual Studio versions. Specifically:

1. For Visual Studio 2022, update to version 17.6.11 or later, 17.4.15 or later, or 17.2.23 or later.
2. For Visual Studio 2019, update to version 16.11.33 or later.
3. For Visual Studio 2017, update to version 15.9.59 or later.
4. For Visual Studio 2015, ensure Update 3 is installed and any subsequent security updates are applied.

Additionally, implement the principle of least privilege, restricting local access and user permissions where possible to reduce the risk of exploitation.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-20656

Jan 9, 2024 at 10:15 AM
First Article

Feedly found the first article mentioning CVE-2024-20656.

Jan 9, 2024 at 6:01 PM / MSRC Security Update Guide
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jan 9, 2024 at 6:04 PM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Jan 12, 2024 at 12:10 PM
Threat Intelligence Report

The vulnerability CVE-2024-20656 is a local privilege escalation in the VSStandardCollectorService150 service. It is critical with a CVSS score of [score]. It is currently being exploited in the wild by [who]. There are no proof-of-concept exploits available, and no mitigations, detections, or patches have been released. There are no known downstream impacts to other third-party vendors or technology.

Jan 12, 2024 at 5:33 PM
Trending

This CVE started to trend in security discussions

Jan 12, 2024 at 7:11 PM
Exploitation in the Wild

Attacks in the wild have been reported by Vulnerability Archives • Penetration Testing.

EPSS

EPSS Score was set to: 0.15% (Percentile: 50.6%)

Jan 18, 2024 at 7:46 PM

Affected Systems

Microsoft/visual_studio_2022

Exploits

https://github.com/Wh04m1001/CVE-2024-20656

Patches

Microsoft

Links to MITRE ATT&CK

T1547.009: Shortcut Modification

Attack Patterns

CAPEC-132: Symlink Attack

References

Visual Studio 2022 Release Notes
GitHub Copilot autocomplete is now available as an optional component, making it far easier to install along with a new Visual Studio install or for an administrator to package with an update. CVE-2023-32027 This advisory is republished to address a Microsoft ODBC Driver for SQL Server Remote Code Execution vulnerability in Visual Studio.
16.11.33
CVE-2022-24513 Elevation of privilege vulnerability A potential elevation of privilege vulnerability exists when the Microsoft Visual Studio updater service improperly parses local configuration data. Fixes an issue that could cause Visual Studio to build, debug, or run tests against binaries that weren't brought up to date with your latest code changes.
Microsoft January 2024 Patch Tuesday
Classification: Critical, Solution: Official Fix, Exploit Maturity: Not Defined, CVSSv3.1: 9.1, CVEs: CVE-2024-0056, CVE-2024-0057, CVE-2024-20652, CVE-2024-20653, CVE-2024-20654, CVE-2024-20655, CVE-2024-20656, CVE-2024-20657, CVE-2024-20658, CVE-2024-20660, CVE-2024-20661, CVE-2024-20662, CVE-2024-20663, CVE-2024-20664, CVE-2024-20666, CVE-2024-20672, CVE-2024-20674, CVE-2024-20676, CVE-2024-20677, CVE-2024-20680 (+33 other associated CVEs), Summary: Microsoft's January 2024 Patch Tuesday includes security updates for a total of 49 flaws and 12 remote code execution vulnerabilities. Only two vulnerabilities were classified as critical, with one being a Windows Kerberos Security Feature Bypass and the other a Hyper-V RCE. The number of bugs in each vulnerability category is listed below: - 10 Elevation of Privilege Vulnerabilities - 7 Security Feature Bypass Vulnerabilities - 12 Remote Code Execution Vulnerabilities - 11 Information Disclosure Vulnerabilities - 6 Denial of Service Vulnerabilities - 3 Spoofing Vulnerabilities The total count of 49 flaws does not include 4 Microsoft Edge flaws fixed on January 5th.

News

From CVE to PoC: A Collection Maps Windows Privilege Escalation Landscape
This repository, hosted on Github, serves as a valuable resource for security researchers, penetration testers, and system administrators interested in understanding and mitigating privilege escalation attacks. Security researcher Michael Zhmaylo has assembled a comprehensive collection of publicly disclosed exploits for Local Privilege Escalation (LPE) vulnerabilities affecting Microsoft Windows operating systems.
[Meachines] [Medium] Compiled Git-RCE + Visual Studio 2019 Privilege Escalation
Information gathering IP Address Opening Ports 10.10.11.26 TCP :3000,5000 $ nmap -p- 10.1
Exploits and vulnerabilities in Q1 2024
It’s worth noting that malicious actors seek both new exploits and modifications to existing ones, such as optimization for compatibility with multiple operating systems, integration of new data processing methods, and stability enhancements. An exploit is a program containing data or executable code that takes advantage of one or more software vulnerabilities on a local or remote computer for malicious purposes.
Exploits and vulnerabilities in Q1 2024 – Source: securelist.com
It’s worth noting that malicious actors seek both new exploits and modifications to existing ones, such as optimization for compatibility with multiple operating systems, integration of new data processing methods, and stability enhancements. An exploit is a program containing data or executable code that takes advantage of one or more software vulnerabilities on a local or remote computer for malicious purposes.

CVSS V3.1

Attack Vector:Local
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
