CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds 2 Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-21412 Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
  • CVE-2024-21351 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

This week. Microsoft released Patch Tuesday security updates for February 2024 that resolved a total of 72 vulnerabilities, including the above vulnerabilities that are actively exploited in the wild.

Below are the details of the two vulnerabilities:

CVE-2024-21412 (CVSS score 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victims into clicking the file link. The flaw was reported by:

CVE-2024-21351 (CVSS score 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability. An authorized attacker can trigger the flaw to bypass the SmartScreen user experience. The attacker can exploit the vulnerability by sending a malicious file to the user and convincing him to open it.

Trend Micro researchers reported that the flaw CVE-2024-21412 was used in a zero-day attack chain by the APT group Water Hydra.

The popular researcher Will Dormann speculates that CVE-2024-21412 results from the partial fix of the vulnerability CVE-2023-36025. The fix for CVE-2023-36025 didn’t consider the case where a .URL file points to a .URL file, Dormann explained.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 5, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)