Microsoft released patches for 60 unique CVEs in its March Patch Tuesday security update, only two of which are rated “critical” and need priority attention. Both affect Windows Hyper-V virtualization technology: CVE-2024-21407, a remote code execution (RCE) bug, and CVE-2024-21408, a denial of service (DoS) vulnerability.
The update includes fixes for a total of 18 RCE flaws and two dozen elevation of privilege vulnerabilities, some of which allow threat actors to gain administrative control of affected systems.
In particular, several vulnerabilities that Microsoft rates only as “important” in severity and less likely to be exploited still carry CVSS severity scores above 9.0 out of 10 because of their potential impact if abused.
“This month’s Patch Tuesday features a reduction in vulnerabilities fixed by Microsoft, to a total of 60, a decrease from 74 updates last month,” wrote Mike Walters, president and co-founder of Action1, in email comments. “Notably absent this month are zero-day vulnerabilities or proofs of concept (PoC), emphasizing a moment of relative calm.”
Hyper-V Critical RCE and DoS Vulnerabilities
The RCE bug in Hyper-V gives attackers a way to take complete control of affected systems and potentially compromise virtual machines hosted on the Hyper-V server, says Sarah Jones, cyber threat intelligence research analyst at Critical Start.
The DoS vulnerability, meanwhile, allows an adversary to crash the Hyper-V service, rendering it unusable.
“This could prevent users from accessing virtual machines (VMs) hosted on the Hyper-V server, potentially causing significant disruptions to critical business operations,” Jones notes. “If you use Hyper-V, it is critical to immediately install security updates to address these critical vulnerabilities and protect your systems.”
A flurry of Microsoft privilege escalation bugs
Microsoft has identified six of the vulnerabilities disclosed this week as flaws that threat actors are more likely to exploit in the future. Most of these are elevation-of-privilege vulnerabilities. They include CVE-2024-26170 in the Windows composite image file system; CVE-2024-26182 in the Windows kernel; CVE-2024-21433 in the Windows print spooler; and CVE-2024-21437 in the Windows graphics component.
Satnam Narang, senior researcher at Tenable, described privilege escalation flaws as likely to be of greater concern in a post-exploitation scenario to advanced persistent threat (APT) actors than to ransomware groups and other financially motivated actors.
“The objective of an APT group is typically related to espionage,” Narang explained in an emailed statement. “APT groups prefer to stay hidden as much as possible, while a ransomware affiliate focuses on a more ‘smash and grab’ approach because their goal is financial gain.”
In an emailed comment, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, pointed to the Windows Kernel Elevation of Privilege Vulnerability (CVE-2024-26182) as something an attacker would be able to exploit only after having already gained access to an affected system. But once successful, the bug would allow an attacker to gain full system-wide privileges.
“This type of vulnerability is typically used to completely take control of an important machine on a network, such as an Active Directory or an important Windows server,” McCarthy said.
Microsoft Bugs: Important, but high priority
A high-severity bug that Microsoft classified only as “important” is CVE-2024-21334, a 9.8-rated RCE vulnerability in the Open Management Infrastructure (OMI). Saeed Abbasi, head of vulnerability research at Qualys’ threat research unit, identifies the bug as one that should be high on the patch priority list because of that score.
“This vulnerability allows remote, unauthenticated attackers to execute arbitrary code on exposed OMI instances over the Internet by sending specially crafted requests that exploit a use-after-free error,” Abbasi said. “Given OMI’s role in managing IT environments, the potential impact is broad and potentially affects numerous systems accessible online.”
Although Microsoft considers exploitation less likely, the simplicity of the attack vector, a use-after-free (UAF) bug, against a critical component suggests that the threat level should not be underestimated, he warns. In the past, bugs like the OMIGOD set of OMI vulnerabilities in 2021 have attracted great interest from attackers.
CVE-2024-20671, a security feature bypass flaw in Microsoft Defender, and CVE-2024-21421, a spoofing vulnerability in the Azure SDK, are two other flaws that deserve more attention than their “important” ratings would suggest, according to some security experts.
“While these specific vulnerabilities have workarounds or patches, the increased focus of threat actors in these directions is concerning,” Tyler Reguly, senior manager of security at Fortra, said in prepared comments.
Reguly also flagged an elevation of privilege bug in Microsoft Authenticator (CVE-2024-21390) as something administrators should pay attention to. “Successful exploitation of the vulnerability could allow the attacker to gain access to users’ multi-factor authentication [MFA] codes,” Reguly said. “Microsoft rated this with a CVSS score of 7.1 and indicated that user interaction is required as the victim would have to close and then reopen the application.”
Overall, for administrators used to dealing with large volumes of Microsoft patches, the last three months have been something of a break from the usual. For example, this is the second month in a row in which Microsoft has not disclosed a zero-day bug in its monthly security update. So far in the first quarter of the year, Microsoft has released patches for a total of 181 CVEs, substantially lower than the first-quarter average of 237 patches in each of the previous four years, Tenable’s Narang noted.
“The average number of CVEs fixed in March over the last four years was 86,” Narang said. “Only 60 CVEs have been fixed this month.”