Microsoft Patch Tuesday fixes two critical bugs
Microsoft fixed 60 vulnerabilities, including 18 remote code execution flaws in its March Patch Tuesday update.
Two of the bugs are rated ‘critical’, 58 ‘important’ and one ‘low’ in terms of severity.
The relatively small number of fixes and the absence of any zero-day flaws make it one of the lighter updates of recent months, but there are still issues to watch out for, security experts say. Some of these are highlighted below.
Hyper-V
Two critical vulnerabilities in the Hyper-V hypervisor were patched. CVE-2024-21407 (CVSS score 8.1) is a remote code execution flaw that could allow a guest-to-host escape, giving an attacker code execution on the host; CVE-2024-21408 (CVSS score 5.5) is a denial-of-service flaw, rated critical despite its lower score.
"CVE-2024-21407 allows an authenticated attacker on a guest virtual machine to execute arbitrary code on the host operating system by sending specially crafted file operation requests to hardware resources on the VM," Saeed Abbasi, manager, vulnerability research at Qualys, told Computing. "The impact of this vulnerability is significant, as it enables a guest-to-host escape, potentially compromising the entire virtualisation environment and all guest operating systems running on the affected server."
Azure Kubernetes Service
Attackers could exploit a bug in Azure Kubernetes Service (AKS) to gain elevated privileges and steal credentials, warned Adam Barnett, lead software engineer at Rapid7.
"Azure Kubernetes admins should take note of CVE-2024-21400 (CVSS 9.0), which allows an unauthenticated attacker to take over confidential guests and containers, with other outcomes including credential theft and resource impact beyond the scope managed by the Azure Kubernetes Service Confidential Containers (AKSCC)."
Exchange Server
Exchange Server vulnerabilities are a regular feature of Patch Tuesday updates, and this month is no exception. CVE-2024-26198 (CVSS 8.8) is a remote code execution (RCE) flaw that could be exploited by tricking a victim into opening a malicious file.
"It remains vitally important to patch any on-premises instances of Exchange, a perennial attacker favourite," said Barnett, who accused Microsoft of poor communication on this issue.
"Exchange 2016 admins who were dismayed by the lack of patch for last month's CVE-2024-21410 may feel somewhat reassured that Microsoft has issued a patch which claims to fully remediate this month's CVE-2024-26198, but in the absence of any explicit advice to the contrary, a fully-patched Exchange 2016 remains unprotected against CVE-2024-21410 unless the guidance on that advisory is followed."
Windows Print Spooler
Another Patch Tuesday perennial, Windows Print Spooler, received a further fix this month. CVE-2024-21433 (CVSS 7.0) is a privilege escalation bug: an attacker who wins a race condition could gain SYSTEM privileges, the highest level of access on the machine.
"This component has seen a total of 82 reported code vulnerabilities, with almost half of these discovered in 2022 and 2023. Little information is given by Microsoft other than to say attackers are more likely to exploit this vulnerability and, if able to do so, can gain SYSTEM-level access," said Kev Breen, senior director of threat research at Immersive Labs.
Open Management Infrastructure on Azure
The Open Management Infrastructure (OMI) agent on Azure Linux instances has an RCE vulnerability (CVE-2024-21334) that unauthenticated attackers could exploit. Despite a CVSS score of 9.8, it is rated ‘important’ rather than critical.
"For organisations running Linux-based cloud infrastructure in Azure, this one should be high on the list of things to patch," said Breen.
Microsoft says an attacker could connect to an OMI instance over the internet without authentication and send specially crafted packets to gain code execution with root privileges. Its advisory notes that if the Linux machines do not need network listening, the OMI incoming ports can be disabled.
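One way to act on that mitigation, as an added example that is not from the article or from Microsoft: a POSIX shell script that reads `ss -Hltnp` output, reports OMI listeners bound to anything other than loopback, and prints (but does not apply) iptables rules to close them. The port numbers (5985, 5986, 1270) and process names (omiserver, omiengine) are assumptions about OMI's defaults, and the sample `ss` output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example: find OMI listeners reachable off-box and emit firewall rules
# to close them. Not Microsoft's tooling. Port numbers and process names are
# assumptions about OMI defaults (5985/5986 WS-Man, 1270 legacy; omiserver/omiengine).

# Constructed sample of `ss -Hltnp` output, used when --live is not given.
SAMPLE_SS=$(cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 128 0.0.0.0:5986 0.0.0.0:* users:(("omiserver",pid=1402,fd=7))
LISTEN 0 128 127.0.0.1:5985 0.0.0.0:* users:(("omiserver",pid=1402,fd=8))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=811,fd=4))
EOF
)

# Read `ss -Hltnp` lines on stdin; print "<addr> <port> <process>" for every
# OMI listener bound to something other than loopback (IPv4 or IPv6).
omi_exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }
        {
            la = $4
            n = split(la, parts, ":")
            port = parts[n]
            addr = substr(la, 1, length(la) - length(port) - 1)
            proc = ""
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            is_omi = (proc ~ /^omi(server|engine)$/) || port == "5985" || port == "5986" || port == "1270"
            loopback = (addr == "127.0.0.1" || addr == "[::1]")
            if (is_omi && !loopback) print addr, port, proc
        }'
}

# Read the lines above; print one iptables DROP rule per distinct port.
# Rules are printed, not applied, so they can be reviewed first.
omi_block_rules() {
    awk '!seen[$2]++ { printf "iptables -I INPUT -p tcp --dport %s -j DROP\n", $2 }'
}

if [ "${1:-}" = "--live" ]; then
    ss -Hltnp | omi_exposed_listeners | omi_block_rules
else
    printf '%s\n' "$SAMPLE_SS" | omi_exposed_listeners | omi_block_rules
fi
```

Run it with `--live` on a host (as root, so `ss` can attribute sockets to processes) and apply the printed rules only after confirming nothing needs remote access to the OMI service; without the flag it runs against the constructed sample, where only the 0.0.0.0:5986 listener is reported and the loopback-only 5985 one is ignored.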
Windows OLE
A vulnerability in Windows OLE (CVE-2024-21435, CVSS 8.8) could allow RCE via a specially crafted malicious document. When a victim opens the file, it loads a malicious DLL, giving the attacker code execution.
"With this vulnerability there is an exploit that allows remote code execution. The attacker needs to trick a user into opening a document; this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system. The attack complexity has been described as low, meaning there is less of a barrier to entry for attackers," said Ben McCarthy, lead cyber security engineer at Immersive Labs.
While admins are urged to deploy the updates as soon as possible, Bleeping Computer reports that the KB5035849 cumulative update released on Patch Tuesday is failing to install on Windows 10 and Windows Server for many organisations.