This month’s Patch Tuesday saw security teams welcome a relatively calm month when it comes to fixed vulnerabilities in software products.
March saw a reduction in the number of vulnerabilities fixed by Microsoft, with just 61 flaws requiring attention, compared to 74 in February.
Notably, only two of these vulnerabilities were critical, fewer than in February, and no zero-day vulnerabilities or Proof of Concepts (PoCs) were published among the month’s fixes.
None of the flaws included in the update were described as publicly known or under active attack at the time of release, but six were identified as more likely to be exploited.
Here’s a selection of some of the noteworthy vulnerabilities that were remediated in March’s Patch Tuesday.
Two Windows Hyper-V flaws offer opportunity for RCE and DoS attacks
One of the critical vulnerabilities patched by Microsoft was a remote code execution (RCE) flaw in Windows Hyper-V.
The tech giant said this could allow an authenticated attacker on a guest VM to send specially crafted operation requests from the VM to hardware resources, and eventually remotely execute arbitrary code on the Hyper-V host server.
Adam Barnett, lead software engineer at cyber security software company Rapid7, said that while the vulnerability is concerning, exploiting it would require an attacker to have an “existing foothold” on a guest VM.
“Attackers hoping to escape from a Hyper-V guest virtual machine (VM) and achieve RCE on the Hyper-V host will be interested in CVE-2024-21407. Microsoft describes attack complexity as high: an attacker must first gather information specific to the environment and carry out unspecified preparatory work”, he explained.
“Exploitation is via specially crafted file operation requests on the VM to hardware resources on the VM. Every supported version of Windows receives a patch. The advisory describes that no privileges are required for exploitation of the Hyper-V host, although an attacker will presumably need an existing foothold on a guest VM.”
Mike Walters, president and co-founder of patch management specialists Action1, said that although there is no evidence of active exploitation, Windows Hyper-V users should nonetheless act promptly to limit their exposure.
“As of this announcement, there have been no public disclosures or known exploitations of this vulnerability. Yet, given its critical severity and possible consequences, it is crucial for Windows Hyper-V users to promptly implement the provided updates to mitigate exposure”, Walters noted.
“This vulnerability is applicable to systems running Windows 10 and newer, as well as Windows Server 2012 and newer that are equipped with the Hyper-V role. Users are urged to apply Microsoft’s official patch to safeguard against this issue.”
Walters added that enterprises should ensure they are adhering to best practices for VM and host server security, such as minimizing user privileges, narrowing network access, and vigilantly monitoring unusual activities.
As well as CVE-2024-21407, Microsoft also patched another Hyper-V flaw in the March update, albeit less severe.
Rated 5.5 on the CVSS scale, compared with CVE-2024-21407’s 8.8, CVE-2024-21408 is a denial of service (DoS) vulnerability that could allow attackers to render affected devices inaccessible to legitimate users.
Uncertainty about Exchange server RCE vulnerability leaves experts urging caution
Another notable vulnerability was CVE-2024-26198, an RCE vulnerability in Microsoft Exchange Server, that received a score of 8.8 on the CVSS.
Despite its high degree of severity, the flaw was not designated as critical due to the necessity for user interaction in order for the vulnerability to be exploited.
Regardless, the flaw remains a substantial threat to Microsoft Exchange Server environments, according to Walters, who outlined the potential attack path an attacker could take to exploit the vulnerability and its dependence on user interaction.
“This vulnerability enables an unauthenticated attacker to remotely execute arbitrary code on the affected system. This is achieved by enticing a user to open a specially crafted file placed either online or within a local network location. The necessity for user interaction — convincing a user to engage with the file — plays a pivotal role in the exploitation process.”
Adam Barnett said due to Exchange being a popular target for threat actors, patching on-premises instances of the platform is crucial in order to reduce the risk of falling prey to an attack.
Barnett expressed some confusion, however, around the target context of the remote execution, noting it was not clear what sort of user interaction the attack required and what a hacker could achieve if successful.
“Since the context of the user opening the malicious file is not specified — an Exchange admin? a user running a mail client connecting to Exchange? something else altogether? — it remains unclear what an attacker might be able to achieve.”
He also noted that a previous Exchange flaw affecting the 2016 version, disclosed in February, has yet to be directly addressed, cautioning admins that their Exchange instances may still be vulnerable.
“Exchange 2016 admins who were dismayed by the lack of [a] patch for last month’s CVE-2024-21410 may feel somewhat reassured that Microsoft has issued a patch which claims to fully remediate this month’s CVE-2024-26198, but in the absence of any explicit advice to the contrary, a fully-patched Exchange 2016 remains unprotected against CVE-2024-21410 unless the guidance on that advisory is followed.”