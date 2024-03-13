



Microsoft issued patches for 60 unique CVEs in March's Patch Tuesday security update, but only two are rated "critical" and require priority attention. Both affect Windows Hyper-V virtualization technology: CVE-2024-21407 is a remote code execution (RCE) bug, and CVE-2024-21408 is a denial-of-service (DoS) vulnerability.

This update includes fixes for a total of 18 RCE flaws and 20 privilege escalation vulnerabilities, several of which could allow threat actors to gain administrative control of affected systems.

In particular, some vulnerabilities that Microsoft has rated only Important and assessed as unlikely to be exploited still carry CVSS severity scores of 9.0 or higher out of 10 because of their potential impact if they are exploited.

"This month's Patch Tuesday saw a total of 60 vulnerabilities fixed by Microsoft, down from 74 updates last month," Mike Walters, president and co-founder of Action1, wrote in emailed comments. "The absence of zero-day vulnerabilities and proofs of concept (PoCs) highlights a moment of relative calm."

Critical RCE, DoS Hyper-V Vulnerability

"The Hyper-V RCE bug could allow attackers to gain complete control of affected systems and compromise virtual machines on Hyper-V servers," said Sarah Jones, cyber threat intelligence research analyst at Critical Start.

The DoS vulnerability, meanwhile, could allow an attacker to crash Hyper-V services, rendering them unusable.

"This can prevent users from accessing virtual machines (VMs) hosted on Hyper-V servers and cause significant disruption to critical business operations," Jones noted. "If you use Hyper-V, it's important to install the security updates now to address these critical vulnerabilities and protect your systems."

Microsoft privilege escalation bugs continue to emerge

Microsoft has flagged six of the vulnerabilities disclosed this week as flaws that threat actors are more likely to exploit. Most of these are privilege escalation vulnerabilities, including CVE-2024-26170 in the Windows Composite Image File System, CVE-2024-26182 in the Windows kernel, CVE-2024-21433 in Windows Print Spooler, and CVE-2024-21437 in the Windows Graphics Component.

Privilege escalation flaws are more likely to be of interest in post-exploitation scenarios for advanced persistent threat (APT) attackers than for ransomware groups or other financially motivated attackers, said Satnam Narang, a senior researcher at Tenable.

"APT groups' objectives are typically related to espionage," Narang said in an emailed statement. "While APT groups prefer to be as invisible as possible, ransomware groups are focused on a smash-and-grab approach, as they are motivated by financial gain."

Ben McCarthy, principal cybersecurity engineer at Immersive Labs, pointed out in an emailed comment that the elevation of privilege vulnerability in the Windows kernel (CVE-2024-26182) can only be exploited by an attacker who already has access to an affected system. However, successful exploitation of this bug would allow the attacker to gain full SYSTEM-level privileges.

“These types of vulnerabilities are typically used to completely take over critical machines within a network, such as Active Directory or critical Windows Servers,” McCarthy said.

Microsoft bugs rated Important that still deserve high priority

One high-severity bug that Microsoft rated only Important is CVE-2024-21334, an RCE vulnerability in Open Management Infrastructure (OMI) with a CVSS score of 9.8. Because of that score, Saeed Abbasi, vulnerability research manager at Qualys' Threat Research Unit, singled out this bug as one that should sit high on the patching priority list.

"This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on an exposed OMI instance over the internet by sending a specially crafted request that exploits a use-after-free error," Abbasi said. "Given OMI's role in managing the IT environment, the potential impact is enormous and could affect numerous systems accessible online."

Although Microsoft assesses exploitation as less likely, the simplicity of the attack vector, a use-after-free (UAF) bug in a critical component, means the threat level should not be underestimated, he warned. Earlier OMI bugs, such as the 2021 set of vulnerabilities known as OMIGOD, have drawn strong interest from attackers.
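Because CVE-2024-21334 is reachable by an unauthenticated remote attacker, the first triage question for a Linux fleet is not "is OMI installed?" but "on which hosts is the OMI server listening on an interface an outsider can reach?". The following shell helper is an added example written for this article, not code from Microsoft, the OMI project, or anyone quoted above. It assumes, without the page stating it, that the OMI server process is named `omiserver`, that it uses the default WS-Management ports 5985 (HTTP) and 5986 (HTTPS), and that the package is registered as `omi` in dpkg or rpm. It parses listener output in the format of `ss -H -tlnp` and reports only the sockets bound to something other than loopback, which is exactly the set a remote attacker could send a crafted request to; the sample input in the block is constructed, not captured from a real host.

```shell
#!/usr/bin/env sh
# Exposure triage for the OMI RCE (CVE-2024-21334). Added example; not from the
# article or the OMI project. Assumptions not stated on the page:
#   - the OMI server process is named "omiserver"
#   - it listens on the default WS-Man ports 5985 (HTTP) and 5986 (HTTPS)
#   - the package is named "omi" in the dpkg / rpm databases

# Parse text in `ss -H -tlnp` format
#   (State Recv-Q Send-Q Local:Port Peer:Port Process)
# and print addr:port for every omiserver socket bound to a non-loopback
# address on an OMI port. Loopback-only listeners are not remotely reachable
# and are deliberately filtered out.
omi_exposed_listeners() {
  printf '%s\n' "$1" | awk '
    /"omiserver"/ {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (port != "5985" && port != "5986") next
      if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
      print addr ":" port
    }'
}

# Number of off-box-reachable omiserver listeners (0 = nothing to hit remotely).
omi_exposed_count() {
  omi_exposed_listeners "$1" | awk 'END { print NR }'
}

# Installed OMI package version, to compare against the fixed release named in
# Microsoft's advisory. Prints nothing if the package is absent.
omi_installed_version() {
  dpkg-query -W -f='${Version}\n' omi 2>/dev/null \
    || rpm -q --qf '%{VERSION}-%{RELEASE}\n' omi 2>/dev/null \
    || true
}

# Run the checks against the live host (needs ss from iproute2).
omi_live_report() {
  live="$(ss -H -tlnp 2>/dev/null || true)"
  echo "omi package version: $(omi_installed_version)"
  echo "omiserver listeners reachable off-box: $(omi_exposed_count "$live")"
  omi_exposed_listeners "$live"
}

# Constructed sample in `ss -H -tlnp` format (not real output from any host):
# one loopback-only HTTP listener, two wildcard HTTPS listeners, and an
# unrelated sshd socket that must be ignored.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:5985 0.0.0.0:* users:(("omiserver",pid=812,fd=9))
LISTEN 0 128 *:5986 *:* users:(("omiserver",pid=812,fd=10))
LISTEN 0 128 [::]:5986 [::]:* users:(("omiserver",pid=812,fd=11))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=601,fd=3))'

# Demonstration on the constructed sample: reports *:5986 and [::]:5986 (count 2).
omi_exposed_listeners "$SAMPLE_SS"
echo "exposed: $(omi_exposed_count "$SAMPLE_SS")"
```

Source the script and call `omi_live_report` on each Linux host (or push it through your configuration management tool) to get a per-host count; hosts with a non-zero count and an OMI version older than the fixed release belong at the top of the patch queue, and a listener that is exposed only because it is bound to a wildcard address can be reduced to loopback as an interim mitigation while the update is rolled out.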

Two other flaws that carry only an "Important" rating but deserve extra attention, according to some security experts, are CVE-2024-20671, a security feature bypass vulnerability in Microsoft Defender, and CVE-2024-21421, a spoofing vulnerability in the Azure SDK.

"While there are workarounds and patches for these specific vulnerabilities, it is concerning that attackers are focusing in these directions," Tyler Reguly, senior manager of security at Fortra, said in an emailed comment.

He also pointed to a privilege escalation bug in Microsoft Authenticator (CVE-2024-21390) that administrators should be aware of. "Successful exploitation of this vulnerability could allow an attacker to access multi-factor authentication [MFA] for users," Reguly said. "Microsoft rated this with a CVSS score of 7.1, indicating that user interaction is required, as victims must close and reopen the application."

All in all, the past three months have been anything but normal for administrators accustomed to dealing with large volumes of Microsoft patches. For example, this is the second month in a row in which Microsoft has disclosed no zero-day bugs in its monthly security update. So far in the first quarter of this year, Microsoft has issued patches for a total of 181 CVEs, significantly fewer than the average of 237 first-quarter patches over the past four years, says Tenable's Narang.

"Over the past four years, the average number of CVEs patched in March was 86," Narang said. "Only 60 CVEs were patched this month."

