On this month's Patch Tuesday, security teams welcomed a relatively quiet month when it comes to patching vulnerabilities in software products.
March saw a reduction in the number of vulnerabilities fixed by Microsoft, with only 61 flaws requiring attention, compared to 74 in February.
Notably, only two of these vulnerabilities were rated critical, down from February, and none of the month's fixes addressed zero-day vulnerabilities with published proof-of-concept (PoC) exploits.
None of the flaws included in the update were described as publicly known or under active attack at the time of its release, but six were identified as more likely to be exploited.
Here's a selection of some of the notable vulnerabilities that were remediated on March Patch Tuesday.
Two Windows Hyper-V flaws offer opportunities for RCE and DoS attacks
One of the critical vulnerabilities patched by Microsoft was a remote code execution (RCE) flaw in Windows Hyper-V.
The tech giant said this could allow an authenticated attacker in a guest VM to send specially crafted operation requests from the VM to hardware resources and eventually remotely execute arbitrary code on the host Hyper-V server.
Adam Barnett, principal software engineer at cybersecurity software company Rapid7, said that while there is concern about the vulnerability, it would require an attacker to have an “existing foothold” in a guest virtual machine.
“Attackers hoping to escape a Hyper-V guest virtual machine (VM) and achieve RCE on the Hyper-V host will be interested in CVE-2024-21407. Microsoft describes the complexity of the attack as high: an attacker must first gather specific information from the environment and perform unspecified preparatory work,” he explained.
“Exploitation is performed through specially crafted file operation requests in the VM to the VM's hardware resources. Each supported version of Windows receives a patch. The advisory describes that no privileges are required to exploit the Hyper-V host, although an attacker will presumably need an existing foothold in a guest VM.”
Mike Walters, president and co-founder of patch management specialist Action1, said that although there is no evidence of active exploitation, Windows Hyper-V users should act quickly to limit their exposure.
“As of this announcement, there have been no public disclosures or known exploits of this vulnerability. However, given its critical severity and potential consequences, it is crucial that Windows Hyper-V users quickly implement the provided updates to mitigate exposure,” Walters said.
“This vulnerability is applicable to systems running Windows 10 and later, as well as Windows Server 2012 and later that are equipped with the Hyper-V feature. Users are urged to apply the official Microsoft patch to protect against this issue.”
Walters added that companies should ensure they adhere to best practices for securing virtual machines and host servers, such as minimizing user privileges, limiting network access, and closely monitoring unusual activity.
In addition to CVE-2024-21407, Microsoft also fixed another Hyper-V flaw in the March update, albeit a less serious one.
With a CVSS rating of 5.5, compared to CVE-2024-21407's rating of 8.8, CVE-2024-21408 is a denial of service (DoS) vulnerability that could allow hackers to compromise devices, making them inaccessible to legitimate users.
Uncertainty over Exchange Server RCE vulnerability prompts experts to urge caution
Another notable vulnerability was CVE-2024-26198, an RCE vulnerability in Microsoft Exchange Server, which received a CVSS score of 8.8.
Despite its high severity, the flaw was not designated as critical due to the need for user interaction in order to exploit the vulnerability.
Regardless, the flaw remains a substantial threat to Microsoft Exchange Server environments, according to Walters, who described the possible attack path a hacker could take to exploit the vulnerability and its dependence on user interaction.
“This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on the affected system. This is achieved by prompting the user to open a specially crafted file placed online or within a local network location. The need for user interaction (convincing the user to interact with the file) plays a fundamental role in the exploitation process.”
Adam Barnett said that because Exchange is a popular target for threat actors, patching on-premises instances of the platform is crucial to reducing the risk of falling victim to an attack.
Barnett expressed some confusion, however, around the target context of remote execution, noting that it was unclear what type of user interaction the attack required and what a hacker could accomplish if successful.
“Since the context in which the user opened the malicious file is not specified, an Exchange administrator? A user running a mail client connecting to Exchange? Something completely different? — it is still unclear what an attacker could achieve.”
Barnett also noted that a previous Exchange flaw affecting the 2016 version, disclosed in February, has not yet been directly fixed, warning administrators that their Exchange instances may still be vulnerable.
“Exchange 2016 administrators who were dismayed by the lack of [a] patch for last month's CVE-2024-21410 can take some comfort that Microsoft has issued a patch that aims to fully remediate this month's CVE-2024-26198, but in the absence of any explicit advice to the contrary, a fully patched Exchange 2016 remains unprotected against CVE-2024-21410 unless the instructions in that advisory are followed.”