Critical Fixes for March 2024 Patch Tuesday

HawkEye Cyber SOC

Background

Microsoft has issued Patch Tuesday for March 2024, fixing 61 security flaws. Two vulnerabilities are categorized as critical in maximum severity in Microsoft advisories; no zero-day vulnerabilities exist in this month’s release.

A wide range of vulnerabilities are the subject of the March 2024 Patch Tuesday; the number of vulnerabilities in each category is as follows:

Vulnerability CategoryQuantitySeverities
Denial of Service Vulnerability6Critical: 1
Important: 5
Elevation of Privilege Vulnerability24Important: 24
Information Disclosure Vulnerability6Important: 6
Remote Code Execution Vulnerability18Critical: 1
Important: 17
Security Feature Bypass Vulnerability3Important: 3

Details of critical vulnerabilities

CVE-2024-21407 | Windows Hyper-V RCE:

Windows Hyper-V has an RCE vulnerability, CVE-2024-21407. This vulnerability is classified as critical, with a CVSSv3 score of 8.1. An attacker must get authentication and gather knowledge about the target environment to create a successful exploit for this vulnerability. Due to this vulnerability, remote code execution on the host server may occur if an authorized attacker in a guest virtual machine sends specifically crafted file operation requests to the virtual machine’s hardware resources. Despite the high attack complexity, the host server may experience code execution as a result of exploitation.

CVE-2024-21408 | Windows Hyper-V DOS:

The CVSS score of CVE-2024-21408 is lower, at 5.5. Other than the fact that it causes a Denial-of-Service (DoS) in Windows Hyper-V, which significantly affects availability, not much is known about this vulnerability as of the time the Microsoft advisory was released.

CVE-2024-21334 | OMI RCE:

The open-source Open Management Infrastructure (OMI) management server is vulnerable to RCE-2024-21334. It was given a 9.8 CVSSv3 score and is considered important. A remote, unauthenticated attacker might leverage a carefully crafted request to cause a use-after-free vulnerability in order to take advantage of this vulnerability. This month, OMI also received another patch (CVE-2024-21330) to fix an EoP issue.

CVE-2024-21400 | Azure Kubernetes EOP:

According to Microsoft, “An attacker who successfully exploited this vulnerability could steal credentials and affect resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC)” despite the fact that this vulnerability is not yet being actively abused.

Microsoft has advised customers to ensure they are using the most recent versions of Kata Image and az confcom, which are components of the Azure CLI, in order to safeguard themselves against this issue.

CVE-2024-21426 | Sharepoint arbitrary code execution:

A patch for CVE-2024-21426, which Microsoft defines as RCE where an attacker persuades a victim to open a malicious file, is released for SharePoint. The advice doesn’t specify the context of code execution, however exploitation is limited to the user and has the potential to entirely compromise confidentiality, integrity, and availability, as well as cause outages for the impacted environment.

CVE-2024-21433 | Windows Print Spooler EOP:

An EoP vulnerability in Windows Print Spooler is CVE-2024-21433. This vulnerability has a CVSSv3 score of 7.0 and is classified as “Exploitation More Likely.” In order to take advantage of this vulnerability, an attacker would need to prevail in a race situation that may give them access to the system.

CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 | Windows Kernel EOP:

The Windows Kernel is vulnerable to EoP vulnerabilities CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178, and CVE-2024-26182. All of these vulnerabilities have been classified as critical, with the exception of CVE-2024-21443, which received a score of 7.3 on the CVSSv3. The only Windows Kernel EoP with a “Exploitation More Likely” rating was CVE-2024-26182. If these vulnerabilities are successfully exploited, an attacker may be able to obtain SYSTEM privileges.

CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161, and CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server RCE:

RCE vulnerabilities affecting the Microsoft WDAC OLE DB provider for SQL Server are CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161, and CVE-2024-26166. These vulnerabilities have an 8.8 CVSSV3 score and are classified as important. An authenticated user must be persuaded to connect to a malicious SQL database in order for exploitation to be successful. Once a connection has been established, the vulnerability can be exploited to permit the execution of arbitrary code by sending the client specifically crafted responses.

Recommendations

According to Microsoft and cyber security researchers’ most recent updates, there haven’t been any widespread reports of CVE-2024-21407, CVE-2024-21400, or CVE-2024-26164 being actively exploited. However, as attackers want to take advantage of unpatched systems, the revelation of these vulnerabilities raises the possibility of exploitation attempts.

As part of its March 2024 Patch Tuesday updates, Microsoft has made patches available for these vulnerabilities. To reduce the risk, make sure your systems are updated as soon as possible.

References

https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/releaseNote/2024-Mar
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21407
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21408

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.
This is a staging environment