March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V

On this March 2024 Patch Tuesday, Microsoft has released fixes for 59 CVE-numbered vulnerabilities, but – welcome news! – none of them are currently publicly known or actively exploited.

Last month, though, several days after Patch Tuesday, the company updated two advisories to say that those particular vulnerabilities were being exploited in the wild.

One of the two – CVE-2024-21338, an elevation of privilege vulnerability affecting the Windows Kernel – had been reported to Microsoft by Avast researchers, who later shared that it had been leveraged by North Korean hackers for months before the patch was released. Microsoft obviously knew that when they first published the associated advisory, but only confirmed in-the-wild exploitation after Avast went public with the information.

Time will tell if Microsoft will repeat the trick this month. In the meantime, admins must begin prioritizing patches based on the information that’s currently available.

Vulnerabilities of particular note

Two critical Windows Hyper-V vulnerabilities have been fixed, one (CVE-2024-21407) allowing remote code execution (RCE) via a so-called guest-to-host escape, and the other denial of service (CVE-2024-21408). Why a DoS vulnerability should be considered “critical”, Microsoft did not explain, but admins are advised to upgrade Windows systems running the hypervisor.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, singled out CVE-2024-26198, an unauthenticated RCE flaw affecting Microsoft Exchange Server, as important.

“This bug is a classic DLL loading vulnerability. An attacker places a specially crafted file in a location they control. They then entice a user to open the file, which loads the crafted DLL and leads to code execution,” he explained.

Security updates are available for Microsoft Exchange Server 2016 and 2019 that have the latest cumulative updates installed (Exchange Online customers are already protected, Microsoft’s Exchange Team noted.)

CVE-2024-21400, an elevation of privilege vulnerability affecting Azure Kubernetes Service (AKS) Confidential Containers, may allow unauthenticated attackers to steal credentials and manipulate resources not intended to be accessible.

“The breach essentially opens a backdoor for attackers, compromising the confidentiality and integrity of the confidential system,” Mat Lee, a security engineer at Automox, told Help Net Security.

“The mechanics of this vulnerability involve exploiting the container’s security boundaries using ‘az confcom’, a CLI tool for interacting with confidential resources, leading to unauthorized access to sensitive information. Given the increasing adoption of confidential containers for deploying applications, the potential impact of this vulnerability is substantial. Organizations using Azure Kubernetes Service must prioritize patching the confcom cli tool/plugin to >0.3.3 to protect their systems from possible breaches.”

Satnam Narang, senior staff research engineer at Tenable, notes that only six vulnerabilities patched by Microsoft on this Patch Tuesday are considered “more likely” to be exploited.

“These mostly include elevation of privilege vulnerabilities including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler), which we often see exploited in the wild as zero-days as part of post-exploitation activity, typically by advanced persistent threat (APT) groups,” he pointed out.

He also singled out CVE-2024-21390, an elevation of privilege flaw in Microsoft Authenticator, as interesting – though to exploit it, an attacker must already have an established presence on the mobile device (either via malware or a malicious app.

“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” he explained.

“While exploitation of this flaw is considered less likely, we know that attackers are keen to find ways to bypass multi-factor authentication. Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”