March Patch Tuesday throws up two critical Hyper-V flaws

Two critical vulnerabilities in Windows Hyper-V stand out on an otherwise unremarkable Patch Tuesday

Microsoft has fixed a pair of critical vulnerabilities in Windows Hyper-V, one leading to remote code execution (RCE) if exploited, on a remarkably light Patch Tuesday. The fixes come amid a slimline update comprising barely 60 common vulnerabilities and exposures (CVEs), none of them rated as zero-days.

Although the paucity of updates will come as a relief to security teams, the timing of such a small drop has surprised some – as Dustin Childs of Trend Micro’s Zero-Day Initiative (ZDI) observed, with the annual Pwn2Own hacking contest just over a week away, one might have expected Redmond to have been pushing more patches than usual.

“This month’s Patch Tuesday presents a reduction in fixed vulnerabilities from Microsoft, totalling 60, a decrease from last month’s 74 updates,” said Mike Walters, president and co-founder of patch management specialist Action1.

“Remarkably, we’re seeing only two critical vulnerabilities addressed, fewer than in February, highlighting a positive trend. Notably absent this month are any zero-day vulnerabilities or proof of concepts (PoCs), underscoring a moment of relative calm.”

The RCE vulnerability, tracked as CVE-2024-21407, carries a CVSS base score of 8.1. To exploit it, an authenticated attacker on a guest virtual machine (VM) needs to send specially-crafted file operation requests on the VM to hardware resources on the VM, which Microsoft said could lead to RCE on the host.

However, successful exploitation will also require the attacker to have specific information on the target environment at their fingertips, and according to Microsoft there are a number of additional actions they also need to take to soften up the target, so the complexity of the attack is quite high.

“As of this announcement, there have been no public disclosures or known exploitations of this vulnerability. Yet, given its critical severity and possible consequences, it is crucial for Windows Hyper-V users to promptly implement the provided updates to mitigate exposure,” said Walters.

“This vulnerability is applicable to systems running Windows 10 and newer, as well as Windows Server 2012 and newer that are equipped with the Hyper-V role. Users are urged to apply Microsoft’s official patch to safeguard against this issue. Additionally, adhering to best practices for VM and host server security – like minimising user privileges, narrowing network access, and vigilantly monitoring for unusual activities – is strongly advised,” he added.

The second critical flaw in Windows Hyper-V is tracked as CVE-2024-21408, and carries a CVSS base score of 5.5. Left unchecked, it enables a denial of service (DoS) attack, but Microsoft’s update provides no details of how it can be exploited.

Some of the other more notable issues this month include another RCE flaw in Microsoft Exchange Server, tracked as CVE-2024-26198, which falls short of being rated as critical because it requires a user to be tricked into opening a specially crafted file. In addition to patching, defenders may also wish to review their email server security settings, and remind users to exercise caution if they receive unsolicited or unverified files.

For similar reasons, security teams may also wish to prioritise a SharePoint Server RCE vulnerability, tracked as CVE-2024-21426, successful exploitation of which again requires a user to open a malicious file.

Another high-risk vulnerability this month is CVE-2024-21411, in Skype for Consumer. An RCE flaw with a CVSS base score of 8.8, this issue can be exploited if an attacker sends a malicious link or image via instant message, and the fact that it can be found in a widely-used consumer product is of concern, even though there are no known public disclosures or active exploits.

Out with OIT

At the same time as the main Patch Tuesday upload, Redmond has also announced the deprecation of support for Oracle’s Outside In Technology (OIT) libraries in Exchange Server. Detailed in full in a security advisory, the move heralds the replacement of OIT with an “improved, modern, in-house file scanning solution,” which will be used by default, although customers will be able to re-enable OIT for some file types if they absolutely must.

“The deprecation is a three-phase process starting with the March 2024 update. The first phase disables Oracle’s Outside In Technology (OIT) for all file types. The second phase will introduce a replacement scanning solution. The third phase will completely remove OIT code from Exchange Server. The second and third phase time frames were not announced in the advisory as of the initial publishing date on 12 March 2024,” said Chris Goettl, vice-president of product management for security products at Ivanti.

Get set for Secure Boot

Looking to next month’s Patch Tuesday, Goettl highlighted the planned third deployment phase for the changes associated with CVE-2023-24932, a dangerous vulnerability in the Windows Secure Boot security feature that was first tracked as a zero-day in May 2023.

“The CVE addressed a security feature bypass in Secure Boot utilised by the BlackLotus UEFI bootkit,” said Goettl. “The changes were being rolled out in a four-phase process and the third stage was to be implemented in the 9 April 2024 Patch Tuesday or later.

“Expect that next month the new mitigations to block additional vulnerable boot managers will be implemented. This could mean that you have some work to do to prepare media for the update. For more details, see KB5025885.”  

The multi-phased approach was necessary because Secure Boot very precisely controls the boot media that can load when the system OS starts up, so if applied incorrectly, the update could cause big problems, and even prevent systems from starting up.
