peangdao - stock.adobe.com

Hyper-V zero-day stands out on a busy Patch Tuesday

Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-day singled out for urgent attention

Security teams will have a busy few days ahead of them after Microsoft patched close to 140 new common vulnerabilities and exposures (CVEs) in its July Patch Tuesday update, including four zero-day exploits – one of them a third-party update via processor giant ARM.

The four zero-days are listed, in numerical order, as follows:

  • CVE-2024-35264, a remote code execution (RCE) vulnerability in .NET and Visual Studio. This vulnerability carries a CVSS score of 8.1, but in contrast, while a proof-of-concept exploit is circulating, it does not yet seem to have been taken advantage of;
  • CVE-2024-37895, an information disclosure vulnerability affecting ARM. This bug carries a CVSS score of 5.9, but although it has been made public, is also not yet being exploited;
  • CVE-2024-38080, an elevation of privilege (EoP) flaw in Windows Hyper-V. This vulnerability carries a CVSS score of 7.8, and is known to have been exploited in the wild, although no public exploit has been published;
  • CVE-2024-38112, a spoofing vulnerability in Windows MSHTML Platform. This vulnerability carries a CVSS score of 7.5. No public exploit is available, but it is being used by as-yet unknown adversaries.

Zeroing in on the Hyper-V flaw, Mike Walters of patch management specialist Action1 said it posed “significant risk” to systems utilising Hyper-V – it appears relatively simple to exploit, with an attacker being able to gain admin rights with ease if they have obtained initial local access via, for example, a compromised user account in a virtual machine. Ultimately, it takes advantage of an integer overflow issue in Hyper-V.

“CVE-2024-38080 … highlights a clear avenue for attackers to gain elevated privileges, jeopardising the confidentiality, integrity and availability of multiple virtualised systems,” said Walters.

“When combined with other vulnerabilities, such as remote code execution flaws or initial access exploits such as phishing or exploit kits, the attack vector becomes more sophisticated and damaging,” he added.

“Adopting a proactive security approach, including timely patching and strict adherence to robust security practices, is crucial for mitigating these risks effectively.”

System access

Saeed Abbasi, product manager of vulnerability at Qualys’ Threat Research Unit (TRU), added: “The impact is enormous since this vulnerability could grant attackers the highest level of system access that could enable the deployment of ransomware and other malicious attacks.

“While Microsoft has not disclosed the extent of active exploitation, the nature of the vulnerability makes it a prime target for attackers,” he said. “Due to its potential for deep system control, this vulnerability is poised for increased exploitation attempts. The combination of low complexity and no user interaction requirement means it is likely to be rapidly incorporated into exploit kits, leading to widespread exploitation.

“Furthermore, the ability to escalate privileges makes this vulnerability particularly detrimental for ransomware attacks, as it enables attackers to turn off security measures and spread more effectively across networks, thereby significantly amplifying the impact of such attacks.”

Read more about Patch Tuesday

  • June 2024: An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address in Microsoft’s latest Patch Tuesday update.
  • May 2024: A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malware that is drawing attention.
  • April 2024: Support for the Windows Server 2008 OS ended in 2020, but four years on and there's a live exploit of a security flaw that impacts all Windows users.
  • March 2024: Two critical vulnerabilities in Windows Hyper-V stand out on an otherwise unremarkable Patch Tuesday.
  • February 2024: Two security feature bypasses impacting Microsoft SmartScreen are on the February Patch Tuesday docket, among more than 70 issues.
  • January 2024: Microsoft starts 2024 right with another slimline Patch Tuesday drop, but there are some critical vulns to be alert to, including a number of man-in-the-middle attack vectors.

Meanwhile, Rob Reeves, principal cyber security engineer at Immersive Labs, ran the rule over the Windows MSHTLM platform vuln. “Details from Microsoft are scarce and only described as a ‘spoofing’ vulnerability, which requires social engineering in order to convince a user to execute a delivered file,” he said.

“It is assessed that the vulnerability likely might lead to remote Code execution, because of its linking to CWE-668: Exposure of Resource to Wrong Sphere and in the event of successful exploitation, leads to complete compromise of confidentiality, integrity and availability. The CVSS score of only 7.5, due to the difficulty in exploiting, is possibly only due to the complexity of the attack itself.

Reeves said that without more details from Microsoft or the original reporter – a Check Point researcher – it was hard to give specific guidance on next steps, but that given it affects all hosts from Windows Server 2008 R2 and beyond – including clients – and is seeing active exploitation, it should be prioritised for patching without delay.

In addition to the zero-days, the July 2024 update also lists five critical flaws, all RCE vulnerabilities, carrying CVSS scores of 7.2 to 9.8. Three of these relate to Windows Remote Desktop Licensing Service, one to Microsoft Windows Codecs Library, and the fifth to Microsoft SharePoint Server.

Gamers beware

Finally, another RCE vulnerability in the Xbox Wireless Adapter has also drawn some attention, aptly demonstrating the importance of securing consumer devices and networks, which can be just as useful an element of a threat actor’s attack chain as any cloud server vulnerability affecting an enterprise.

Tracked as CVE-2024-38078, the flaw becomes exploitable if an attacker is in close physical proximity of the target system and has gathered specific information on the target environment.

Although this complexity makes it less likely it will be exploited, if it was to happen, an attacker could send a malicious networking packet to an adjacent system employing the adapter, and from there achieve RCE.

“In a work-from-home setup, securing all devices, including IoT devices like alarm systems and smart TVs, is essential,” said Ryan Braunstein, Automox security operations team lead. “Attackers can exploit this vulnerability to gain unauthorised access and compromise sensitive information. The distance with which Wi-Fi signals can be detected, intercepted, and broadcasted is commonly underestimated, further heightening the risk of this vulnerability.”

“To mitigate these threats, apply regular updates to all devices and adopt strong network security measures like robust passwords and encryption,” he added. “Educating all employees, friends, and family members about the importance of keeping devices patched and updated may not make you popular at parties, but can definitely reduce the 2am phone calls.”

Read more on Application security and coding requirements