Microsoft Discloses Critical Hyper-V Flaws in Low-Volume Patch Update

We Keep you Connected

Microsoft Discloses Critical Hyper-V Flaws in Low-Volume Patch Update

Microsoft has disclosed fewer flaws and zero-days in the first three months of 2024 compared with the first quarter of the prior four years.
March 12, 2024
Microsoft issued patches for 60 unique CVEs in its Patch Tuesday security update for March, only two of which are rated as "critical" and needing priority attention. Both affect the Windows Hyper-V virtualization technology: CVE-2024-21407, a remote code execution (RCE) bug; and CVE-2024-21408, which is a denial-of-service (DoS) vulnerability. 
The update includes fixes for a total of 18 RCE flaws and two dozen elevation-of-privilege vulnerabilities, some of which allow threat actors to gain administrative control of affected systems.
Notably, several vulnerabilities that Microsoft assesses as being only of "important" severity and less likely to be exploited still have severity scores of more than 9.0 out of 10 on the CVSS vulnerability-severity scale because of their potential impact, if abused.
"This month's Patch Tuesday presents a reduction in fixed vulnerabilities from Microsoft, totaling 60, a decrease from last month's 74 updates," Mike Walters, president and co-founder of Action1, wrote in emailed comments. "Notably absent this month are any zero-day vulnerabilities or proofs of concept (PoCs), underscoring a moment of relative calm."
The RCE bug in Hyper-V gives attackers a way to take complete control of affected systems and potentially compromise virtual machines housed on the Hyper-V server, says Sarah Jones, cyber threat intelligence research analyst at Critical Start.
The DoS vulnerability, meanwhile, allows an adversary to crash the Hyper-V service, rendering it unusable.
"This could prevent users from accessing virtual machines (VMs) hosted on the Hyper-V server, potentially causing significant disruption to critical business operations," Jones notes. "If you use Hyper-V, it is crucial to install the security updates immediately to address these critical vulnerabilities and protect your systems."
Microsoft identified six of the vulnerabilities it disclosed this week as flaws that threat actors are more likely to exploit in future. Most of these were elevation-of-privilege vulnerabilities. They included CVE-2024-26170 in the Windows Composite Image File System; CVE-2024-26182 in Windows Kernel; CVE-2024-21433 in Windows Print Spooler; and CVE-2024-21437 in the Windows Graphics Component.
Satnam Narang, senior staff researcher at Tenable, described the privilege-escalation flaws as likely to be of more interest in a post-exploit scenario to advanced persistent threat (APT) actors, rather than for ransomware groups and other financially motivated actors.
"An APT group's objective is typically espionage related," Narang explained in an emailed statement. "APT groups prefer to stay under the radar as much as possible, while a ransomware affiliate is focused on more of a smash-and-grab approach because their object is financial gain."
In an emailed comment, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, pointed to the Windows Kernel elevation of privilege vulnerability (CVE-2024-26182) as something an attacker would be able to exploit only if they already gained access to an affected system. But once successful, the bug would allow an attacker to gain complete system-level privileges.  
"This sort of vulnerability is normally used to completely take over an important machine in a network, such as an Active Directory or an important Windows Server," McCarthy said.
One high-severity bug that Microsoft only rated as "important" was CVE-2024-21334, a 9.8-rated RCE vulnerability in Open Management Infrastructure (OMI). Saeed Abbasi, manager of vulnerability research at Qualys' threat research unit, identifies the bug as one that should be high on the patch priority list because of that score.
"This vulnerability allows remote, unauthenticated attackers to execute arbitrary code on exposed OMI instances via the Internet by sending specially crafted requests that exploit a use-after-free error," Abbasi says. "Given OMI's role in managing IT environments, the potential impact is vast, affecting potentially numerous systems accessible online."
While Microsoft considers exploitation less likely, the simplicity of the attack vector — a use-after-free (UAF) bug — against a critical component suggests that the threat level should not be underestimated, he cautions. In the past, bugs such as the OMIGOD set of OMI vulnerabilities in 2021 have been of high interest to attackers.
CVE-2024-20671, a Microsoft Defender security feature bypass flaw, and CVE-2024-21421, a spoofing vulnerability in Azure SDK, are two other flaws that merit higher attention than their "important" ratings would suggest, according to some security experts.
"While these specific vulnerabilities have workarounds or patches, the increased focus of threat actors in these directions is concerning," Tyler Reguly, senior manager of security at Fortra, said in prepared comments.
He also pointed to an elevation-of-privilege bug in Microsoft Authenticator (CVE-2024-21390) as something that administrators should pay attention to. "Successful exploitation of the vulnerability could allow the attacker to gain access to the users' multifactor authentication [MFA] codes," Reguly said. "Microsoft has rated this with a CVSS score of 7.1 and indicated that user interaction is required as the victim would need to close and then reopen the application."
Overall, for administrators used to dealing with large Microsoft patch volumes, the past three months have been something of a break from the usual. For instance, this is the second straight month that Microsoft has not disclosed a zero-day bug in its monthly security update. So far, in the first quarter of the year, Microsoft has issued patches for a total of 181 CVEs, which is substantially lower than its first-quarter average of 237 patches in each of the previous four years, Tenable's Narang noted.
"The average number of CVEs patched in March over the last four years was 86," Narang said. "This month, only 60 CVEs were patched."
Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
You May Also Like
Assessing Your Critical Applications’ Cyber Defenses
Unleash the Power of Gen AI for Application Development, Securely
The Anatomy of a Ransomware Attack, Revealed
How To Optimize and Accelerate Cybersecurity Initiatives for Your Business
Building a Modern Endpoint Strategy for 2024 and Beyond
Cybersecurity’s Hottest New Technologies – Dark Reading March 21 Event
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Industrial Networks in the Age of Digitalization
Zero-Trust Adoption Driven by Data Protection
How Enterprises Assess Their Cyber-Risk
2021 Digital Transformation Report
Why You’re Wrong About Operationalizing AI
Understanding Today’s Threat Actors
Causes and Consequences of IT and OT Convergence
FortiSASE Customer Success Stories – The Benefits of Single Vendor SASE
Global Perspectives on Threat Intelligence
The Forrester Wave: External Threat Intelligence Service Providers, Q3 2023
Cybersecurity’s Hottest New Technologies – Dark Reading March 21 Event
Black Hat Asia – April 16-19 – Learn More
Black Hat Spring Trainings – March 12-15 – Learn More
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.