Microsoft Discloses Critical Hyper-V Flaws in Low-Volume Patch Update

Microsoft issued patches for 60 unique CVEs in its Patch Tuesday security update for March, only two of which are rated as "critical" and needing priority attention. Both affect the Windows Hyper-V virtualization technology: CVE-2024-21407, a remote code execution (RCE) bug; and CVE-2024-21408, which is a denial-of-service (DoS) vulnerability. 

The update includes fixes for a total of 18 RCE flaws and two dozen elevation-of-privilege vulnerabilities, some of which allow threat actors to gain administrative control of affected systems.

Notably, several vulnerabilities that Microsoft assesses as being only of "important" severity and less likely to be exploited still have severity scores of more than 9.0 out of 10 on the CVSS vulnerability-severity scale because of their potential impact, if abused.

"This month's Patch Tuesday presents a reduction in fixed vulnerabilities from Microsoft, totaling 60, a decrease from last month's 74 updates," Mike Walters, president and co-founder of Action1, wrote in emailed comments. "Notably absent this month are any zero-day vulnerabilities or proofs of concept (PoCs), underscoring a moment of relative calm."

Critical RCE, DoS Hyper-V Vulnerabilities

The RCE bug in Hyper-V gives attackers a way to take complete control of affected systems and potentially compromise virtual machines housed on the Hyper-V server, says Sarah Jones, cyber threat intelligence research analyst at Critical Start.

The DoS vulnerability, meanwhile, allows an adversary to crash the Hyper-V service, rendering it unusable.

"This could prevent users from accessing virtual machines (VMs) hosted on the Hyper-V server, potentially causing significant disruption to critical business operations," Jones notes. "If you use Hyper-V, it is crucial to install the security updates immediately to address these critical vulnerabilities and protect your systems."

A Flurry of Microsoft Privilege-Escalation Bugs

Microsoft identified six of the vulnerabilities it disclosed this week as flaws that threat actors are more likely to exploit in future. Most of these were elevation-of-privilege vulnerabilities. They included CVE-2024-26170 in the Windows Composite Image File System; CVE-2024-26182 in Windows Kernel; CVE-2024-21433 in Windows Print Spooler; and CVE-2024-21437 in the Windows Graphics Component.

Satnam Narang, senior staff researcher at Tenable, described the privilege-escalation flaws as likely to be of more interest in a post-exploit scenario to advanced persistent threat (APT) actors, rather than for ransomware groups and other financially motivated actors.

"An APT group's objective is typically espionage related," Narang explained in an emailed statement. "APT groups prefer to stay under the radar as much as possible, while a ransomware affiliate is focused on more of a smash-and-grab approach because their object is financial gain."

In an emailed comment, Ben McCarthy, lead cybersecurity engineer at Immersive Labs, pointed to the Windows Kernel elevation of privilege vulnerability (CVE-2024-26182) as something an attacker would be able to exploit only if they already gained access to an affected system. But once successful, the bug would allow an attacker to gain complete system-level privileges.  

"This sort of vulnerability is normally used to completely take over an important machine in a network, such as an Active Directory or an important Windows Server," McCarthy said.

Microsoft Bugs: Important, but High Priority

One high-severity bug that Microsoft only rated as "important" was CVE-2024-21334, a 9.8-rated RCE vulnerability in Open Management Infrastructure (OMI). Saeed Abbasi, manager of vulnerability research at Qualys' threat research unit, identifies the bug as one that should be high on the patch priority list because of that score.

"This vulnerability allows remote, unauthenticated attackers to execute arbitrary code on exposed OMI instances via the Internet by sending specially crafted requests that exploit a use-after-free error," Abbasi says. "Given OMI's role in managing IT environments, the potential impact is vast, affecting potentially numerous systems accessible online."

While Microsoft considers exploitation less likely, the simplicity of the attack vector — a use-after-free (UAF) bug — against a critical component suggests that the threat level should not be underestimated, he cautions. In the past, bugs such as the OMIGOD set of OMI vulnerabilities in 2021 have been of high interest to attackers.

CVE-2024-20671, a Microsoft Defender security feature bypass flaw, and CVE-2024-21421, a spoofing vulnerability in Azure SDK, are two other flaws that merit higher attention than their "important" ratings would suggest, according to some security experts.

"While these specific vulnerabilities have workarounds or patches, the increased focus of threat actors in these directions is concerning," says John Gallagher, vice president of Viakoo Labs.

Tyler Reguly, senior manager of security at Fortra, pointed to an elevation-of-privilege bug in Microsoft Authenticator (CVE-2024-21390) as something that administrators should pay attention to. "Successful exploitation of the vulnerability could allow the attacker to gain access to the users' multifactor authentication [MFA] codes," Reguly said in prepared comments. "Microsoft has rated this with a CVSS score of 7.1 and indicated that user interaction is required as the victim would need to close and then reopen the application."

Overall, for administrators used to dealing with large Microsoft patch volumes, the past three months have been something of a break from the usual. For instance, this is the second straight month that Microsoft has not disclosed a zero-day bug in its monthly security update. So far, in the first quarter of the year, Microsoft has issued patches for a total of 181 CVEs, which is substantially lower than its first-quarter average of 237 patches in each of the previous four years, Tenable's Narang noted.

"The average number of CVEs patched in March over the last four years was 86," Narang said. "This month, only 60 CVEs were patched."