Lucene search

K
rapid7blogAdam BarnettRAPID7BLOG:F8C4D01E0EB539E66532DD5F4E70C642
HistoryMar 12, 2024 - 7:47 p.m.

Patch Tuesday - March 2024

2024-03-1219:47:44
Adam Barnett
blog.rapid7.com
74
microsoft
patch tuesday
march 2024
vulnerabilities
rce
remote code execution
windows hyper-v
hyper-v guest
exchange
sharepoint
azure kubernetes service
confidentiality impact

AI Score

9.6

Confidence

High

EPSS

0.074

Percentile

94.1%

Patch Tuesday - March 2024

Microsoft is addressing 60 vulnerabilities this March 2024 Patch Tuesday. Microsoft indicated that they aren’t aware of prior public disclosure or exploitation in the wild for any of the vulnerabilities patched today, which means no new additions to CISA KEV at time of writing. Microsoft is patching a single critical remote code execution (RCE) in Windows, which could allow virtual machine escape from a Hyper-V guest. Four browser vulnerabilities were published separately this month, and are not included in the total.

Windows Hyper-V: critical RCE VM escape

Attackers hoping to escape from a Hyper-V guest virtual machine (VM) and achieve RCE on the Hyper-V host will be interested in CVE-2024-21407. Microsoft describes attack complexity as high: an attacker must first gather information specific to the environment and carry out unspecified preparatory work. Exploitation is via specially crafted file operation requests on the VM to hardware resources on the VM. Every supported version of Windows receives a patch. The advisory describes that no privileges are required for exploitation of the Hyper-V host, although an attacker will presumably need an existing foothold on a guest VM.

Exchange: RCE

A single Exchange vulnerability receives a patch this month. Microsoft describes CVE-2024-26198 as a RCE vulnerability for Exchange, where an attacker places a specially-crafted DLL file into a network share or other file-sharing resource, and convinces the user to open it. Although the FAQ on the advisory asks: “What is the target context of the remote code execution?”, the answer boils down to ”[exploitation] results in loading a malicious DLL”. Since the context of the user opening the malicious file is not specified — an Exchange admin? a user running a mail client connecting to Exchange? something else altogether? — it remains unclear what an attacker might be able to achieve.

It remains vitally important to patch any on-premises instances of Exchange, a perennial attacker favourite. Exchange 2016 admins who were dismayed by the lack of patch for last month’s CVE-2024-21410 may feel somewhat reassured that Microsoft has issued a patch which claims to fully remediate this month’s CVE-2024-26198, but in the absence of any explicit advice to the contrary, a fully-patched Exchange 2016 remains unprotected against CVE-2024-21410 unless the guidance on that advisory is followed.

SharePoint: arbitrary code execution

SharePoint receives a patch for CVE-2024-21426, which Microsoft describes as RCE via the attacker convincing a user to open a malicious file. Although the context of code execution isn’t stated in the advisory, exploitation is local to the user, and could lead to a total loss of confidentiality, integrity, and availability, including downtime for the affected environment.

Azure Kubernetes Service Confidential Containers: confidentiality impact

Azure Kubernetes admins should take note of CVE-2024-21400, which allows an unauthenticated attacker to take over confidential guests and containers, with other outcomes including credential theft and resource impact beyond the scope managed by the Azure Kubernetes Service Confidential Containers (AKSCC). Microsoft describes AKSCC as providing a set of features and capabilities to further secure standard container workloads when working with sensitive data such as PII. The advisory describes additional steps for remediation beyond merely patching AKSCC, including upgrading to the latest version of the az confcom Azure CLI confidential computing extension and Kata Image.

Windows 11: compressed folder tampering

Defenders responsible for Windows 11 assets can protect assets against exploitation of CVE-2024-26185, which Microsoft describes as a compressed folder tampering vulnerability. The advisory is sparse on detail, so while we know that an attacker must convince the user to open a specially crafted file, it’s not clear what the outcome of successful exploitation might be. Since the only impact appears to be to integrity, it’s possible that an attacker could modify a compressed folder but not necessarily read from it. Microsoft expects that exploitation is more likely.

Windows Print Spooler: elevation to SYSTEM

Another site of “exploitation more likely” vulnerabilities this month: the Windows Print Spooler service. A local attacker who successfully exploits CVE-2024-21433 via winning a race condition could elevate themselves to SYSTEM privileges.

Exploitation in the wild: status updates

In the days following February 2024 Patch Tuesday, Microsoft announced several updates where the known exploited status of more than one vulnerability changed, as noted by Rapid7. It remains to be seen if those changes were exceptional or the start of a pattern.

Microsoft products lifecycle review

There are no significant changes to the lifecycle phase of Microsoft products this month.

Summary Charts

Patch Tuesday - March 2024Windows Kernel: get the popcornPatch Tuesday - March 2024A comparatively rare outing for Tampering, and a somewhat unusual second place for RCE.Patch Tuesday - March 2024Similar to last month: a significant round of WDAC patches, but this time current versions of Windows get a patch too.

Summary Tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21411 Skype for Consumer Remote Code Execution Vulnerability No No 8.8
CVE-2024-26204 Outlook for Android Information Disclosure Vulnerability No No 7.5
CVE-2024-21390 Microsoft Authenticator Elevation of Privilege Vulnerability No No 7.1
CVE-2024-26201 Microsoft Intune Linux Agent Elevation of Privilege Vulnerability No No 6.6

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21400 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability No No 9
CVE-2024-21418 Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21421 Azure SDK Spoofing Vulnerability No No 7.5
CVE-2024-26203 Azure Data Studio Elevation of Privilege Vulnerability No No 7.3

Azure System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability No No 9.8
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability No No 7.8

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26167 Microsoft Edge for Android Spoofing Vulnerability No No 4.3
CVE-2024-2176 Chromium: CVE-2024-2176 Use after free in FedCM No No N/A
CVE-2024-2174 Chromium: CVE-2024-2174 Inappropriate implementation in V8 No No N/A
CVE-2024-2173 Chromium: CVE-2024-2173 Out of bounds memory access in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26165 Visual Studio Code Elevation of Privilege Vulnerability No No 8.8
CVE-2024-21392 .NET and Visual Studio Denial of Service Vulnerability No No 7.5

Developer Tools Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26190 Microsoft QUIC Denial of Service Vulnerability No No 7.5

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21441 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21444 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21450 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-26161 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-26166 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21451 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-26159 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-21440 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-26162 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability No No 8.1
CVE-2024-26173 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26176 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26178 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21436 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26169 Windows Error Reporting Service Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21446 NTFS Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability No No 7.5
CVE-2024-21432 Windows Update Stack Elevation of Privilege Vulnerability No No 7
CVE-2024-21439 Windows Telephony Server Elevation of Privilege Vulnerability No No 7
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability No No 7
CVE-2024-21429 Windows USB Hub Driver Remote Code Execution Vulnerability No No 6.8
CVE-2024-26197 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 6.5
CVE-2024-21430 Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability No No 5.7
CVE-2024-26174 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2024-26177 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2024-26181 Windows Kernel Denial of Service Vulnerability No No 5.5
CVE-2023-28746 Intel: CVE-2023-28746 Register File Data Sampling (RFDS) No No N/A

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26198 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21419 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21426 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 7.8
CVE-2024-26199 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21448 Microsoft Teams for Android Information Disclosure Vulnerability No No 5

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26164 Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability No No 8.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20671 Microsoft Defender Security Feature Bypass Vulnerability No No 5.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21435 Windows OLE Remote Code Execution Vulnerability No No 8.8
CVE-2024-21442 Windows USB Print Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21434 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21431 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability No No 7.8
CVE-2024-21438 Microsoft AllJoyn API Denial of Service Vulnerability No No 7.5
CVE-2024-21443 Windows Kernel Elevation of Privilege Vulnerability No No 7.3
CVE-2024-21445 Windows USB Print Driver Elevation of Privilege Vulnerability No No 7
CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability No No 6.5
CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability No No 5.5
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability No No 5.5