Single RCE Bug Features Among 60 CVEs in March Patch Tuesday

Written by

Microsoft fixed 60 vulnerabilities in this month’s Patch Tuesday security update round, including just two critical bugs.

These both affect Windows Hyper-V. CVE-2024-21407 enables attackers to escape from a Hyper-V guest virtual machine (VM) and achieve remote code execution (RCE) on the Hyper-V host, according to Rapid7 lead software engineer, Adam Barnett.

“Microsoft describes attack complexity as high: an attacker must first gather information specific to the environment and carry out unspecified preparatory work. Exploitation is via specially crafted file operation requests on the VM to hardware resources on the VM,” he explained.

“Every supported version of Windows receives a patch. The advisory describes that no privileges are required for exploitation of the Hyper-V host, although an attacker will presumably need an existing foothold on a guest VM.”

Read more on Patch Tuesday: Microsoft Fixes Two Zero-Days in February Patch Tuesday

The second critical bug is CVE-2024-21408, a denial of service vulnerability in Windows Hyper-V.

“This vulnerability allows an attacker to crash the Hyper-V service, rendering it unusable,” warned Critical Start cyber threat intelligence research analyst, Sarah Jones. “This could prevent users from accessing virtual machines hosted on the Hyper-V server, potentially causing significant disruption to critical business operations.”

She also drew attention to another Microsoft Defender security feature bypass vulnerability, CVE-2024-20671, which could prevent Defender from starting.

“While this vulnerability can be exploited to disable a critical security component, it’s important to note that Microsoft has already released automatic updates that fix this issue. So, as long as you have automatic updates enabled, your system should be protected,” Jones said.

Rapid7’s Barnett also warned of two CVEs which Microsoft has labelled “exploitation more likely.”

CVE-2024-26185 is described as a compressed folder tampering vulnerability.

“The advisory is sparse on detail, so while we know that an attacker must convince the user to open a specially crafted file, it’s not clear what the outcome of successful exploitation might be,” he said.

“Since the only impact appears to be to integrity, it’s possible that an attacker could modify a compressed folder but not necessarily read from it. Microsoft expects that exploitation is more likely.”

The second, CVE-2024-21433, impacts another popular target – the Windows Print Spooler service. Successful exploitation by winning a race condition could enable an attacker to elevate themselves to system privileges.

What’s hot on Infosecurity Magazine?