Microsoft March Patch: 2 'Critical' Hyper-V Security Holes Fixed

Microsoft's monthly security release has arrived with just two of its 60 March bulletins rated "critical." With no fixes for actively exploited zero-days in the batch, IT should prioritize the two critical items first; both fix flaws in Hyper-V.

CVE-2024-21407 addresses a remote code execution flaw in Microsoft's hypervisor. Left unpatched, it could allow an authenticated attacker on a guest virtual machine to execute arbitrary code on the host server. Exploitation requires sending specially crafted file operation requests from the VM to the hardware resources exposed to it, and Microsoft notes that an attacker would first have to gather information specific to the target environment and take additional preparatory steps before the attack could succeed.

A successful attack could severely compromise the confidentiality, integrity and availability of the host and potentially give the attacker elevated privileges, including the ability to alter or erase data.

The second critical Hyper-V flaw, CVE-2024-21408, is a denial-of-service vulnerability. Microsoft is staying tight-lipped about its nature; beyond acknowledging HongZhenhao of TianGong Team of Legendsec at Qi'anxin Group for the discovery, very few details are known.
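Because both critical items affect Hyper-V, the first triage question for most shops is which servers actually run the Hyper-V role and whether they have taken an update since the March release. The script below is an added example written for this page (it is not from the article, Microsoft or the researchers quoted); it assumes CIM/WMI access to the listed machines and uses March 12, 2024, Microsoft's March 2024 Patch Tuesday date, as the cutoff, both of which are assumptions to adjust for your environment.

```powershell
# Added example: flag Hyper-V hosts that have not installed an update since
# the March 2024 release. Not the article's or Microsoft's code.
param(
    # Assumption: these machines are reachable over CIM/WMI with admin rights.
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Assumption: Patch Tuesday for March 2024 was 2024-03-12.
    [datetime]$ReleaseDate  = '2024-03-12'
)

$results = foreach ($computer in $ComputerName) {
    try {
        # The Hyper-V Virtual Machine Management service (vmms) is only
        # present when the Hyper-V role is installed.
        $vmms = Get-CimInstance -ComputerName $computer -ClassName Win32_Service `
                    -Filter "Name='vmms'" -ErrorAction Stop
        $isHyperV = $null -ne $vmms

        # Most recently installed update as recorded by Win32_QuickFixEngineering.
        # Some entries have no InstalledOn date, so those are skipped.
        $latest = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                  Where-Object InstalledOn |
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1

        [pscustomobject]@{
            Computer     = $computer
            HyperVHost   = $isHyperV
            LatestHotFix = $latest.HotFixID
            InstalledOn  = $latest.InstalledOn
            PatchedSince = ($null -ne $latest) -and ($latest.InstalledOn -ge $ReleaseDate)
            Priority     = if ($isHyperV) { 'Critical (Hyper-V)' } else { 'Standard' }
        }
    }
    catch {
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}

# Hyper-V hosts first, unpatched ones at the top of that group.
$results |
    Sort-Object -Property @{ Expression = 'HyperVHost'; Descending = $true }, PatchedSince |
    Format-Table -AutoSize
```

A post-release install date is a quick screen, not proof that the two Hyper-V fixes are present: confirm the specific KB named in each CVE's advisory, since Get-HotFix reports only what Win32_QuickFixEngineering records and can lag or omit cumulative updates on some builds.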

That's it for this month's smaller-than-usual list of critical items, but a few additional bulletins warrant patching as soon as possible. CVE-2024-21390, while rated only "important," is one of them.

This bulletin addresses an elevation of privilege flaw in the Microsoft Authenticator app. An attacker with access to the device could obtain "multi-factor authentication codes for the victim's accounts, as well as modify or delete accounts in the authenticator app but not prevent the app from launching or running," according to Microsoft.

While the flaw would take some effort to exploit, the damage could be severe, according to Mike Walters, president and co-founder of security firm Action1. "Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealthy, they could maintain this access and steal multi-factor authentication codes in order to log in to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts," said Walters.

One other item to pay attention to this month is CVE-2024-26198, a remote code execution vulnerability in Microsoft Exchange. An attacker would exploit it by placing a malicious file in an online directory and tricking a user into opening it.

Even though Microsoft has characterized exploitation as difficult, Dustin Childs of the Zero Day Initiative considers it likely that a working exploit will appear before long.

"This bug is a classic DLL loading vulnerability," wrote Childs in his Zero Day Initiative blog. "An attacker places a specially crafted file in a location they control. They then entice a user to open the file, which loads the crafted DLL and leads to code execution. Last month, Microsoft stated the Exchange bug was being actively exploited only after the release. This bug is currently NOT listed as exploited in the wild, but I'll update this blog should Microsoft change its mind (again)."
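The pattern Childs describes, a user-opened file that causes a process to load a DLL the attacker controls, leaves a distinctive trace: a DLL loaded from a user-writable location that carries no valid signature. The script below is an added example for this page (not ZDI's, Microsoft's or the article's code) that hunts for that trace in Sysmon Event ID 7 (Image loaded) records. It assumes Sysmon is deployed with image-load logging enabled for the processes you care about, and the list of user-writable roots is an assumption to tune per environment.

```powershell
# Added example: hunt Sysmon Event ID 7 (Image loaded) for unsigned or
# invalidly signed DLLs loaded from user-controlled paths. Not the article's
# or ZDI's code.
param(
    [datetime]$Since = (Get-Date).AddDays(-1),
    # Assumption: directories a standard user can write to on this build.
    [string[]]$UserWritableRoots = @(
        "$env:SystemDrive\Users\",
        "$env:SystemDrive\ProgramData\",
        "$env:windir\Temp\"
    )
)

# Assumption: Sysmon is installed and writes to its default operational log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 7
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than
    # scraping the rendered message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $loaded       = $data['ImageLoaded']
    $fromUserPath = $UserWritableRoots | Where-Object { $loaded -like "$_*" }

    # Sysmon records Signed as 'true'/'false' and SignatureStatus as
    # 'Valid' when the Authenticode signature checks out.
    $badSignature = ($data['Signed'] -ne 'true') -or ($data['SignatureStatus'] -ne 'Valid')

    if ($fromUserPath -and $badSignature) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Process   = $data['Image']
            Dll       = $loaded
            Signed    = $data['Signed']
            SigStatus = $data['SignatureStatus']
            User      = $data['User']
        }
    }
}
```

Expect some benign hits (installers and per-user applications that live under the profile directory), so baseline the output before alerting on it; narrowing the Process column to the client applications that open user-supplied files cuts most of the noise.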

The full list of March's bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
