Fixes for two critical-severity Hyper-V bugs and an open Management Infrastructure (OMI) flaw with a CVSS v3 rating of 9.8 were among 60 vulnerabilities Microsoft addressed in this month’s Patch Tuesday releases.
While March’s total patch count was relatively low and, according to Microsoft, did not include any actively exploited vulnerabilities, researchers still found several of the newly disclosed flaws “interesting”.
Tenable research engineer Satnam Narang said this month’s patching of 60 CVEs compared to an average of 86 patches Microsoft had issued in March over the last four years. Numbers for the first quarter of the year were also down, with 181 CVEs patched so far in 2024 compared to an average of 237 during the first quarter between 2020 and 2023.
“It’s unclear why there have been less CVEs patched this year. These numbers are more akin to the figures we saw in the first quarter of 2018 and 2019,” he said.
Hyper-V and OMI flaws require urgent patching
The software giant urged users to prioritize patching the two critical Hyper-V vulnerabilities. The first (tracked as CVE-2024-21407) allowed an attacker to remotely execute malicious code on a system running Hyper-V, opening the door for them to take complete control of the system.
“This vulnerability stands out this month, and is uniquely alarming due to its direct enablement of code execution,” said Saeed Abbasi, vulnerability research manager at Qualys.
Abbasi said while an attack exploiting the flaw was complex, requiring an attacker to gather environment-specific information, “this should not be a reason to delay patching, as the potential consequences of a successful exploit are severe”.
The second Hyper-V bug (CVE-2024-21408) was a denial of service (Dos) vulnerability that could allow an attacker to crash the service, preventing access to virtual machine.
“Microsoft does not indicate how extensive the DoS is or if the system automatically recovers, but considering its rating, the bug likely shuts down the entire system,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.
The OMI vulnerability (CVE-2024-21334), with a near-maximum CVSS rating of 9.8 out of 10, allowed attackers to execute arbitrary code on exposed OMI instances by sending specially crafted requests that exploit a use-after-free error.
“Given OMI's role in managing IT environments, the potential impact is vast, affecting potentially numerous systems accessible online,” Abbasi said.
Childs added that while Microsoft considered it one of the vulnerabilities less likely to be exploited “it’s a very juicy target. It’s on TCP port 5986 by default, so I expect to see a lot of scanning on that port in the very near future”.
Authenticator bug has MFA bypass potential
Among the other bugs patched this month was a Microsoft Authenticator app vulnerability Childs and Narang both described as “interesting” because it could enable attackers to bypass multi-factor authentication (MFA) protections.
To exploit the elevation of privilege flaw (CVE-2024-21390), an attacker needed to already have a presence on the device, either through malware or a malicious application. They also needed to convince the victim to close and reopen the app, something that would require “a significant level of social engineering,” Childs said.
While the Authenticator flaw was also on the list of those Microsoft considered less likely to be exploited, Narang said that given the complexity involved, the “less likely” classification needed to be weighed against the strong interest threat groups had in finding ways to bypass MFA.
“Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites,” he said.
“But if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”