
The March 2024 Security Update Review

It’s the second Tuesday of the month, and Adobe and Microsoft have released a fresh crop of security updates. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for March 2024

For March, Adobe released six patches addressing 56 vulnerabilities in Adobe Experience Manager, Premiere Pro, ColdFusion, Adobe Bridge, Lightroom, and Adobe Animate. Two of these bugs were submitted through the ZDI Program. The largest is the update for Experience Manager, which addresses 44 CVEs. However, all but two of these are simple cross-site scripting (XSS) bugs. The fix for Adobe Animate corrects four CVEs. Only one of these CVEs is rated Critical and could lead to arbitrary code execution if a user opens a specially crafted file on an affected system. The other three bugs are all memory leaks resulting from Out-of-Bounds (OOB) Read bugs. The patch for Premiere Pro fixes two Critical-rated bugs that also require user interaction to gain code execution.

For those still running ColdFusion, there’s a single Critical-rated arbitrary file system read bug getting fixed. Adobe also recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. The fix for Adobe Bridge addresses three Critical-rated and one Important-rated bug. The worst could lead to code execution when opening a specially crafted file. The final patch fixes a single code execution bug in Lightroom. Adobe also made the odd decision to stop tweeting when its patches become available and to limit communication to just email subscriptions. Let’s hope they reverse that decision, as many people (myself included) rely on the Twitter feed for notifications.

And with this release, anyone targeting Adobe Reader at next week’s Pwn2Own Vancouver event can breathe a sigh of relief. It seems your exploits won’t be patched before the event.  

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for March 2024

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; Skype; Microsoft Components for Android; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 64. One of these bugs was reported through the ZDI program.

Of the new patches released today, two are rated Critical, and 57 are rated Important in severity. This is a relatively low volume for March, especially considering this is the last patch cycle before the Pwn2Own contest next week. Vendors usually try to patch as much as possible knowing we update all targets to the latest release. Considering Microsoft has several targets in the contest, it’s interesting to see such a small release.

None of the CVEs released today are listed as publicly known or under active attack, but that could change. After the February release, Microsoft revised multiple updates to indicate they were being actively exploited. For now, nothing is listed as in the wild. I’ll update this blog should that change.

Let’s take a closer look at some of the more interesting updates for this month, starting with a Critical-rated Hyper-V bug:

– CVE-2024-21407 – Windows Hyper-V Remote Code Execution Vulnerability
This is one of the two Critical-rated bugs for this month, and this is the only one that could result in code execution. This vulnerability would allow a user on a guest OS to execute arbitrary code on the host OS. This is often referred to as a guest-to-host escape and could be used to impact other guest OSes on the server. It’s a shame we won’t see this bug get exploited at Pwn2Own next week, where it could have won $250,000. Maybe next year.

– CVE-2024-26198 – Microsoft Exchange Server Remote Code Execution Vulnerability
It seems there are Exchange patches almost every month now, and March is no different. This bug is a classic DLL loading vulnerability. An attacker places a specially crafted file in a location they control. They then entice a user to open the file, which loads the crafted DLL and leads to code execution. Last month, Microsoft stated the Exchange bug was being actively exploited only after the release. This bug is currently NOT listed as exploited in the wild, but I’ll update this blog should Microsoft change its mind (again).

– CVE-2024-21334 – Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
This bug carries the highest CVSS score of the release at 9.8. It would allow a remote, unauthenticated attacker to execute code on OMI instances exposed to the Internet. It’s not clear how many of these systems are reachable through the Internet, but it’s likely a significant number. Microsoft gives this an “Exploitation less likely” rating, but considering this is a simple Use After Free (UAF) bug on a juicy target, I would expect to see scanning for TCP port 5986 on the uptick soon.

– CVE-2024-21400 – Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
This bug allows an unauthenticated attacker to access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers. Successful exploitation would allow the attacker to steal credentials and affect other resources. While that’s bad enough, patching won’t be straightforward. Customers must ensure they are running the latest version of “az confcom” and Kata Image. The bulletin contains additional information on the commands needed. Be sure to check it out.

Here’s the full list of CVEs released by Microsoft for March 2024:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2024-21408 | Windows Hyper-V Denial of Service Vulnerability | Critical | 5.5 | No | No | DoS |
| CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2024-21392 | .NET and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-26203 | Azure Data Studio Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2024-21421 † | Azure SDK Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing |
| CVE-2024-21431 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | Important | 7.8 | No | No | SFB |
| CVE-2023-28746 * | Intel: CVE-2023-28746 Register File Data Sampling (RFDS) | Important | N/A | No | No | Info |
| CVE-2024-21438 | Microsoft AllJoyn API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21390 | Microsoft Authenticator Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2024-21400 † | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | Important | 9 | No | No | EoP |
| CVE-2024-20671 | Microsoft Defender Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
| CVE-2024-26164 | Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21419 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2024-26198 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-26201 | Microsoft Intune Linux Agent Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP |
| CVE-2024-21451 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-26159 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21440 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-26162 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-26199 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-26190 | Microsoft QUIC Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21426 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-21448 † | Microsoft Teams for Android Information Disclosure Vulnerability | Important | 5 | No | No | Info |
| CVE-2024-21441 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21444 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21450 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-26161 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21434 | Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21446 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21330 | Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21334 | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
| CVE-2024-26204 | Outlook for Android Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2024-21411 † | Skype for Consumer Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21418 | Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-26165 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2024-26160 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2024-26170 | Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-26185 | Windows Compressed Folder Tampering Vulnerability | Important | 6.5 | No | No | Tampering |
| CVE-2024-26169 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21437 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21436 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21427 | Windows Kerberos Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2024-26181 | Windows Kernel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-26173 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-26176 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-26178 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21443 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2024-26174 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2024-26177 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2024-21435 | Windows OLE Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21433 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-26197 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2024-21439 | Windows Telephony Server Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-21432 | Windows Update Stack Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-21430 | Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability | Important | 5.7 | No | No | RCE |
| CVE-2024-21429 | Windows USB Hub Driver Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2024-21442 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21445 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-26167 | Microsoft Edge for Android Spoofing Vulnerability | Unknown | 4.3 | No | No | Spoofing |
| CVE-2024-2173 * | Chromium: CVE-2024-2173 Out of bounds memory access in V8 | High | N/A | No | No | RCE |
| CVE-2024-2174 * | Chromium: CVE-2024-2174 Inappropriate implementation in V8 | High | N/A | No | No | RCE |
| CVE-2024-2176 * | Chromium: CVE-2024-2176 Use after free in FedCM | High | N/A | No | No | RCE |

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.
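A small triage helper for release tables in this layout, added here as an example (not ZDI’s or Microsoft’s code): it parses rows written as `CVE [†|*] Title Severity CVSS Public Exploited Type`, keeps the two footnote markers as flags, and orders the result by exploitation status, then CVSS, with RCE ahead of other types at ties. The embedded rows are a constructed subset of the March 2024 table above; the scoring order is this example’s own convention.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the release table, one row per line.
SAMPLE_ROWS = """\
CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability Critical 5.5 No No DoS
CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2024-21421 † Azure SDK Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2023-28746 * Intel: CVE-2023-28746 Register File Data Sampling (RFDS) Important N/A No No Info
CVE-2024-21400 † Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability Important 9 No No EoP
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2024-26198 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 No No RCE
"""

# Title is matched non-greedily up to the severity word; CVSS may be "N/A".
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s*(?P<mark>[†*])?\s+(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low|High|Unknown)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?|N/A)\s+(?P<public>Yes|No)\s+(?P<exploited>Yes|No)\s+"
    r"(?P<kind>\w+)$"
)

@dataclass
class Advisory:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]   # None when the vendor lists N/A
    public: bool
    exploited: bool
    kind: str
    third_party: bool       # '*' marker: CVE issued by a third party
    admin_action: bool      # '†' marker: further administrative steps required

def parse_rows(text: str) -> List[Advisory]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        cvss = None if m["cvss"] == "N/A" else float(m["cvss"])
        rows.append(Advisory(m["cve"], m["title"], m["severity"], cvss,
                             m["public"] == "Yes", m["exploited"] == "Yes",
                             m["kind"], m["mark"] == "*", m["mark"] == "†"))
    return rows

def triage_order(advs: List[Advisory]) -> List[Advisory]:
    # In-the-wild exploitation first, then public disclosure, then CVSS (N/A sorts last),
    # and RCE ahead of other types when scores tie.
    key = lambda a: (a.exploited, a.public, -1.0 if a.cvss is None else a.cvss, a.kind == "RCE")
    return sorted(advs, key=key, reverse=True)

def needs_admin_action(advs: List[Advisory]) -> List[str]:
    # CVEs where applying the update alone is not enough (the † rows).
    return [a.cve for a in advs if a.admin_action]

def severity_counts(advs: List[Advisory]) -> dict:
    counts: dict = {}
    for a in advs:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts
```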


The only other Critical-rated bug is a Denial-of-Service (DoS) vulnerability in Hyper-V Server. Microsoft does not indicate how extensive the DoS is or if the system automatically recovers, but considering its rating, the bug likely shuts down the entire system.

Moving on to the other remote code execution bugs, as we saw last month, there are many impacting SQL clients that would require connecting to a malicious SQL server. Practical exploitation is unlikely without significant social engineering. That’s not the case for the bug in Django Backend for SQL Server. This vulnerability is a classic SQL injection via unsanitized parameters. There’s also a DLL loading bug for Windows OLE. The RCE bug in SharePoint requires user interaction in that the threat actor needs to convince the user to open a specially crafted file. Social engineering will also be required for the Skype for Consumer vulnerability. You’ll also need to manually download the latest version of Skype here as there doesn’t seem to be an automated upgrade option. The final two RCE bugs are a bit rare in that they require physical access to the target system. Both vulnerabilities rely on the attacker plugging a device into an open USB port. It’s uncommon to see patches for bugs with this physical attack vector, but it’s good to see Microsoft is willing to make updates for these types of issues.

Speaking of rarities, there is a single patch for a Tampering bug in the Windows compressed folder component. Microsoft doesn’t give any indication of how the vulnerability would manifest other than to say it requires a user to open a specially crafted file. After that, it’s not clear what is actually being tampered with, although the inclination is to believe an attacker could change file contents with this bug.

There are more than 20 elevation of privilege (EoP) patches in this month’s release. In most cases, a local attacker would need to run specially crafted code to elevate to SYSTEM. The bug in the telephony component would lead to the similar (but distinctly different) “NT AUTHORITY\Network Service” privilege. The bug in Azure Data Studio would only elevate to the permission level of the user running the application. Another reminder not to do daily tasks with administratively privileged accounts. The bug in the Microsoft Intune Linux Agent bypasses compliance checks when using custom compliance scripts, thus altering the results. The bug in the Authenticator app sounds quite bad as it could bypass 2FA, but it requires a fair bit of user interaction to succeed. An attacker needs to be already executing code on the target and have the user close and re-open the Authenticator application. The vulnerability in the Windows Installer would allow an attacker to delete files. We recently blogged about a similar bug in the .NET framework. The bug in OMI is interesting in that an attacker could exploit it to communicate as Root with an OMI server. The final EoP patch for March affects the Software for Open Networking in the Cloud (SONiC) component. Successful exploitation would allow an attacker to escalate to Root in the Border Gateway Protocol (BGP) container and perform specific actions that enable them to escape the container.

There are three separate Security Feature Bypass (SFB) patches in this month’s release, with the most impactful affecting Windows Defender. The good news is that you’ll likely need to take no action, as the Defender engine automatically updates itself. The bad news is that if you’re in an isolated environment or have Defender disabled, you’ll likely need to manually verify the Defender version. Given that this bug allows attackers to prevent Defender from starting, it’s best to make sure you have that patch applied. The bug in Hypervisor-Protected Code Integrity (HVCI) could allow an attacker to bypass code integrity protections, but it requires administrator-level permissions. Another rarity, as exploits that begin with admin permissions rarely get fixed. The final SFB update fixes a bug in Kerberos that could lead to impersonating other users.

The March release includes five information disclosure bugs, but unusually, only one leaks unspecified memory contents. The two bugs in the kernel could allow an attacker to view registry keys they would otherwise not be able to access. The bug in Teams for Android would allow the reading of files from the private directory of the app. You’ll also need to manually get this update from the Google Play Store. That’s also the case for Outlook for Android. That bug allows attackers to view the ineffable “file contents”. In addition to the one already documented, the March release includes fixes for five different denial-of-service (DoS) bugs in various components. However, Microsoft provides no real information or details for them.

There are two spoofing bugs receiving patches this month, and the one in Microsoft Edge for Android is a strange one. It was actually published earlier this month but without an actual fix. Instead, it notes, “The security update for Edge for Android is not immediately available.” It seems odd that Microsoft would choose to publish information about the bug without also pushing a fix for the bug. Perhaps it will be updated soon. The other spoofing bug is in the Azure SDK, and you may or may not need to take extra steps to be fully protected. If you are running a deployment created before October 19, 2023, you will need to manually upgrade azure-core to Azure Core Build 1.29.5 or higher. If you have a deployment from after October 19, you should receive the patch automatically.

There is one new advisory for this month as Microsoft announces the deprecation of Oracle’s libraries within Exchange. This is a long time coming and a welcome change, as Exchange was essentially 0-day’ed every time Oracle updated their libraries.

Finally, there is a single cross-site scripting (XSS) bug in Microsoft Dynamics fixed this month.

Looking Ahead

Be sure to look out for updates from Pwn2Own Vancouver, and if you’re at the CanSecWest conference, please stop by to say hello. I like it when people say hello. The next Patch Tuesday of 2024 will be on April 9, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!