March Patch Tuesday throws up two critical Hyper-V flaws

Microsoft has fixed a pair of critical vulnerabilities in Windows Hyper-V, one leading to remote code execution (RCE) if exploited, on a remarkably light Patch Tuesday. The fixes come amid a slimline update comprising barely 60 common vulnerabilities and exposures (CVEs), none of them rated as zero-days.

Although the paucity of updates will come as a relief to security teams, the timing of such a small drop has surprised some – as Dustin Childs of Trend Micro’s Zero-Day Initiative (ZDI) observed, with the annual Pwn2Own hacking contest just over a week away, one might have expected Redmond to have been pushing more patches than usual.

“This month’s Patch Tuesday presents a reduction in fixed vulnerabilities from Microsoft, totalling 60, a decrease from last month’s 74 updates,” said Mike Walters, president and co-founder of patch management specialist Action1.

“Remarkably, we’re seeing only two critical vulnerabilities addressed, fewer than in February, highlighting a positive trend. Notably absent this month are any zero-day vulnerabilities or proof of concepts (PoCs), underscoring a moment of relative calm.”

The RCE vulnerability, tracked as CVE-2024-21407, carries a CVSS base score of 8.1. To exploit it, an authenticated attacker on a guest virtual machine (VM) needs to send specially-crafted file operation requests on the VM to hardware resources on the VM, which Microsoft said could lead to RCE on the host.

However, successful exploitation will also require the attacker to have specific information on the target environment at their fingertips, and according to Microsoft there are a number of additional actions they also need to take to soften up the target, so the complexity of the attack is quite high.

“As of this announcement, there have been no public disclosures or known exploitations of this vulnerability. Yet, given its critical severity and possible consequences, it is crucial for Windows Hyper-V users to promptly implement the provided updates to mitigate exposure,” said Walters.

“This vulnerability is applicable to systems running Windows 10 and newer, as well as Windows Server 2012 and newer that are equipped with the Hyper-V role. Users are urged to apply Microsoft’s official patch to safeguard against this issue. Additionally, adhering to best practices for VM and host server security – like minimising user privileges, narrowing network access, and vigilantly monitoring for unusual activities – is strongly advised,” he added.

The second critical flaw in Windows Hyper-V is tracked as CVE-2024-21408, and carries a CVSS base score of 5.5. Left unchecked, it enables a denial of service (DoS) attack, but Microsoft’s update provides no details of how it can be exploited.

Some of the other more notable issues this month include another RCE flaw in Microsoft Exchange Server, tracked as CVE-2024-26198, which falls short of being rated as critical because it requires a user to be tricked into opening a specially crafted file. In addition to patching, defenders may also wish to review their email server security settings, and remind users to exercise caution if they receive unsolicited or unverified files.

For similar reasons, security teams may also wish to prioritise a SharePoint Server RCE vulnerability, tracked as CVE-2024-21426, successful exploitation of which again requires a user to open a malicious file.

Another high-risk vulnerability this month is CVE-2024-21411, in Skype for Consumer. An RCE flaw with a CVSS base score of 8.8, this issue can be exploited if an attacker sends a malicious link or image via instant message, and the fact that it can be found in a widely-used consumer product is of concern, even though there are no known public disclosures or active exploits.