March Patch Tuesday sees Hyper-V join the guest-host escape club – Source: go.theregister.com

Patch Tuesday Microsoft’s monthly patch drop has arrived, delivering a mere 61 CVE-tagged vulnerabilities – none listed as under active attack or already known to the public.

We’ll hold our judgement until tomorrow to see if Exploit Wednesday lives up to its name. But in the meantime, here’s a look at Redmond’s security bugs.

Two of the latest patches are listed as critical and both affect Windows Hyper-V hypervisor. Oddly, the two critical bugs didn’t receive the highest CVSS ratings – but more on that in a bit.

CVE-2024-21407, a critical remote code execution (RCE) vulnerability in Hyper-V with an 8.1 CVSS severity rating, is listed as “exploitation less likely” by Redmond.

“This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM which could result in remote code execution on the host server,” according to the security update.

The Zero Day Initiative’s Dustin Childs noted that this type of flaw – often called a “guest-to-host escape” – could be used to manipulate other guest OSes on the server. “It’s a shame we won’t see this bug get exploited at Pwn2Own next week, where it could have won $250,000,” Childs lamented. “Maybe next year.” Or maybe on VMware, which last week revealed its own sandbox escape flaw.

The second critical vulnerability, CVE-2024-21408, is a denial of service (DOS) flaw in Hyper-V that earned a 5.5 CVSS rating as it means an attacker could send a specially crafted packet to a Hyper-V server and induce a denial-of-service attack. Since it’s not classified as an RCE or elevation-of-privilege flaw, we’re assuming that the denial of service wouldn’t allow either. Microsoft hasn’t published an FAQ about this one as it’s rated it less likely to be exploited than the other Hyper-V hole.

Not critical, but 9+ CVSS ratings

The most severe flaw this month in terms of CVSS scores is CVE-2024-21334, a 9.8-rated Open Management Infrastructure (OMI) RCE vulnerability. It would allow a remote, unauthenticated attacker to access the OMI instance from the internet, send a specially crated request, and trigger a user-after-free vulnerability.

If you’re not able to update now, Microsoft suggests disabling ports that OMI uses for incoming traffic as long as Linux machines do not need network listening.

“Considering this is a simple Use After Free (UAF) bug on a juicy target, I would expect to see scanning for TCP port 5986 on the uptick soon,” the Zero Day Initiative’s Dustin Childs warned.

• Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability
• JetBrains is still mad at Rapid7 for the ransomware attacks on its customers
• Cybercrime crew Magnet Goblin bursts onto the scene exploiting Ivanti holes
• Apple’s trademark tight lips extend to new iPhone, iPad zero-days

Another bug with a high CVSS rating that didn’t earn a critical label from Microsoft is CVE-2024-21400, a 9.0-rated elevation or privilege flaw in Microsoft Azure Kubernetes Service Confidential Containers that could be used to bypass security and steal credentials.

“The breach essentially opens a backdoor for attackers, compromising the confidentiality and integrity of the confidential system,” Automox security engineer Mat Lee noted.

“The mechanics of this vulnerability involve exploiting the container’s security boundaries using ‘az confcom’, a command line tool for interacting with confidential resources, leading to unauthorized access to sensitive information,” Lee explained. “Given the increasing adoption of confidential containers for deploying applications, the potential impact of this vulnerability is substantial.”

Microsoft’s bulletin details the commands needed to shore up this flaw, so be sure to check it out and patch ASAP.

Adobe addresses 56 bugs

Adobe’s monthly patch-a-thon saw the outfit release six fixes addressing 56 vulnerabilities in Experience Manager, Premiere Pro, ColdFusion, Bridge, Lightroom and Animate. None of these are listed as being under active exploitation.

A whopping 46 of the 56 flaws are in Adobe Experience Manager, and all but two of the 46 are cross-site scripting (XSS) bugs that could lead to arbitrary code execution. The other two are improper input validation vulnerabilities that could be exploited to bypass security features. All 46 are deemed important or moderate severity.

The patch for Premiere Pro fixes two critical-severity bugs, and the ColdFusion update also addresses a critical vulnerability that could be abused for code execution.

Both Adobe Bridge and Adobe Animate shore up four critical and important CVEs, while the Lightroom patch fixes one critical vulnerability.

Intel, AMD join in the fun

Intel pushed eight patches to address 11 CVEs across its hardware, firmware and software products. None are critical, but there are a couple of high-severity, 7.2-rated bugs.

CVE-2023-32666 could allow escalation of privilege or information disclosure in some 4th Generation Intel Xeon processors that use Intel Software Guard Extensions (SGX) or Intel Trust Domain Extensions (TDX).

CVE-2023-32282 is a race-condition vulnerability in BIOS firmware for some Intel processors that could allow a privileged user to escalate privilege if they enjoy local access.

The other six Intel advisories all address medium-severity flaws.

AMD’s pair of advisories include a race-condition bug tracked as CVE-2024-2193. This flaw was spotted by researchers Hany Ragab and Cristiano Giuffrida from the VUSec group at VU Amsterdam, and Andrea Mambretti and Anil Kurmus from IBM Research Europe, Zurich. The team disclosed the issue to AMD, and published a paper titled “Generic and Automated Drive-by GPU Cache Attacks from the Browser“.

AMD recommends customers follow its earlier guidance [PDF] on mitigating Spectre-type attacks to address this vulnerability.

The second vulnerability, which could lead to a side-channel attack, hasn’t been assigned a CVE.

“AMD is aware of a paper titled ‘Generic and Automated Drive-by GPU Cache Attacks from the Browser’ being published by researchers from Graz University of Technology and The University of Rennes,” the security advisory notes, adding, “AMD does not believe that any exploit against AMD products is demonstrated by the researchers.”

SAP and Cisco smash (and update) security flaws

SAP contributed to Patch Tuesday with a dozen new and updated Security Notes. Three are HotNews Notes – SAP’s highest-severity security warnings – one of which describes a recurring update for SAP Business Client including the latest supported Chromium patches.

Hot News Note #3425274 fixes a 9.4-rated code injection vulnerability in applications built with SAP Build Apps. And Hot News Note #3433192 addresses a 9.1-rated code injection vulnerability in SAP NetWeaver AS Java.

Cisco today updated an earlier, 9.1-rated critical vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software.

First disclosed last year, CVE-2023-20214 “could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance.”

We’re told this is the last update to address this flaw.

The networking vendor also today updated a Mach 6 advisory about CVE-2024-20337, a flaw in the SAML authentication process of Cisco Secure Client. It could allow an unauthenticated, remote attacker to perform a carriage return line feed injection attack against a user.

Plus, there’s a handful of other Cisco advisories published this month, so be sure to check those out too.

Android fixes two critical bugs

Google earlier this month addressed 38 flaws in its March Android security bulletin. The most severe is CVE-2024-0039, a critical RCE bug in the System component that requires no additional execution privileges, we’re told.

There’s another critical-rated System vulnerability tracked as CVE-2024-23717 that could allow elevation of privilege.

Fortinet joins the patch party

Fortinet also released five security updates today to fix flaws in several of its products.

This includes a critical out-of-bounds write vulnerability (CVE-2023-42789) and stack-based buffer overflow (CVE-2023-42790) in multiple versions of both FortiOS and FortiProxy that could “allow an inside attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests,” according to the vendor’s security advisory. The two bugs received a 9.3 CVSS rating.

CVE-2023-48788, another 9.3-rated SQL-injection flaw in FortiClient Enterprise Management Server (FortiClientEMS) could allow an unauthenticated attacker to send specially crafted requests and then execute unauthorized code.

A high-severity, 8.7-rated bug tracked as CVE-2023-47534 also exists in FortiClientEMS. It’s due to an improper neutralization of formula elements in a CSV File in several versions of this software. If exploited it could allow a remote, unauthenticated attacker “to execute arbitrary commands on the admin workstation via creating malicious log entries with crafted requests to the server,” Fortinet noted.

A 7.7-rated improper access control vulnerability tracked as CVE-2023-36554 means FortiWLM MEA for FortiManager could also be exploited by an unauthenticated, remote attacker to execute arbitrary commands.

Then there’s a high-severity authorization bypass flaw in multiple versions of FortiOS and FortiProxy SSLVPN bookmarks, which could allow an authenticated attacker to gain access to another user’s bookmarks via URL manipulation. It’s tracked as CVE-2024-23112 and earned a 7.2 CVSS rating.

Finally, CVE-2023-46717 is a 6.7-rated improper authentication vulnerability in multiple versions of FortiOS that can allow escalation of privilege. “FortiOS when configured with FortiAuthenticator in HA may allow an authenticated attacker with at least read-only permission to gain read-write access via successive login attempts,” the vendor explained. ®