
Post-Patch Tuesday Roundup: March 2024

Welcome to the Softcat Patch Tuesday roundup for March 2024, where we offer insight into the major patches released this month. In this edition, we focus on the patches released by Microsoft, Fortinet, Cisco, Adobe, Apple, VMware, and SAP.

David Pearson

Cyber Security Assessor

Microsoft

In their March Patch Tuesday release, Microsoft has addressed 61 vulnerabilities, two of which are rated critical and could result in denial of service or remote code execution. The total includes eighteen remote code execution flaws.

The patches cover a broad array of applications and services, including Windows, Outlook, Visual Studio Pro, Office, Azure, Hyper-V and more.

Critical Vulnerabilities

CVE-2024-21407: This is a Remote Code Execution vulnerability in Windows Hyper-V that can allow an attacker to execute arbitrary code on the host server from a guest VM. This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests to hardware resources, resulting in remote code execution. According to the CVSS metrics, it carries a high impact on confidentiality, integrity, and availability, with a complexity rating of high, indicating that an attacker would need to perform significant reconnaissance and preparation to exploit it. It has a CVSS score of 8.1/7.1. Acknowledged by @australeo (chief banana), this vulnerability highlights the crucial need for stringent access controls and monitoring within virtualised environments. While the exploit code maturity is listed as unproven, meaning an exploit is less likely, the severity of this vulnerability is critical.

CVE-2024-21408: This is a Denial of Service vulnerability in Windows Hyper-V that can allow an attacker to disrupt service operations, rendering them unavailable to legitimate users. The vulnerability has a local attack vector, meaning it requires local access to the system to be exploited, with low attack complexity and low privileges required. Despite its potential to significantly impact availability, it does not affect confidentiality or integrity, as reflected in its CVSS scores of 5.5/4.8. Acknowledged by HongZhenhao with the TianGong Team of Legendsec at Qi'anxin Group, this critical severity issue underscores the importance of controlling access to virtualisation environments and applying the official fix released by Microsoft. With exploit code maturity labelled as unproven and exploitation assessed as less likely, the immediate risk is somewhat reduced; nevertheless, a critical rating on a core virtualisation component calls for vigilance and prompt application of the available update to ensure service continuity.

Vulnerabilities more likely to be exploited

These are vulnerabilities that Microsoft has deemed more likely to be exploited, according to its Exploitability Index: microsoft.com/en-us/msrc/exploitability-index

CVE-2024-21437: This is an Elevation of Privilege vulnerability in the Windows Graphics Component that could allow an attacker to gain SYSTEM privileges, essentially granting them full control over the affected system. The vulnerability requires local access with low privileges and no user interaction, indicating that an attacker would need to have an established presence on the system to exploit this flaw. Despite the low barrier to exploitation (low attack complexity), the vulnerability has been rated as Important, with a CVSS score of 7.8/6.8, reflecting its potential to significantly impact confidentiality, integrity, and availability.

CVE-2024-26170: This is an Elevation of Privilege vulnerability in the Windows Composite Image File System (CimFS) that could allow an attacker to gain specific, limited SYSTEM privileges. Exploitation requires local access and low privileges but no user interaction, giving it a relatively straightforward exploitation path (low attack complexity). Rated as Important, with a CVSS score of 7.8/6.8, the vulnerability poses a significant threat to system confidentiality, integrity, and availability. Although exploit code maturity is unproven, exploitation is assessed as more likely, which makes prompt application of Microsoft's official fix important.

CVE-2024-26182: This vulnerability in the Windows Kernel allows for an Elevation of Privilege and is rated Important due to its significant potential impact. Discovered by Mateusz Jurczyk of Google Project Zero, it allows an attacker with local access and low privileges to escalate to SYSTEM level without any user interaction. The CVSS scores of 7.8/6.8 underline the serious risk it poses to the confidentiality, integrity, and availability of affected systems. Given its low attack complexity, the low privileges required, and the absence of any user interaction, exploitation of this flaw is considered more likely, despite the exploit code maturity being labelled as unproven.

Fortinet

Fortinet has had a difficult month, with the disclosure of two top-tier severity flaws in FortiSIEM and a critical vulnerability in FortiOS. They are urging users to apply the available security patches quickly to safeguard their networks. Highlighted vulnerabilities include two critical out-of-bounds write issues in the FortiOS and FortiProxy captive portal, alongside a high-severity authorisation bypass in SSLVPN bookmarks:

CVE-2023-42789 & CVE-2023-42790: FortiOS & FortiProxy – Out-of-bounds Write in captive portal | CVSS 9.3 – Critical

CVE-2024-23112: FortiOS & FortiProxy – Authorisation bypass in SSLVPN bookmarks | CVSS 7.2 – High


Apple

Apple has released security updates for iOS, iPadOS, Safari, macOS, watchOS, tvOS, and visionOS to address various vulnerabilities. These updates are crucial to prevent potential data breaches and system hijacking by cyber threat actors. Users and administrators are urged to review and apply these updates, specifically for Safari 17.4, macOS Sonoma 14.4, macOS Ventura 13.6.5, macOS Monterey 12.7.4, watchOS 10.4, tvOS 17.4, and visionOS 1.1, immediately to ensure their systems are protected.

Apple Released Security Updates for Multiple Products

Apple Releases Security Updates for iOS and iPadOS


Cisco

In March 2024, Cisco addressed multiple security vulnerabilities across their product range, highlighting critical to medium-severity issues. These included unauthenticated REST API access in SD-WAN vManage, injection and privilege escalation vulnerabilities in Cisco Secure Client, and a range of issues in Duo Authentication, Small Business Wireless Access Points, and AppDynamics Controller. Updates and fixes were released to mitigate these vulnerabilities, emphasising the importance of applying the latest security patches to maintain network and system integrity.

CVE-2023-20214: Cisco SD-WAN vManage Unauthenticated REST API Access | Critical | 9.1

CVE-2024-20337: Cisco Secure Client Carriage Return Line Feed Injection | High | 8.2

CVE-2024-20338: Cisco Secure Client for Linux with ISE Posture Module Privilege Escalation Vulnerability | High | 7.3

CVE-2023-38545: cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 | High | 7.5


VMware

VMware released several security advisories in early 2024, addressing vulnerabilities ranging from moderate to critical severity across products like Cloud Director, ESXi, Workstation, Fusion, and Aria Operations. These updates target issues including partial information disclosure, multiple security vulnerabilities in core virtualisation products, an out-of-bounds read vulnerability, arbitrary authentication relay, session hijack vulnerabilities in the Enhanced Authentication Plug-in, and a local privilege escalation vulnerability. Users of the affected VMware products are advised to apply the updates promptly to ensure security and protect against potential exploits.


Adobe

In March 2024, Adobe issued six updates to rectify 56 vulnerabilities across various applications, including Adobe Experience Manager, Premiere Pro, and others. A significant update for Experience Manager resolves 46 CVEs, primarily XSS vulnerabilities, while Adobe Animate receives a fix for four CVEs, with one posing a critical threat of arbitrary code execution. Premiere Pro and ColdFusion patches address critical vulnerabilities requiring user interaction and an arbitrary file system read issue, respectively. Updates for Adobe Bridge and Lightroom also tackle critical bugs. Adobe has moved to email-only patch notifications, a change from their usual Twitter announcements.

Adobe Experience Manager – 43 Important, 3 Moderate

Adobe Premiere Pro – 2 Critical

Adobe ColdFusion – 1 Critical

Adobe Bridge – 4 Critical

Adobe Lightroom – 1 Critical

Adobe Animate – 1 Critical, 3 Important

For the latest protections, users are encouraged to update to the recommended versions. All of the above vulnerabilities are rated as a priority 3 by Adobe, meaning they relate to a product that has historically not been a target for attackers.


SAP

SAP has released 10 new security notes and 2 updates to previous security notes. Six of these CVEs are rated “High” or “Hot News” (Very High). The products affected by the high to very high rated CVEs are:

- SAP Business Client, Versions 6.5, 7.0, 7.70: CVSS 10.0

- SAP Build Apps, Versions < 4.9.145: CVSS 9.4

- SAP NetWeaver AS Java (Administrator Log Viewer plug-in), Version 7.50: CVSS 9.1

- SAP Commerce, Versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211: CVSS 8.8

- SAP HANA Database, Version 2.0 and SAP HANA Extended Application Services Advanced (XS Advanced), Version 1.0: CVSS 7.5

- SAP BusinessObjects Business Intelligence Platform (Central Management Console), Versions 4.3: CVSS 7.2

As always, users are recommended to install the latest security updates, when possible, to protect their systems from potential threats.