Report Name: Microsoft Patch Tuesday, March 2024
Generated: 2024-03-12 23:06:21

Product Name	Prevalence	U	C	H	M	L	A	Comment
Windows Kernel	0.9				8		8	Windows Kernel
Chromium	0.8				13		13	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
Microsoft Defender	0.8				1		1	Anti-malware component of Microsoft Windows
Microsoft Edge	0.8			1	3		4	Web browser
Microsoft Office	0.8				1		1	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Microsoft Windows SCSI Class System File	0.8				1		1	Windows component
Windows Cloud Files Mini Filter Driver	0.8				1		1	Windows component
Windows Composite Image File System (CimFS)	0.8				1		1	Windows component
Windows Compressed Folder	0.8				1		1	Windows component
Windows Error Reporting Service	0.8				1		1	Windows component
Windows Graphics Component	0.8				1		1	Windows component
Windows Installer	0.8				1		1	Windows component
Windows Kerberos	0.8				1		1	Windows component
Windows NTFS	0.8				1		1	The default file system of the Windows NT family
Windows OLE	0.8			1			1	Windows component
Windows Print Spooler	0.8				1		1	Windows component
Windows Standards-Based Storage Management Service	0.8				1		1	Windows component
Windows Telephony Server	0.8				1		1	Windows component
Windows USB Attached SCSI (UAS) Protocol	0.8			1			1	Windows component
Windows USB Hub Driver	0.8				1		1	Windows component
Windows USB Print Driver	0.8				2		2	Windows component
Windows Update Stack	0.8				1		1	Windows component
.NET and Visual Studio	0.7			1			1	.NET and Visual Studio
Windows Hyper-V	0.6				2		2	Hardware virtualization component of the client editions of Windows NT
Azure Data Studio	0.5			1			1	Azure Data Studio
Azure SDK	0.5				1		1	Azure SDK
Hypervisor-Protected Code Integrity (HVCI)	0.5				1		1	Hypervisor-Protected Code Integrity (HVCI)
Microsoft AllJoyn API	0.5				1		1	Microsoft AllJoyn API
Microsoft Authenticator	0.5				1		1	Microsoft Authenticator
Microsoft Azure Kubernetes Service Confidential Container	0.5			1			1	Microsoft Azure Kubernetes Service Confidential Container
Microsoft Defender for Endpoint Protection	0.5				1		1	Microsoft Defender for Endpoint Protection
Microsoft Django Backend for SQL Server	0.5				1		1	Microsoft Django Backend for SQL Server
Microsoft Dynamics 365 (on-premises)	0.5				1		1	Microsoft Dynamics 365 (on-premises)
Microsoft Edge for Android (Chromium-based)	0.5				1		1	Microsoft Edge for Android (Chromium-based)
Microsoft Exchange	0.5				1		1	Microsoft Exchange
Microsoft Intune Linux Agent	0.5				1		1	Microsoft Intune Linux Agent
Microsoft ODBC Driver	0.5				4		4	Microsoft ODBC Driver
Microsoft QUIC	0.5				1		1	Microsoft QUIC
Microsoft SharePoint Server	0.5				1		1	Microsoft SharePoint Server
Microsoft Teams for Android	0.5				1		1	Microsoft Teams for Android
Microsoft WDAC OLE DB provider for SQL Server	0.5				5		5	Microsoft WDAC OLE DB provider for SQL Server
Open Management Infrastructure (OMI)	0.5			1	1		2	Open Management Infrastructure (OMI)
Outlook for Android	0.5				1		1	Outlook for Android
Skype for Consumer	0.5				1		1	Skype for Consumer
Software for Open Networking in the Cloud (SONiC)	0.5				1		1	Software for Open Networking in the Cloud (SONiC)
runc	0.5		1				1	Product detected by a:linuxfoundation:runc (exists in CPE dict)
Visual Studio Code	0.3				1		1	Integrated development environment
Unknown Product	0					1	1	Unknown Product

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0			2	16		18
Security Feature Bypass	0.9				7		7
Elevation of Privilege	0.85			3	22		25
Information Disclosure	0.83		1	1	7		9
Cross Site Scripting	0.8				1		1
Denial of Service	0.7			1	5		6
Memory Corruption	0.5				8		8
Spoofing	0.4				4		4
Tampering	0.3				1		1
Unknown Vulnerability Type	0					1	1

Source	U	C	H	M	L	A
MS PT Extended		1	1	18		20
Qualys				8		8
Tenable			1	13		14
Rapid7			1	5		6
ZDI			1	3		4

Urgent (0)

Critical (1)

1. Information Disclosure - runc (CVE-2024-21626) - Critical [648]

Description: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

MS PT Extended: CVE-2024-21626 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

High (7)

2. Elevation of Privilege - Azure Data Studio (CVE-2024-26203) - High [480]

Description: Azure Data Studio Elevation of Privilege Vulnerability

3. Remote Code Execution - Windows USB Attached SCSI (UAS) Protocol (CVE-2024-21430) - High [464]

Description: Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability

4. Information Disclosure - Microsoft Edge (CVE-2024-26192) - High [424]

Description: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

MS PT Extended: CVE-2024-26192 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

5. Elevation of Privilege - Microsoft Azure Kubernetes Service Confidential Container (CVE-2024-21400) - High [423]

Description: Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

Rapid7: Azure Kubernetes admins should take note of CVE-2024-21400, which allows an unauthenticated attacker to take over confidential guests and containers, with other outcomes including credential theft and resource impact beyond the scope managed by the Azure Kubernetes Service Confidential Containers (AKSCC). Microsoft describes AKSCC as providing a set of features and capabilities to further secure standard container workloads when working with sensitive data such as PII. The advisory describes additional steps for remediation beyond merely patching AKSCC, including upgrading to the latest version of the az confcom Azure CLI confidential computing extension and Kata Image.

ZDI: CVE-2024-21400 – Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability. This bug allows an unauthenticated attacker to access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers. Successful exploitation would allow the attacker to steal credentials and affect other resources. While that’s bad enough, patching won’t be straightforward. Customers must ensure they are running the latest version of “az confcom” and Kata Image. The bulletin contains additional information on the commands needed. Be sure to check it out.

6. Remote Code Execution - Windows OLE (CVE-2024-21435) - High [419]

Description: Windows OLE Remote Code Execution Vulnerability

7. Denial of Service - .NET and Visual Studio (CVE-2024-21392) - High [417]

Description: .NET and Visual Studio Denial of Service Vulnerability

8. Elevation of Privilege - Open Management Infrastructure (OMI) (CVE-2024-21330) - High [411]

Description: Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability

Tenable: CVE-2024-21334 is a RCE affecting the open-source Open Management Infrastructure (OMI) management server. It was assigned a CVSSv3 score of 9.8 and is rated important. To exploit this vulnerability, a remote unauthenticated attacker could use a specially crafted request to trigger a use-after-free vulnerability. In addition, OMI received another patch this month, CVE-2024-21330 to address an EoP vulnerability.

Medium (71)

9. Elevation of Privilege - Microsoft Intune Linux Agent (CVE-2024-26201) - Medium [399]

Description: Microsoft Intune Linux Agent Elevation of Privilege Vulnerability

10. Elevation of Privilege - Windows Kernel (CVE-2024-26173) - Medium [397]

Description: Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 are EoP vulnerabilities affecting the Windows Kernel. These vulnerabilities are all rated as important, and each was assigned a CVSSv3 score of 7.8 with the exception of CVE-2024-21443 which was scored as 7.3. CVE-2024-26182 was the only Windows Kernel EoP rated as “Exploitation More Likely.” Successful exploitation of these vulnerabilities could lead to an attacker gaining SYSTEM privileges.

11. Elevation of Privilege - Windows Kernel (CVE-2024-26176) - Medium [397]

Description: Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 are EoP vulnerabilities affecting the Windows Kernel. These vulnerabilities are all rated as important, and each was assigned a CVSSv3 score of 7.8 with the exception of CVE-2024-21443 which was scored as 7.3. CVE-2024-26182 was the only Windows Kernel EoP rated as “Exploitation More Likely.” Successful exploitation of these vulnerabilities could lead to an attacker gaining SYSTEM privileges.

12. Elevation of Privilege - Windows Kernel (CVE-2024-26178) - Medium [397]

Description: Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 are EoP vulnerabilities affecting the Windows Kernel. These vulnerabilities are all rated as important, and each was assigned a CVSSv3 score of 7.8 with the exception of CVE-2024-21443 which was scored as 7.3. CVE-2024-26182 was the only Windows Kernel EoP rated as “Exploitation More Likely.” Successful exploitation of these vulnerabilities could lead to an attacker gaining SYSTEM privileges.

13. Elevation of Privilege - Windows Kernel (CVE-2024-26182) - Medium [397]

Description: Windows Kernel Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 are EoP vulnerabilities affecting the Windows Kernel. These vulnerabilities are all rated as important, and each was assigned a CVSSv3 score of 7.8 with the exception of CVE-2024-21443 which was scored as 7.3. CVE-2024-26182 was the only Windows Kernel EoP rated as “Exploitation More Likely.” Successful exploitation of these vulnerabilities could lead to an attacker gaining SYSTEM privileges.

14. Remote Code Execution - Windows USB Hub Driver (CVE-2024-21429) - Medium [395]

Description: Windows USB Hub Driver Remote Code Execution Vulnerability

15. Security Feature Bypass - Windows Kerberos (CVE-2024-21427) - Medium [389]

Description: Windows Kerberos Security Feature Bypass Vulnerability

16. Elevation of Privilege - Windows Kernel (CVE-2024-21443) - Medium [385]

Description: Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 are EoP vulnerabilities affecting the Windows Kernel. These vulnerabilities are all rated as important, and each was assigned a CVSSv3 score of 7.8 with the exception of CVE-2024-21443 which was scored as 7.3. CVE-2024-26182 was the only Windows Kernel EoP rated as “Exploitation More Likely.” Successful exploitation of these vulnerabilities could lead to an attacker gaining SYSTEM privileges.

17. Elevation of Privilege - Microsoft Office (CVE-2024-26199) - Medium [380]

Description: Microsoft Office Elevation of Privilege Vulnerability

18. Elevation of Privilege - Microsoft Windows SCSI Class System File (CVE-2024-21434) - Medium [380]

Description: Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability

19. Elevation of Privilege - Windows Composite Image File System (CimFS) (CVE-2024-26170) - Medium [380]

Description: Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

20. Elevation of Privilege - Windows Error Reporting Service (CVE-2024-26169) - Medium [380]

Description: Windows Error Reporting Service Elevation of Privilege Vulnerability

21. Elevation of Privilege - Windows Graphics Component (CVE-2024-21437) - Medium [380]

Description: Windows Graphics Component Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

22. Elevation of Privilege - Windows Installer (CVE-2024-21436) - Medium [380]

Description: Windows Installer Elevation of Privilege Vulnerability

23. Elevation of Privilege - Windows NTFS (CVE-2024-21446) - Medium [380]

Description: NTFS Elevation of Privilege Vulnerability

24. Elevation of Privilege - Windows USB Print Driver (CVE-2024-21442) - Medium [380]

Description: Windows USB Print Driver Elevation of Privilege Vulnerability

25. Remote Code Execution - Open Management Infrastructure (OMI) (CVE-2024-21334) - Medium [380]

Description: Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

Tenable: CVE-2024-21334 | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

Tenable: CVE-2024-21334 is a RCE affecting the open-source Open Management Infrastructure (OMI) management server. It was assigned a CVSSv3 score of 9.8 and is rated important. To exploit this vulnerability, a remote unauthenticated attacker could use a specially crafted request to trigger a use-after-free vulnerability. In addition, OMI received another patch this month, CVE-2024-21330 to address an EoP vulnerability.

ZDI: CVE-2024-21334 – Open Management Infrastructure (OMI) Remote Code Execution Vulnerability. This bug rates the highest CVSS rating for this release with a 9.8. It would allow a remote, unauthenticated attacker to execute code on OMI instances on the Internet. It’s not clear how many of these systems are reachable through the Internet, but it’s likely a significant number. Microsoft gives this an “Exploitation less likely” rating, but considering this is a simple Use After Free (UAF) bug on a juicy target, I would expect to see scanning for TCP port 5986 on the uptick soon.

26. Remote Code Execution - Windows Hyper-V (CVE-2024-21407) - Medium [373]

Description: Windows Hyper-V Remote Code Execution Vulnerability

Qualys: CVE-2024-21407: Windows Hyper-V Remote Code Execution Vulnerability An authenticated attacker on a guest VM must send specially crafted file operation requests to hardware resources to perform remote code execution on the host server. Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions before exploitation to prepare the target environment.

Tenable: Microsoft’s March 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-21407)

Tenable: CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability

Tenable: CVE-2024-21407 is a RCE vulnerability in Windows Hyper-V. This vulnerability was assigned a CVSSv3 score of 8.1 and is rated critical. Successful exploitation of this vulnerability requires that an attacker be authenticated and gather information about the target environment in order to craft their exploit. While the attack complexity is high, exploitation could result in code execution on the host server.

Rapid7: Attackers hoping to escape from a Hyper-V guest virtual machine (VM) and achieve RCE on the Hyper-V host will be interested in CVE-2024-21407. Microsoft describes attack complexity as high: an attacker must first gather information specific to the environment and carry out unspecified preparatory work. Exploitation is via specially crafted file operation requests on the VM to hardware resources on the VM. Every supported version of Windows receives a patch. The advisory describes that no privileges are required for exploitation of the Hyper-V host, although an attacker will presumably need an existing foothold on a guest VM.

ZDI: CVE-2024-21407 – Windows Hyper-V Remote Code Execution Vulnerability. This is one of the two Critical-rated bugs for this month, and this is the only one that could result in code execution. This vulnerability would allow a user on a guest OS to execute arbitrary code on the host OS. This is often referred to as a guest-to-host escape and could be used to impact other guest OSes on the server. It’s a shame we won’t see this bug get exploited at Pwn2Own next week, where it could have won $250,000. Maybe next year.

27. Information Disclosure - Windows Kernel (CVE-2024-26174) - Medium [369]

Description: Windows Kernel Information Disclosure Vulnerability

28. Information Disclosure - Windows Kernel (CVE-2024-26177) - Medium [369]

Description: Windows Kernel Information Disclosure Vulnerability

29. Remote Code Execution - Microsoft Django Backend for SQL Server (CVE-2024-26164) - Medium [369]

Description: Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability

30. Remote Code Execution - Microsoft Exchange (CVE-2024-26198) - Medium [369]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability

Rapid7: A single Exchange vulnerability receives a patch this month. Microsoft describes CVE-2024-26198 as a RCE vulnerability for Exchange, where an attacker places a specially-crafted DLL file into a network share or other file-sharing resource, and convinces the user to open it. Although the FAQ on the advisory asks: “What is the target context of the remote code execution?”, the answer boils down to ”[exploitation] results in loading a malicious DLL”. Since the context of the user opening the malicious file is not specified — an Exchange admin? a user running a mail client connecting to Exchange? something else altogether? — it remains unclear what an attacker might be able to achieve.

Rapid7: It remains vitally important to patch any on-premises instances of Exchange, a perennial attacker favourite. Exchange 2016 admins who were dismayed by the lack of patch for last month’s CVE-2024-21410 may feel somewhat reassured that Microsoft has issued a patch which claims to fully remediate this month’s CVE-2024-26198, but in the absence of any explicit advice to the contrary, a fully-patched Exchange 2016 remains unprotected against CVE-2024-21410 unless the guidance on that advisory is followed.

ZDI: CVE-2024-26198 – Microsoft Exchange Server Remote Code Execution Vulnerability. It seems there are Exchange patches almost every month now, and March is no different. This bug is a classic DLL loading vulnerability. An attacker places a specially crafted file in a location they control. They then entice a user to open the file, which loads the crafted DLL and leads to code execution. Last month, Microsoft stated the Exchange bug was being actively exploited only after the release. This bug is currently NOT listed as exploited in the wild, but I’ll update this blog should Microsoft change its mind (again).

31. Remote Code Execution - Microsoft ODBC Driver (CVE-2024-21440) - Medium [369]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability

32. Remote Code Execution - Microsoft ODBC Driver (CVE-2024-21451) - Medium [369]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability

33. Remote Code Execution - Microsoft ODBC Driver (CVE-2024-26159) - Medium [369]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability

34. Remote Code Execution - Microsoft ODBC Driver (CVE-2024-26162) - Medium [369]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability

35. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2024-21441) - Medium [369]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 are RCE vulnerabilities affecting the Microsoft WDAC OLE DB provider for SQL Server. These vulnerabilities are rated as important, and were assigned CVSSV3 scores of 8.8. Successful exploitation requires an authenticated user to be enticed to connect to a malicious SQL database. Once a connection is made, specially crafted replies can be sent to the client in order to exploit the vulnerability and allow the execution of arbitrary code.

36. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2024-21444) - Medium [369]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 are RCE vulnerabilities affecting the Microsoft WDAC OLE DB provider for SQL Server. These vulnerabilities are rated as important, and were assigned CVSSV3 scores of 8.8. Successful exploitation requires an authenticated user to be enticed to connect to a malicious SQL database. Once a connection is made, specially crafted replies can be sent to the client in order to exploit the vulnerability and allow the execution of arbitrary code.

37. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2024-21450) - Medium [369]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 are RCE vulnerabilities affecting the Microsoft WDAC OLE DB provider for SQL Server. These vulnerabilities are rated as important, and were assigned CVSSV3 scores of 8.8. Successful exploitation requires an authenticated user to be enticed to connect to a malicious SQL database. Once a connection is made, specially crafted replies can be sent to the client in order to exploit the vulnerability and allow the execution of arbitrary code.

38. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2024-26161) - Medium [369]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 are RCE vulnerabilities affecting the Microsoft WDAC OLE DB provider for SQL Server. These vulnerabilities are rated as important, and were assigned CVSSV3 scores of 8.8. Successful exploitation requires an authenticated user to be enticed to connect to a malicious SQL database. Once a connection is made, specially crafted replies can be sent to the client in order to exploit the vulnerability and allow the execution of arbitrary code.

39. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2024-26166) - Medium [369]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 are RCE vulnerabilities affecting the Microsoft WDAC OLE DB provider for SQL Server. These vulnerabilities are rated as important, and were assigned CVSSV3 scores of 8.8. Successful exploitation requires an authenticated user to be enticed to connect to a malicious SQL database. Once a connection is made, specially crafted replies can be sent to the client in order to exploit the vulnerability and allow the execution of arbitrary code.

40. Remote Code Execution - Skype for Consumer (CVE-2024-21411) - Medium [369]

Description: Skype for Consumer Remote Code Execution Vulnerability

41. Elevation of Privilege - Windows Print Spooler (CVE-2024-21433) - Medium [368]

Description: Windows Print Spooler Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

Tenable: CVE-2024-21433 | Windows Print Spooler Elevation of Privilege Vulnerability

Tenable: CVE-2024-21433 is an EoP vulnerability in Windows Print Spooler. This vulnerability is rated as ”Exploitation More Likely,” and was assigned a CVSSv3 score of 7.0. Exploitation of this vulnerability would require an attacker to win a race condition which could grant the attacker SYSTEM privileges.

Rapid7: Another site of “exploitation more likely” vulnerabilities this month: the Windows Print Spooler service. A local attacker who successfully exploits CVE-2024-21433 via winning a race condition could elevate themselves to SYSTEM privileges.

42. Elevation of Privilege - Windows Telephony Server (CVE-2024-21439) - Medium [368]

Description: Windows Telephony Server Elevation of Privilege Vulnerability

43. Elevation of Privilege - Windows USB Print Driver (CVE-2024-21445) - Medium [368]

Description: Windows USB Print Driver Elevation of Privilege Vulnerability

44. Elevation of Privilege - Windows Update Stack (CVE-2024-21432) - Medium [368]

Description: Windows Update Stack Elevation of Privilege Vulnerability

45. Security Feature Bypass - Microsoft Defender (CVE-2024-20671) - Medium [365]

Description: Microsoft Defender Security Feature Bypass Vulnerability

46. Remote Code Execution - Microsoft SharePoint Server (CVE-2024-21426) - Medium [357]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

Rapid7: SharePoint receives a patch for CVE-2024-21426, which Microsoft describes as RCE via the attacker convincing a user to open a malicious file. Although the context of code execution isn’t stated in the advisory, exploitation is local to the user, and could lead to a total loss of confidentiality, integrity, and availability, including downtime for the affected environment.

47. Information Disclosure - Microsoft Edge (CVE-2024-21423) - Medium [352]

Description: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

MS PT Extended: CVE-2024-21423 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

48. Information Disclosure - Windows Cloud Files Mini Filter Driver (CVE-2024-26160) - Medium [352]

Description: Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

49. Denial of Service - Windows Kernel (CVE-2024-26181) - Medium [346]

Description: Windows Kernel Denial of Service Vulnerability

50. Elevation of Privilege - Microsoft Defender for Endpoint Protection (CVE-2024-21315) - Medium [342]

Description: Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability

MS PT Extended: CVE-2024-21315 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

51. Denial of Service - Windows Standards-Based Storage Management Service (CVE-2024-26197) - Medium [341]

Description: Windows Standards-Based Storage Management Service Denial of Service Vulnerability

52. Security Feature Bypass - Hypervisor-Protected Code Integrity (HVCI) (CVE-2024-21431) - Medium [339]

Description: Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability

53. Elevation of Privilege - Software for Open Networking in the Cloud (SONiC) (CVE-2024-21418) - Medium [330]

Description: Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability

54. Information Disclosure - Outlook for Android (CVE-2024-26204) - Medium [326]

Description: Outlook for Android Information Disclosure Vulnerability

55. Cross Site Scripting - Microsoft Dynamics 365 (on-premises) (CVE-2024-21419) - Medium [321]

Description: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

56. Elevation of Privilege - Microsoft Authenticator (CVE-2024-21390) - Medium [318]

Description: Microsoft Authenticator Elevation of Privilege Vulnerability

57. Elevation of Privilege - Visual Studio Code (CVE-2024-26165) - Medium [308]

Description: Visual Studio Code Elevation of Privilege Vulnerability

58. Security Feature Bypass - Chromium (CVE-2024-1671) - Medium [305]

Description: Inappropriate implementation in Site Isolation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2024-1671 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

59. Security Feature Bypass - Chromium (CVE-2024-1672) - Medium [305]

Description: Inappropriate implementation in Content Security Policy in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2024-1672 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

60. Security Feature Bypass - Chromium (CVE-2024-1674) - Medium [305]

Description: Inappropriate implementation in Navigation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2024-1674 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

61. Security Feature Bypass - Chromium (CVE-2024-1675) - Medium [305]

Description: Chromium: CVE-2024-1675 Insufficient policy enforcement in Download. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-1675 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

62. Denial of Service - Microsoft AllJoyn API (CVE-2024-21438) - Medium [303]

Description: Microsoft AllJoyn API Denial of Service Vulnerability

63. Denial of Service - Microsoft QUIC (CVE-2024-26190) - Medium [303]

Description: Microsoft QUIC Denial of Service Vulnerability

64. Denial of Service - Windows Hyper-V (CVE-2024-21408) - Medium [296]

Description: Windows Hyper-V Denial of Service Vulnerability

Qualys: CVE-2024-21408: Windows Hyper-V Denial of Service Vulnerability Windows Hyper-V allows hardware virtualization. IT professionals and software developers use virtualization to test software on multiple operating systems. Hyper-V enables working professionals to perform these tasks smoothly. With the help of Hyper-V, one can create virtual hard drives, virtual switches, and numerous different virtual devices, all of which can be added to virtual machines. Microsoft has not published any information about the vulnerability.

65. Information Disclosure - Microsoft Edge for Android (Chromium-based) (CVE-2024-26196) - Medium [291]

Description: Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability

MS PT Extended: CVE-2024-26196 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

66. Information Disclosure - Microsoft Teams for Android (CVE-2024-21448) - Medium [291]

Description: Microsoft Teams for Android Information Disclosure Vulnerability

67. Tampering - Windows Compressed Folder (CVE-2024-26185) - Medium [270]

Description: Windows Compressed Folder Tampering Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

Rapid7: Defenders responsible for Windows 11 assets can protect assets against exploitation of CVE-2024-26185, which Microsoft describes as a compressed folder tampering vulnerability. The advisory is sparse on detail, so while we know that an attacker must convince the user to open a specially crafted file, it’s not clear what the outcome of successful exploitation might be. Since the only impact appears to be to integrity, it’s possible that an attacker could modify a compressed folder but not necessarily read from it. Microsoft expects that exploitation is more likely.

68. Spoofing - Microsoft Edge (CVE-2024-26167) - Medium [264]

Description: Microsoft Edge for Android Spoofing Vulnerability

MS PT Extended: CVE-2024-26167 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

69. Spoofing - Microsoft Edge (CVE-2024-26188) - Medium [264]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability

MS PT Extended: CVE-2024-26188 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

70. Spoofing - Azure SDK (CVE-2024-21421) - Medium [250]

Description: Azure SDK Spoofing Vulnerability

71. Memory Corruption - Chromium (CVE-2024-1669) - Medium [234]

Description: Chromium: CVE-2024-1669 Out of bounds memory access in Blink. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-1669 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

72. Memory Corruption - Chromium (CVE-2024-1670) - Medium [234]

Description: Chromium: CVE-2024-1670 Use after free in Mojo. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-1670 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

73. Memory Corruption - Chromium (CVE-2024-1673) - Medium [234]

Description: Chromium: CVE-2024-1673 Use after free in Accessibility. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-1673 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

74. Memory Corruption - Chromium (CVE-2024-1938) - Medium [234]

Description: Chromium: CVE-2024-1938 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-1938 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

75. Memory Corruption - Chromium (CVE-2024-1939) - Medium [234]

Description: Chromium: CVE-2024-1939 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-1939 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

76. Memory Corruption - Chromium (CVE-2024-2173) - Medium [234]

Description: Chromium: CVE-2024-2173 Out of bounds memory access in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-2173 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

77. Memory Corruption - Chromium (CVE-2024-2174) - Medium [234]

Description: Inappropriate implementation in V8 in Google Chrome prior to 122.0.6261.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

MS PT Extended: CVE-2024-2174 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

78. Memory Corruption - Chromium (CVE-2024-2176) - Medium [234]

Description: Chromium: CVE-2024-2176 Use after free in FedCM. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-2176 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

79. Spoofing - Chromium (CVE-2024-1676) - Medium [216]

Description: Inappropriate implementation in Navigation in Google Chrome prior to 122.0.6261.57 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2024-1676 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

Low (1)

80. Unknown Vulnerability Type - Unknown Product (CVE-2023-28746) - Low [0]

Description: {'ms_cve_data_all': 'Intel: CVE-2023-28746 Register File Data Sampling (RFDS). This CVE was assigned by Intel. Please see CVE-2023-28746 on CVE.org for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

Exploitation in the wild detected (0)

Public exploit exists, but exploitation in the wild is NOT detected (1)

Information Disclosure (1)

• runc (CVE-2024-21626)

MS PT Extended: CVE-2024-21626 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

Other Vulnerabilities (79)

Elevation of Privilege (25)

• Azure Data Studio (CVE-2024-26203)
• Microsoft Azure Kubernetes Service Confidential Container (CVE-2024-21400)

Rapid7: Azure Kubernetes admins should take note of CVE-2024-21400, which allows an unauthenticated attacker to take over confidential guests and containers, with other outcomes including credential theft and resource impact beyond the scope managed by the Azure Kubernetes Service Confidential Containers (AKSCC). Microsoft describes AKSCC as providing a set of features and capabilities to further secure standard container workloads when working with sensitive data such as PII. The advisory describes additional steps for remediation beyond merely patching AKSCC, including upgrading to the latest version of the az confcom Azure CLI confidential computing extension and Kata Image.

ZDI: CVE-2024-21400 – Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability. This bug allows an unauthenticated attacker to access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers. Successful exploitation would allow the attacker to steal credentials and affect other resources. While that’s bad enough, patching won’t be straightforward. Customers must ensure they are running the latest version of “az confcom” and Kata Image. The bulletin contains additional information on the commands needed. Be sure to check it out.

• Open Management Infrastructure (OMI) (CVE-2024-21330)

Tenable: CVE-2024-21334 is a RCE affecting the open-source Open Management Infrastructure (OMI) management server. It was assigned a CVSSv3 score of 9.8 and is rated important. To exploit this vulnerability, a remote unauthenticated attacker could use a specially crafted request to trigger a use-after-free vulnerability. In addition, OMI received another patch this month, CVE-2024-21330 to address an EoP vulnerability.

• Microsoft Intune Linux Agent (CVE-2024-26201)
• Windows Kernel (CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178, CVE-2024-26182)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability

Tenable: CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178 and CVE-2024-26182 are EoP vulnerabilities affecting the Windows Kernel. These vulnerabilities are all rated as important, and each was assigned a CVSSv3 score of 7.8 with the exception of CVE-2024-21443 which was scored as 7.3. CVE-2024-26182 was the only Windows Kernel EoP rated as “Exploitation More Likely.” Successful exploitation of these vulnerabilities could lead to an attacker gaining SYSTEM privileges.

• Microsoft Office (CVE-2024-26199)
• Microsoft Windows SCSI Class System File (CVE-2024-21434)
• Windows Composite Image File System (CimFS) (CVE-2024-26170)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

• Windows Error Reporting Service (CVE-2024-26169)
• Windows Graphics Component (CVE-2024-21437)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

• Windows Installer (CVE-2024-21436)
• Windows NTFS (CVE-2024-21446)
• Windows USB Print Driver (CVE-2024-21442, CVE-2024-21445)
• Windows Print Spooler (CVE-2024-21433)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

Tenable: CVE-2024-21433 | Windows Print Spooler Elevation of Privilege Vulnerability

Tenable: CVE-2024-21433 is an EoP vulnerability in Windows Print Spooler. This vulnerability is rated as ”Exploitation More Likely,” and was assigned a CVSSv3 score of 7.0. Exploitation of this vulnerability would require an attacker to win a race condition which could grant the attacker SYSTEM privileges.

Rapid7: Another site of “exploitation more likely” vulnerabilities this month: the Windows Print Spooler service. A local attacker who successfully exploits CVE-2024-21433 via winning a race condition could elevate themselves to SYSTEM privileges.

• Windows Telephony Server (CVE-2024-21439)
• Windows Update Stack (CVE-2024-21432)
• Microsoft Defender for Endpoint Protection (CVE-2024-21315)

MS PT Extended: CVE-2024-21315 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

• Software for Open Networking in the Cloud (SONiC) (CVE-2024-21418)
• Microsoft Authenticator (CVE-2024-21390)
• Visual Studio Code (CVE-2024-26165)

Remote Code Execution (18)

• Windows USB Attached SCSI (UAS) Protocol (CVE-2024-21430)
• Windows OLE (CVE-2024-21435)
• Windows USB Hub Driver (CVE-2024-21429)
• Open Management Infrastructure (OMI) (CVE-2024-21334)

Tenable: CVE-2024-21334 | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

Tenable: CVE-2024-21334 is a RCE affecting the open-source Open Management Infrastructure (OMI) management server. It was assigned a CVSSv3 score of 9.8 and is rated important. To exploit this vulnerability, a remote unauthenticated attacker could use a specially crafted request to trigger a use-after-free vulnerability. In addition, OMI received another patch this month, CVE-2024-21330 to address an EoP vulnerability.

ZDI: CVE-2024-21334 – Open Management Infrastructure (OMI) Remote Code Execution Vulnerability. This bug rates the highest CVSS rating for this release with a 9.8. It would allow a remote, unauthenticated attacker to execute code on OMI instances on the Internet. It’s not clear how many of these systems are reachable through the Internet, but it’s likely a significant number. Microsoft gives this an “Exploitation less likely” rating, but considering this is a simple Use After Free (UAF) bug on a juicy target, I would expect to see scanning for TCP port 5986 on the uptick soon.

• Windows Hyper-V (CVE-2024-21407)

Qualys: CVE-2024-21407: Windows Hyper-V Remote Code Execution Vulnerability An authenticated attacker on a guest VM must send specially crafted file operation requests to hardware resources to perform remote code execution on the host server. Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions before exploitation to prepare the target environment.

Tenable: Microsoft’s March 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-21407)

Tenable: CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability

Tenable: CVE-2024-21407 is a RCE vulnerability in Windows Hyper-V. This vulnerability was assigned a CVSSv3 score of 8.1 and is rated critical. Successful exploitation of this vulnerability requires that an attacker be authenticated and gather information about the target environment in order to craft their exploit. While the attack complexity is high, exploitation could result in code execution on the host server.

Rapid7: Attackers hoping to escape from a Hyper-V guest virtual machine (VM) and achieve RCE on the Hyper-V host will be interested in CVE-2024-21407. Microsoft describes attack complexity as high: an attacker must first gather information specific to the environment and carry out unspecified preparatory work. Exploitation is via specially crafted file operation requests on the VM to hardware resources on the VM. Every supported version of Windows receives a patch. The advisory describes that no privileges are required for exploitation of the Hyper-V host, although an attacker will presumably need an existing foothold on a guest VM.

ZDI: CVE-2024-21407 – Windows Hyper-V Remote Code Execution Vulnerability. This is one of the two Critical-rated bugs for this month, and this is the only one that could result in code execution. This vulnerability would allow a user on a guest OS to execute arbitrary code on the host OS. This is often referred to as a guest-to-host escape and could be used to impact other guest OSes on the server. It’s a shame we won’t see this bug get exploited at Pwn2Own next week, where it could have won $250,000. Maybe next year.

• Microsoft Django Backend for SQL Server (CVE-2024-26164)
• Microsoft Exchange (CVE-2024-26198)

Rapid7: A single Exchange vulnerability receives a patch this month. Microsoft describes CVE-2024-26198 as a RCE vulnerability for Exchange, where an attacker places a specially-crafted DLL file into a network share or other file-sharing resource, and convinces the user to open it. Although the FAQ on the advisory asks: “What is the target context of the remote code execution?”, the answer boils down to ”[exploitation] results in loading a malicious DLL”. Since the context of the user opening the malicious file is not specified — an Exchange admin? a user running a mail client connecting to Exchange? something else altogether? — it remains unclear what an attacker might be able to achieve.

Rapid7: It remains vitally important to patch any on-premises instances of Exchange, a perennial attacker favourite. Exchange 2016 admins who were dismayed by the lack of patch for last month’s CVE-2024-21410 may feel somewhat reassured that Microsoft has issued a patch which claims to fully remediate this month’s CVE-2024-26198, but in the absence of any explicit advice to the contrary, a fully-patched Exchange 2016 remains unprotected against CVE-2024-21410 unless the guidance on that advisory is followed.

ZDI: CVE-2024-26198 – Microsoft Exchange Server Remote Code Execution Vulnerability. It seems there are Exchange patches almost every month now, and March is no different. This bug is a classic DLL loading vulnerability. An attacker places a specially crafted file in a location they control. They then entice a user to open the file, which loads the crafted DLL and leads to code execution. Last month, Microsoft stated the Exchange bug was being actively exploited only after the release. This bug is currently NOT listed as exploited in the wild, but I’ll update this blog should Microsoft change its mind (again).

• Microsoft ODBC Driver (CVE-2024-21440, CVE-2024-21451, CVE-2024-26159, CVE-2024-26162)
• Microsoft WDAC OLE DB provider for SQL Server (CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161, CVE-2024-26166)

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Tenable: CVE-2024-21441, CVE-2024-21444, CVE-2024-21450, CVE-2024-26161 and CVE-2024-26166 are RCE vulnerabilities affecting the Microsoft WDAC OLE DB provider for SQL Server. These vulnerabilities are rated as important, and were assigned CVSSV3 scores of 8.8. Successful exploitation requires an authenticated user to be enticed to connect to a malicious SQL database. Once a connection is made, specially crafted replies can be sent to the client in order to exploit the vulnerability and allow the execution of arbitrary code.

• Skype for Consumer (CVE-2024-21411)
• Microsoft SharePoint Server (CVE-2024-21426)

Rapid7: SharePoint receives a patch for CVE-2024-21426, which Microsoft describes as RCE via the attacker convincing a user to open a malicious file. Although the context of code execution isn’t stated in the advisory, exploitation is local to the user, and could lead to a total loss of confidentiality, integrity, and availability, including downtime for the affected environment.

Information Disclosure (8)

• Microsoft Edge (CVE-2024-21423, CVE-2024-26192)

MS PT Extended: CVE-2024-21423 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-26192 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

• Windows Kernel (CVE-2024-26174, CVE-2024-26177)
• Windows Cloud Files Mini Filter Driver (CVE-2024-26160)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

• Outlook for Android (CVE-2024-26204)
• Microsoft Edge for Android (Chromium-based) (CVE-2024-26196)

MS PT Extended: CVE-2024-26196 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

• Microsoft Teams for Android (CVE-2024-21448)

Denial of Service (6)

• .NET and Visual Studio (CVE-2024-21392)
• Windows Kernel (CVE-2024-26181)
• Windows Standards-Based Storage Management Service (CVE-2024-26197)
• Microsoft AllJoyn API (CVE-2024-21438)
• Microsoft QUIC (CVE-2024-26190)
• Windows Hyper-V (CVE-2024-21408)

Qualys: CVE-2024-21408: Windows Hyper-V Denial of Service Vulnerability Windows Hyper-V allows hardware virtualization. IT professionals and software developers use virtualization to test software on multiple operating systems. Hyper-V enables working professionals to perform these tasks smoothly. With the help of Hyper-V, one can create virtual hard drives, virtual switches, and numerous different virtual devices, all of which can be added to virtual machines. Microsoft has not published any information about the vulnerability.

Security Feature Bypass (7)

• Windows Kerberos (CVE-2024-21427)
• Microsoft Defender (CVE-2024-20671)
• Hypervisor-Protected Code Integrity (HVCI) (CVE-2024-21431)
• Chromium (CVE-2024-1671, CVE-2024-1672, CVE-2024-1674, CVE-2024-1675)

MS PT Extended: CVE-2024-1675 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-1674 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-1671 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-1672 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

Cross Site Scripting (1)

• Microsoft Dynamics 365 (on-premises) (CVE-2024-21419)

Tampering (1)

• Windows Compressed Folder (CVE-2024-26185)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-21433 is an elevation of privilege vulnerability in Windows Print Spooler. To exploit the vulnerability, an attacker is required to win a race condition. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-21437 is an elevation of privilege vulnerability in the Windows Graphics Component. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26160 is an information disclosure vulnerability in Windows Cloud Files Mini Filter Driver. An attacker may disclose the contents of Kernel memory after successfully exploiting the vulnerability. CVE-2024-26170 is an elevation of privilege vulnerability in the Windows Composite Image File System (CimFS). Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26182 is an elevation of privilege vulnerability in the Windows Kernel. Upon successful exploitation, an attacker could gain SYSTEM privilege. CVE-2024-26185 is a tempering vulnerability in the Windows Compressed Folder. An attacker would have to convince users to click a link, typically through an enticement in an email or instant message, and then convince them to open the specially crafted file.

Rapid7: Defenders responsible for Windows 11 assets can protect assets against exploitation of CVE-2024-26185, which Microsoft describes as a compressed folder tampering vulnerability. The advisory is sparse on detail, so while we know that an attacker must convince the user to open a specially crafted file, it’s not clear what the outcome of successful exploitation might be. Since the only impact appears to be to integrity, it’s possible that an attacker could modify a compressed folder but not necessarily read from it. Microsoft expects that exploitation is more likely.

Spoofing (4)

• Microsoft Edge (CVE-2024-26167, CVE-2024-26188)

MS PT Extended: CVE-2024-26188 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-26167 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

• Azure SDK (CVE-2024-21421)
• Chromium (CVE-2024-1676)

MS PT Extended: CVE-2024-1676 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

Memory Corruption (8)

• Chromium (CVE-2024-1669, CVE-2024-1670, CVE-2024-1673, CVE-2024-1938, CVE-2024-1939, CVE-2024-2173, CVE-2024-2174, CVE-2024-2176)

MS PT Extended: CVE-2024-2176 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-1673 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-2174 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-1939 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-2173 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-1938 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-1669 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

MS PT Extended: CVE-2024-1670 was published before March 2024 Patch Tuesday from 2024-02-14 to 2024-03-11

Unknown Vulnerability Type (1)

• Unknown Product (CVE-2023-28746)