Microsoft Fixes Critical Windows Hyper-V Flaws


Microsoft has patched critical-severity flaws in Windows Hyper-V as part of its regularly scheduled updates, which contained no zero-day flaws this month.

Microsoft has patched two critical-severity flaws, both in Windows Hyper-V, as part of its regularly scheduled updates. While Microsoft issued fixes for 60 vulnerabilities on Tuesday, there were no zero-day flaws in this month’s security updates.

One of the critical flaws in Microsoft's virtualization platform (CVE-2024-21407) has a CVSS severity score of 8.1 out of 10. The vulnerability could allow attackers to remotely execute code on the host server, but they would need to be authenticated on a guest VM. In order to exploit the flaw, attackers would need to send specially crafted file operation requests on the VM to hardware resources on the VM, so successful exploitation would require them to gather data about the environment and "take additional actions prior to exploitation to prepare the target environment," according to Microsoft.

“This vulnerability would allow a user on a guest OS to execute arbitrary code on the host OS,” according to Dustin Childs with Trend Micro’s Zero Day Initiative. “This is often referred to as a guest-to-host escape and could be used to impact other guest OSes on the server.”

The second critical flaw is a denial-of-service bug in Windows Hyper-V (CVE-2024-21408); however, while Microsoft categorized the flaw as critical-severity, it only scored 5.5 out of 10 on the CVSS severity scale. Microsoft did not provide any further details about the flaw.

Neither critical-severity flaw is being exploited in the wild, and Microsoft said exploitation for both bugs is “less likely.”

Microsoft also fixed dozens of important-severity flaws, including a remote code execution flaw in Open Management Infrastructure, which is an open source project. The flaw (CVE-2024-21334), which has a CVSS score of 9.8 out of 10, could allow a remote, unauthenticated attacker to access the Open Management Infrastructure instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability.

“Customers running affected versions of SCOM (System Center Operations Manager) should update to OMI version 1.8.1-0,” according to Microsoft’s advisory.

Microsoft also issued patches for a remote code execution flaw in Microsoft Exchange Server (CVE-2024-26198), which stems from a DLL loading issue. The flaw can be exploited by an attacker placing a specially crafted file in an attacker-controlled location and then convincing a user to open that file, which would then load the DLL and enable code execution. Another notable Microsoft flaw this month is an elevation of privilege bug (CVE-2024-21400) in Microsoft’s Azure Kubernetes Service Confidential Containers product.

The attack for this flaw is complex, as successful exploitation requires an attacker to “prepare the target environment to improve exploit reliability,” said Microsoft. However, if exploited, the flaw could enable unauthenticated attackers to access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers.

“Successful exploitation would allow the attacker to steal credentials and affect other resources,” said Childs. “While that’s bad enough, patching won’t be straightforward. Customers must ensure they are running the latest version of ‘az confcom’ and Kata Image.”