March Patch Tuesday fixes critical Hyper-V vulnerabilities

Microsoft also corrects a remote code execution flaw on Exchange Server and issues an advisory related to changes with an outdated file-scanning feature on the messaging platform.

Admins have no zero-days or public disclosures to stress over this month, but organizations that work with Hyper-V or use Exchange Server will want to avoid delays with patch deployment.

On March Patch Tuesday, Microsoft issued security updates to correct 60 new vulnerabilities and revised two Microsoft Visio flaws from August with updated information.

Microsoft virtualization platform hit with critical bugs

The only two critical vulnerabilities for March Patch Tuesday were both in Hyper-V, Microsoft's hypervisor.

A Hyper-V remote code execution vulnerability (CVE-2024-21407) has a CVSS score of 8.1. The attacker needs to be authenticated on a guest VM to send a malicious file operation request to hardware resources to attempt remote code execution on the host. Microsoft gave this flaw an assessment of "exploitation less likely."

The other critical flaw is CVE-2024-21408, a Hyper-V denial-of-service vulnerability with a CVSS rating of 5.5. Microsoft assessed this CVE with "exploitation less likely." Microsoft did not release additional details in its vulnerability notes, but the attacker does not require user interaction and only needs basic privileges to disrupt the system, potentially causing a crash.

Microsoft delivers fix and issues advisory for Exchange Server

Microsoft released a security update for Exchange Server that corrects a remote code execution vulnerability (CVE-2024-26198) rated important with an 8.8 CVSS rating. The attacker needs to place a malicious file either in an online directory or on the local network, then convince a user to open the file to trigger the exploit.

Chris Goettl, vice president of product management for security products, IvantiChris Goettl

Chris Goettl, vice president of product management for security products at Ivanti, stressed that any patching delays only benefit threat actors who are in a race to develop tools and techniques to exploit vulnerabilities on unpatched systems, particularly Exchange Server. He cited two February Patch Tuesday vulnerabilities -- a Windows kernel elevation-of-privilege vulnerability (CVE-2024-21338) and an Exchange Server elevation-of-privilege vulnerability (CVE-2024-21410) -- that initially did not show as exploited, but were updated with exploitation flags within two weeks of publication.

"Exchange is still targeted by sophisticated groups who know it extremely well. I've seen articles that count 97,000 Exchange Servers still out in the wild. When you have that big of an audience, then it's still worth it for these groups to go and poke at it," Goettl said.

Microsoft also published an advisory for Exchange Server (ADV24199947) to warn admins that applying the March security updates for Exchange Server will disable an Oracle library.

Oracle's Outside In Technology (OIT), also called the OutsideInModule, is used to extract text from email attachments for security checks in the Exchange Transport Rule and Data Loss Prevention features. Applying the security update will patch the OIT libraries to mitigate multiple vulnerabilities, then disable the OIT module and finally configure Exchange to use an alternative file scanner. While not recommended, admins can reenable the OIT module with a script included with the security update.

This is the initial step in a three-part rollout. The second phase will replace the OutsideInModule with a Microsoft-based file scanner, and the last phase will remove the OIT module code. As of publication, Microsoft did not release a timeline for the upcoming stages.

2 corrections delivered for Open Management Infrastructure

Enterprises that use Microsoft's Azure cloud platform have two security updates in the Open Management Infrastructure (OMI) platform, an open source project designed for Linux and Unix management.

An OMI remote code execution vulnerability (CVE-2024-21334) rated important has March Patch Tuesday's highest CVSS rating with 9.8. This bug also affects System Center Operations Manager (SCOM) 2019 and 2022 systems. SCOM uses OMI to collect logs and automate configuration for Linux VMs.

"A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability," Microsoft wrote in the CVE notes.

Admins need to update to OMI version 1.8.1-0 to mitigate the vulnerability, or they can disable OMI incoming ports on Linux VMs that do not require network listening.

The other OMI flaw is an elevation-of-privilege vulnerability (CVE-2024-21330) rated important with a CVSS score of 7.8. An attacker who exploits the flaw can gain full administrative privileges to control the OMI server. This flaw affects a wide range of Microsoft products listed in the CVE notes.

Next step to mitigate Secure Boot vulnerability coming in April

In addition to their usual patching duties, admins will have to pay close attention to prevent issues during another staged rollout, this time to protect the boot state of Windows systems. Over the next several months, all bootable media will require an update, otherwise Windows systems will not start with outdated recovery media.

A Microsoft Knowledge Base article (KB5025885) gives the timeline and steps admins need to take to protect Windows systems affected by CVE-2023-24932, a Secure Boot security feature bypass vulnerability first reported in May 2023. This flaw is not limited to on-premises physical devices, but also affects some VMs and cloud-based devices.

The Microsoft security update from May Patch Tuesday addressed the vulnerability that allowed an attacker with physical access or administrative privileges to exploit a system with the BlackLotus UEFI bootkit and alter the system's boot policy. The threat actor could then lower the system's defenses, opening the way to further damage.

However, the protections from the security update are not enabled by default because it removes the existing boot manager, which could cause problems with system boot configurations.

July Patch Tuesday added revocation files to update the Code Integrity Boot Policy and the Secure Boot UEFI Forbidden List, which add full protection from CVE-2023-24932. Following the deployment of this security update, admins need to follow several steps to complete the process. Admins should be aware that any bootable media that does not have the July Patch Tuesday updates will not work after the revocations have been implemented on the system.

"Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device. Even reformatting of the disk will not remove the revocations if they have already been applied," Microsoft wrote.

In Microsoft's third deployment phase, the security updates for April Patch Tuesday will add more boot manager mitigations. Admins will have until October Patch Tuesday to prepare for the final step, the enforcement phase, which will apply the Code Integrity Boot Policy and Secure Boot disallow list revocations.

Goettl said admins need to redo all bootable media to avoid future issues. The other hurdle is to check systems for problems with the firmware update.

"The final stage coming in October is when mandatory enforcement begins and mitigations become revocations," he said. "The update will no longer allow anything that is vulnerable to the Secure Boot bypass. The biggest challenge will be checking the Windows event error logs."

Goettl said it will take some work for admins to examine all the system event logs for codes that tell if the patch did or did not install properly. Microsoft released a list of relevant event IDs to help with this process.

"When the updated [Forbidden Signature Database] DBX revocation list is installed on a device, Windows checks to determine whether the system is in a state where the DBX update can be successfully applied to the firmware and will report event log errors if an issue is detected," Microsoft wrote.

Tom Walat is the site editor for TechTarget Editorial's Windows Server site, where he manages all site content. Walat previously worked for a newspaper in the Greater Boston area.

Next Steps

Microsoft corks Windows zero-day on April Patch Tuesday

Dig Deeper on IT operations and infrastructure management