Hyper-V zero-day stands out on a busy Patch Tuesday


Security teams will have a busy few days ahead of them after Microsoft patched close to 140 new common vulnerabilities and exposures (CVEs) in its July Patch Tuesday update, including four zero-day exploits – one of them a third-party update via processor giant ARM.

The four zero-days are listed, in numerical order, as follows:

  • CVE-2024-35264, a remote code execution (RCE) vulnerability in .NET and Visual Studio. This vulnerability carries a CVSS score of 8.1, but in contrast, while a proof-of-concept exploit is circulating it does not yet seem to have been taken advantage of;
  • CVE-2024-37895, an information disclosure vulnerability affecting ARM. This bug carries a CVSS score of 5.9, but although it has been made public is also not yet being exploited;
  • CVE-2024-38080, an elevation of privilege (EoP) flaw in Windows Hyper-V. This vulnerability carries a CVSS score of 7.8, and is known to have been exploited in the wild, although no public exploit has been published;
  • CVE-2024-38112, a spoofing vulnerability in Windows MSHTML Platform. This vulnerability carries a CVSS score of 7.5. No public exploit is available but it is being used by as-yet unknown adversaries.

Zeroing in on the Hyper-V flaw, Mike Walters of patch management specialist Action1 said it posed “significant risk” to systems utilising Hyper-V – it appears relatively simple to exploit, with an attacker being able to gain admin rights with ease if they have obtained initial local access via, for example, a compromised user account within a virtual machine. Ultimately, it takes advantage of an integer overflow issue within Hyper-V.

“CVE-2024-38080 …  highlights a clear avenue for attackers to gain elevated privileges, jeopardising the confidentiality, integrity, and availability of multiple virtualised systems,” said Walters.

“When combined with other vulnerabilities such as remote code execution flaws or initial access exploits such as phishing or exploit kits, the attack vector becomes more sophisticated and damaging.

“Adopting a proactive security approach, including timely patching and strict adherence to robust security practices, is crucial for mitigating these risks effectively,” he added.

Saeed Abbasi, product manager, vulnerability at Qualys’ Threat Research Unit (TRU) added: “The impact is enormous since this vulnerability could grant attackers the highest level of system access that could enable the deployment of ransomware and other malicious attacks.

“While Microsoft has not disclosed the extent of active exploitation, the nature of the vulnerability makes it a prime target for attackers. Due to its potential for deep system control, this vulnerability is poised for increased exploitation attempts. The combination of low complexity and no user interaction requirement means it is likely to be rapidly incorporated into exploit kits, leading to widespread exploitation.

Abbasi added: “Furthermore, the ability to escalate privileges makes this vulnerability particularly detrimental for ransomware attacks, as it enables attackers to turn off security measures and spread more effectively across networks, thereby significantly amplifying the impact of such attacks.”

Meanwhile, Rob Reeves, principal cyber security engineer at Immersive Labs, ran the rule over the Windows MSHTLM platform vuln. “Details from Microsoft are scarce and only described as a ‘spoofing’ vulnerability, which requires social engineering in order to convince a user to execute a delivered file,” he said.

“It is assessed that the vulnerability likely might lead to remote Code execution, because of its linking to CWE-668: Exposure of Resource to Wrong Sphere and in the event of successful exploitation, leads to complete compromise of confidentiality, integrity and availability. The CVSS score of only 7.5, due to the difficulty in exploiting, is possibly only due to the complexity of the attack itself.

Reeves said that without more details from Microsoft or the original reporter – a Check Point researcher – it was hard to give specific guidance on next steps, but that given it affects all hosts from Windows Server 2008 R2 and beyond – including clients – and is seeing active exploitation, it should be prioritised for patching without delay.

In addition to the zero-days, the July 2024 update also lists five critical flaws, all RCE vulnerabilities, carrying CVSS scores of 7.2 to 9.8. Three of these relate to Windows Remote Desktop Licensing Service, one to Microsoft Windows Codecs Library, and the fifth to Microsoft SharePoint Server.

Gamers beware

Finally, another RCE vulnerability in the Xbox Wireless Adapter has also drawn some attention, aptly demonstrating the importance of securing consumer devices and networks, which can be just as useful an element of a threat actor’s attack chain as any cloud server vulnerability affecting an enterprise.

Tracked as CVE-2024-38078, the flaw becomes exploitable if an attacker is in close physical proximity of the target system and has gathered specific information on the target environment.

Although this complexity makes it less likely it will be exploited, if it was to happen, an attacker could send a malicious networking packet to an adjacent system employing the adapter, and from there achieve RCE.

“In a work-from-home setup, securing all devices, including IoT devices like alarm systems and smart TVs, is essential. Attackers can exploit this vulnerability to gain unauthorised access and compromise sensitive information. The distance with which Wi-Fi signals can be detected, intercepted, and broadcasted is commonly underestimated, further heightening the risk of this vulnerability,” said Ryan Braunstein, Automox security operations team lead.

“To mitigate these threats, apply regular updates to all devices and adopt strong network security measures like robust passwords and encryption.

“Educating all employees, friends, and family members about the importance of keeping devices patched and updated may not make you popular at parties, but can definitely reduce the 2am phone calls,” added Braunstein.



Source link