Microsoft’s patch cycle this month has a handful of notable vulnerabilities – apparently none of them zero-days – in a total crop of 60 Windows patches.
CVE-2024-21334 is a vulnerability in open management infrastructure (OMI) and carries a CVSS score of 9.8.
The vulnerability exists in System Centre Operations Manager versions prior to 1.8.1-0 and allows an unauthenticated remote attacker to trigger a use-after-free bug in an OMI instance.
CVE-2024-21400 is a privilege escalation vulnerability that rates a CVSS score of 9.0.
The bug in Microsoft’s Azure Kubernetes Service Confidential Container could allow an unauthenticated attacker to steal credentials to take over “confidential guests and containers beyond the network stack it might be bound to”.
CVE-2024-21407 is a Hyper-V remote code execution vulnerability that has a CVSS score of 8.1.
Finally, Microsoft attributed critical severity to CVE-2024-21408, a denial-of-service bug in Hyper-V with a CVSS score of 5.5. No further detail is provided.
The Patch Tuesday crop also included five Chromium bugs and one Android bug, affecting only Microsoft Edge.
Language warning
For reasons unclear to iTnews, there are discrepancies in Microsoft’s description of each of the above vulnerabilities.
Microsoft describes the two Hyper-V vulnerabilities, CVE-2024-21407 and CVE-2024-21408, as having “Max severity: Critical”, even though neither carries a CVSS score of 9.0 or greater.
Meanwhile, CVE-2024-21334 (CVSS score 9.8) and CVE-2024-21400 (CVSS score 9.0) are described as “Max severity: Important”, in spite of their elevated scores.
The SANS Institute observed the apparent discrepancy, noting about one: “Oddly, Microsoft considers a DoS vulnerability ‘critical’.”
iTnews has asked Microsoft to comment.