April’s Patch Tuesday is a behemoth, with patches for 147 new CVEs in Microsoft’s portfolio – including one that Microsoft marks as not exploited, but which Zero Day Initiative researchers have seen in the wild – and over 70 remote code execution (RCE) vulnerabilities.
Just three are marked critical, however (all in Microsoft Defender for IoT), and none are listed as under active attack.
The Zero Day Initiative believes it to be Microsoft’s largest ever Patch Tuesday. Why so many CVEs suddenly? Intense internal scrutiny of product security amid massive external pressure may be one cause, rather than some ongoing failure of QA. See it as a good thing! It’s a purge…
(Spare a thought for admins pushing fixes out to large fleets of machines; patches are known to regularly cause unintended side effects… )
See also: VMware pulls flawed update that triggered purple death crashes
The bug seen in the wild, even if not formally recorded as exploited, is CVE-2024-29988, which the ZDI notes acts like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. The find was credited to the ZDI’s Peter Girnus, as well as Dmitrij Lenz and Vlad Stolyarov of Google's TAG.
The ZDI said: “Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.” Microsoft marks exploitation of this as “more likely.”
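Because the attack chain above depends on files losing their Mark of the Web after extraction, a defender's first check is whether files in a download or extraction folder still carry the `Zone.Identifier` alternate data stream that MotW relies on. The following PowerShell audit is an added example, not code from the article or from the ZDI; it assumes an NTFS volume and uses a hypothetical `$Path` defaulting to the user's Downloads folder.

```powershell
# Added example (not from the article): list files under $Path that lack the
# Mark of the Web (the NTFS Zone.Identifier alternate data stream).
# Assumes an NTFS volume; $Path is a hypothetical download/extraction folder.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

$report = Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $zone = $null
    try {
        # Files that came from the Internet zone carry "ZoneId=3" in this stream.
        $zone = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        # No stream: the file was created locally, or its MotW was stripped
        # (for example by an archive handler that does not propagate it).
    }

    $zoneId = $null
    if ($zone) {
        $zoneId = ($zone | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', ''
    }

    [pscustomobject]@{
        File    = $_.FullName
        HasMotW = [bool]$zone
        ZoneId  = $zoneId
    }
}

# Files without MotW will not trigger SmartScreen or Protected View prompts,
# so they deserve a closer look when they arrived as archive contents.
$report | Where-Object { -not $_.HasMotW } | Format-Table -AutoSize
```

Run it as `.\Audit-MotW.ps1 -Path 'C:\Users\alice\Downloads'` (the script name and path are placeholders). A file extracted from an Internet-sourced archive that shows `HasMotW = False` is exactly the condition the MotW bypass produces, and is worth correlating with EDR telemetry for the extracting process.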
CVE-2024-20678, a Remote Procedure Call (RPC) RCE vulnerability, also deserves close attention. As the ZDI puts it: “There is a long history of RPC exploits being seen in the wild, so any RPC bug that could lead to code execution turns heads. This bug does require authentication, but it doesn’t require any elevated permission.” Microsoft’s increasingly threadbare security notes add: “Any authenticated user could trigger this vulnerability. It does not require admin or other elevated privileges.”
(It is not CVE-2022-26809, the zero-click RPC bug that required no user interaction to be exploited, but it still seems worth prioritising. There are over 1.3 million systems with TCP port 135 exposed to the internet.)
Microsoft says exploitation involves sending “a specially crafted RPC call to an RPC host. This could result in RCE on the server side with the same permissions as the RPC service.” Despite this, it sees exploitation as “less likely”. Microsoft Offensive Research & Security Engineering found the bug.
A series of critical RCE vulnerabilities in the Microsoft OLE DB Driver for SQL Server also stands out. This driver facilitates rapid SQL Server data access across diverse applications. The vulnerabilities span several driver versions and are collectively deemed “Important” in terms of severity.
The bugs – CVE-2024-28906, CVE-2024-28908 through CVE-2024-28915, CVE-2024-28926 and CVE-2024-28927, CVE-2024-28939 through CVE-2024-28945, CVE-2024-29044 through CVE-2024-29048, and CVE-2024-29982 through CVE-2024-29985 – are the result of improper input handling.
Satnam Narang, a senior staff research engineer at Tenable, notes that this month’s release also addresses 24 vulnerabilities in Windows Secure Boot, the majority of which are considered “Exploitation Less Likely.”
He noted: “The last time Microsoft patched a flaw in Windows Secure Boot (CVE-2023-24932), in May 2023, it had a notable impact as it was exploited in the wild and linked to the BlackLotus UEFI bootkit, which was sold on dark web forums for $5,000… While none of these Secure Boot vulnerabilities addressed this month were exploited in the wild, they serve as a reminder that flaws in Secure Boot persist, and we could see more malicious activity related to Secure Boot in the future.”
See also: NSA warns over “false sense of security” on Black Lotus UEFI bootkit risk
Seth Hoyt, Senior Security Engineer at Automox, highlighted CVE-2024-26224 as one of seven Windows DNS Server remote code execution vulnerabilities fixed in this month's Patch Tuesday. Each of these carries a CVSS score of 7.2/10.
Windows DNS Server Remote Code Execution Vulnerabilities:
- CVE-2024-26221
- CVE-2024-26222
- CVE-2024-26223
- CVE-2024-26224
- CVE-2024-26227
- CVE-2024-26231
- CVE-2024-26233
These permit attackers with network access to the DNS server to execute arbitrary code or privileged commands. He said: "Such vulnerabilities raise concerns, especially for Windows Server environments, as they can pave the way for lateral movement attacks..."