www.belgium.be Logo of the federal government

WARNING: MICROSOFT PATCH TUESDAY APRIL 2024 PATCHES 147 VULNERABILITIES, INCLUDING 2 ACTIVELY EXPLOITED ZERO DAY VULNERABILITIES, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-51
Version: 
1.0
Affected software: 
For a detailed overview of affected products & technologies please consult https://msrc.microsoft.com/update-guide/releaseNote/2024-Apr
Type: 
Several types, ranging from Information Disclosure to Remote Code Execution and Privilege Escalation.
CVE/CVSS: 

Microsoft patched 147 vulnerabilities in its April 2024 Patch Tuesday release, 3 rated as critical, 142 rated important, and 2 Moderate. including two actively exploited zero-day flaws for malware delivery.

Number of CVEs by type:

  • 67 Remote Code Execution vulnerabilities
  • 31  Elevation of Privilege vulnerabilities
  • 12 Information Disclosure vulnerabilities
  • 3 Spoofing vulnerability
  • 7 Denial of Service vulnerabilities
  • 27  Security Feature Bypass vulnerabilities

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2024-Apr

Risks

Microsoft’s April 2024 Patch Tuesday includes 147 vulnerabilities (3 critical, 142 important, 2 moderate and 0 low), for a wide range of Microsoft products, impacting Microsoft Server and Workstations. This Patch Tuesday includes two actively exploited zero-day flaws related to malware delivery.

In total, there are 3 critical-rated vulnerabilities patched this month by Microsoft: CVE-2024-29053, CVE-2024-21322 and CVE-2024-21323. All mentioned vulnerabilities are Microsoft Defender for IoT remote code execution vulnerabilities.

Other notable CVEs include CVE-2024-29988, a SmartScreen Prompt security feature bypass, and CVE-2024-26234, a Proxy Driver spoofing vulnerability. Both are actively exploited in the wild according to Sophos and TrendMicro.

The substantial number of vulnerabilities patched in April are related to several Remote Code Execution vulnerabilities in the OLE DB driver for SQL Server (41) and Security Feature Bypass vulnerabilities in Secure Boot (24).

Exploitation of most vulnerabilities requires local access or administrator privileges.

Microsoft has released updates to mitigate these vulnerabilities, including adding the relevant files to its driver revocation list.

Description

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.

The CCB would like to point your attention to the following vulnerabilities:

CVE-2024-29988: SmartScreen prompt (Actively exploited)

Security Feature Bypass Vulnerability

CVE-2024-29988, a SmartScreen prompt security feature bypass, has been observed as exploited in the wild and can be used to bypass the Mark of the Web security feature. The flaw was found during research into a campaign conducted by the threat group Water Hydra a.k.a. DarkCasino.

CVE-2024-26234: Proxy Driver (Actively exploited)

Driver Spoofing Vulnerability

CVE-2024-26234, a proxy driver spoofing vulnerability, was linked to malicious attacks involving a backdoor file associated with an Android screen mirroring app called LaiXi.

Sophos X-Ops investigated a suspicious-looking executable that claimed to be signed by a valid Microsoft Hardware Publisher Certificate. Microsoft has added the relevant files to its rolling revocation list to mitigate the threat.

CVE-2024-29990: Microsoft Azure Kubernetes(Critical)

Elevation of privilege vulnerability

CVE-2024-29990 an elevation of privilege flaw impacting Microsoft Azure Kubernetes Service Confidential Container that could be exploited by unauthenticated attackers to steal credentials.

SQL server related ODBC/OLEDB related issues (Exploitation less likely)

Remote Code Execution Vulnerabilities

These 41 patches are all important-severity issues. Microsoft claims that none of the vulnerabilities are currently under active exploitation and believes exploitation is less likely to occur in the 30 days after release. Due to the criticality and the nature of the issues, it is recommended to address these vulnerabilities with high priority.

Detail

  • Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability – 13 patches
  • Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability – 24 patches
  • Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability – 3 patches
  • Microsoft WDAC SQL Server ODBC Driver Remote Code Execution Vulnerability – 1 patch

 

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

 

References

https://news.sophos.com/en-us/2024/04/10/a-tumultuous-titanic-patch-tuesday-as-microsoft-makes-some-changes
https://thehackernews.com/2024/04/microsoft-fixes-149-flaws-in-huge-april.html
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2024-patch-tuesday-fixes-150-security-flaws-67-rces
https://www.tenable.com/blog/microsofts-april-2024-patch-tuesday-addresses-147-cves-cve-2024-29988