Understanding April's Patch Tuesday 2024: A Comprehensive Overview

Welcome to our technical support and cybersecurity blog, where we delve into the intricacies of Microsoft’s April Patch Tuesday. This month’s release was significant, addressing a plethora of vulnerabilities and strengthening the security posture of numerous products. Let’s break down the top vulnerabilities and the details of the patches released.

Patch Details

The April Patch Tuesday included updates for a total of 150 security flaws. Here’s a summary of the categories and their counts¹:

• 31 Elevation of Privilege Vulnerabilities
• 29 Security Feature Bypass Vulnerabilities
• 67 Remote Code Execution Vulnerabilities
• 13 Information Disclosure Vulnerabilities
• 7 Denial of Service Vulnerabilities
• 3 Spoofing Vulnerabilities

More than half of the RCE flaws were found within Microsoft SQL drivers. Additionally, patches for 26 Secure Boot bypasses were released, highlighting the importance of firmware security.

Top Vulnerabilities Addressed

Remote Code Execution (RCE) Flaws

A staggering 67 RCE vulnerabilities were patched, with a notable concentration within Microsoft SQL drivers, hinting at a shared underlying issue. These vulnerabilities are particularly concerning as they could allow attackers to execute arbitrary code remotely, potentially taking control of affected systems.

Out of these 67 patches, here are the three critical patches that should be updated on your systems

1. CVE-2024-21322:
   • Description: This vulnerability is an authenticated attacker’s dream. If an attacker has file upload privileges, they can exploit a path traversal vulnerability to achieve arbitrary code execution.
   • Attack Vector: The attacker must upload specially crafted files to sensitive locations on the target system.
   • Severity: Given the potential impact, even though the likelihood of exploitation is unclear, any vulnerability targeting defensive tools like Microsoft Defender for IoT should be taken seriously.
2. CVE-2024-21323:
   • Description: Similar to CVE-2024-21322, this vulnerability allows an authenticated attacker with file upload privileges to execute arbitrary code through a path traversal vulnerability.
   • Severity: The severity lies in the fact that it could lead to unauthorized code execution on the affected device.
3. CVE-2024-29054:
   • Description: Once again, an authenticated attacker with file upload privileges could exploit a path traversal vulnerability to achieve arbitrary code execution.
   • Impact: The ability to execute arbitrary code without user interaction is a significant concern, especially in IoT devices where security is paramount.

For further details, refer to cybersecurity experts' dedicated articles and reports.

Zero-Day Exploits

Two zero-day vulnerabilities, previously unmarked as exploited, were patched this month:

CVE-2024-26234 The Water Hydra hacking group actively exploited a security feature bypass in Microsoft Defender SmartScreen in spearphishing attacks. The vulnerability was a spoofing vulnerability related to a malicious driver signed with a valid Microsoft Hardware Publisher Certificate.

Vulnerability Details: CVE-2024-26234 is a Proxy Driver Spoofing Vulnerability. It allows attackers to bypass security features and gain privileges by exploiting improper access control within the proxy driver.

Impact: The vulnerability could let an attacker sign a malicious executable with a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate, potentially leading to a breach of trust and unauthorized code execution1.

Severity: It has a CVSS v3 score 6.7, rated as medium severity. The attack vector is local, requiring high privileges and no user interaction, which means an attacker would need access to the local system to exploit this vulnerability1.

CVE-2024-29988: The Water Hydra hacking group actively exploited a security feature bypass in Microsoft Defender SmartScreen in spearphishing attacks.

Vulnerability Details: CVE-2024-29988 is a SmartScreen Prompt Security Feature Bypass Vulnerability2. It involves a failure in the protection mechanism of Microsoft Defender SmartScreen.

Impact: An attacker could exploit this vulnerability by convincing a target to open a specially crafted file, potentially leading to remote code execution2.

Severity: This vulnerability is rated with a high severity score of 8.8 on the CVSS v3 scale. It requires no privileges but does require user interaction, meaning a user must be tricked into executing a malicious file2.

Both vulnerabilities are serious security concerns and were addressed in the April 2024 Patch Tuesday updates. Users and administrators are strongly advised to apply these patches to mitigate the risks associated with these vulnerabilities. Staying updated with the latest security patches is vital to maintaining a strong cybersecurity posture.

Secure Boot Bypasses

Twenty-six Secure Boot bypass vulnerabilities were addressed, including two from Lenovo. Secure Boot is a critical security feature that ensures only trusted software is loaded during the system’s boot process.

One of the vulnerabilities, tracked as CVE-2023-24932, was leveraged by the BlackLotus UEFI bootkit. This malware requires physical or administrative access to the device, and fixing the bypass requires revoking boot managers, which could cause issues for some device boot configurations.

Nature of Vulnerabilities: Secure Boot bypass vulnerabilities are particularly concerning because they allow an attacker to circumvent the Secure Boot process, which ensures that only trusted software is loaded during the system's boot process.

Impact on Security: By exploiting these vulnerabilities, an attacker could potentially load unauthorized or malicious software before the operating system starts, which could compromise the entire system.

Patches from Lenovo: Among the twenty-six vulnerabilities, two were related explicitly to Lenovo hardware. This indicates that hardware manufacturers provided the vulnerabilities in software and firmware components.

Mitigation Measures: The patches released as part of the April update include fixes for these vulnerabilities. Users and administrators must apply these patches to maintain the integrity of the Secure Boot process.

It's recommended that organizations begin evaluating these changes within their environment and apply the necessary updates to protect against these vulnerabilities. To fully understand the impact and mitigation strategies, it's advisable to review the detailed reports and analyses of cybersecurity experts.

This month’s Patch Tuesday was a clear reminder of the ever-evolving threat landscape and the continuous need for vigilance and prompt patch management. As technical specialists, we must ensure these patches are deployed swiftly to protect our networks and data from potential exploits.

Stay tuned for more updates and insights on cybersecurity matters. Stay informed is the first step in maintaining a robust defence against cyber threats.