Microsoft Patch Tuesday - April 2024

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Microsoft's April 2024 Patch Tuesday release addressed 149 security vulnerabilities, sixty-seven of which are remote code execution (RCE) flaws and three of which have been classified as critical. A summary of the highlighted vulnerabilities is outlined below:

First up is CVE-2024-26234 (CVSSv3.1 score: 6.7), a proxy spoofing vulnerability affecting Windows proxy drivers, which is being actively exploited in the wild. The Microsoft advisory provides almost no detail about the nature of the exploit itself.

Patches were released for three critical RCE vulnerabilities impacting Microsoft Defender for IoT (Internet of Things), Microsoft’s Azure-deployable agentless monitoring solution for IoT and Operational Technology (OT) devices. CVE-2024-21322 (CVSSv3.1 score: 7.2) requires threat actors to already hold administrative access to the Defender for IoT web application. CVE-2024-21323 (CVSSv3.1 score: 8.8) describes an update-based attack in which threat actors able to control how a Defender for IoT sensor receives updates can overwrite arbitrary files on the sensor file system via a path traversal weakness. Exploitation of CVE-2024-29053 (CVSSv3.1 score: 8.8) allows any authenticated user to upload arbitrary files, again via a path traversal weakness.
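Both Defender for IoT file-handling flaws above are catalogued as CWE-36 (absolute path traversal). The following is an added illustration, written for this bulletin and not taken from Microsoft's product code, of why that weakness class is easy to introduce and how a file-writing handler can be hardened against it. The upload directory, the function names and the sample file names are all constructed for the example.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed sample: the directory a hypothetical upload handler writes into.
# This path and the functions below are illustrative; they are not from the
# affected product.
UPLOAD_ROOT = Path("/var/lib/sensor/uploads")


def naive_target_path(filename: str) -> str:
    """Vulnerable pattern: trust the supplied name and join it onto the root.

    os.path.join drops every earlier component as soon as a later one is
    absolute, so an absolute name (CWE-36) replaces the root outright, and
    '..' segments walk out of it. Either way the write lands outside
    UPLOAD_ROOT.
    """
    return os.path.join(str(UPLOAD_ROOT), filename)


def safe_target_path(filename: str) -> Optional[Path]:
    """Hardened pattern: normalise first, then prove containment.

    Returns the resolved destination when it lies strictly inside UPLOAD_ROOT,
    and None when the supplied name would escape it (or names the root itself).
    """
    root = UPLOAD_ROOT.resolve()
    # resolve() is non-strict by default, so the file need not exist yet;
    # it collapses '..' segments and follows any symlinks that do exist.
    candidate = (root / filename).resolve()
    # is_relative_to compares whole path components, so a sibling directory
    # such as '/var/lib/sensor/uploads2' does not pass as a prefix match.
    if candidate == root or not candidate.is_relative_to(root):
        return None
    return candidate


def audit(names):
    """Return {name: (naive_result, hardened_result)} for a batch of names."""
    return {n: (naive_target_path(n), safe_target_path(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and three escape attempts.
    for name, (naive, safe) in audit(
        ["report.csv", "/etc/passwd", "../../../etc/passwd", "sub/../../x"]
    ).items():
        print(f"{name!r:28} naive -> {naive}\n{'':28} safe  -> {safe}")
```

The important design choice is that containment is checked on the fully resolved path rather than on the string the caller supplied: rejecting `..` substrings or leading slashes by pattern misses encodings, symlinks and platform quirks, whereas comparing the resolved result against the resolved root catches all of them in one place.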

SharePoint received a patch this month for CVE-2024-26251 (CVSSv3.1 score: 6.8), a spoofing vulnerability that abuses cross-site scripting (XSS) and affects SharePoint Server 2016, 2019, and Subscription Edition. Exploitation requires multiple conditions to be met, including a specific application configuration.

Microsoft patched a single Office vulnerability this month. Tracked as CVE-2024-26257 (CVSSv3.1 score: 7.8), the issue is an RCE vulnerability in Excel, exploitation of which requires threat actors to lure a victim into opening a specially crafted malicious file.

Impact

We have assessed that successful exploitation of the vulnerabilities outlined within the April 2024 Microsoft Patch Tuesday disclosure will result in the total loss of confidentiality, integrity, and availability of data within target systems.

Vulnerability Detection

Security patches for these vulnerabilities have been released by Microsoft. Product versions that have not received these patches therefore remain vulnerable to potential exploitation.

Affected Products

A full list of the affected products pertaining to the April 2024 Patch Tuesday can be found on the Microsoft April 2024 Security Update page.

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the respective Microsoft products as soon as possible. The patches can be found directly at the Microsoft Patch Tuesday April 2024 Security Guide.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Last month, Microsoft published remediations for 60 security flaws in the March 2024 Patch Tuesday release, including one critical RCE vulnerability and four browser flaws. Moving into the April disclosure, RCE and privilege escalation vulnerabilities continue to be the leading attack vectors, accounting for 44.6% and 20.6% of disclosed issues respectively, although security feature bypass vulnerabilities have surged to a similar level, accounting for 19.3% of issues. Overall, the April 2024 Patch Tuesday disclosure contained a significantly higher number of vulnerabilities than the low disclosure counts of recent months.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Tactics:

TA0002 – Execution

TA0004 – Privilege Escalation

Common Weakness Enumeration (CWE)

CVE-2024-26234: CWE-284 – Improper Access Control

CVE-2024-21322: CWE-77 – Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

CVE-2024-21323, CVE-2024-29053: CWE-36 – Absolute Path Traversal

CVE-2024-26251: CWE-79 – Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CVE-2024-26257: CWE-415 – Double Free

Further Information

Microsoft April 2024 Patch Tuesday Security Update
