Black Arrow Cyber Advisory 13 March 2024 – Microsoft Patch Tuesday, Adobe, Fortinet and SAP Security Updates Summary

Executive summary

Microsoft’s March Patch Tuesday provides updates to address 60 security issues across its product range. Among the updates provided by Microsoft were 2 critical vulnerabilities allowing remote code execution and denial of service; both of these vulnerabilities relate to Windows Hyper-V. Microsoft’s March 2024 Patch Tuesday has not identified any zero-day vulnerabilities.

In addition to the Microsoft updates this week also saw Adobe, FortiGuard and SAP all provide updates for vulnerabilities in a variety of their products, with multiple rated as critical.

What’s the risk to me or my business?

Successful exploitation of the vulnerabilities could allow an attacker to gain remote code execution, cause a denial of service and impact the confidentiality, integrity and availability of information.

What can I do?

Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.

Technical Summary

Microsoft

CVE-2024-21407- This vulnerability if actively exploited, allows a threat actor to gain remote code execution on the host server of a guest virtual machine. It requires an authenticated attacker to send specially crafted file operation requests.

CVE-2024-21408- This vulnerability if actively exploited, allows a threat actor to perform a denial of service. Microsoft have not disclosed how this could be exploited.

Adobe

Adobe have addressed multiple vulnerabilities in its products, including at least 46 in Adobe Experience Manager, 2 critical vulnerabilities in Adobe Premier Pro, a critical vulnerability in Adobe ColdFusion, and 4 vulnerabilities, of which 3 are critical in Adobe Bridge.

Fortinet

Fortinet have released three updates, of which 1 is critical impacting FortiOS and FortiProxy, 1 vulnerability impacting FortiClientEMS, 1 vulnerability impacting FortiWLM MEA for Fortimanager and 1 critical vulnerability in the DAS component.

SAP

This month, SAP has released 12 patches, which include 10 new releases and 2 updates from previous releases. 1 patch and 1 update have been given the “hot news” priority in SAP, the highest severity.. The vulnerabilities encompass a range of issues, including Privilege Escalation, Code Injection, Denial of Service, Information Disclosure, and Improper Authorisation.

further details on other specific updates within this patch Tuesday can be found here:

https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2024-patch-tuesday-fixes-60-flaws-18-rce-bugs/

Further details of the vulnerabilities in Adobe Experience Manager can be found here:

https://helpx.adobe.com/security/products/experience-manager/apsb24-05.html

Further details of the vulnerabilities in Adobe Premier Pro can be found here:

https://helpx.adobe.com/security/products/premiere_pro/apsb24-12.html

Further details of the vulnerabilities in Adobe ColdFusion can be found here:

https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html

Further details of the vulnerabilities in Adobe Bridge can be found here:

https://helpx.adobe.com/security/products/bridge/apsb24-15.html

Further details of the vulnerabilities in FortiOS and FortiProxy can be found here:

https://www.fortiguard.com/psirt/FG-IR-23-328