CyberSecurityBoard
Sponsor Register Login

March Patch Tuesday fixes Hyper-V guest-host escape The Register

Patch Tuesday Microsoft's monthly patch drop has arrived, delivering a mere 61 CVE-tagged vulnerabilities - none listed as under active attack or already known to the public.
The second critical vulnerability, CVE-2024-21408, is a denial of service flaw in Hyper-V that earned a 5.5 CVSS rating as it means an attacker could send a specially crafted packet to a Hyper-V server and induce a denial-of-service attack.
The most severe flaw this month in terms of CVSS scores is CVE-2024-21334, a 9.8-rated Open Management Infrastructure RCE vulnerability.
It would allow a remote, unauthenticated attacker to access the OMI instance from the internet, send a specially crated request, and trigger a user-after-free vulnerability.
Microsoft's bulletin details the commands needed to shore up this flaw, so be sure to check it out and patch ASAP. Adobe addresses 56 bugs.
Adobe's monthly patch-a-thon saw the outfit release six fixes addressing 56 vulnerabilities in Experience Manager, Premiere Pro, ColdFusion, Bridge, Lightroom and Animate.
The other two are improper input validation vulnerabilities that could be exploited to bypass security features.
The patch for Premiere Pro fixes two critical-severity bugs, and the ColdFusion update also addresses a critical vulnerability that could be abused for code execution.
Both Adobe Bridge and Adobe Animate shore up four critical and important CVEs, while the Lightroom patch fixes one critical vulnerability.
CVE-2023-32282 is a race-condition vulnerability in BIOS firmware for some Intel processors that could allow a privileged user to escalate privilege if they enjoy local access.
AMD recommends customers follow its earlier guidance [PDF] on mitigating Spectre-type attacks to address this vulnerability.
Hot News Note #3425274 fixes a 9.4-rated code injection vulnerability in applications built with SAP Build Apps.
Hot News Note #3433192 addresses a 9.1-rated code injection vulnerability in SAP NetWeaver AS Java.
Cisco today updated an earlier, 9.1-rated critical vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software.
It could allow an unauthenticated, remote attacker to perform a carriage return line feed injection attack against a user.
There's another critical-rated System vulnerability tracked as CVE-2024-23717 that could allow elevation of privilege.
CVE-2023-48788, another 9.3-rated SQL-injection flaw in FortiClient Enterprise Management Server could allow an unauthenticated attacker to send specially crafted requests and then execute unauthorized code.
A 7.7-rated improper access control vulnerability tracked as CVE-2023-36554 means FortiWLM MEA for FortiManager could also be exploited by an unauthenticated, remote attacker to execute arbitrary commands.
Then there's a high-severity authorization bypass flaw in multiple versions of FortiOS and FortiProxy SSLVPN bookmarks, which could allow an authenticated attacker to gain access to another user's bookmarks via URL manipulation.
Finally, CVE-2023-46717 is a 6.7-rated improper authentication vulnerability in multiple versions of FortiOS that can allow escalation of privilege.


This Cyber News was published on go.theregister.com. Publication date: Wed, 13 Mar 2024 00:43:08 +0000


Cyber News related to March Patch Tuesday fixes Hyper-V guest-host escape The Register

Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs - Today is Microsoft's March 2024 Patch Tuesday, and security updates have been released for 60 vulnerabilities, including eighteen remote code execution flaws. This Patch Tuesday fixes only two critical vulnerabilities: Hyper-V remote code execution ...
8 months ago Bleepingcomputer.com
Microsoft Patch Tuesday March 2024 includes critical Hyper-V flaws - The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V. Hyper-V is a hardware virtualization product that allows you to ...
8 months ago Malwarebytes.com
March Patch Tuesday fixes Hyper-V guest-host escape The Register - Patch Tuesday Microsoft's monthly patch drop has arrived, delivering a mere 61 CVE-tagged vulnerabilities - none listed as under active attack or already known to the public. The second critical vulnerability, CVE-2024-21408, is a denial of service ...
8 months ago Go.theregister.com
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
8 months ago Cisa.gov
Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws - Today is Microsoft's May 2024 Patch Tuesday, which includes security updates for 61 flaws and three actively exploited or publicly disclosed zero days. The total count of 61 flaws does not include 2 Microsoft Edge flaws fixed on May 2nd and four ...
6 months ago Bleepingcomputer.com
CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
7 years ago
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
8 months ago Cisa.gov
How Patch Management Software Solves the Update Problem - I've never met an IT leader who doesn't know how important patch management is. At Heimdal, we believe patch management software provides the solution to this problem. Patch management software is a technology that allows businesses to automate the ...
4 months ago Heimdalsecurity.com
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
6 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
6 years ago
Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day - Today is Microsoft's December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs. While eight remote code execution bugs were fixed, Microsoft only rated three ...
11 months ago Bleepingcomputer.com
CVE-2022-39294 - conduit-hyper integrates a conduit application with the hyper server. Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's length before calling ...
1 year ago
March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V - Last month several days after Patch Tuesday, the company updated two advisories to say that those particular vulnerabilities were being exploited in the wild. One of the two - CVE-2024-21338, an elevation of privilege vulnerability affecting the ...
8 months ago Helpnetsecurity.com
CVE-2023-52780 - In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm ...
6 months ago Tenable.com
CVE-2024-47716 - In the Linux kernel, the following vulnerability has been resolved: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros Floating point instructions in userspace can crash some arm kernels built with clang/LLD 17.0.6: BUG: unsupported FP ...
1 month ago Tenable.com
January Patch Tuesday: New year, more Windows bugs The Register - Patch Tuesday Microsoft rang in the New Year with a relatively calm Patch Tuesday: Just 49 Windows security updates including fixes for two critical-rated bugs, plus four high-severity Chrome flaws in Microsoft Edge. None of the January CVEs are ...
10 months ago Go.theregister.com
January 2024 Patch Tuesday forecast: A Focus on Printing - This article aims to provide a quick summary of some of the latest trends, announcements, and changes associated with IT patch operations while looking at the upcoming Patch Tuesday and what software updates to expect. December 2023 Patch Tuesday ...
10 months ago Helpnetsecurity.com
Intel out-of-band patch addresses privilege escalation flaw The Register - Intel on Tuesday issued an out-of-band security update to address a privilege escalation vulnerability in recent server and personal computer chips. The flaw, designated INTEL-SA-00950 and given a CVSS 3.0 score of 8.8 out of 10, affects Intel ...
11 months ago Theregister.com
Microsoft Discloses Critical Hyper-V Flaws in Low-Volume Patch Update - Both affect the Windows Hyper-V virtualization technology: CVE-2024-21407, a remote code execution bug; and CVE-2024-21408, which is a denial-of-service vulnerability. The update includes fixes for a total of 18 RCE flaws and two dozen ...
8 months ago Darkreading.com
December 2023 Patch Tuesday forecast: 'Tis the season for vigilance - Many in the retail industry have placed our systems in 'lockdown' since before Thanksgiving to ensure we don't interrupt ongoing sales. They won't be able to update them until after the holidays, but that doesn't mean they can't respond to threats. ...
11 months ago Helpnetsecurity.com
Key software patch testing best practices - To ensure a predictable rollout when a patch is deployed across your network, it is important to test it first in a nonproduction environment. Companies install software and firmware patches to fix bugs, remove vulnerabilities and add new features, ...
7 months ago Techtarget.com
How to conduct security patch validation and verification - Validation and verification are important steps in the security patch management lifecycle. They help to determine the impact of a patch on the security and efficiency of an organization's IT assets. Patch validation is the process of examining newly ...
7 months ago Techtarget.com
Windows 10 KB5037849 update released with 9 changes or fixes - Microsoft has released the optional KB5037849 Preview cumulative update for Windows 10 22H2 with nine fixes or changes. This release is primarily a maintenance release, fixing numerous bugs causing crashes or network connection issues. Microsoft ...
5 months ago Bleepingcomputer.com
CVE-2024-46828 - In the Linux kernel, the following vulnerability has been resolved: ...
1 month ago
CVE-2020-29483 - An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately, this is done by ...
3 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)