March 2024 Patch Tuesday: Critical Fixes for Windows and SharePoint

March 2024’s Patch Tuesday was significant due to Microsoft’s disclosure and patching of several critical vulnerabilities, prominently including CVE-2024-21407, CVE-2024-21400, and CVE-2024-26164. These vulnerabilities span across different Microsoft products and services, underlining the importance of maintaining a robust security posture.

This blog aims to delve into the details of these vulnerabilities, their potential impact on users, and the steps required for remediation. 

What are CVE-2024-21407, CVE-2024-21400, and CVE-2024-26164?

CVE-2024-21407 is a critical remote code execution vulnerability found in the Windows Print Spooler service. This flaw allows attackers to execute arbitrary code with SYSTEM privileges by sending maliciously crafted requests to the affected service. Given the widespread use of Windows, this vulnerability poses a significant risk to systems worldwide. 

CVE-2024-21400 pertains to an elevation of privilege vulnerability in the Windows Kernel. It allows attackers to gain higher privileges on the affected system by exploiting a flaw in how the Windows Kernel handles objects in memory. Successful exploitation could lead to complete system compromise. 

CVE-2024-26164 is a cross-site scripting (XSS) vulnerability in Microsoft SharePoint. This vulnerability could allow an attacker to inject a client-side script into the web pages viewed by other users. This script could then be used to impersonate users, steal data from web sessions, or perform actions on behalf of users without their consent.

Do they affect me?

If you’re using Microsoft Windows, especially the services and applications prone to CVE-2024-21407 and CVE-2024-21400, or if your organization utilizes Microsoft SharePoint, affected by CVE-2024-26164, these vulnerabilities are relevant to you. 

• Windows Users: Given the nature of CVE-2024-21407 and CVE-2024-21400, anyone running susceptible versions of Windows could be at risk, especially if the Print Spooler service is enabled or if the system hasn’t been updated recently. 
• SharePoint Users: Organizations using Microsoft SharePoint should be wary of CVE-2024-26164, as it could compromise the security of their SharePoint deployments and potentially lead to data breaches or unauthorized actions. 

Have CVE-2024-21407, CVE-2024-21400, or CVE-2024-26164 been exploited in the wild?

As of the latest updates from Microsoft and cyber security researchers, there have been no widespread reports of active exploitation of CVE-2024-21407, CVE-2024-21400, or CVE-2024-26164.

However, the disclosure of these vulnerabilities increases the likelihood of exploitation attempts as attackers seek to leverage unpatched systems. 

How to Fix CVE-2024-21407, CVE-2024-21400, and CVE-2024-26164

CVE-2024-21407 and CVE-2024-21400 (Windows): 

• Patch Immediately: Microsoft has released patches for these vulnerabilities as part of its March 2024 Patch Tuesday updates. Ensure your systems are updated promptly to mitigate the risk. 
• Disable Unnecessary Services: For CVE-2024-21407, consider disabling the Print Spooler service if it is not needed, until patches can be applied. 

CVE-2024-26164 (SharePoint): 

• Update SharePoint: Apply the latest security updates provided by Microsoft for SharePoint to protect against this XSS vulnerability. 
• Sanitize Input: As a best practice, ensure that input is properly sanitized to prevent XSS attacks in web applications. 

Next steps 

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

1. 2023 Vulnerability watch reports 
2. The MITRE ATT&CK framework: Getting started
3. The true impact of exploitable vulnerabilities for 2024
4. Multi-cloud security challenges – a best practice guide
5. How to properly tackle zero-day threats