Adam Barnett – Page 3 – CyberSecurity Confabulation

Patch Tuesday – May 2023

Posted 2 years ago by Adam Barnett

A less crowded Patch Tuesday for May 2023: Microsoft is offering fixes for just 49 vulnerabilities this month. There are no fixes this month for printer drivers, DNS, or .NET, three components which have featured heavily in recent months. Three zero-day vulnerabilities are patched, alongside a further five critical Remote Code Execution (RCE) vulnerabilities. None of the three zero-day vulnerabilities have a particularly high CVSSv3 base score, but timely patching is always indicated.

Zero-day vulnerability: BlackLotus malware Secure Boot bypass

First up: a zero-day Secure Boot Security Feature Bypass vulnerability which is actively exploited by the BlackLotus bootkit malware. Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access. The relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.

Microsoft has provided a supplementary guidance article specifically calling out the threat posed by BlackLotus malware, which loads ahead of the operating system on compromised assets, and provides attackers with an array of powerful evasion, persistence, and Command & Control (C2) techniques, including deploying malicious kernel drivers, and disabling Microsoft Defender or Bitlocker.

Administrators should be aware that additional actions are required for remediation of CVE-2023-24932 beyond simply applying the patches. The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. Attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.

Zero-day vulnerability: RTF OLE RCE

The second of this month’s zero-day trio is an RCE vulnerability targeting Outlook users, as well as Windows Explorer. The vulnerability is in the proprietary Microsoft Object Linking and Embedding (OLE) layer, which allows embedding and linking to documents and other objects, and the Microsoft bulletin for CVE-2023-29336 suggests that the attack is likely conducted via a specially-crafted Rich Text File (RTF). All current versions of Windows are vulnerable, and viewing the malicious file via the Preview pane is one route to exploitation; however, successful exploitation requires an attacker to win a race condition and to otherwise prepare the target environment. This should significantly reduce the real-world impact of this vulnerability. Mitigations include disabling the Preview Pane, as well as configuring Outlook to read all emails in plain text mode. Microsoft is not aware of public disclosure, but has detected in-the-wild exploitation.

Zero-day vulnerability: Win32k LPE to SYSTEM

Rounding out this month’s trio of zero-day vulnerabilities is a Win32k Local Privilege Escalation (LPE) vulnerability. Successful exploitation will result in SYSTEM privileges. Win32k is a kernel-space driver responsible for aspects of the Windows GUI. As Rapid7 has noted in the past, the Win32k sub-system offers reliable attack surface that is not configuration-dependent. Although LPE vulnerabilities may seem less immediately concerning than a remote exploit, attackers frequently chain them together with other vulnerabilities to achieve full control over remote resources. Microsoft assesses attack complexity as low, and is aware of in-the-wild exploitation.

Critical RCE: NFS, MSQS, SharePoint Server, SSTP, LDAP

The remaining five RCE vulnerabilities this month include two with high CVSSv3 base scores of 9.8.

Although Microsoft is not aware of public disclosure or in-the-wild exploitation, Network File System (NFS) RCE vulnerability CVE-2023-24941 is a network attack with low complexity affecting Windows assets running NFS v4.1. As a mitigation prior to patching, Microsoft recommends disabling NFSv4.1 and then re-enabling it once the patch is applied, although this may impact functionality. OIder versions of NFS (NFSv3 and NFSv2) are not affected by this vulnerability. Microsoft warns that assets which haven’t been patched for over a year would be vulnerable to CVE-2022-26937 which is a Critical vulnerability in NFSV2.0 and NFSV3.0. In other words: applying today’s mitigation to an asset missing the May 2022 patches would effectively cause a downgrade attack.

CVE-2023-24943 describes a vulnerability in Windows Pragmatic General Multicast (PGM), and is a concern only for assets running Windows Message Queuing Service (MSQS) in a PGM environment. Microsoft recommends newer alternatives to PGM in the advisory. A further two critical RCE for MSQS were patched last month, and the continued flow of vulnerabilities suggests that MSQS will continue to be an area of interest for security researchers. Although MSQS is not installed by default, some software, including some versions of Microsoft Exchange Server, will helpfully enable it as part of their own installation routine.

Another candidate for inclusion in an exploit chain is SharePoint RCE CVE-2023-24955, which requires the attacker to authenticate as Site Owner to run code on the SharePoint Server host. Microsoft assesses this one as Exploitation More Likely, due in part to the low attack complexity. SharePoint Server 2016, 2019, and Subscription Edition are all vulnerable until patched. Anyone still running SharePoint Server 2013 should upgrade immediately, as May 2023 is the first Patch Tuesday after the end of ESU; absence of evidence of vulnerability is by no means evidence of absence.

Long-standing Patch Tuesday entrant Windows Secure Socket Tunneling Protocol (SSTP) provides CVE-2023-24903 this month, which is a critical RCE involving sending a specially crafted SSTP packet to an SSTP server and winning a race condition. This qualifies as high attack complexity, and Microsoft considers exploitation less likely.

The final Critical RCE this month is CVE-2023-28283, which is also a high-complexity network-vector attack involving a race condition. In this case, the attack is conducted via a specially-crafted set of LDAP calls.

Summary Charts

Summary Tables

Browser vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-29350	Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability	No	No	7.5
CVE-2023-29354	Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability	No	No	4.7
CVE-2023-2468	Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture	No	No	N/A
CVE-2023-2467	Chromium: CVE-2023-2467 Inappropriate implementation in Prompts	No	No	N/A
CVE-2023-2466	Chromium: CVE-2023-2466 Inappropriate implementation in Prompts	No	No	N/A
CVE-2023-2465	Chromium: CVE-2023-2465 Inappropriate implementation in CORS	No	No	N/A
CVE-2023-2464	Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture	No	No	N/A
CVE-2023-2463	Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode	No	No	N/A
CVE-2023-2462	Chromium: CVE-2023-2462 Inappropriate implementation in Prompts	No	No	N/A
CVE-2023-2460	Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions	No	No	N/A
CVE-2023-2459	Chromium: CVE-2023-2459 Inappropriate implementation in Prompts	No	No	N/A

Developer Tools vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-29343	SysInternals Sysmon for Windows Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-29338	Visual Studio Code Information Disclosure Vulnerability	No	No	5

ESU vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-24904	Windows Installer Elevation of Privilege Vulnerability	No	No	7.1

ESU Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-24943	Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-24903	Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability	No	No	8.1
CVE-2023-29325	Windows OLE Remote Code Execution Vulnerability	No	Yes	8.1
CVE-2023-28283	Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability	No	No	8.1
CVE-2023-24946	Windows Backup Service Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-29336	Win32k Elevation of Privilege Vulnerability	Yes	No	7.8
CVE-2023-24940	Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability	No	No	7.5
CVE-2023-24942	Remote Procedure Call Runtime Denial of Service Vulnerability	No	No	7.5
CVE-2023-24932	Secure Boot Security Feature Bypass Vulnerability	Yes	Yes	6.7
CVE-2023-29324	Windows MSHTML Platform Security Feature Bypass Vulnerability	No	No	6.5
CVE-2023-24900	Windows NTLM Security Support Provider Information Disclosure Vulnerability	No	No	5.9
CVE-2023-24945	Windows iSCSI Target Service Information Disclosure Vulnerability	No	No	5.5
CVE-2023-28251	Windows Driver Revocation List Security Feature Bypass Vulnerability	No	No	5.5

Microsoft Office vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-29344	Microsoft Office Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-24953	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-29335	Microsoft Word Security Feature Bypass Vulnerability	No	No	7.5
CVE-2023-24955	Microsoft SharePoint Server Remote Code Execution Vulnerability	No	No	7.2
CVE-2023-24881	Microsoft Teams Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24950	Microsoft SharePoint Server Spoofing Vulnerability	No	No	6.5
CVE-2023-24954	Microsoft SharePoint Server Information Disclosure Vulnerability	No	No	6.5
CVE-2023-29333	Microsoft Access Denial of Service Vulnerability	No	No	3.3

Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-24941	Windows Network File System Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-24947	Windows Bluetooth Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-24949	Windows Kernel Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-24902	Win32k Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-24905	Remote Desktop Client Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-29340	AV1 Video Extension Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-29341	AV1 Video Extension Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-24898	Windows SMB Denial of Service Vulnerability	No	No	7.5
CVE-2023-24901	Windows NFS Portmapper Information Disclosure Vulnerability	No	No	7.5
CVE-2023-24939	Server for NFS Denial of Service Vulnerability	No	No	7.5
CVE-2023-24948	Windows Bluetooth Driver Elevation of Privilege Vulnerability	No	No	7.4
CVE-2023-24899	Windows Graphics Component Elevation of Privilege Vulnerability	No	No	7
CVE-2023-24944	Windows Bluetooth Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-28290	Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability	No	No	5.3

Patch Tuesday – April 2023

Posted 2 years ago by Adam Barnett

Microsoft is offering fixes for 114 vulnerabilities for in April 2023. This month’s haul includes a single zero-day vulnerability, as well as seven critical Remote Code Execution (RCE) vulnerabilities. There is a strong focus on fixes for Windows OS this month.

Over the last 18 months or so, Rapid7 has written several times about the prevalence of driver-based attacks. This month's sole zero-day vulnerability – a driver-based elevation of privilege – will only reinforce the popularity of the vector among threat actors. Successful exploitation of CVE-2023-28252 allows an attacker to obtain SYSTEM privileges via a vulnerability in the Windows Common Log File System (CLFS) driver. Microsoft has patched more than one similar CLFS driver vulnerability over the past year, including CVE-2023-23376 in February 2023 and CVE-2022-37969 in September 2022.

Microsoft has released patches for the zero-day vulnerability CVE-2023-28252 for all current versions of Windows. Microsoft is not aware of public disclosure, but has detected in-the-wild exploitation and is aware of functional exploit code. The assigned base CVSSv3 score of 7.8 lands this vulnerability near the top of the High severity range, which is expected since it gives complete control of an asset, but a remote attacker must first find some other method to access the target.

April 2023 also sees 45 separate Remote Code Execution (RCE) vulnerabilities patched, which is a significant uptick from the average of 33 per month over the past three months. Microsoft rates seven of this month’s RCE vulnerabilities as Critical, including two related vulnerabilities with a CVSSv3 base score of 9.8. CVE-2023-28250 describes a vulnerability in Windows Pragmatic General Multicast (PGM) which allows an attacker to achieve RCE by sending a specially crafted file over the network. CVE-2023-21554 allows an attacker to achieve RCE by sending a specially crafted Microsoft Messaging Queue packet. In both cases, the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable. The Message Queueing Service is not installed by default. Even so, Microsoft considers exploitation of CVE-2023-21554 more likely.

The other five Critical RCE this month are spread across various Windows components: Windows Raw Image Extension, Windows DHCP Protocol, and two frequent fliers: Windows Point-to-Point Tunneling Protocol and the Windows Layer 2 Tunneling Protocol.

The RAW Image Extension vulnerability CVE-2023-28921 is another example of what Microsoft refers to as an Arbitrary Code Execution (ACE), explaining “The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.” For some defenders, this may stretch the definition of the word Remote in Remote Code Execution, but there are many ways to deliver a file to a user, and an unpatched system remains vulnerable regardless.

DHCP server vulnerability CVE-2023-28231 requires an attacker to be on the same network as the target, but offers RCE via a specially crafted RPC call. Microsoft considers that exploitation is more likely.

The hunter becomes the hunted as Microsoft patches a Denial of Service vulnerability in Defender. The advisory for CVE-2023-24860 includes some unusual guidance: “Systems that have disabled Microsoft Defender are not in an exploitable state.” In practice this vulnerability is less likely to be exploited, and the default update cadence for Defender should mean that most assets are automatically patched in a short timeframe.

Windows Server administrators should take note of CVE-2023-28247. Successful exploitation allows an attacker to view contents of kernel memory remotely from the context of a user process. Microsoft lists Windows Server 2012, 2016, 2019, and 2022 as vulnerable. Although Microsoft assesses that exploitation is less likely, Windows stores many secrets in kernel memory, including cryptographic keys.

Machine learning is everywhere these days, and this month’s Patch Tuesday is no exception: CVE-2023-28312 describes a vulnerability in Azure Machine Learning which allows an attacker to access system logs, although any attack would need to be launched from within the same secure network. The advisory contains links to Microsoft detection and remediation guidance.

The other Azure vulnerability this month is a Azure Service Connector Security Feature Bypass. Microsoft rates Attack Complexity for CVE-2023-28300 as High, since this vulnerability is only useful when chained with other exploits to defeat other security measures. However, the Azure Service Connector only updates when the Azure Command-Line Interface is updated, and automatic updates are not enabled by default.

Final curtain call tonight for a raft of familiar names, since April 2023 Patch Tuesday includes the very last round of Extended Security Updates (ESU) for a number of Microsoft products. These include:

Exchange Server 2013
Lync Server 2013
Office 2013 and individual component applications such as Excel 2013, PowerPoint 2013 etc.
Project 2013 and Project Server 2013
SharePoint Server 2013 and SharePoint Foundation 2013
Skype for Business 2015

As always, the end of ESU means that Microsoft does not expect to patch or even disclose any future vulnerabilities which might emerge in these venerable software products, so it is no longer possible to secure them; these dates have been well-publicized far in advance under the fixed lifecycle policy. No vendor can feasibly support ancient software indefinitely, and some administrators may be glad that they will never have to install another Exchange Server 2013 patch.

Summary Charts

Summary tables