Today’s Patch Tuesday brings us 97 new CVEs, including 1 zero-day and 7 criticals. Not that bad, so let’s briefly review them!
CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
The first CVE is exploited in the wild, and a similar one, CVE-2023-23376, was announced in February. Again we don’t have detailed information about the vulnerability; we only know that an attacker can elevate to SYSTEM privileges, which would allow them to completely take over the target system. Patch ASAP.
CVE-2023-21554 – Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-28250 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Both of these CVEs are rated Critical (9.8): they allow a remote, unauthenticated attacker to run code with elevated privileges on affected servers that have the Message Queuing service enabled.
The good news is that the service is disabled by default. The bad news is that it is commonly used by many contact center applications. It listens on TCP port 1801 by default, so blocking this port at the perimeter might be a mitigation. The best option is to deploy the update ASAP.
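A quick way to find out whether a host is exposed to these two CVEs is to check the three things the advisory mentions: the feature, the service and the default listener. The script below is an added example, not part of the original post; it assumes the Windows feature name MSMQ-Server, the service name MSMQ, and an elevated PowerShell session.

```powershell
# Added example (not from the original post): check whether this host exposes
# the Message Queuing service targeted by CVE-2023-21554 / CVE-2023-28250.
# Assumes feature name MSMQ-Server, service name MSMQ, and an elevated session.
function Get-MsmqExposure {
    $result = [ordered]@{
        FeatureInstalled  = $false
        ServiceStatus     = 'NotPresent'
        Port1801Listening = $false
        Listeners         = @()
    }

    # Feature state is queried differently on server and client SKUs.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name MSMQ-Server -ErrorAction SilentlyContinue
        if ($f) { $result.FeatureInstalled = [bool]$f.Installed }
    } else {
        $f = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -ErrorAction SilentlyContinue
        if ($f) { $result.FeatureInstalled = ($f.State -eq 'Enabled') }
    }

    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceStatus = $svc.Status.ToString() }

    # TCP 1801 is the default MSMQ listener named in the advisory.
    $conns = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    if ($conns) {
        $result.Port1801Listening = $true
        $result.Listeners = @($conns | ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            '{0}:{1} (pid {2} {3})' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess, $p.ProcessName
        })
    }
    [pscustomobject]$result
}

$exposure = Get-MsmqExposure
$exposure | Format-List
if ($exposure.Port1801Listening) {
    Write-Warning 'MSMQ is listening on TCP 1801: deploy the update now and restrict the port at the perimeter until then.'
}
```

Run it across your server estate (for example via Invoke-Command) to build the list of hosts that need the update first.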
CVE-2023-28231 – DHCP Server Service Remote Code Execution Vulnerability
The next CVE affects the DHCP Server service. An authenticated attacker could exploit it by sending a specially crafted RPC call to the DHCP service, but first the attacker needs to gain access to the restricted network.
CVE-2023-28291 – Raw Image Extension Remote Code Execution Vulnerability
This one should be updated automatically by the Microsoft Store. If you have disabled automatic updates, you have to update it manually.
The secure version for Windows 11 Build 22621 is v2.1.60611.0 and later.
The secure version for Windows 10 and Windows 11 Build 18362 is v2.0.60612.0 and later.
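Because this package is serviced by the Store rather than Windows Update, it is easy to miss in patch reporting. The check below is an added example, not part of the original post; it assumes the Store package name Microsoft.RawImageExtension and that builds 22621 and later use the v2.1.60611.0 threshold while older builds use v2.0.60612.0.

```powershell
# Added example (not from the original post): compare the installed Raw Image
# Extension with the fixed versions for CVE-2023-28291 quoted above.
# Assumes package name Microsoft.RawImageExtension and that build >= 22621 uses
# the 2.1.60611.0 threshold, everything older 2.0.60612.0. Run elevated for -AllUsers.
function Test-RawImageExtensionPatched {
    $build   = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $minimum = if ($build -ge 22621) { [version]'2.1.60611.0' } else { [version]'2.0.60612.0' }

    $packages = Get-AppxPackage -Name Microsoft.RawImageExtension -AllUsers -ErrorAction SilentlyContinue
    if (-not $packages) {
        return [pscustomobject]@{
            Build = $build; Version = $null; Minimum = $minimum; Status = 'NotInstalled'
        }
    }
    # Several copies (per user or architecture) may exist; report each one.
    foreach ($pkg in $packages) {
        $installed = [version]$pkg.Version
        [pscustomobject]@{
            Build   = $build
            Version = $installed
            Minimum = $minimum
            Status  = if ($installed -ge $minimum) { 'Patched' } else { 'Vulnerable' }
        }
    }
}

$rows = Test-RawImageExtensionPatched
$rows | Format-Table -AutoSize
if ($rows.Status -contains 'Vulnerable') {
    Write-Warning 'Raw Image Extension is below the fixed version: update it from the Microsoft Store.'
}
```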
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.
CVE-2023-28219 & CVE-2023-28220 – Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Both CVEs share the same rating, Critical (8.1). An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine.
If you are using RAS in your environment, patch ASAP.
CVE-2023-28232 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
A month without a bug in PPTP is a wasted month. If you use VPN connections based on the Point-to-Point Tunneling Protocol, please consider patching soon, as an unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine.
KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023
Please be aware that updates released on or after 11 April 2023 remove the ability to disable RPC sealing by setting the RequireSeal registry value to 0.
Before installing the patches it is a good idea to review the System log on DCs for events coming from NETLOGON (event IDs 5838-5841):
Event ID | Description | Action |
---|---|---|
5838 | The Netlogon service encountered a client using RPC signing instead of RPC sealing. | Confirm that the device is running a supported version of Windows. Check to make sure all devices are up to date. Check that the policy Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled. |
5839 | The Netlogon service encountered a trust using RPC signing instead of RPC sealing. | Confirm that the device is running a supported version of Windows. Check to make sure all devices are up to date. Check that the policy Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled. |
5840 | The Netlogon service created a secure channel with a client with RC4. | Check if you can enforce stronger cryptography than RC4. |
5841 | The Netlogon service denied a client using RC4 due to the ‘RejectMd5Clients’ setting. | Check if your device can use stronger cryptography like AES; the connection was rejected due to RC4 usage. |
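The review described above is easy to script on each DC: pull the four NETLOGON event IDs, list which client or trust accounts triggered them, and flag a RequireSeal value of 0 that will stop being honoured once the update is installed. This is an added example, not part of the original post; it assumes the RequireSeal value lives under HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters (as documented in KB5021130) and that the event text contains a "SAM account name:" field naming the client or trust.

```powershell
# Added example (not from the original post): summarise NETLOGON events
# 5838-5841 on a domain controller and flag RequireSeal = 0.
# Assumes the KB5021130 registry location and a "SAM account name:" field
# in the event message; run on the DC in an elevated session.
function Get-NetlogonSealingReport {
    param([int]$Days = 30)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5838, 5839, 5840, 5841
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $byId = $events | Group-Object Id | ForEach-Object {
        # Pull the client/trust account out of the message text when present.
        $accounts = $_.Group | ForEach-Object {
            if ($_.Message -match 'SAM account name:\s*(\S+)') { $Matches[1] }
        } | Sort-Object -Unique
        [pscustomobject]@{
            EventId  = [int]$_.Name
            Count    = $_.Count
            Accounts = ($accounts -join ', ')
        }
    }

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name RequireSeal -ErrorAction SilentlyContinue
    $requireSeal = if ($reg) { $reg.RequireSeal } else { 'not set (default)' }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        RequireSeal = $requireSeal
        Events      = @($byId)
    }
}

$report = Get-NetlogonSealingReport -Days 30
$report.Events | Format-Table -AutoSize
if ($report.RequireSeal -eq 0) {
    Write-Warning 'RequireSeal is 0: the April 2023 update ignores this override, so fix the clients behind events 5838/5839 before patching.'
}
```

Events 5838 and 5839 identify the devices and trusts that will break once sealing is enforced, so those are the ones to remediate before the update lands.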
Summary
Below you can see the most important CVEs released by Microsoft in April 2023 (zero-days, criticals, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find information about bugs in the PostScript and PCL6 Class Printer Driver, WDAC OLE DB, Remote Procedure Call Runtime, Network Load Balancing, Remote Procedure Call Service, Visual Studio, Kerberos, and Netlogon.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 10+ Windows Server 2008+ |
CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | Required | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability | Critical (8.8) | Adjacent | Low | None | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-28291 | Raw Image Extension Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | Windows 10+ |
CVE-2023-28219 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-28220 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-28232 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (7.5) | Network | High | None | Required | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-24884 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24885 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24886 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24887 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24924 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24925 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24926 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24927 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24928 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24929 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-28243 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-28275 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-21727 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-28240 | Windows Network Load Balancing Remote Code Execution Vulnerability | Important (8.8) | Adjacent | Low | None | None | Unproven | Windows Server 2008+ |
CVE-2023-28297 | Windows Remote Procedure Call Service (RPCSS) Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-28296 | Visual Studio Remote Code Execution Vulnerability | Important (8.4) | Local | Low | None | None | PoC | Visual Studio 2017 version 15.9- Visual Studio 2019 version 16.11- Visual Studio 2022 version 17.5- |
CVE-2023-28244 | Windows Kerberos Elevation of Privilege Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows Server 2008+ |
CVE-2023-28268 | Netlogon RPC Elevation of Privilege Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows Server 2008+ |