Microsoft Patch Tuesday – April 2023

Today’s Patch Tuesday brings us 97 new CVEs, including 1 zero-day and 7 criticals. Not that bad, so let’s briefly review them!

CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

The first CVE is exploited in the wild, and a similar one (CVE-2023-23376) was announced in February. Again we don’t have detailed information about the vulnerability; we only know that the attacker can elevate to SYSTEM privileges, which would allow them to completely take over the target system. Patch ASAP.

CVE-2023-21554 – Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-28250 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

Both of these CVEs are rated Critical (9.8) and allow a remote, unauthenticated attacker to run their code with elevated privileges on affected servers that have the Message Queuing service enabled.
The good news is that the service is disabled by default. The bad news is that it is commonly used by many contact center applications. It listens on TCP port 1801 by default, so blocking that port at the perimeter may serve as a mitigation. The best option is to deploy the update ASAP.
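The quickest way to know whether the MSMQ exposure described above applies to a given host is to check for the service, the default listener on TCP 1801, and the patch state. The following PowerShell is an added example (not code from the original post) and assumes an elevated session on Windows 10 / Windows Server 2016 or later, where Get-NetTCPConnection and the NetSecurity firewall cmdlets are available:

```powershell
# Added example, not from the original post: inventory a host's exposure to the MSMQ/PGM bugs
# (CVE-2023-21554, CVE-2023-28250). Assumes an elevated PowerShell session on Windows 10 /
# Windows Server 2016 or later (Get-NetTCPConnection and New-NetFirewallRule ship there).

# 1. Is the Message Queuing service installed at all? It is off by default, so most hosts stop here.
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'MSMQ service not installed: the MSMQ/PGM RCE surface is not exposed on this host.'
} else {
    Write-Output ('MSMQ service present: Status={0} StartType={1}' -f $svc.Status, $svc.StartType)
}

# 2. Is anything listening on the default MSMQ port, TCP 1801, and which process owns it?
$listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    Write-Output 'Nothing listening on TCP 1801.'
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ('Listening on {0}:{1}, PID {2} ({3})' -f $l.LocalAddress, $l.LocalPort,
        $l.OwningProcess, $proc.ProcessName)
}

# 3. Interim host-level mitigation while the update is rolled out: block inbound TCP 1801.
#    -WhatIf only previews the rule; remove it once you have confirmed that no legitimate MSMQ
#    clients (e.g. the contact center applications mentioned above) need the port on this host.
if ($listeners.Count -gt 0) {
    New-NetFirewallRule -DisplayName 'Block inbound MSMQ (TCP 1801) - CVE-2023-21554 interim' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block -Profile Any -WhatIf
}

# 4. Has the April 2023 cumulative update landed? Anything installed on or after 2023-04-11 is only a
#    hint; confirm the KB number against the MSRC release notes for your OS build.
Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2023-04-11' } |
    Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
```

Run it once per MSMQ-capable server (or wrap it in Invoke-Command for a fleet); hosts where step 1 reports the service as not installed need only the regular update cycle.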

CVE-2023-28231 – DHCP Server Service Remote Code Execution Vulnerability

The next CVE is related to the DHCP service. An authenticated attacker could leverage a specially crafted RPC call to the DHCP service to exploit this vulnerability, but the attacker first needs to gain access to the restricted network.

CVE-2023-28291 – Raw Image Extension Remote Code Execution Vulnerability

This one should be updated automatically by the Microsoft Store. If you have disabled automatic updates, you have to update it manually.
The secure version for systems running Windows 11 Build 22621 is v2.1.60611.0 and later.
The secure version for systems running Windows 10 and Windows 11 Build 18362 is v2.0.60612.0 and later.
To exploit this vulnerability, an attacker would first have to log on to the system. The attacker could then run a specially crafted application that exploits the vulnerability and takes control of the affected system.
Alternatively, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically via an enticement in an email or instant message, and then to open the specially crafted file.
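Because this component is updated by the Store rather than by Windows Update, it is easy to miss in patch reporting. The following PowerShell is an added example (not code from the original post) that compares the installed package version with the fixed versions quoted above; it assumes the Store package is named Microsoft.RawImageExtension (my assumption, verify with Get-AppxPackage -Name '*RawImage*') and an elevated session, which -AllUsers requires:

```powershell
# Added example, not from the original post: check whether the installed Raw Image Extension is at or
# above the fixed versions quoted in the post. Assumes the Store package is named
# Microsoft.RawImageExtension (assumption; confirm with Get-AppxPackage -Name '*RawImage*') and an
# elevated session, which -AllUsers needs.

$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

# Fixed versions as stated in the post: Windows 11 build 22621 vs. Windows 10 / Windows 11 build 18362.
$fixed = if ($build -ge 22621) { [version]'2.1.60611.0' } else { [version]'2.0.60612.0' }

$pkgs = @(Get-AppxPackage -AllUsers -Name 'Microsoft.RawImageExtension' -ErrorAction SilentlyContinue)

if ($pkgs.Count -eq 0) {
    Write-Output 'Raw Image Extension not installed: CVE-2023-28291 does not apply to this host.'
} else {
    # -AllUsers can return one entry per user profile; report each so stale copies are visible.
    foreach ($p in $pkgs) {
        $v = [version]$p.Version
        $state = if ($v -ge $fixed) { 'OK' } else { 'VULNERABLE: update it via the Microsoft Store' }
        Write-Output ('{0} {1} on build {2} (fixed >= {3}): {4}' -f $p.Name, $v, $build, $fixed, $state)
    }
}
```

The [version] cast makes the comparison numeric per component, so 2.0.60612.0 is not mistaken for being newer than 2.1.60611.0 by a plain string compare.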

CVE-2023-28219 & CVE-2023-28220 – Layer 2 Tunneling Protocol Remote Code Execution Vulnerability

Same rating for both CVEs – Critical (8.1). An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine.
If you are using RAS in your environment, patch ASAP.

CVE-2023-28232 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

A month without a bug in PPTP is a wasted month. If you are using VPN connections based on the Point-to-Point Tunneling Protocol, please consider patching soon, as an unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine.

Please be aware that updates released on or after 11 April 2023 remove the ability to disable RPC sealing by setting the RequireSeal registry subkey to 0.
Before installing the patches it is a good idea to review the System log on your DCs for NETLOGON events with IDs 5838-5841:

Event ID | Description | Action
5838 | The Netlogon service encountered a client using RPC signing instead of RPC sealing. | Confirm that the device is running a supported version of Windows. Check that all devices are up to date. Check that "Domain member: Digitally encrypt or sign secure channel data (always)" is set to Enabled.
5839 | The Netlogon service encountered a trust using RPC signing instead of RPC sealing. | Confirm that the device is running a supported version of Windows. Check that all devices are up to date. Check that "Domain member: Digitally encrypt or sign secure channel data (always)" is set to Enabled.
5840 | The Netlogon service created a secure channel with a client using RC4. | Check whether you can enforce stronger cryptography than RC4.
5841 | The Netlogon service denied a client using RC4 due to the ‘RejectMd5Clients’ setting. | Check whether your device can use stronger cryptography such as AES; the connection was rejected because of RC4 usage.
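Reviewing these events by hand on a busy DC is tedious, so here is an added PowerShell example (not code from the original post) that pulls events 5838-5841 from a DC's System log, summarises them per event ID with the most recent message, and reads the current RequireSeal setting. It assumes you can read the System log on the DC named in $ComputerName, and that RequireSeal lives under HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, which is Microsoft's documented location and not something the post states:

```powershell
# Added example, not from the original post: collect NETLOGON events 5838-5841 from a domain
# controller's System log and summarise them per event ID, so you know which clients or trusts still
# sign instead of seal, or still negotiate RC4, before the April 2023 update enforces sealing.
# Assumes read access to the System log on $ComputerName. The RequireSeal lookup at the end reads the
# LOCAL registry (run the script on the DC itself, or wrap it in Invoke-Command); the key path is
# Microsoft's documented location for that value, not something taken from the post.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

# Meaning of each event ID, as described in the table above.
$meaning = @{
    5838 = 'Client using RPC signing instead of RPC sealing'
    5839 = 'Trust using RPC signing instead of RPC sealing'
    5840 = 'Secure channel with a client established with RC4'
    5841 = 'Client using RC4 denied (RejectMd5Clients)'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5838, 5839, 5840, 5841
    StartTime    = (Get-Date).AddDays(-$Days)
}

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent throws (rather than returning nothing) when no event matches the filter.
    if ($_.Exception.Message -like '*No events were found*') { $events = @() } else { throw }
}

# Events come back newest first, so the first one in each group is the most recent occurrence.
$summary = $events | Group-Object -Property Id | Sort-Object -Property Name | ForEach-Object {
    $id = [int]$_.Name
    [pscustomobject]@{
        EventId = $id
        Count   = $_.Count
        Meaning = $meaning[$id]
        # First line of the latest message; it names the client or trust involved.
        Latest  = (($_.Group | Select-Object -First 1).Message -split "`r?`n")[0]
    }
}

if ($summary) {
    $summary | Format-Table -AutoSize
} else {
    Write-Output ('No NETLOGON 5838-5841 events on {0} in the last {1} days.' -f $ComputerName, $Days)
}

# Current RequireSeal value on this machine: 0 disabled enforcement, which the April 2023 update removes.
$regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$reqSeal = (Get-ItemProperty -Path $regKey -Name 'RequireSeal' -ErrorAction SilentlyContinue).RequireSeal
$shown   = if ($null -eq $reqSeal) { 'not set (default)' } else { $reqSeal }
Write-Output ('RequireSeal on {0}: {1}' -f $env:COMPUTERNAME, $shown)
```

A non-empty 5838/5839 summary tells you which devices or trusts to fix before the update removes the RequireSeal=0 escape hatch; 5840 and 5841 counts show how much RC4 is still in play and whether RejectMd5Clients is already rejecting anything.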

Summary

Below you can see the most important CVEs released by Microsoft in April 2023 (zero-days, criticals, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find info about bugs in the PostScript and PCL6 Class Printer Driver, WDAC OLE DB, Remote Procedure Call Runtime, Network Load Balancing, Remote Procedure Call Service, Visual Studio, Kerberos, and Netlogon.

CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for
CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 10+, Windows Server 2008+
CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+, Windows Server 2008+
CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | Required | Unproven | Windows 10+, Windows Server 2008+
CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability | Critical (8.8) | Adjacent | Low | None | None | Unproven | Windows 10+, Windows Server 2008+
CVE-2023-28291 | Raw Image Extension Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | Windows 10+
CVE-2023-28219 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+, Windows Server 2008+
CVE-2023-28220 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+, Windows Server 2008+
CVE-2023-28232 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (7.5) | Network | High | None | Required | Unproven | Windows 10+, Windows Server 2008+
CVE-2023-24884 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-24885 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-24886 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-24887 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-24924 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-24925 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-24926 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-24927 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-24928 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-24929 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-28243 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-28275 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+, Windows Server 2008+
CVE-2023-21727 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2008+
CVE-2023-28240 | Windows Network Load Balancing Remote Code Execution Vulnerability | Important (8.8) | Adjacent | Low | None | None | Unproven | Windows Server 2008+
CVE-2023-28297 | Windows Remote Procedure Call Service (RPCSS) Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Windows Server 2012+
CVE-2023-28296 | Visual Studio Remote Code Execution Vulnerability | Important (8.4) | Local | Low | None | None | PoC | Visual Studio 2017 version 15.9-, Visual Studio 2019 version 16.11-, Visual Studio 2022 version 17.5-
CVE-2023-28244 | Windows Kerberos Elevation of Privilege Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows Server 2008+
CVE-2023-28268 | Netlogon RPC Elevation of Privilege Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows Server 2008+
