This Valentine's Patch Tuesday brings us 75 new CVEs, including 3 zero-days and 9 criticals. Let’s take a look at them!
CVE-2023-21823 – Windows Graphics Component Elevation of Privilege Vulnerability
The first zero-day is an EoP to SYSTEM privileges, which can lead to remote code execution and, as a consequence, a total takeover of a system.
Microsoft states that Microsoft Store will automatically update affected customers, but please be aware of systems where Microsoft Store is disabled or not present. As this one was exploited in the wild, patch ASAP.
CVE-2023-23376 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
Another zero-day, again without detailed information about the vulnerability. As before, the attacker can elevate to SYSTEM privileges, which would allow them to completely take over a target system. Patch ASAP.
CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability
The last zero-day requires a local, authenticated user to download and open a specially crafted file on a vulnerable system. An attacker would need to entice the user to download and execute the file in order to successfully exploit this flaw.
CVE-2023-21689 / CVE-2023-21690 / CVE-2023-21692 – Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
These 3 bugs are quite similar. The vulnerable system must be running Network Policy Server and configured with a network policy that allows PEAP.
All three vulnerabilities were rated as “Exploitation More Likely” according to their advisories. If you are using PEAP on NPS servers, you can switch to EAP as a workaround, but the ultimate solution is to install the patch.
CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability
The attack vector for this one is the Preview Pane. An attacker has to send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file.
As a workaround, you can prevent Word from loading RTF files using MS08-026.
CVE-2023-21803 – Windows iSCSI Discovery Service Remote Code Execution Vulnerability
This one is quite interesting because it matters only for 32-bit systems that run the iSCSI Discovery Service.
An attacker can send a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service to gain the ability to execute code on the target system.
CVE-2023-21808 / CVE-2023-21815 / CVE-2023-23381 – .NET and Visual Studio Remote Code Execution Vulnerability
The first of these three is related to .NET and Visual Studio, while the other two affect Visual Studio only. All of them were rated as Critical with a score of 8.4.
A .NET vulnerability, in the MSDIA SDK, exists in how .NET reads debugging symbols, where reading a malicious symbols file may result in a crash or remote code execution.
CVE-2023-21718 – Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
An attacker could exploit the vulnerability by tricking an unauthenticated user into attempting to connect to a malicious SQL server database via ODBC. This could result in the database returning malicious data that might cause arbitrary code execution on the client.
Summary
Below you can see the most important CVEs released by Microsoft for February 2023 (zero-days, criticals, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find info about bugs in Azure App Service, Dynamics, Exchange, PostScript Printer driver, SharePoint, WDAC OLE DB, or Power BI.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2023-21823 | Windows Graphics Component Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 10+ Windows Server 2008+ Microsoft Office for Android Microsoft Office for iOS Microsoft Office for Universal |
CVE-2023-23376 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 10+ Windows Server 2008+ |
CVE-2023-21715 | Microsoft Office Security Feature Bypass Vulnerability | Important (7.3) | Local | Low | Low | Required | Exploited | Microsoft 365 Apps for Enterprise |
CVE-2023-21689 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+ Windows Server 2008 R2+ |
CVE-2023-21690 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+ Windows Server 2008 R2+ |
CVE-2023-21692 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+ Windows Server 2008 R2+ |
CVE-2023-21716 | Microsoft Word Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Word 2013 Word 2016 Microsoft 365 Apps for Enterprise Office LTSC 2021 Office 2019 for Mac Office LTSC for Mac 2021 Office Online Server Office Web Apps Server 2013 SharePoint Foundation 2013 SharePoint Enterprise Server 2013 SharePoint Enterprise Server 2016 SharePoint Server 2019 SharePoint Server Subscription Edition SharePoint Server Subscription Edition Language Pack |
CVE-2023-21803 | Windows iSCSI Discovery Service Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10 32-bit only Windows Server 2008 32-bit only |
CVE-2023-21808 | .NET and Visual Studio Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | .NET 6.0, 7.0 .NET Core 3.1 Visual Studio 2022 17.0, 17.2, 17.4 Visual Studio 2019 16.11- Visual Studio 2017 15.9- .NET Framework 3.5 / 4.8 / 4.8.1 on Windows Server 2022 / Windows 11 .NET Framework 3.5 / 4.7.2 / 4.8 on Windows Server 2016 / 2019 .NET Framework 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2008 R2 / 2012 / 2012 R2 .NET Framework 4.6.2 on Windows Server 2008 .NET Framework 3.5 / 4.6.2 / 4.7.2 / 4.8 / 4.8.1 on Windows 10 |
CVE-2023-21815 | Visual Studio Code Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | Visual Studio 2022 17.0, 17.2, 17.4 Visual Studio 2019 16.11- Visual Studio 2017 15.9- |
CVE-2023-23381 | Visual Studio Code Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | Visual Studio 2022 17.0, 17.2, 17.4 Visual Studio 2019 16.11- Visual Studio 2017 15.9- |
CVE-2023-21718 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | SQL Server 2022 GDR SQL Server 2019 GDR/CU18 SQL Server 2017 GDR/CU31 SQL Server 2016 SP3 GDR/Azure Connectivity Pack SQL Server 2014 SP3 GDR/CU4 |
CVE-2023-21777 | Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability | Important (8.7) | Local | Low | Low | None | Unproven | Azure App Service on Azure Stack Hub |
CVE-2023-21778 | Microsoft Dynamics Unified Service Desk Remote Code Execution | Important (8.3) | Network | High | None | Required | Unproven | Microsoft Dynamics 365 Unified Service Desk |
CVE-2023-21706 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Exchange 2013 CU23 Exchange 2016 CU23 Exchange 2019 CU11, CU12 |
CVE-2023-21707 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Exchange 2013 CU23 Exchange 2016 CU23 Exchange 2019 CU11, CU12 |
CVE-2023-21529 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Exchange 2013 CU23 Exchange 2016 CU23 Exchange 2019 CU11, CU12 |
CVE-2023-21797 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-21798 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-21684 | Microsoft PostScript Printer Driver Remote Code Execution | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-21717 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1 SharePoint Enterprise Server 2013 SP1 SharePoint Enterprise Server 2016, SharePoint Server 2019, SharePoint Server Subscription Edition |
CVE-2023-21705 | Microsoft SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SQL Server 2022 GDR SQL Server 2019 GDR/CU18 SQL Server 2017 GDR/CU31 SQL Server 2016 SP3 GDR/Azure Connectivity Pack SQL Server 2014 SP3 GDR/CU4 |
CVE-2023-21713 | Microsoft SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SQL Server 2022 GDR SQL Server 2019 GDR/CU18 SQL Server 2017 GDR/CU31 SQL Server 2016 SP3 GDR/Azure Connectivity Pack SQL Server 2014 SP3 GDR/CU4 |
CVE-2023-21799 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-21685 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-21686 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-21806 | Power BI Report Server Spoofing Vulnerability | Important (8.2) | Network | Low | Low | Required | Unproven | Power BI Report Server – January 2023 |
Enforcing number matching for MFA
As a bonus, I would like to mention that Microsoft will remove the admin controls and enforce number matching for MFA for all users of Microsoft Authenticator push notifications starting February 27, 2023.
It’s highly recommended to enable number matching in a controlled manner, before official Microsoft enforcement.

Please also be aware that number matching is not compatible with NPS. If you are using NPS with the newest version of the NPS extension, it will use OTP instead of the approve/deny notification. The older version of the NPS extension will still work with the current approve/deny method, as long as you don’t change the registry entry below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa\OVERRIDE_NUMBER_MATCHING_WITH_OTP = TRUE
After adding that entry to the registry, a restart of the NPS service is required.
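The registry change and service restart described above, as an added PowerShell example (not part of the original post or of Microsoft's tooling). It assumes the value is stored as a string (REG_SZ) and that the NPS service runs under the name `IAS`; the function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and, if needed, set the NPS extension override, then restart NPS.
# Assumptions: REG_SZ value type; NPS service name "IAS"; helper name is hypothetical.

function Set-NpsNumberMatchingOverride {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa',
        [string]$ValueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP',
        [string]$Desired   = 'TRUE'
    )

    # The key is created by the NPS extension installer; do not create it on other hosts.
    if (-not (Test-Path -Path $KeyPath)) {
        Write-Warning "$KeyPath not found: the NPS extension does not appear to be installed."
        return
    }

    # Read the current state first so the change is auditable.
    $prop    = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($prop) { $prop.$ValueName } else { $null }
    $shown   = if ($null -eq $current) { '<not set>' } else { $current }
    Write-Output "Current $ValueName = $shown"

    if ($current -eq $Desired) {
        Write-Output 'Override already in place; no change and no restart needed.'
        return
    }

    # -WhatIf / -Confirm are honoured here, so the script can be used as a dry-run audit.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $Desired and restart NPS")) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired `
            -PropertyType String -Force | Out-Null

        # The extension reads the value at service start, hence the restart.
        Restart-Service -Name 'IAS'
        Write-Output "Set $ValueName = $Desired and restarted the NPS service."
    }
}

# Dry run: report the current state and what would change, without modifying anything.
Set-NpsNumberMatchingOverride -WhatIf
```

Run it with `-WhatIf` across all NPS servers first to see which ones already carry the override, then drop the switch during a maintenance window, since the restart briefly interrupts RADIUS authentication.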
Also, it is worth considering enabling additional features like showing the app name or geo-location in the Microsoft Authenticator app. You can read more here.