Microsoft Patch Tuesday – February 2023

This Valentine’s Patch Tuesday brings us 75 new CVEs, including 3 zero-days and 9 criticals. Let’s take a look at them!

CVE-2023-21823 – Windows Graphics Component Elevation of Privilege Vulnerability

The first zero-day is an EoP to SYSTEM privileges, which can lead to remote code execution and, as a consequence, a total takeover of a system.
Microsoft states that Microsoft Store will automatically update affected customers, but please be aware of systems where Microsoft Store is disabled or not present. As this one was exploited in the wild, patch ASAP.

CVE-2023-23376 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

Another zero-day, again without detailed information about the vulnerability. Here too, the attacker can elevate to SYSTEM privileges, which would allow them to completely take over a target system. Patch ASAP.

CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability

The last zero-day requires a local, authenticated user to download and open a specially crafted file on a vulnerable system. An attacker would need to entice the user to download and execute the file in order to successfully exploit this flaw.

CVE-2023-21689 / CVE-2023-21690 / CVE-2023-21692 – Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability

These 3 bugs are quite similar. The vulnerable system must be running Network Policy Server and configured with a network policy that allows PEAP.
All three vulnerabilities were rated as “Exploitation More Likely” according to their advisories. If you are using PEAP on NPS servers, you can switch to EAP as a workaround, but the ultimate solution is to install the patch.

CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability

The attack vector for this one is Preview Pane. An attacker has to send a malicious e-mail containing an RTF payload that would allow them to gain access to execute commands within the application used to open the malicious file.
As a workaround, you can prevent Word from loading RTF files using MS08-026.

CVE-2023-21803 – Windows iSCSI Discovery Service Remote Code Execution Vulnerability

This one is quite interesting because it is relevant only for 32-bit systems that run the iSCSI Discovery Service.
An attacker can send a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service to gain the ability to execute code on the target system.

CVE-2023-21808 / CVE-2023-21815 / CVE-2023-23381 – .NET and Visual Studio Remote Code Execution Vulnerability

The first of these three affects .NET and Visual Studio, and the other two affect only Visual Studio. All of them were rated as Critical with a score of 8.4.
A .NET vulnerability, in the MSDIA SDK, exists in how .NET reads debugging symbols, where reading a malicious symbols file may result in a crash or remote code execution.

CVE-2023-21718 – Microsoft SQL ODBC Driver Remote Code Execution Vulnerability

An attacker could exploit the vulnerability by tricking an unauthenticated user into attempting to connect to a malicious SQL server database via ODBC. This could result in the database returning malicious data that might cause arbitrary code execution on the client.

Summary

Below you can see the most important CVEs released by Microsoft for February 2023 (zero-days, criticals, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find info about bugs in Azure App Service, Dynamics, Exchange, PostScript Printer driver, SharePoint, WDAC OLE DB, and Power BI.

| CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-21823 | Windows Graphics Component Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 10+; Windows Server 2008+; Microsoft Office for Android; Microsoft Office for iOS; Microsoft Office for Universal |
| CVE-2023-23376 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 10+; Windows Server 2008+ |
| CVE-2023-21715 | Microsoft Office Security Feature Bypass Vulnerability | Important (7.3) | Local | Low | Low | Required | Exploited | Microsoft 365 Apps for Enterprise |
| CVE-2023-21689 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008 R2+ |
| CVE-2023-21690 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008 R2+ |
| CVE-2023-21692 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008 R2+ |
| CVE-2023-21716 | Microsoft Word Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Word 2013; Word 2016; Microsoft 365 Apps for Enterprise; Office LTSC 2021; Office 2019 for Mac; Office LTSC for Mac 2021; Office Online Server; Office Web Apps Server 2013; SharePoint Foundation 2013; SharePoint Enterprise Server 2013; SharePoint Enterprise Server 2016; SharePoint Server 2019; SharePoint Server Subscription Edition; SharePoint Server Subscription Edition Language Pack |
| CVE-2023-21803 | Windows iSCSI Discovery Service Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10 32-bit only; Windows Server 2008 32-bit only |
| CVE-2023-21808 | .NET and Visual Studio Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | .NET 6.0, 7.0; .NET Core 3.1; Visual Studio 2022 17.0, 17.2, 17.4; Visual Studio 2019 16.11-; Visual Studio 2017 15.9-; .NET Framework 3.5 / 4.8 / 4.8.1 on Windows Server 2022 / Windows 11; .NET Framework 3.5 / 4.7.2 / 4.8 on Windows Server 2016 / 2019; .NET Framework 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2008 R2 / 2012 / 2012 R2; .NET Framework 4.6.2 on Windows Server 2008; .NET Framework 3.5 / 4.6.2 / 4.7.2 / 4.8 / 4.8.1 on Windows 10 |
| CVE-2023-21815 | Visual Studio Code Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | Visual Studio 2022 17.0, 17.2, 17.4; Visual Studio 2019 16.11-; Visual Studio 2017 15.9- |
| CVE-2023-23381 | Visual Studio Code Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | Visual Studio 2022 17.0, 17.2, 17.4; Visual Studio 2019 16.11-; Visual Studio 2017 15.9- |
| CVE-2023-21718 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | SQL Server 2022 GDR; SQL Server 2019 GDR/CU18; SQL Server 2017 GDR/CU31; SQL Server 2016 SP3 GDR/Azure Connectivity Pack; SQL Server 2014 SP3 GDR/CU4 |
| CVE-2023-21777 | Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability | Important (8.7) | Local | Low | Low | None | Unproven | Azure App Service on Azure Stack Hub |
| CVE-2023-21778 | Microsoft Dynamics Unified Service Desk Remote Code Execution | Important (8.3) | Network | High | None | Required | Unproven | Microsoft Dynamics 365 Unified Service Desk |
| CVE-2023-21706 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Exchange 2013 CU23; Exchange 2016 CU23; Exchange 2019 CU11, CU12 |
| CVE-2023-21707 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Exchange 2013 CU23; Exchange 2016 CU23; Exchange 2019 CU11, CU12 |
| CVE-2023-21529 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Exchange 2013 CU23; Exchange 2016 CU23; Exchange 2019 CU11, CU12 |
| CVE-2023-21797 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-21798 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-21684 | Microsoft PostScript Printer Driver Remote Code Execution | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-21717 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Foundation 2013 SP1; SharePoint Enterprise Server 2013 SP1; SharePoint Enterprise Server 2016; SharePoint Server 2019; SharePoint Server Subscription Edition |
| CVE-2023-21705 | Microsoft SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SQL Server 2022 GDR; SQL Server 2019 GDR/CU18; SQL Server 2017 GDR/CU31; SQL Server 2016 SP3 GDR/Azure Connectivity Pack; SQL Server 2014 SP3 GDR/CU4 |
| CVE-2023-21713 | Microsoft SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SQL Server 2022 GDR; SQL Server 2019 GDR/CU18; SQL Server 2017 GDR/CU31; SQL Server 2016 SP3 GDR/Azure Connectivity Pack; SQL Server 2014 SP3 GDR/CU4 |
| CVE-2023-21799 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-21685 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-21686 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-21806 | Power BI Report Server Spoofing Vulnerability | Important (8.2) | Network | Low | Low | Required | Unproven | Power BI Report Server – January 2023 |

Enforcing number matching for MFA

As a bonus, I would like to mention that Microsoft will remove the admin controls and enforce number matching for MFA for all users of Microsoft Authenticator push notifications starting February 27, 2023.
It’s highly recommended to enable number matching in a controlled manner, before official Microsoft enforcement.

Please also be aware that number matching is not compatible with NPS. If you are using NPS with the newest version of the NPS extension, it will use OTP instead of the approve/deny notification. The older version of the NPS extension will still work with the current approve/deny method, as long as you don’t change the registry entry below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa\OVERRIDE_NUMBER_MATCHING_WITH_OTP = TRUE

After adding that entry to the registry, a restart of the NPS service is required.
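
The registry check and NPS restart described above, as an added PowerShell example (not from the original post or from Microsoft). It assumes the value is stored as a string (REG_SZ) and that the NPS service is registered as `IAS`; the `-Apply` switch is a name chosen for this example, and without it the script only reports the current state.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

# Key path and value name are the ones quoted in the text above.
$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName  = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'
$NpsService = 'IAS'   # assumption: service name of Network Policy Server

# A missing key suggests the NPS extension is not installed on this host;
# creating it here would only hide that, so stop instead.
if (-not (Test-Path -Path $KeyPath)) {
    Write-Warning "$KeyPath not found; nothing changed."
    return
}

# Read the current value; $null means the value has never been set.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$shown = if ($null -eq $current) { '<not set>' } else { $current }
Write-Output "$ValueName is currently: $shown"

if (-not $Apply) { return }
if ("$current" -eq 'TRUE') {
    Write-Output 'Override already present; no restart needed.'
    return
}

if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set to TRUE and restart NPS')) {
    # Assumption: the extension reads this value as a string (REG_SZ).
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value 'TRUE' `
        -PropertyType String -Force | Out-Null

    # The change takes effect only after the NPS service restarts.
    $svc = Get-Service -Name $NpsService -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "Service '$NpsService' not found; restart NPS manually."
    } else {
        Restart-Service -Name $NpsService
        Write-Output "Restarted $NpsService."
    }
}
```

Running it with `-Apply -WhatIf` shows the intended change without writing to the registry or restarting the service.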

It is also worth considering enabling additional features, such as showing the app name or geo-location in the Microsoft Authenticator app. You can read more here.
