Microsoft Patch Tuesday – March 2023

Today’s Patch Tuesday brings us 74 new CVEs, including 2 zero-days and 8 criticals. Let’s briefly review them!

CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability

The first zero-day should be treated seriously. This bug allows a remote, unauthenticated attacker to obtain a user’s Net-NTLMv2 hash by sending a specially crafted e-mail that is triggered automatically when the Outlook client retrieves and processes it. Exploitation can therefore happen BEFORE the e-mail is viewed in the Preview Pane, so disabling that feature is not a mitigation. The hash could then be used in an NTLM relay attack to impersonate the user, effectively bypassing authentication. Deploy the patch ASAP.

Also be aware that Microsoft released security updates for Exchange but did not tie them to any CVE. It is hard to say whether the Exchange SU is related in any way to this bug, but consider patching your Exchange servers early as well.

CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability

The second zero-day is less thrilling at first glance. The vulnerability allows attackers to create files that bypass Mark of the Web (MOTW) defenses; protective measures such as SmartScreen and Protected View in Microsoft Office rely on MOTW. Even though it is rated quite low (Moderate 5.6), it can be used in phishing attacks, so patch it ASAP on your clients.

CVE-2023-23392 – HTTP Protocol Stack Remote Code Execution Vulnerability

This critical (9.8) bug could allow a remote, unauthenticated attacker to execute code at the SYSTEM level without user interaction by sending a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets. Luckily, the target system needs to have HTTP/3 enabled (it is disabled by default) and set to use buffered I/O, and only Windows 11 and Windows Server 2022 are affected.

How do you check whether HTTP/3 is enabled? Look at the registry values below (HTTP/3 is enabled if the value exists and is set to 1):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp3"=dword:00000001
"EnableAltSvc"=dword:00000001
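The following PowerShell script is an added example (not from the original post) that turns the registry check above into a per-host report for CVE-2023-23392. It assumes the registry path and value names given in the post; the OS check is a heuristic on build numbers (Windows 11 is build 22000 or later, Windows Server 2022 is build 20348), and the "buffered I/O" precondition is not checked because the post gives no registry value for it.

```powershell
# Added example, not from the original post: report whether this host is in scope for
# CVE-2023-23392 using the two HTTP.sys registry values the post lists.
# Assumptions: OS scope is a build-number heuristic (Windows 11 >= 22000,
# Windows Server 2022 = 20348); the "buffered I/O" precondition has no documented
# registry value in the post, so it is not checked here.

$ParametersPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysDword {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value is absent; the post treats absence as "disabled".
    $item = Get-ItemProperty -Path $ParametersPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-Http3Exposure {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Only Windows 11 and Windows Server 2022 are affected according to the post.
    $affectedOs = ($build -ge 22000) -or ($build -eq 20348)

    $http3  = Get-HttpSysDword -Name 'EnableHttp3'
    $altSvc = Get-HttpSysDword -Name 'EnableAltSvc'

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $os.Caption
        Build        = $build
        AffectedOS   = $affectedOs
        EnableHttp3  = if ($null -eq $http3)  { 'absent (disabled)' } else { $http3 }
        EnableAltSvc = if ($null -eq $altSvc) { 'absent (disabled)' } else { $altSvc }
        # Exposed only when the OS is in scope AND HTTP/3 has been switched on.
        Exposed      = $affectedOs -and ($http3 -eq 1)
    }
}

Test-Http3Exposure | Format-List
```

Run it on the servers you manage and prioritise the patch for any host where Exposed is True.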

CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

For this critical (9.8) bug, an attacker could send a low-level protocol error containing a fragmented IP packet inside another ICMP packet in its header to the target machine. To trigger the vulnerable code path, an application on the target must be bound to a raw socket. Not all applications do this, but the likelihood of one being available is high. The only mitigation is to block ICMP.

CVE-2023-21708 – Remote Procedure Call Runtime Remote Code Execution Vulnerability

To exploit this critical (9.8) vulnerability, an unauthenticated attacker would need to send a specially crafted RPC call to an RPC host, which could result in remote code execution on the server side with the same permissions as the RPC service. There are also 3 similar bugs this month rated Important (8.1): CVE-2023-23405, CVE-2023-24908 and CVE-2023-24869. All of them apply even to Windows Server 2008! Blocking TCP port 135 at the perimeter firewall is a recommended best practice that could reduce the likelihood of some potential attacks against this vulnerability.

CVE-2023-1017 / CVE-2023-1018 – CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability

These 2 bugs concern vulnerabilities in a third-party driver and seem to be related to TPM and virtualization platforms in general, as the same CVEs were present in other hypervisors as well. By sending malicious TPM commands from a guest VM to a host running Hyper-V, an attacker can cause an out-of-bounds write in the root partition.

CVE-2023-23416 – Windows Cryptographic Services Remote Code Execution Vulnerability

Exploitation is performed by importing a malicious certificate onto a vulnerable target, which requires the attacker either to authenticate to the target or to entice an authenticated user into importing the malicious certificate. It might be a good idea to patch ASAP on your clients.

CVE-2023-23404 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

This time there is only one bug in the PPTP protocol. If you use VPN connections based on the Point-to-Point Tunneling Protocol, please consider patching soon, as an unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine.

CVE-2023-23411 – Windows Hyper-V Denial of Service Vulnerability

Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. Although the score is only 6.5, it is rated as Critical.

Summary

Below you can see the most important CVEs released by Microsoft for March 2023 (zero-days, criticals, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find info about bugs in the PostScript and PCL6 Class Printer Driver, Bluetooth, Visual Studio, Azure Service Fabric, and RPC.

| CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability | Important (9.1) | Network | Low | None | None | Exploited | Outlook 2013+; Office 2019; Office LTSC 2021; 365 Apps |
| CVE-2023-24880 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate (5.4) | Network | Low | None | Required | Exploited | Windows 10+; Windows Server 2016+ |
| CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 11; Windows Server 2022 |
| CVE-2023-23415 | Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-21708 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-1017 | CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability | Critical (8.8) | Local | Low | Low | None | Unproven | Windows 10+; Windows Server 2016+ |
| CVE-2023-1018 | CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability | Critical (8.8) | Local | Low | Low | None | Unproven | Windows 10+; Windows Server 2016+ |
| CVE-2023-23416 | Windows Cryptographic Services Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-23404 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-23411 | Windows Hyper-V Denial of Service Vulnerability | Critical (6.5) | Local | Low | Low | None | Unproven | Windows 10+; Windows Server 2016+ |
| CVE-2023-24864 | Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-23403 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-23406 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-23413 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-24867 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-24907 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-24868 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-24909 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-24872 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-24913 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-24876 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-23388 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 10+; Windows Server 2016+ |
| CVE-2023-24871 | Windows Bluetooth Service Remote Code Execution Vulnerability | Important (8.8) | Adjacent | Low | None | None | Unproven | Windows 10+; Windows Server 2022 |
| CVE-2023-23618 | GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability | Important (8.6) | | | | | Unproven | Visual Studio 2017 version 15.9-; Visual Studio 2019 version 16.11-; Visual Studio 2022 version 17.5- |
| CVE-2023-23383 | Service Fabric Explorer Spoofing Vulnerability | Important (8.2) | Network | High | None | Required | Unproven | Azure Service Fabric 9.1 for Windows; Azure Service Fabric 9.1 for Ubuntu |
| CVE-2023-23405 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-24908 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-24869 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
