Today’s Patch Tuesday brings us 74 new CVEs which contain 2 zero-days and 8 criticals. Let’s briefly review them!
CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability
The first zero-day should be treated seriously. This bug allows a remote, unauthenticated attacker to access a user’s Net-NTLMv2 hash by sending a specially crafted e-mail which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the e-mail is viewed in the Preview Pane, so disabling that feature won’t be a mitigation. Access to the hash could be used in an NTLM relay attack to impersonate the user, thus effectively bypassing authentication. Deploy the patch ASAP.
Also please be aware that Microsoft released security updates for Exchange, but they did not reference any CVE. It is hard to say whether the Exchange SU is related in any way to this bug, but consider patching your Exchange servers early as well.
CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability
The second zero-day is not that thrilling at first glance. The vulnerability allows attackers to create files that bypass Mark of the Web (MOTW) defenses. Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW. Even though this one is rated quite low (Moderate 5.6), it can be used in phishing attacks, so patch it ASAP on your clients.
CVE-2023-23392 – HTTP Protocol Stack Remote Code Execution Vulnerability
This critical (9.8) bug could allow a remote, unauthenticated attacker to execute code at the SYSTEM level without user interaction, by sending a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. Luckily, the target system needs to have HTTP/3 enabled (which is disabled by default) and set to use buffered I/O, and only Windows 11 and Windows Server 2022 are affected.
How do you check whether HTTP/3 is enabled? Verify the registry values below (if a value exists and is set to "1", the feature is enabled):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp3"=dword:00000001
"EnableAltSvc"=dword:00000001
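As an added example (not part of the original post), the following PowerShell script audits a host for the preconditions described above: the registry values are the ones named in the post, while the build-number threshold (20348 and above covers Windows Server 2022 and Windows 11) is this script's own assumption.

```powershell
# Added example, not from the original post: check whether this host meets the
# preconditions for CVE-2023-23392 (affected OS + HTTP/3 enabled in http.sys).
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-HttpSysSetting {
    param([string]$Name)
    # A missing key or value means the feature is at its default (disabled).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$http3  = Get-HttpSysSetting -Name 'EnableHttp3'
$altSvc = Get-HttpSysSetting -Name 'EnableAltSvc'

# Assumption: build 20348+ means Windows Server 2022 or Windows 11; older
# Windows 10 / Server 2019 builds are below this and are not affected.
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

$report = [pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Build           = $build
    AffectedVersion = ($build -ge 20348)
    EnableHttp3     = if ($null -eq $http3)  { 'absent (default: off)' } else { $http3 }
    EnableAltSvc    = if ($null -eq $altSvc) { 'absent (default: off)' } else { $altSvc }
}
# Exposed only when both conditions from the post hold: affected OS and HTTP/3 on.
$report | Add-Member -NotePropertyName Exposed -NotePropertyValue (($report.AffectedVersion) -and ($http3 -eq 1))

$report | Format-List
# Optional: show which prefixes http.sys is currently serving on this host.
netsh http show servicestate view=requestq | Select-String -Pattern 'URL'
```

Run it elevated on each Windows 11 / Server 2022 host; "Exposed : True" means the patch should go out first there, and even "False" hosts should still be patched, since a later configuration change can flip EnableHttp3 on.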
CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
For this critical (9.8) bug, an attacker could send a low-level protocol error containing a fragmented IP packet inside another ICMP packet in its header to the target machine. To trigger the vulnerable code path, an application on the target must be bound to a raw socket. Not all applications do this, but the likelihood of one being available is high. The only mitigation is to block ICMP.
CVE-2023-21708 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
To exploit this critical (9.8) vulnerability, an unauthenticated attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. We also have 3 similar bugs this month, marked as important (8.1) – CVE-2023-23405, CVE-2023-24908, CVE-2023-24869. All of them are applicable even for Windows Server 2008! Blocking TCP port 135 at the perimeter firewall is a recommended best practice that could reduce the likelihood of some potential attacks against this vulnerability.
CVE-2023-1017 / CVE-2023-1018 – CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability
These two bugs concern vulnerabilities in a third-party driver and seem to be related to TPM and virtualization platforms in general, as the same CVEs were present in other hypervisors as well. By sending malicious TPM commands from a guest VM to a target running Hyper-V, an attacker can cause an out-of-bounds write in the root partition.
CVE-2023-23416 – Windows Cryptographic Services Remote Code Execution Vulnerability
Exploitation is performed by importing a malicious certificate onto a vulnerable target, requiring the attacker to authenticate to the target or entice an authenticated user into importing the malicious certificate. It might be a good idea to patch ASAP on your clients.
CVE-2023-23404 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
This time there is only one bug in PPTP. If you are using VPN connections based on the Point-to-Point Tunneling Protocol, please consider patching soon, as an unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine.
CVE-2023-23411 – Windows Hyper-V Denial of Service Vulnerability
Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. Although the score is only 6.5, it is rated as Critical.
Summary
Below you can see the most important CVEs released by Microsoft for March 2023 (zero-days, criticals, and those with CVSS of at least 8.0). Besides the vulnerabilities already mentioned, you can also find info about bugs in the PostScript and PCL6 Class Printer Driver, Bluetooth, Visual Studio, Azure Service Fabric, and RPC.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability | Important (9.1) | Network | Low | None | None | Exploited | Outlook 2013+ Office 2019 Office LTSC 2021 365 Apps |
CVE-2023-24880 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate (5.4) | Network | Low | None | Required | Exploited | Windows 10+ Windows Server 2016+ |
CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 11 Windows Server 2022 |
CVE-2023-23415 | Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-21708 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-1017 | CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability | Critical (8.8) | Local | Low | Low | None | Unproven | Windows 10+ Windows Server 2016+ |
CVE-2023-1018 | CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability | Critical (8.8) | Local | Low | Low | None | Unproven | Windows 10+ Windows Server 2016+ |
CVE-2023-23416 | Windows Cryptographic Services Remote Code Execution Vulnerability | Critical (8.4) | Local | Low | None | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-23404 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-23411 | Windows Hyper-V Denial of Service Vulnerability | Critical (6.5) | Local | Low | Low | None | Unproven | Windows 10+ Windows Server 2016+ |
CVE-2023-24864 | Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-23403 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-23406 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-23413 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24867 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24907 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24868 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24909 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24872 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24913 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-24876 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Windows Server 2012+ |
CVE-2023-23388 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 10+ Windows Server 2016+ |
CVE-2023-24871 | Windows Bluetooth Service Remote Code Execution Vulnerability | Important (8.8) | Adjacent | Low | None | None | Unproven | Windows 10+ Windows Server 2022 |
CVE-2023-23618 | GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability | Important (8.6) | – | – | – | – | Unproven | Visual Studio 2017 version 15.9- Visual Studio 2019 version 16.11- Visual Studio 2022 version 17.5- |
CVE-2023-23383 | Service Fabric Explorer Spoofing Vulnerability | Important (8.2) | Network | High | None | Required | Unproven | Azure Service Fabric 9.1 for Windows Azure Service Fabric 9.1 for Ubuntu |
CVE-2023-23405 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-24908 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows 10+ Windows Server 2008+ |
CVE-2023-24869 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows 10+ Windows Server 2008+ |