Microsoft Patch Tuesday – May 2023

This month, Microsoft has fixed 38 vulnerabilities, including 3 zero-days and 5 other critical ones. Let’s briefly review them!

CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability

The first CVE is exploited in the wild. As usual, we don’t have detailed information about the vulnerability; we only know that an attacker can elevate to SYSTEM privileges, which would allow them to completely take over a target system. Definitely patch ASAP.

CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability

This one is not exploited yet, but a PoC is available. When you see an OLE bug, you think Outlook – so this bug might be used in an email attack scenario. This vulnerability allows an attacker to execute their code on an affected system by sending a specially crafted RTF email. The Preview Pane is an attack vector, so a target doesn’t even need to open the crafted message.
As a workaround, Microsoft proposes reading email messages in plain text format, which is not at all a user-friendly solution. So, patch ASAP.
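If you need to roll out the plain-text workaround while patching is in progress, the script below audits, and optionally applies, the setting for the current user. This is an added example, not code from the original post or from Microsoft; it assumes an Outlook version stored under the 16.0 registry path (Outlook 2016/2019/Microsoft 365) and uses the ReadAsPlain registry value that Microsoft documents for the "read all standard mail in plain text" option.

```powershell
# Added example (not from the original post): audit and optionally apply the
# "read all mail as plain text" workaround for CVE-2023-29325 for the current user.
# Assumptions: Outlook registry path version 16.0 (adjust -OfficeVersion for older
# releases); ReadAsPlain is the documented value name for this option.
param(
    [switch]$Apply,
    [string]$OfficeVersion = "16.0"
)

$KeyPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
$ValueName = "ReadAsPlain"

function Get-ReadAsPlainState {
    # Reports the current state without changing anything.
    if (-not (Test-Path $KeyPath)) {
        return "key missing (Outlook profile never opened?)"
    }
    $v = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return "not set (HTML/RTF rendering active)" }
    if ($v.$ValueName -eq 1) { return "enabled (messages rendered as plain text)" }
    return "disabled (value $($v.$ValueName))"
}

Write-Host "Before: $(Get-ReadAsPlainState)"

if ($Apply) {
    # Create the key if Outlook has not written it yet, then set the DWORD to 1.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "After:  $(Get-ReadAsPlainState)"
}
```

Run it without parameters to audit, or with -Apply to enforce the workaround; Outlook must be restarted for the change to take effect. For a fleet, the same value is better pushed through Group Policy than through per-user scripts, and it should be reverted once the May update is installed everywhere.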

CVE-2023-24932 – Secure Boot Security Feature Bypass Vulnerability

This vulnerability allows an attacker to execute self-signed code at the UEFI level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.
The security update addresses the vulnerability by updating the Windows Boot Manager, but the protection is not enabled by default, because it could cause disruption and prevent a system from starting up. To fully implement it you need to update bootable media and apply revocations before enabling this update. Microsoft decided to split this patch into several phases, which will end in Q1 2024, when the fix will be enabled by default and boot manager revocations will be enforced on all Windows devices.

CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability

This vulnerability is similar to CVE-2022-30136 published in June 2022. The NFS role isn’t enabled by default on Windows Servers, but if your environment is a mix of Linux/Unix/Windows, please double-check whether NFS is enabled on your systems. Prior to installing the Windows update that protects against this vulnerability, you can mitigate an attack by disabling NFSv4.1 (but please ensure you have installed the May 2022 updates, which address CVE-2022-26937 – a Critical vulnerability in NFSV2.0 and NFSV3.0).

Possible mitigation (PowerShell commands):

# disable NFSv4 (restart NFS server needed afterward)
Set-NfsServerConfiguration -EnableNFSV4 $false

# restart NFS server
nfsadmin server stop
nfsadmin server start

# check that the output shows "EnableNFSV4 : False"
Get-NfsServerConfiguration

# re-enable NFSv4 after patching (restart NFS server needed afterward)
Set-NfsServerConfiguration -EnableNFSV4 $True

To find NFS instances in your domain you can use a PowerShell script like the one below (it needs the ActiveDirectory and ServerManager modules and an account allowed to query the remote servers):

# query AD for all enabled computer objects running a server OS
$Computers = Get-ADComputer -Filter 'OperatingSystem -like "*server*" -and Enabled -eq "True"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property OperatingSystem |
Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address

# for every server, collect the NFS-related features that are actually installed
$CSV =
Foreach ($Computer in $Computers){
    $NFS =
    Get-WindowsFeature *NFS* -ComputerName $Computer.Name |
    Where-Object {$_.InstallState -eq "Installed"}

    # one row per server; "-" means no NFS feature installed
    [pscustomobject]@{
        ComputerName = $Computer.Name
        NFSInfo      = if($NFS){$NFS.Name  -join ";"}else{"-"}
    }
}

# export the inventory for review
$CSV |
Export-Csv "C:\Temp\NFS_status.csv" -notypeinformation

CVE-2023-24943 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

Similar to CVE-2023-28250 from last month – a remote, unauthenticated attacker can run their code with elevated privileges on affected servers with the Message Queuing service enabled.
As only the PGM server is vulnerable, Microsoft recommends customers deploy newer technologies such as Unicast or Multicast server. Blocking TCP port 1801 at the perimeter might also be a good idea.
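To see whether a given server is exposed at all, and to add a host-level block for TCP 1801 as a complement to the perimeter block mentioned above, a script like the following can be used. This is an added example, not code from the original post or from Microsoft; it assumes an elevated session on Windows Server with the ServerManager and NetSecurity modules, and that the feature identifiers MSMQ-Server and MSMQ-Multicasting are the ones used on your Windows Server release.

```powershell
# Added example (not from the original post): inventory Message Queuing / PGM
# exposure on a Windows Server and optionally add a host firewall rule that blocks
# inbound TCP 1801 (the MSMQ port the post suggests blocking at the perimeter).
# Assumptions: elevated session, Windows Server, ServerManager + NetSecurity modules,
# feature names MSMQ-Server and MSMQ-Multicasting.
param([switch]$BlockPort)

$Result = [ordered]@{}

# 1. Is Message Queuing installed, and is the multicast (PGM) component present?
$Msmq = Get-WindowsFeature -Name MSMQ-Server, MSMQ-Multicasting -ErrorAction SilentlyContinue
foreach ($f in $Msmq) { $Result[$f.Name] = $f.InstallState }

# 2. Is the MSMQ service present and running?
$Svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$Result["MSMQ service"] = if ($Svc) { $Svc.Status } else { "absent" }

# 3. Is any process listening on TCP 1801 right now?
$Listen = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$Result["TCP 1801 listener"] = if ($Listen) {
    ($Listen | ForEach-Object { (Get-Process -Id $_.OwningProcess).ProcessName } |
        Select-Object -Unique) -join ","
} else { "none" }

# 4. Does a block rule for 1801 already exist?
$RuleName = "Block inbound MSMQ TCP 1801 (CVE-2023-24943 mitigation)"
$Existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$Result["Firewall block rule"] = if ($Existing) { "present" } else { "missing" }

[pscustomobject]$Result | Format-List

# Only create the rule when asked for and when it is not there yet.
if ($BlockPort -and -not $Existing) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 1801 -Action Block -Profile Any | Out-Null
    Write-Host "Added firewall rule: $RuleName"
}
```

Run it without parameters for a read-only report, and with -BlockPort on servers that do not need MSMQ from the network. Keep in mind that the rule breaks legitimate MSMQ clients, and that PGM itself is a separate IP protocol (113) rather than a TCP service, so this is a reduction of exposure, not a substitute for installing the update or removing the multicast component.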

CVE-2023-28283 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

This critical bug in LDAP can be exploited by an unauthenticated attacker by sending a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account.

CVE-2023-24903 – Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

This critical-rated bug (8.1) could allow an unauthenticated attacker to achieve remote code execution on the SSTP server by sending a specially crafted malicious SSTP packet. As you can guess, it’s connected with RAS servers, like in January.

CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability

And the last critical is a SharePoint bug, which requires the attacker to authenticate as Site Owner to run code on the SharePoint Server host. Due to the low complexity of the attack, exploitation is more likely. SharePoint Server 2016, 2019, and Subscription Edition are all vulnerable. If you are still using SharePoint Server 2013 you should upgrade immediately, as May 2023 is the first Patch Tuesday after the end of extended security updates, which might mean that 2013 is vulnerable as well!

Summary

Below you can see the most important CVEs released by Microsoft in May 2023 (zero-days, criticals, and those with CVSS at least 8.0). Besides the vulnerabilities already mentioned, you can also find info about a bug in the Bluetooth driver.

| CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 10; Windows Server 2008-2016 |
| CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | PoC | Windows 10+; Windows Server 2008+ |
| CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | Important (6.7) | Local | Low | High | None | PoC | Windows 10+; Windows Server 2008+ |
| CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows Server 2012+ |
| CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical (7.2) | Network | Low | High | None | Unproven | SharePoint Enterprise Server 2016; SharePoint Server 2019; SharePoint Server Subscription Edition |
| CVE-2023-24947 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important (8.8) | Adjacent | Low | None | None | Unproven | Windows 10; Windows Server 2016-2019 |
