Microsoft Patch Tuesday: Two Actively Exploited 0-Days & 9 Critical CVEs
Microsoft's latest Patch Tuesday rollout for March 2023 has included a staggering 80 security patches, with nine vulnerabilities being labeled as Critical.
Two zero-day vulnerabilities have also been reported, which are being actively exploited and we will cover them in detail later in this article.
The first of these zero-day vulnerabilities is a Critical elevation of privilege issue within Microsoft Outlook (CVE-2023-23397), while the second is a Moderate security feature bypass within Windows SmartScreen (CVE-2023-24880).
The leading risk type this month is remote code execution, accounting for 40% of all vulnerabilities, which is a decrease from February 2023. Elevation of privilege has increased to 31% from last month's 16%, and information disclosure is at 22%, which is a significant increase from the 10% in February.
"These statistics emphasize the need for organizations to implement a comprehensive MDR solution to detect and respond to these types of vulnerabilities promptly. A fine MDR should also have a ready-to-go Incident Response team such as the one we grew internally. Relying on on-demand IR being randomly picked by insurance companies can potentially increase the recovery from a major breach", said Ido Naor, CEO of Security Joes.
This month's Patch Tuesday has affected Microsoft Windows the most, with 56 patches being released, followed by Extended Support Updates (20) and the Microsoft Office product family (10).
"It is essential for organizations to have a robust security solutions that can cover all these affected products and ensure they are protected against any possible attacks. Malware authors are quick to incorporate those into their arsenal.", COO Alon Blatt added today.
Let's delve into the actively exploited zero-day vulnerabilities. The first zero-day vulnerability, CVE-2023-23397, is a Critical vulnerability that affects Microsoft Outlook. This flaw can enable an external attacker to send a specially crafted email, which can cause a connection from the victim to an external location under the attacker's control. This connection can leak the victim's Net-NTLMv2 hash to the attacker, who can then relay it to another service and authenticate as the victim.
The second zero-day vulnerability, CVE-2023-24880, is a Moderate vulnerability affecting Windows SmartScreen. An attacker can create a malicious file that can evade Mark of the Web (MOTW) defenses, resulting in limited loss of integrity and availability of security features like Protected View in Microsoft Office that rely on MOTW tagging. Microsoft explains that when a user downloads a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. When the user runs the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates that the file was downloaded from the internet, the SmartScreen performs a reputation check.
These vulnerabilities could potentially cause significant disruption and loss of data, highlighting the importance of having a comprehensive IR plan in place to minimize the impact of an attack.
List of critical vulnerabilities
Critical Vulnerability affecting Remote Procedure Call (RPC)
CVE-2023-21708, a RCE vulnerability affecting Remote Procedure Call (RPC) and rated as Critical, could result in remote code execution on the server side with the same permissions as the running RPC service itself. Microsoft deems this as “less likely exploitable.”
Critical Vulnerability in the HTTP Protocol Stack
CVE-2023-23392, a RCE vulnerability affecting the HTTP Protocol Stack in Windows 11 and Windows Server 2022, is rated as Critical. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.
Critical Vulnerability in Internet Control Message Protocol (ICMP)
CVE-2023-23415, a RCE vulnerability affecting Internet Control Message Protocol (ICMP), is rated as Critical. An attacker could send a low-level protocol error containing a fragmented IP packet inside another ICMP packet in its header to the target machine. To trigger the vulnerable code path, an application on the target must be bound to a raw socket.
Critical Vulnerabilities affecting the Trusted Platform Module (TPM) Module Library
CVE-2023-1017 and CVE-2023-1018, rated as Critical, are vulnerabilities affecting the TPM2.0 Module Library. An out-of-bounds write vulnerability allows the writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.
Critical Vulnerability in Windows Cryptographic Services
CVE-2023-23416, a RCE vulnerability affecting Windows Cryptographic Services, is rated as Critical and marked as “less likely exploitable” by Microsoft, due to the complexity of the attack vector. For successful exploitation, a malicious certificate needs to be imported on an affected system. An attacker could upload a certificate to a service that processes or imports certificates, or an attacker could convince an authenticated user to import a certificate on their system.
Critical Vulnerability in Windows Point-to-Point Tunneling Protocol
CVE-2023-23404, a RCE vulnerability affecting the P2P Tunneling Protocol, is rated as Critical. An unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS), which could lead to remote code execution (RCE) on the RAS machine. Microsoft marked it as “less likely exploitable” as it requires the attacker to win a race condition.
Critical Vulnerability in Windows Hyper-V
CVE-2023-23411, a Denial of Service vulnerability affecting Windows Hyper-V, is rated as Critical. Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. Marked as “less likely exploitable” by Microsoft.
Remote Procedure Call (RPC) Remote Code Execution
HTTP Protocol Stack Remote Code Execution
Internet Control Message Protocol (ICMP) Remote Code Execution
TPM 2.0 Module Library Elevation of Privilege Vulnerability
TPM 2.0 Module Library Elevation of Privilege Vulnerability
Windows Cryptographic Services Remote Code Execution
Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Windows Hyper-V Denial of ServiceFigure 4
As past experience have taught us, with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patches are being released and no protocol or workaround exists. Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.