Security
Headlines
HeadlinesLatestCVEs

Headline

Microsoft Patch Tuesday January 2023: ALPC EoP, Win Backup EoP, LocalPotato, Exchange, Remote RCEs

Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2023, including vulnerabilities that were added between December and January Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239115 As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Nessus, Rapid7 and ZDI […]

Alexander V. Leonov
#vulnerability#web#windows#microsoft#git#rce#ldap#auth#chrome#blog

Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2023, including vulnerabilities that were added between December and January Patch Tuesdays.

Alternative video link (for Russia): https://vk.com/video-149273431_456239115

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Nessus, Rapid7 and ZDI Patch Tuesday reviews.

$ cat comments_links.txt 
Qualys|The January 2023 Patch Tuesday Security Update Review|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2023/01/10/the-january-2023-patch-tuesday-security-update-review
ZDI|THE JANUARY 2023 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2023/1/10/the-january-2023-security-update-review

$ python3.8 process_classify_ms_products.py  # Automated classifier for Microsoft products

$ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "January" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2023
MS PT Month: January
MS PT Date: 2023-01-10
MS PT CVEs found: 98
Ext MS PT Date from: 2022-12-14
Ext MS PT Date to: 2023-01-09
Ext MS PT CVEs found: 5
ALL MS PT CVEs: 103
Qualys query: January 2023 Patch Tuesday
...
  • All vulnerabilities: 103
  • Urgent: 0
  • Critical: 1
  • High: 44
  • Medium: 58
  • Low: 0

This time there was one vulnerability with a sign of exploitation in the wild:

Elevation of Privilege – Windows Advanced Local Procedure Call (ALPC) (CVE-2023-21674). The vulnerability exists in the Advanced Local Procedure Call (ALPC) functionality. ALPC is a message passing utility in Windows operating systems. When exploited, an attacker can leverage the vulnerability to break out of the sandbox in Chromium and gain kernel-level execution privileges. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB, Microsoft websites. The existence of the exploit is mentioned in Microsoft CVSS Temporal Score (Functional Exploit).

For one more vulnerability, there is a public exploit on GitHub:

Elevation of Privilege – Windows Backup Service (CVE-2023-21752). Not much is known about this vulnerability. According to Microsoft’s description, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable. This vulnerability was not highlighted in any of the reviews released by VM vendors. However, on January 11, a well-known researcher Filip Dragovic Wh04m1001 released two public PoCs on GitHub. The first PoC can delete any file, the second one launches a shell with elevated privileges.

For one more vulnerability, there is no public exploit yet, but the researchers promise to publish it within 30 days:

Elevation of Privilege – Windows NTLM (CVE-2023-21746). Successful exploitation would allow an attacker to gain SYSTEM privileges. The vulnerability was disclosed by Andrea Pierini with Semperis and Antonio Cocomazzi with Sentinel One. They named it LocalPotato and created site for it. So it is likely that the PoC will be publicly available pretty soon.

Now let’s talk about other vulnerabilities for which there are no public exploits and signs of exploitation in the wild. It makes sense to pay attention to the following:

  1. Elevation of Privilege – Microsoft Exchange (CVE-2023-21763, CVE-2023-21764). This vulnerability arises from failing to patch a previously identified issue, designated as CVE-2022-41123 (November Patch Tuesday). Thanks to the use of a hard-coded path, a local attacker could load their own DLL and execute code at the level of SYSTEM. With Exchange, you can never say that a vulnerability will not be used in a dangerous attack (like ProxyShell or ProxyNotShell), it is better to carefully fix all Exchange vulnerabilities This also applies to Information Disclosure – Microsoft Exchange (CVE-2023-21761) and Spoofing – Microsoft Exchange (CVE-2023-21745).
  2. Remote Code Execution in various protocols Windows Lightweight Directory Access Protocol (LDAP) (CVE-2023-21676), Windows Authentication (CVE-2023-21539), Windows Layer 2 Tunneling Protocol (L2TP) ( 5 CVEs: CVE-2023-21679, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556, CVE-2023-21543), Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2023-21535, CVE-2023-21548). All vulnerabilities with network access vector. Little is known about these vulnerabilities. But if any of these vulnerabilities turn out to be exploitable, it could be very serious.

Also I would like to mention that Windows 8.1 reached end of support on January 10, 2023, at which point technical assistance and software updates will no longer be provided. Also after 10 years of support and 3 additional years extended support, Windows Server 2008/2008R2 Extended Security Updates (ESUs) program has ended. As well as Windows 7 Extended Security Updates program. A good reason to check your infrastructure for such legacy hosts and try to get rid of them.

Full Vulristics report: ms_patch_tuesday_january2023

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Related news

Avast Threat Report: Consumers Plagued With Refund Fraud, Tech Support Scams, and Adware

Avast researchers also discovered and reported two zero-day vulnerabilities, and observed the spread of information-stealing malware, remote access trojans, and botnets.

Update now! Patch Tuesday January 2023 includes one actively exploited vulnerability

Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: CVE-2023-21674 Tags: APLC Tags: CVE-2023-21743 Tags: Sharepoint Tags: CVE-2023-21563 Tags: BitLocker The second Tuesday of the year brings us many updates, including one for an actively exploited vulnerability that could lead to elevation of privileges (Read more...) The post Update now! Patch Tuesday January 2023 includes one actively exploited vulnerability appeared first on Malwarebytes Labs.

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

98 Patches: Microsoft Greets New Year With Zero-Day Security Fixes

Microsoft's January 2023 Patch Tuesday security update contains fixes for bugs in multiple products. Here's what you need to patch now.

Microsoft Patch Tuesday, January 2023 Edition

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

Microsoft Patch Tuesday, January 2023 Edition

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

CVE-2023-21556

Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21543, CVE-2023-21546, CVE-2023-21555, CVE-2023-21679.

CVE-2023-21763

Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21764.

CVE-2023-21764

Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2023-21763.

CVE-2023-21761

Microsoft Exchange Server Information Disclosure Vulnerability.

CVE-2023-21745

Microsoft Exchange Server Spoofing Vulnerability. This CVE ID is unique from CVE-2023-21762.

CVE-2023-21674

Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability.

CVE-2023-21539

Windows Authentication Remote Code Execution Vulnerability.

CVE-2023-21543

Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21546, CVE-2023-21555, CVE-2023-21556, CVE-2023-21679.

CVE-2023-21546

Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21543, CVE-2023-21555, CVE-2023-21556, CVE-2023-21679.

CVE-2023-21548

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21535.

CVE-2023-21555

Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21543, CVE-2023-21546, CVE-2023-21556, CVE-2023-21679.

CVE-2023-21535

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2023-21548.

Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

CVE-2022-41123

Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-41080.

CVE-2022-41123

Microsoft Exchange Server Elevation of Privilege Vulnerability