Headline
Microsoft Patch Tuesday March 2023: Outlook EoP, MOTW Bypass, Excel DoS, HTTP/3 RCE, ICMP RCE, RPC RCE
Hello everyone! This episode will be about Microsoft Patch Tuesday for March 2023, including vulnerabilities that were added between February and March Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239119 As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI […]
Hello everyone! This episode will be about Microsoft Patch Tuesday for March 2023, including vulnerabilities that were added between February and March Patch Tuesdays.
Alternative video link (for Russia): https://vk.com/video-149273431_456239119
As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews.
Microsoft Patch Tuesday for March 2023 was quite refreshing. 😈
$ cat comments_links.txt
ZDI|The March 2023 Security Update Review|https://www.thezdi.com/blog/2023/3/14/the-march-2023-security-update-review
Qualys|The March 2023 Patch Tuesday Security Update Review|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2023/03/14/the-march-2023-patch-tuesday-security-update-review
$ python3 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "March" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2023
MS PT Month: March
MS PT Date: 2023-03-14
MS PT CVEs found: 80
Ext MS PT Date from: 2023-02-15
Ext MS PT Date to: 2023-03-13
Ext MS PT CVEs found: 29
ALL MS PT CVEs: 109
- All vulnerabilities: 109
- Urgent: 1
- Critical: 1
- High: 29
- Medium: 78
- Low: 0
Exploitation in the wild or a public exploit
Let’s start with 3 vulnerabilities for which there are signs of exploitation in the wild or a public exploit.
- Elevation of Privilege – Microsoft Outlook (CVE-2023-23397). Although technically a spoofing bug, the result of this vulnerability could be considered to be Authentication Bypass. The vulnerability can be exploited by sending a malicious email to a vulnerable version of Outlook. When the email is processed by the server, a connection to an attacker-controlled device can be established in order to leak the Net-NTLMv2 hash of the email recipient. The attacker can use this hash to authenticate as the victim recipient in an NTLM relay attack. Microsoft notes that this exploitation can occur before the email is viewed in the Preview Pane, meaning no interaction from the victim recipient is needed for a successful attack. The vulnerability was discovered by Microsoft Threat Intelligence, who have detected in-the-wild exploitation and published a blog post describing the issue in detail, and which provides a Microsoft script and accompanying documentation to detect if an asset has been compromised using CVE-2023-23397. There are currently a large number of repositories available on GitHub related to this vulnerability. Some of them contain scripts to exploit this vulnerability.
- Security Feature Bypass – Windows SmartScreen (CVE-2023-24880). The vulnerability allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. MOTW is a Windows feature that protects users from downloading files from unreliable sources. Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB, Microsoft websites. The exploit’s existence is mentioned in Microsoft CVSS Temporal Score (Functional Exploit).
- Denial of Service – Microsoft Excel (CVE-2023-23396). This vulnerability was not highlighted in any of the Patch Tuesday reports. However, a public exploit and a detailed description of this vulnerability appeared last week. For now, it’s still a DoS. But it is quite possible that this vulnerability can be investigated further and become an RCE. Exploitation in the wild is NOT mentioned on Vulners, Microsoft and AttackerKB websites
Potentially very dangerous
Now let’s look at 3 more vulnerabilities without exploits and signs of exploitation in the wild, but potentially very dangerous.
- Remote Code Execution – HTTP Protocol Stack (CVE-2023-23392). The critical severity vulnerability affects Windows 11 Systems and Windows Server 2022. The target system needs to have HTTP/3 enabled (it is disabled by default) and set to use buffered I/O. Exploitation can be performed by a remote, unauthenticated attacker sending a malicious packet to the target server. The code will be executed at SYSTEM level without user interaction. That combination makes this bug wormable.
- Remote Code Execution – ICMP (CVE-2023-23415). ICMP (Internet Control Message Protocol) is an error-reporting protocol that network devices use to generate error messages to the source IP address when network problems prevent delivery of IP packets. The vulnerability lies in the way the operating system handles ICMP packets when an application running on the vulnerable Windows host is bound to a raw socket. Exploitation is performed by sending a malicious fragmented IP packet to a vulnerable target, leading to arbitrary code execution. This is still in theory, but if everything is really so simple, then it will be a disaster. There have been couple of GitHub links for this vulnerability. One is deleted (code 404 error) and the other one is blocked (“Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service”). Whether there were real exploits or rickrolls/malwares, I don’t know. I added both links to Vulristics exclusion list.
- Remote Code Execution – Remote Procedure Call Runtime (CVE-2023-21708, CVE-2023-23405, CVE-2023-24869, CVE-2023-24908). With a specially crafted RPC call to an RPC host, an attacker may exploit this vulnerability. An unauthenticated attacker may exploit this vulnerability to perform remote code execution on the server side with the same privileges as the RPC service. Microsoft recommends blocking TCP port 135 at the perimeter as a mitigation; given the perennial nature of RPC vulnerabilities, defenders will know that this has always been good advice.
Also, I would like to draw your attention to 7 CVEs Remote Code Execution – Microsoft PostScript and PCL6 Class Printer Driver, and Remote Code Execution – TPM2.0 Module Library (CVE-2023-1017).
Full Vulristics report: ms_patch_tuesday_march2023
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Related news
Microsoft Corp. today issued software updates to plug 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.
By Deeba Ahmed Russian hackers, part of Russia’s Main Intelligence Directorate of the General Staff, are using compromised Ubiquiti EdgeRouters to… This is a post from HackRead.com Read the original post: FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide. The attacks, attributed to an "aggressive" hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with
A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.
The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.
By Waqas Forest Blizzard (aka STRONTIUM, APT28, and Fancy Bear) is thought to have affiliations with or support from the Russian military intelligence agency. This is a post from HackRead.com Read the original post: Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/ Three vectors were found that allow the following DOS attacks: - Unbounded memory buffering in the HPACK parser - Unbounded CPU consumption in the HPACK parser The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs: - The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb. - HPACK varints have an encoding quirk whereby an infinite number of 0’s can be added at the start of an integer. gRPC’s hpack parser needed to read all of them before concluding a parse. - gRPC’s metadata overflow check was performed per frame, so ...
Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks. The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
A predictable patch cadence is nice, but the software giant can do more.
An update for libtpms is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-1017: An out-of-bounds write vulnerability was found in the TPM 2.0's Module Library, which allows the writing of 2-byte data after the end of the TPM command. This flaw may lead to a denial of service or arbitrary code execution within the libtpms scope. * CVE-2023-1018: An out-of-bound read vulnerability was found in the TPM 2.0's Module Library, whic...
An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-1017: An out-of-bounds write vulnerability was found in the TPM 2.0's Module Library, which allows the writing of 2-byte data after the end of the TPM command. This flaw may lead to a denial of service or arbitrary code execution within the libtpms scope. * CVE-2023-1018: An out-of-bound read v...
Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability. Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT Lan Manager (NTLM) hashes and stage a relay attack without requiring any user interaction. "External
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The
Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface means almost business user could be a victim.
Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.
Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.
Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.
Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.
Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.
Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.
Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.
Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.
Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.
Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.
Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.
HTTP Protocol Stack Remote Code Execution Vulnerability
Microsoft Outlook Elevation of Privilege Vulnerability
Remote Procedure Call Runtime Remote Code Execution Vulnerability
Windows SmartScreen Security Feature Bypass Vulnerability
Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
Remote Procedure Call Runtime Remote Code Execution Vulnerability
Remote Procedure Call Runtime Remote Code Execution Vulnerability
Remote Procedure Call Runtime Remote Code Execution Vulnerability
Microsoft Excel Denial of Service Vulnerability
May 9, 2023 update: Releases for Microsoft Products has been updated with the release of CVE-2023-29324 - Security Update Guide - Microsoft - Windows MSHTML Platform Security Feature Bypass Vulnerability March 24, 2023 update: Impact Assessment has been updated to a link to Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog.
**How could an attacker exploit this vulnerability?** In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.
**How could an attacker exploit this vulnerability?** To exploit this vulnerability, an unauthenticated attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.
**Is the Preview Pane an attack vector for this vulnerability?** No, the Preview Pane is not an attack vector.
**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.
**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.
**What is the relationship between Mark of the Web and Windows SmartScreen?** When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check. For more information on SmartScreen, please visit Microsoft Defender SmartScreen overview | Microsoft Learn.
**How could an attacker exploit this vulnerability?** An attacker could send a low-level protocol error containing a fragmented IP packet inside another ICMP packet in its header to the target machine. To trigger the vulnerable code path, an application on the target must be bound to a raw socket.
**According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?** An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.
**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.
Ubuntu Security Notice 5933-1 - Francisco Falcon discovered that Libtpms did not properly manage memory when performing certain cryptographic operations. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code. It was discovered that Libtpms did not properly manage memory when handling certain commands. An attacker could possibly use this issue to cause a denial of service.
A pair of serious security defects has been disclosed in the Trusted Platform Module (TPM) 2.0 reference library specification that could potentially lead to information disclosure or privilege escalation. One of the vulnerabilities, CVE-2023-1017, concerns an out-of-bounds write, while the other, CVE-2023-1018, is described as an out-of-bounds read. Credited with discovering and reporting the
An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.