Headline
Microsoft Patch Tuesday April 2023: CLFS EoP, Word RCE, MSMQ QueueJumper RCE, PCL6, DNS, DHCP
Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2023, including vulnerabilities that were added between February and March Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. And this is […]
Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2023, including vulnerabilities that were added between February and March Patch Tuesdays.
As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. And this is the first Patch Tuesday report since I added EPSS support to Vulristics. 😉
Compared to March, Microsoft Patch Tuesday for April 2023 is kind of weak. 🙄
$ cat comments_links.txt
ZDI|The April 2023 Security Update Review|https://www.thezdi.com/blog/2023/4/11/the-april-2023-security-update-review
Qualys|The April 2023 Patch Tuesday Security Update Review|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2023/04/11/microsoft-and-adobe-patch-tuesday-april-2023-security-update-review
$ python3 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "April" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2023
MS PT Month: April
MS PT Date: 2023-04-11
MS PT CVEs found: 97
Ext MS PT Date from: 2023-03-15
Ext MS PT Date to: 2023-04-10
Ext MS PT CVEs found: 26
ALL MS PT CVEs: 123
- All vulnerabilities: 123
- Urgent: 0
- Critical: 2
- High: 61
- Medium: 60
- Low: 0
First, let’s look at two critical vulnerabilities:
- Elevation of Privilege – Windows Common Log File System Driver (CVE-2023-28252). So far, this is the most critical. On successful exploitation, an attacker will gain SYSTEM privileges. Microsoft has mentioned in the advisory that the vulnerability is being exploited in the wild. Cybercriminals have used the vulnerability to deploy Nokoyawa Ransomware. The attacks are happening in South and North America, regions across Asia, and SMBs in the Middle East. There are signs of exploitation in the wild. And there is a Functional Exploit, but it is not yet public. On the other hand, EPSS is unusually low for this vulnerability and there are no rational explanations for this. Apparently this is some kind of bug in EPSS.
- Remote Code Execution – Microsoft Word (CVE-2023-28311). This vulnerability was not highlighted in Qualys, Tenable, Rapid7 reports. However, public exploits have appeared for it. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim’s computer. EPSS is medium.
Now let’s see the most interesting of the rest:
- ****Remote Code Execution**** – Microsoft Message Queuing (CVE-2023-21554). Microsoft Message Queuing Remote Code Execution Vulnerability (QueueJumper) Message Queuing (MSMQ) is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages). The Windows message queuing service needs to be enabled for the system to be exploitable. When enabled, TCP port 1801 will be listening on the host, so blocking this at the perimeter would prevent external attacks. However, it’s not clear what impact this may have on operations. Your best option is to test and deploy the update. EPSS is quite high.
- Remote Code Execution – Windows Pragmatic General Multicast (PGM) (CVE-2023-28250). Pragmatic General Multicast (PGM) is a multicast computer network transport protocol best suited for applications like multi-receiver file transfer. The protocol provides a reliable sequence of packets to multiple recipients simultaneously. The system will be exploitable if the Windows Message Queuing service is enabled. An attacker may send a specially crafted file over the network for remote code execution. The vulnerability is similar to the previous CVE-2023-21554 and also has a high EPSS score.
- Lots of CVEs Remote Code Execution – Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243). Vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution. EPSS is medium.
- Lots of CVEs Remote Code Execution – Windows DNS Server (CVE-2023-28254, CVE-2023-28255, CVE-2023-28256, CVE-2023-28278, CVE-2023-28305, CVE-2023-28306, CVE-2023-28307, CVE-2023-28308). Maybe something will come of it. EPSS is medium.
- Remote Code Execution – DHCP Server Service (CVE-2023-28231). An authenticated attacker may exploit this vulnerability by sending a specially crafted RPC call to the DHCP service. An attacker must gain access to the restricted network before performing the attack for successful exploitation. Microsoft rates this vulnerability as “Exploitation More Likely” according to the Microsoft Exploitability Index. EPSS is low.
In general, prioritization with EPSS is consistent with prioritization without EPSS. Excluding Elevation of Privilege – Windows Common Log File System Driver (CVE-2023-28252). So, oddities can be – keep this in mind.
Full Vulristics report: ms_patch_tuesday_april2023
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Related news
This Metasploit module checks the provided hosts for the CVE-2023-21554 vulnerability by sending a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that overflows the given buffer. On patched systems, the error is caught and no response is sent back. On vulnerable systems, the integer wraps around and depending on the length could cause an out-of-bounds write. In the context of this module a response is sent back, which indicates that the system is vulnerable.
A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host. "A
The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics. "The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023. "Carbanak returned last month through new
A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. This Metasploit module exploit makes use to two different kinds of specially crafted .blf files.
By Deeba Ahmed Researchers at the AI-powered Security solutions provider, FortiGuard Labs, have been monitoring Microsoft Message Queuing (MSMQ) service for… This is a post from HackRead.com Read the original post: Critical Flaws Exposed Microsoft Message Queuing Service to DoS Attacks
Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023. Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderated, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser
A predictable patch cadence is nice, but the software giant can do more.
Hello everyone! This episode and will be about latest news in my Vulristics project. EPSS v3 The third iteration of the Exploit Prediction Scoring System (EPSS) was released in March. It is stated that EPSS has become 82% better. There is a pretty cool and detailed article about the changes. For example, EPSS Team began to analyze not 16 parameters […]
Microsoft Word appears to suffer from a remote code execution vulnerability when a user load a malicious file that reaches out to an attacker-controller server to get a hostile payload.
Microsoft zero-days, dark web forum takedowns and Pentagon leaks on Discord in this week's newsletter.
Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft Tags: Apple Tags: Google Tags: Adobe Tags: Cisco Tags: SAP Tags: Mozilla Tags: CVE-2023-28252 Tags: CVE-2023-28231 Tags: CVE-2023-21554 Tags: Word Tags: Publisher Tags: Office One fixed vulnerability is being actively exploited by a ransomware gang and many others were fixed in this month's Patch Tuesday updates. (Read more...) The post Update now! April’s Patch Tuesday includes a fix for one zero-day appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft Tags: Apple Tags: Google Tags: Adobe Tags: Cisco Tags: SAP Tags: Mozilla Tags: CVE-2023-28252 Tags: CVE-2023-28231 Tags: CVE-2023-21554 Tags: Word Tags: Publisher Tags: Office One fixed vulnerability is being actively exploited by a ransomware gang and many others were fixed in this month's Patch Tuesday updates. (Read more...) The post Update now! April’s Patch Tuesday includes a fix for one zero-day appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft Tags: Apple Tags: Google Tags: Adobe Tags: Cisco Tags: SAP Tags: Mozilla Tags: CVE-2023-28252 Tags: CVE-2023-28231 Tags: CVE-2023-21554 Tags: Word Tags: Publisher Tags: Office One fixed vulnerability is being actively exploited by a ransomware gang and many others were fixed in this month's Patch Tuesday updates. (Read more...) The post Update now! April’s Patch Tuesday includes a fix for one zero-day appeared first on Malwarebytes Labs.
It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild. Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20
It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild. Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20
Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.
Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.
The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.
The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.
The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.
The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.
Microsoft Message Queuing Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft Word Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Windows DNS Server Remote Code Execution Vulnerability
Windows DNS Server Remote Code Execution Vulnerability
Windows DNS Server Remote Code Execution Vulnerability
Windows DNS Server Remote Code Execution Vulnerability
Windows DNS Server Remote Code Execution Vulnerability
Windows DNS Server Remote Code Execution Vulnerability
Windows DNS Server Remote Code Execution Vulnerability
DHCP Server Service Remote Code Execution Vulnerability
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Windows DNS Server Remote Code Execution Vulnerability
Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.
April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.
April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.
April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.