Incorrect default permissions in the Intel(R) SCS Add-on software installer for Microsoft SCCM all versions may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® SCS Add-on Software Installer Advisory**

**Summary: **

A potential security vulnerability in the Intel® Setup and Configuration Software (SCS) Add-on software installer for Microsoft System Center Configuration Manager (SCCM) may allow escalation of privilege. Intel is not releasing updates to mitigate this potential vulnerability and has issued a Product Discontinuation Notice for Intel® SCS Add-on software for Microsoft SCCM.

**Vulnerability Details:**

CVEID: CVE-2023-22440

Description: Incorrect default permissions in the Intel(R) SCS Add-on software installer for Microsoft SCCM all versions may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® SCS Add-on software installer for Microsoft SCCM all versions.

**Recommendations:**

Intel has issued a Product Discontinuation notice for Intel® SCS Add-on software for Microsoft SCCM and recommends that users of the Intel® SCS Add-on software for Microsoft SCCM to uninstall it or discontinue use at their earliest convenience.

**Acknowledgements:**

Intel would like to thank Falcon Corruption @falconCorrup for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/09/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries United States and other countries.  Other names and brands may be claimed as the property of others.

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2023-22440: INTEL-SA-00832

Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx.
Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors.
The Romanian cybersecurity firm said it first detected the

Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed **DownEx**.

Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors.

The Romanian cybersecurity firm said it first detected the malware in a highly targeted attack aimed at foreign government institutions in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan.

The use of a diplomat-themed lure document and the campaign's focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit remains indeterminate at this stage.

The initial intrusion vector for the campaign is suspected to be a spear-phishing email bearing a booby-trapped payload, which is a loader executable that masquerades as a Microsoft Word file.

Opening the attachment leads to the extraction of two files, including a decoy document that's displayed to the victim while a malicious HTML application (.HTA) with embedded VBScript code runs in the background.

The HTA file, for its part, is designed to establish contact with a remote command-and-control (C2) server to retrieve a next-stage payload. While the exact nature of the malware is not unknown, it's said to be a backdoor to establish persistence.

The attacks are also notable for employing a variety of custom tools for carrying out post-exploitation activities. This includes -

*   Two C/C++-based binaries (wnet.exe and utility.exe) to enumerate all the resources on a network,
*   A Python script (help.py) to establish an infinite communication loop with the C2 server and receive instructions to steal files with certain extensions, delete files created by other malware, and capture screenshots, and
*   A C++-based malware (diagsvc.exe aka DownEx) that's chiefly designed to exfiltrate files to the C2 server

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Two other variants of DownEx have also been earthed, the first of which executes an intermediate VBScript to harvest and transmit the files in the form of a ZIP archive.

The other version, which is downloaded via a VBE script (slmgr.vbe) from a remote server, eschews C++ for VBScript, but retains the same functionality as the former.

"This is a fileless attack – the DownEx script is executed in memory and never touches the disk," Bitdefender said. "This attack highlights the sophistication of a modern cyberattack. Cybercriminals are finding new methods for making their attacks more reliable."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Sophisticated DownEx Malware Campaign Targeting Central Asian Governments

Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

Wednesday, May 10, 2023 08:05

*   A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
*   Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page. This makes Greatness particularly well-suited for phishing business users.
*   An analysis of the domains targeted in several ongoing and past campaigns revealed the victims were almost exclusively companies in the U.S., U.K., Australia, South Africa, and Canada, and the most commonly targeted sectors were manufacturing, health care and technology. The exact distribution of victims in each country and sector varies slightly between campaigns.
*   To use Greatness, affiliates must deploy and configure a provided phishing kit with an API key that allows even unskilled threat actors to easily take advantage of the service’s more advanced features. The phishing kit and API work as a proxy to the Microsoft 365 authentication system, performing a “man-in-the-middle” attack and stealing the victim’s authentication credentials or cookies.

**Activity and victimology**

Greatness seems to have started operating in mid-2022 and, based on the number of attachment samples available on VirusTotal, there were spikes in activity in December 2022 and March 2023.

Number of attachment samples found on VirusTotal

Although each campaign had a slightly different geographic focus, collectively, over 50 percent of all targets were based in the U.S. The next most-targeted countries are the U.K., Australia, South Africa and Canada.

Geographical distribution of targeted organizations

Greatness is designed to compromise Microsoft 365 users and can make phishing pages especially convincing and effective against businesses. Based on the data Cisco Talos obtained, Greatness affiliates target almost exclusively businesses. An analysis of the targeted organizations across several campaigns shows that manufacturing was the most targeted sector, followed by health care, technology and real estate.

Distribution of targeted organizations by sector

**The attack flow**

The attack starts when the victim receives a malicious email, which typically contains an HTML file as an attachment and, under the pretext of a shared document, leads the victim to open the HTML page.

Once the victim opens the attached HTML file, the web browser executes a short piece of obfuscated JavaScript code that establishes a connection to the attacker's server to obtain the phishing page HTML code and display it to the user in the same browser window. This code contains a blurred image that shows a spinning wheel, pretending to load the document.

_Blurred attached document decoy._

The page then redirects the victim to a Microsoft 365 login page, usually pre-filled with the victim’s email address, and the custom background and logo used by their company. In the following example, for privacy reasons, we manually replaced the real victim’s email address, background image and company logo on an actual phishing sample with fake Talos data, to show what it looks like.  

_Example of a screen asking the targeted victim for a password._

Once the victim submits their password, the PaaS will connect to Microsoft 365, impersonate the victim and attempt to log in. If MFA is used, the service will prompt the victim to authenticate using the MFA method requested by the real Microsoft 365 page (e.g., SMS code, voice call code, push notification).

__Example of a page asking the victim to enter an MFA code.__

Once the service receives the MFA, it will continue to impersonate the victim behind the scenes and complete the login process to collect the authenticated session cookies. These will then be delivered to the service affiliate on their Telegram channel or directly through the web panel.

**The phishing service**

The service consists of three components: a phishing kit (which contains the admin panel), the service API and a Telegram bot or email address.

Graph of PaaS communication flow

The phishing kit, the service component delivered to affiliates and deployed on a server controlled by them, is the only part of the service the victim connects to. The kit delivers the HTML/JavaScript code for each step of the attack. The kit communicates with the PaaS API service in the background, forwarding the credentials received from the victim and receiving information on what page it should deliver to the victim at each step of the attack. As the victim submits their credentials to the kit, it stores them locally so they can be accessed via the administrative panel and, if configured to do so, sends them to the affiliate’s Telegram channel.

The phishing kit contains an administration panel that allows the affiliate to configure the service API key and Telegram bot and keep track of stolen credentials. The following images show an example of the administration panel login page and dashboard.

Phishing kit administrative panel login page

Phishing kit administrative panel dashboard

The administration panel also builds malicious attachments or links that are submitted via email to the victims. The following image shows the form used to generate the attachments:

Phishing kit malicious attachment builder

The PaaS is designed to be used in a very standard way. The payload delivered to the victim must be a link or, more commonly, an HTML attachment. The attacker can use the builder form above to create a payload with a few options:

*   Autograb: This feature prefills the Microsoft 365 login page with the victim’s email, adding credibility to the attack.
*   Background: The attacker can select the fake attachment background image to be a blurred Microsoft Word, Excel, or PowerPoint online document.

The API is the core part of the service. Each affiliate must have a valid API key to use Greatness, or else the phishing page will not load and displays a message saying the API key is invalid. The following image shows the configuration options available in the panel, where the affiliates can insert their API key.

_Administrative panel configuration page_

The service API contains logic to validate the affiliate’s key, block unwanted IP addresses from viewing the phishing page, and most importantly, behind-the-scenes communication with the real Microsoft 365 login page, posing as the victim.

Working together, the phishing kit and the API perform a “man-in-the-middle” attack, requesting information from the victim that the API will then submit to the legitimate login page in real time. This allows the PaaS affiliate to steal usernames and passwords, along with the authenticated session cookies if the victim uses MFA. Authenticated sessions usually time out after a while, which is possibly one of the reasons the Telegram bot is used — it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 61708.

**Indicators of Compromise (IOCs)**

IOCs for this research can also be found at our GitHub repository here

New phishing-as-a-service tool “Greatness” already seen in the wild

We talk to the Signal Foundation’s Meredith Whittaker about how the surveillance economy is newer than we all might realize—and what we can do to fight back.

How to Reclaim Your Online Privacy

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

Summary

Zipbomb resource exhaustion in Tentacle (CVE-2022-4008)

Advisory Number

2023-08

Discovery Date

16 Nov 2023

Patch Release Date

04 May 2023

Advisory Release Date

11 May 2023

Product

Octopus Tentacle

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-4008

Customers who have downloaded and installed any of the Octopus Tentacle versions listed below ("Details") are affected.

Please upgrade your Octopus Tentacle immediately to fix this vulnerability.

Customers who have upgraded Octopus Tentacle to version 2023.1.10072 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service

The versions of Octopus Tentacle affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x.x, 2019.x.x, 2020.x.x, 2021.x.x versions
*   All 2022.1.x, 2022.2.x versions
*   All 2022.3.x versions before 2022.3.11043
*   All 2022.4.x versions before 2022.4.8401

**Fix**

To address this vulnerability, we have released Octopus Tentacle version:

*   2022.3.11043
*   2022.4.8401

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2023.1.10072). You can download the latest version of Octopus Tentacle from https://octopus.com/downloads

**If you can't upgrade to the latest version (2023.1.10072):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.3.11043 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.3.11043 or greater

2022.1.x, 2022.2.x

2022.3.11043 or greater

2022.3.x

2022.3.11043 or greater

2022.4.x

2022.4.8401 or greater

**Mitigation**

There is no known mitigation for CVE-2022-4008, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-4008: Security Advisory 2023-08

Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild.
Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months."
Of the 38 vulnerabilities, six are rated Critical and

Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild.

Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months."

Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been tagged with "Exploitation More Likely" assessment by Microsoft.

This is aside from 18 flaws – including 11 bugs since the start of May – the Windows maker resolved in its Chromium-based Edge browser following the release of April Patch Tuesday updates.

Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation. It's not immediately clear how widespread the attacks are.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said, crediting Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra for reporting the flaw.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply vendor fixes by May 30, 2023.

Also of note are two publicly known flaws, one of which is a critical remote code execution flaw impacting Windows OLE (CVE-2023-29325, CVSS score: 8.1) that could be weaponized by an actor by sending a specially crafted email to the victim.

Microsoft, as mitigations, is recommending that users read email messages in plain text format to protect against this vulnerability.

The second publicly known vulnerability is CVE-2023-24932 (CVSS score: 6.7), a Secure Boot security feature bypass that's weaponized by the BlackLotus UEFI bootkit to exploit CVE-2022-21894 (aka Baton Drop), which was resolved in January 2022.

"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled," Microsoft said in a separate guidance.

"This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device."

It's worth noting that the fix shipped by Microsoft is disabled by default and requires customers to manually apply the revocations, but not before updating all bootable media.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

"Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device," Microsoft cautioned. "Even reformatting of the disk will not remove the revocations if they have already been applied."

The tech giant said it's taking a phased approach to completely plug the attack vector to avoid unintended disruption risks, an exercise that's expected to stretch until the first quarter of 2024.

"Modern UEFI-based Secure Boot schemes are extremely complicated to configure correctly and/or to reduce their attack surfaces meaningfully," firmware security firm Binarly noted earlier this March. "That being said, bootloader attacks are not likely to disappear anytime soon."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Aruba Networks
*   Cisco
*   Citrix
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   Synology
*   Veritas
*   VMware
*   Zoho, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug

Categories: Exploits and vulnerabilities
Categories: News
Tags: Microsoft

Tags:  CVE-2023-29336

Tags:  CVE-2023-24932

Tags:  bootkit

Tags:  CVE-2023-29325

Tags:  Outlook

Tags:  preview

Tags:  CVE-2023-24941

Tags:  Apple

Tags:  Cisco

Tags:  Google

Tags:  Android

Tags:  VMWare

Tags:  SAP

Tags:   Mozilla

Microsoft's Patch Tuesday round up for May 2023 includes patches for three zero-day vulnerabilities and one critical remote code execution vulnerability



(Read more...)




The post Update now! May 2023 Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.

It’s that time of the month again: We're looking at May's Patch Tuesday roundup. Microsoft has released its monthly update, and while the total number of patched vulnerabilities is relatively low at 38, among them are three zero-day vulnerabilities.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. Of the three included in this month’s update cycle, two have been found to be actively exploited and the third has been publicly disclosed.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three zero-days are listed as:

*   CVE-2023-29336: a Win32k Elevation of Privilege (EoP) vulnerability. Exploitation of this vulnerability in the Win32k Kernel driver could provide an attacker with SYSTEM privileges. The Cybersecurity & Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
*   CVE-2023-24932: a Secure Boot security feature bypass vulnerability. To exploit the vulnerability, an attacker needs either physical access or administrative rights to a target device to install an affected boot policy. The vulnerability has been used to install the BlackLotus UEFI bootkit, a type of malicious infection which targets the Master Boot Record located on the physical motherboard of the computer.  Attaching malicious software in this manner can allow for a malicious program to be executed prior to the loading of the operating system. The primary benefit to a bootkit infection is that it cannot be detected by standard operating systems processes because all of the components reside outside of the Windows file system. UEFI and Secure Boot have been very effective in reducing the number of bootkits, but this vulnerability allows an attacker to bypass those restrictions.
*   CVE-2023-29325: a Windows OLE Remote Code Execution (RCE) vulnerability. This vulnerability is present in Microsoft Outlook and Explorer and can be exploited by attackers in order to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane. This type of RCE vulnerability is bound to become very popular among malware peddlers, and knowing that it has been publicly disclosed means that it is available for them to use. Microsoft advises users that can't install the patch immediately to read email messages in plain text format.

Another vulnerability to keep an eye on is an RCE vulnerability with a CVSS score of 9.8 out of 10. Listed as CVE-2023-24941 this is a Windows Network File System (NFS) RCE vulnerability which can be exploited over the network by making an unauthenticated, specially crafted request. This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as a temporary mitigation. More information about how to do this and when not to can be found in the Microsoft advisory about this vulnerability under **Mitigation**.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Apple released an update addressing two actively exploited zero-day flaws.

Cisco released security updates.

Google has released Android updates.

Mozilla releases security advisories for Firefox 113 and Firefox ESR 102.11.

SAP released patch day updates.

VMWare fixed four vulnerabilities in virtualization software.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Update now! May 2023 Patch Tuesday tackles three zero-days

Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.

**Microsoft** today released software updates to fix at least four dozen security holes in its **Windows** operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.

First up in May’s zero-day flaws is CVE-2023-29336, which is an “elevation of privilege” weakness in Windows which has a low attack complexity, requires low privileges, and no user interaction. However, as the **SANS Internet Storm Center** points out, the attack vector for this bug is local.

“Local Privilege escalation vulnerabilities are a key part of attackers’ objectives,” said **Kevin Breen**, director of cyber threat research at **Immersive Labs**. “Once they gain initial access they will seek administrative or SYSTEM-level permissions. This can allow the attacker to disable security tooling and deploy more attacker tools like Mimikatz that lets them move across the network and gain persistence.”

The zero-day patch that has received the most attention so far is CVE-2023-24932, which is a **Secure Boot Security Feature Bypass** flaw that is being actively exploited by “bootkit” malware known as “BlackLotus.” A bootkit is dangerous because it allows the attacker to load malicious software before the operating system even starts up.

According to Microsoft’s advisory, an attacker would need physical access or administrative rights to a target device, and could then install an affected boot policy. Microsoft gives this flaw a CVSS score of just 6.7, rating it as “Important.”

**Adam Barnett**, lead software engineer at **Rapid7**, said CVE-2023-24932 deserves a considerably higher threat score.

“Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access,” Barnett said. “Therefore, the relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.”

Barnett said Microsoft has provided a supplementary guidance article specifically calling out the threat posed by BlackLotus malware, which loads ahead of the operating system on compromised assets, and provides attackers with an array of powerful evasion, persistence, and Command & Control (C2) techniques, including deploying malicious kernel drivers, and disabling Microsoft Defender or Bitlocker.

“Administrators should be aware that additional actions are required beyond simply applying the patches,” Barnett advised. “The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. The attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.”

In addition to the two zero-days fixed this month, Microsoft also patched five remote code execution (RCE) flaws in Windows, two of which have notably high CVSS scores.

CVE-2023-24941 affects the Windows Network File System, and can be exploited over the network by making an unauthenticated, specially crafted request. Microsoft’s advisory also includes mitigation advice. The CVSS for this vulnerability is 9.8 – the highest of all the flaws addressed this month.

Meanwhile, CVE-2023-28283 is a critical bug in the Windows Lightweight Directory Access Protocol (LDAP) that allows an unauthenticated attacker to execute malicious code on the vulnerable device. The CVSS for this vulnerability is 8.1, but Microsoft says exploiting the flaw may be tricky and unreliable for attackers.

Another vulnerability patched this month that was disclosed publicly before today (but not yet seen exploited in the wild) is CVE-2023-29325, a weakness in **Microsoft Outlook** and **Explorer** that can be exploited by attackers to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane.

“To help protect against this vulnerability, we recommend users read email messages in plain text format,” Microsoft’s writeup on CVE-2023-29325 advises.

“If an attacker were able to exploit this vulnerability, they would gain remote access to the victim’s account, where they could deploy additional malware,” Immersive’s Breen said. “This kind of exploit will be highly sought after by e-crime and ransomware groups where, if successfully weaponized, could be used to target hundreds of organizations with very little effort.”

For more details on the updates released today, check out roundups by Action1, Automox and Qualys, If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

Microsoft Patch Tuesday, May 2023 Edition

Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2023-24955

Microsoft Excel Remote Code Execution Vulnerability

Tag

#microsoft