Categories: Exploits and vulnerabilities
Categories: News
Tags: patch Tuesday

Tags:  Microsoft

Tags:  Apple

Tags:  Adobe

Tags:  SAP

Tags:  Citrix

Tags:  Cisco

Tags:  Atlassian

Tags:  Google

Tags:  Mozilla

Tags:  Forta

Tags:  OpenSSH

Tags:  CVE-2023-21823

Tags:  CVE-2023-21715

Tags:  OneNote

Tags:  CVE-2023-23376

Tags:  CVE-2023-21706

Tags:  CVE-2023-21707

Tags:  CVE-2023-21529

Tags:  CVE-2023-21716

Tags:  CVE-2023-23378

Tags:  CVE-2023-22501

Tags:  CVE-2023-24486

Tags:  CVE-2023-24484

Tags:  CVE-2023-24484

Tags:  CVE-2023-24483

Tags:  CVE-2023-25136

Tags:  GoAnywhere

Microsoft has released updates to patch three zero-days and lots of other vulnerabilities and so have several other vendors



(Read more...)




The post Update now! February's Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.

The Patch Tuesday roundup from Microsoft for February 2023 includes three zero-days. Not exactly what we had in mind for Valentine's Day.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. As far as we can tell, only two of the vulnerabilities were actually exploited in the wild.

The zero-days patched in these updates are:

**Graphics component**

CVE-2023-21823: A Windows Graphics Component remote code execution (RCE) vulnerability. An attacker who successfully exploited this vulnerability could execute commands with SYSTEM privileges.

Important to note here that this update comes from the Microsoft Store. So users that have disabled automatic updates for the Microsoft Store have to get the update through the Microsoft Store by following the guide titled Get updates for apps and games in Microsoft Store. Be sure to select the tab for the operating system installed on your device to search for updates.

The Microsoft update guide for this vulnerability specifically mentions OneNote for Android. At Malwarebytes, we've recently seen ASyncRAT campaigns using malicious OneNote (.one) attachments, so we hope to see that this update puts an end to that method of infection.

**Microsoft Publisher**

CVE-2023-21715: A Microsoft Publisher security features bypass vulnerability. An attacker who successfully exploited this vulnerability could bypass Office macro policies in Microsoft Publisher which are used to block untrusted or malicious files. The attack itself has to be carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.

Although that makes it sound hard to abuse, Microsoft says it has detected exploitation of this vulnerability.

**Windows Common Log File System Driver**

CVE-2023-23376: A Windows Common Log File System Driver elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This means it can be very useful in a chain of vulnerabilities, but Microsoft gives no clues about any other vulnerabilities this EoP has been used in combination with.

**Other patched vulnerabilities**

Exchange Server: included are patches for three remote code execution flaws that are labelled as likely to be exploited. These vulnerabilities listed as CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529 all require authentication.

Microsoft Word: an RCE vulnerability listed as CVE-2023-21716 with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a malicious email containing a Rich Text Format (RTF) payload that would allow them to gain access to execute commands within the application used to open the malicious file.

**Unpatched**

Microsoft has also disclosed a vulnerability listed as CVE-2023-23378 in the end-of-life (EOL) application Print 3D. EOL is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor. Print 3D was deprecated along with Windows 10 version 1903.

Microsoft has confirmed that it will not release a patch to fix the vulnerability and that customers should update to the 3D Builder app.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe published security updates for several of its products.

Apple released information about the new security content of macOS Ventura 13.2.1 and of iOS 16.3.1 and iPadOS 16.3.1.

Atlassian published a FAQ for CVE-2023-22501, an authentication vulnerability in Jira Service Management Server and Data Center.

Cisco released security updates for several of its products.

Citrix has released security updates to address high-severity vulnerabilities (CVE-2023-24486, CVE-2023-24484, CVE-2023-24485, and CVE-2023-24483) in Citrix Workspace Apps, Virtual Apps and Desktops.

Google released security updates for Pixel.

Mozilla has released security advisories for Firefox 110 and Firefox ESR 102.8.

Forta released a security update for the actively exploited GoAnywhere MFT zero-day flaw.

OpenSSH released details about version 9.2 which patches CVE-2023-25136.

SAP has released its February 2023 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update now! February's Patch Tuesday tackles three zero-days

How newly exposed security weaknesses in industrial wireless, cloud-based interfaces, and nested PLCs serve as a wake-up call for hardening the physical process control layer of the OT network.

S4x23 — Miami — As IT and operational technology (OT) network lines continue to blur in the rapidly digitalized industrial sector, new vulnerabilities and threats imperil conventional OT security measures that once isolated and guarded physical processes from cyberattacks.

Two new separate sets of research released this month underscore real, hidden dangers to physical operations in today's OT networks from wireless devices, cloud-based applications, and nested networks of programmable logic controllers (PLCs) — effectively further dispelling conventional wisdom about the security of network segmentation as well as third-party connections to the network.

In one set of findings, a research team from Forescout Technologies was able to bypass safety and functional guardrails in an OT network and move laterally across different network segments at the lowest levels of the network: the controller level (aka Purdue level 1), where PLCs live and run the physical operations of an industrial plant. The researchers used two newly disclosed Schneider Modicon M340 PLC vulnerabilities that they found — a remote code execution (RCE) flaw and an authentication bypass vulnerability — to breach the PLC and take the attack to the next level by pivoting from the PLC to its connected devices in order to manipulate them to perform nefarious physical operations.

"We are trying to dispel the notion that you hear among asset owners and other parties that Level 1 devices and Level 1 networks are somehow different from regular Ethernet networks and Windows \[machines\] and that you cannot move through them in very similar ways," says Jos Wetzels, security researcher with Forescout. "These systems are reachable, and you can bypass safety checks if you have the right level of control. We are showing how to do this."

The highly complex attack sequence that the researchers demonstrated with a proof-of-concept (PoC) — and that they acknowledge would require the technical chops and resources of nation-state attackers — stands in stark contrast to a relatively simple new hack that another group of researchers pulled off that exposes plants via wireless network devices. Both of these separate sets of OT attack findings poke holes in traditional assumptions of inherent security at the lower layers of OT networks, and the two teams of researchers behind them shared their findings here this week at the S4x23 ICS/OT conference.

**Wireless Threat "Got Our Attention"**

In the second batch of research, a team at ICS security provider Otorio found some 38 vulnerabilities in products including cellular routers from Sierra Wireless and InHand Networks, and a remote access server for machines from ETIC Telecom. A dozen other bugs remain in the disclosure process with the affected vendors and were not named in the report.

The flaws include two dozen Web interface bugs that could give an attacker a direct line of access to OT networks.

Matan Dobrushin, vice president of research at Otorio, says his team used the open source WiGLE tool, a Shodan-style search app that locates and maps wireless access points around the world. WiGLE collects SSID or network names, encryption types (such as WEP or WPA), and the geolocation of a wireless access point. The team was able to locate various OT sites via those geolocated Aps that WiGL spotted, including an oil well with weak authentication to its wireless device.

The team discovered relatively simple ways for an attack to hack industrial Wi-Fi access points and cellular gateways and wage man-in-the-middle attacks to manipulate or sabotage physical machinery in production sites. In one attack scenario, the researchers pose, an attacker armed with a laptop could find and drive to a plant location and connect to the operational network.

"You don't have to go through all of the layers of the enterprise IT network or firewalls. In this example, someone can just come with a laptop and connect directly to the most sensitive physical part of that network," Dobrushin says. "This is what got our attention."

Physical proximity is just one of three attack scenarios the team discovered when they found the vulns in these wireless devices. They also could reach the plant wireless devices via oft-exposed IP addresses inadvertently open to the public Internet. But the third and most surprising attack scenario they found: They could reach the OT networks via blatantly insecure cloud-based management interfaces on the wireless access points.

Many of the devices that come with cloud-based management also contain interfaces with either very weak authentication, or no authentication at all. InHand Networks' InRouter302 and InRouter615, for example, use an unsecured communications link to the cloud platform by default, sending information in cleartext.

"It's a single point of security and failure," Dobrushin says of the weak management interfaces, and "the main attack surface" for plant wireless access points.

The onus is on the wireless device vendors to better secure their Web interfaces. "I think the biggest fail point here is not wireless itself, not the cloud itself: It's the integration point between the cloud and modern Web-based world, to the old industrial world. These integration points are not strong enough."

For example, an RCE vulnerability in the Sierra Wireless Airlink's AceManager Web interface could let an attacker inject malicious commands. The vulnerability actually bypasses a previous patch Sierra had issued in April of 2019 for another bug, according to Otorio.

**Lateral Movement Research**

Forescout's research, meanwhile, also shows how Purdue Level 1 of an OT network security is not as airtight as many industrial organizations believe. The company's findings demonstrate how a threat actor could spread an attack across various network segments and types of networks at the Purdue Level 1/controller level of the OT network.

In their proof-of-concept attack, the researchers first hacked a Wago coupler device in order to reach the Schneider M340 PLC. Once they got to the PLC, they employed two newly disclosed vulnerabilities they first found last year as part of the OT:ICEFALL set of vulns but were unable to reveal until Schneider had patched them, CVE-2022-45788 (remote code execution) and CVE-2022-45789 (authentication bypass). That allowed them to bypass the PLC's internal authentication protocol and move through the PLC to other connected devices, including an Allen-Bradley GuardLogix safety control system that protects plant systems by ensuring they operate in a safe physical state. Then they were able to manipulate the safety systems on the GuardLogix backplane.

What sets their findings apart is that it looks at lateral movement not just between Level 1 devices in the same network segment or to Layer 2 SCADA systems but spreading across nested devices and networks at Layer 1. And unlike previous PLC research, Wetzels and Daniel dos Santos, head of security research at Forescout, didn't just hack a PLC via an inherent vulnerability. They instead pivoted from the PLC to other systems connected to it in order to bypass the security and physical safety checks within the OT systems.

"We're not just talking directly \[to\] one of the PLCs. We're moving to all devices existing behind it to bypass the functional and safety constraints" of the PLC that would cause the device to halt or shut down the process, Wetzels says. "Or I can manipulate the PLC and cause physical damage."

Wetzels says some vendors provide incorrect guidance to OT operators that states that "nesting" PLCs via serial links or nonroutable OT protocols provides secure segmentation for those devices and the OT network. "We're demonstrating this is a faulty line of reasoning against a certain type of attacker," he says. The researchers show that all devices — valve controllers and sensors, for example — that reside under the PLC in other networks behind it also can be exposed and provide an attacker more detailed control of the systems.

"If you want to manipulate \[the physical processes\] at a deep level, you move deep into those networks," he says.

Another weak and often-overlooked link are network connections to third-party maintenance providers, for HVAC or water treatment plant work, for example. The maintenance contractor often has a remote connection to their packaged system, which then interfaces with the OT network. "The perimeter to the outside that exists at Level 1 is not hardened or monitored," Wetzels explains.

**How to Defend Against These Threats to OT**

Forescout's Wetzels and dos Santos recommend that OT operators re-evaluate the state of their Level 1 devices and interconnectivity. "Make sure nothing can be disabled by cyber means," Wetzels advises.

He also recommends that plants with Ethernet links that are not firewalled should add a firewall. And at the least, ensure visibility of the traffic with an intrusion detection system, he says. If the PLCs include IP-based access control list (ACL) and forensics inspection functions, deploy them to harden the devices, he says.

"Likely there's a lot of network crawlspace not on your radar," Wetzels said today in his presentation here. "At Level 1, between different \[network\] segments needs a perimeter security profile."

As for the wireless access point vulnerabilities and attacks Otorio revealed, the researchers recommend disabling weak encryption in wireless access devices, masking wireless devices publicly or at least whitelisting authorized devices, and ensuring strong authentication for IP-based devices.

They also advise disabling unused cloud-based services, which typically are on by default, and firewalling and/or adding virtual private network (VPN) tunnels among the connections.

Tom Winston, director of intelligence content at Dragos, says wireless access points in the industrial network should use multifactor authentication. "Access control is always a concern."

OT Network Security Myths Busted in a Pair of Hacks

78 new CVEs patched in this month's batch — nearly half of which are remotely executable and three of which attackers already are exploiting.

Microsoft has issued fixes for three zero-day bugs that attackers currently are actively exploiting in the wild.

One of them, tracked as CVE-2023-21715, is a security feature bypass vulnerability in Microsoft Office that gives attackers a way to bypass Office macro policies for blocking untrusted files and content. The second is an elevation-of-privilege vulnerability in Windows Common Log File System Driver (CVE-2023-23376), which allows an attacker to gain system-level privileges. The third is CVE-2023-21823, a remote code execution (RCE) bug in the Windows Graphics Component which also enables an attacker to gain system-level access.

**The Zero-Day Trio**

The three zero-day vulnerabilities were part of a substantially larger set of 78 new CVEs that Microsoft disclosed in its monthly security update Tuesday. The company assessed nine of these flaws as being of "critical" severity and 66 as presenting an "important" threat to organizations.

Nearly half the vulnerabilities (38) that Microsoft disclosed this month were remote code execution (RCE) bugs — a category of flaws that security researchers consider especially serious. Elevation-of-privilege bugs represented the next highest category, followed by denial-of-service flaws and spoofing vulnerabilities.

Dustin Childs, head of threat awareness at Trend Micro's ZDI, which reported eight of the vulnerabilities in this month's update, says all the bugs that are under active attack represent a critical risk because threat actors are already using them.

"The Graphics Component bug (CVE-2023-21823) makes me worry on two accounts," he says. "Since this was found by Mandiant, it was likely discovered by a team working an incident response," Childs says. That means it's unclear how long threat actors might have been using it. Also worrisome is that the update is available through the Microsoft store, he notes.

"People who are either disconnected or otherwise blocked from the store will need to manually apply the update," he says.

Childs says that based on Microsoft's description of CVE-2023-21715, the security feature bypass vulnerability in Microsoft Office sounds more like an elevation-of-privilege issue. "It's always alarming when a security feature is not just bypassed but exploited. Let's hope the fix comprehensively addresses the problem."

Ultimately, all three bugs that attackers are actively exploiting are of concern. But a threat actor would still need to use each of these bugs in combination with some form of a code execution bug to take over a system, Childs says.

Automox recommends that organizations using Microsoft 365 Applications for Enterprise patch CVE-2023-2175 within 24 hours. "This vulnerability is an actively exploited zero-day that allows attackers to craft a file to bypass Office security features," Automox said in a blog post. It allows attackers to "potentially execute malicious code on end-user devices if they can coerce users to download and open files on vulnerable devices via social engineering."

**New Exchange Server Threats**

Satnam Narang, senior staff research engineer at Tenable, highlighted three Microsoft Exchange Server vulnerabilities (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) as issues that organizations should note because Microsoft has identified them as flaws that attackers are more likely to exploit.

"Over the last few years, Microsoft Exchange Servers around the world have been pummeled by multiple vulnerabilities, from ProxyLogon to ProxyShell, to more recently ProxyNotShell, OWASSRF and TabeShell," Narang said in a statement.

Exchange flaws have become valuable commodities for standard sponsored threat actors in recent years, he said. "We strongly suggest organizations that rely on Microsoft Exchange Server to ensure they've applied the latest Cumulative Updates for Exchange Server."

**RCE Bugs in Microsoft PEAP**

Researchers at Cisco's Talos threat intelligence group, meanwhile, pointed to three RCE bugs in Microsoft Protected Extensible Authentication Protocol (PEAP) as being among the most critical bugs in Microsoft's security update for February 2023.

The flaws, tracked as CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692, allow an authenticated attacker to try and trigger malicious code in the context of the server's account.

"Almost all Windows versions are vulnerable, including the latest Windows 11," the company said in a statement.

CVE-2023-21689 — one of the three critical vulnerabilities in PEAP — allows attackers to get server accounts to trigger malicious code via a network call, according to Automox.

"Since this vulnerability is very likely to be targeted and is relatively simple for attackers to exploit, we recommend patching or ensuring that PEAP is not configured as an allowed EAP type in your network policy," the company said in its post. Affected organizations — those that have Windows clients with Network Policy Server running and have a policy that allows PEAP — should patch the flaw within 72 hours, Automox advised.

9 New Microsoft Bugs to Patch Now

# Microsoft Security Advisory CVE-2023-21808: .NET Remote Code Execution Vulnerability

## <a name="executive-summary"></a>Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in how .NET reads debugging symbols,  where reading a malicious symbols file may result in remote code execution.
## Discussion

Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/82112

### <a name="mitigation-factors"></a>Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

## <a name="affected-software"></a>Affected software

* Any .NET 7.0 application running on .NET 7.0.2 or earlier.
* Any .NET 6.0 application running on .NET 6.0.13 or earlier.

If your application uses the following package versions, ensure you update to the latest version of .NET.

### <a name=".NET 7"></a>.NET 7

Package name | Affected version | Patched version
------------ | ---------------- | -------------------------
[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)|>= 7.0.0, <= 7.0.2|7.0.3
[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)|>= 7.0.0, <= 7.0.2|7.0.3
[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)|>= 7.0.0, <= 7.0.2|7.0.3
[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)|>= 7.0.0, <= 7.0.2|7.0.3

### <a name=".NET 6"></a>.NET 6

Package name | Affected version | Patched version
------------ | ---------------- | -------------------------
[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)|>= 6.0.0, <= 6.0.13|6.0.14
[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)|>= 6.0.0, <= 6.0.13|6.0.14
[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)|>= 6.0.0, <= 6.0.13|6.0.14
[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)|>= 6.0.0, <= 6.0.13|6.0.14

## Advisory FAQ

### <a name="how-affected"></a>How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in [affected software](#affected-software), you're exposed to the vulnerability.

### <a name="how-fix"></a>How do I fix the issue?

* To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET  SDKs.
* If you have .NET Core 3.1 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. You will see output like the following;
* If you are using one of the affected packages, please update to the patched version listed above. 

```
.NET Core SDK (reflecting any global.json):

 Version:   6.0.300
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 6.0.5
  Commit:  8473146e7d

.NET Core SDKs installed:

  6.0.300 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```
* If you're using .NET 7.0, you should download and install Runtime 7.0.3 or SDK 7.0.103 (for Visual Studio 2022 v17.4) from https://dotnet.microsoft.com/download/dotnet-core/7.0.
* If you're using .NET 6.0, you should download and install Runtime 6.0.14 or SDK 6.0.114 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

## Other Information

### Reporting Security Issues

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at <https://aka.ms/corebounty>.

### Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

### Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

### Acknowledgements
[Johan Gorter](https://www.linkedin.com/in/jgorter/) with [AFAS Software](https://www.afas.nl/)

### External Links

[CVE-2023-21808]( https://www.cve.org/CVERecord?id=CVE-2023-21808)

### Revisions

V1.0 (February 14, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-02-14_

**Microsoft Security Advisory CVE-2023-21808: .NET Remote Code Execution Vulnerability****Executive summary**

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in how .NET reads debugging symbols, where reading a malicious symbols file may result in remote code execution.

**Discussion**

Discussion for this issue can be found at dotnet/runtime#82112

**Mitigation factors**

Microsoft has not identified any mitigating factors for this vulnerability.

**Affected software**

*   Any .NET 7.0 application running on .NET 7.0.2 or earlier.
*   Any .NET 6.0 application running on .NET 6.0.13 or earlier.

If your application uses the following package versions, ensure you update to the latest version of .NET.

**.NET 7**

Package name

Affected version

Patched version

Microsoft.NetCore.App.Runtime.win-arm

\>= 7.0.0, <= 7.0.2

7.0.3

Microsoft.NetCore.App.Runtime.win-arm64

\>= 7.0.0, <= 7.0.2

7.0.3

Microsoft.NetCore.App.Runtime.win-x64

\>= 7.0.0, <= 7.0.2

7.0.3

Microsoft.NetCore.App.Runtime.win-x86

\>= 7.0.0, <= 7.0.2

7.0.3

**.NET 6**

Package name

Affected version

Patched version

Microsoft.NetCore.App.Runtime.win-arm

\>= 6.0.0, <= 6.0.13

6.0.14

Microsoft.NetCore.App.Runtime.win-arm64

\>= 6.0.0, <= 6.0.13

6.0.14

Microsoft.NetCore.App.Runtime.win-x64

\>= 6.0.0, <= 6.0.13

6.0.14

Microsoft.NetCore.App.Runtime.win-x86

\>= 6.0.0, <= 6.0.13

6.0.14

**Advisory FAQ****How do I know if I am affected?**

If you have a runtime or SDK with a version listed, or an affected package listed in affected software, you're exposed to the vulnerability.

**How do I fix the issue?**

*   To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
*   If you have .NET Core 3.1 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
*   If you are using one of the affected packages, please update to the patched version listed above.

    .NET Core SDK (reflecting any global.json):
    
     Version:   6.0.300
     Commit:    8473146e7d
    
    Runtime Environment:
    
     OS Name:     Windows
     OS Version:  10.0.18363
     OS Platform: Windows
     RID:         win10-x64
     Base Path:   C:\Program Files\dotnet\sdk\6.0.300\
    
    Host (useful for support):
    
      Version: 6.0.5
      Commit:  8473146e7d
    
    .NET Core SDKs installed:
    
      6.0.300 [C:\Program Files\dotnet\sdk]
    
    .NET Core runtimes installed:
    
      Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
      Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
      Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
    
    To install additional .NET Core runtimes or SDKs:
      https://aka.ms/dotnet-download
    

*   If you're using .NET 7.0, you should download and install Runtime 7.0.3 or SDK 7.0.103 (for Visual Studio 2022 v17.4) from https://dotnet.microsoft.com/download/dotnet-core/7.0.
*   If you're using .NET 6.0, you should download and install Runtime 6.0.14 or SDK 6.0.114 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

**Other Information****Reporting Security Issues**

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

**Support**

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

**Disclaimer**

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

**Acknowledgements**

Johan Gorter with AFAS Software

**External Links**

CVE-2023-21808

**Revisions**

V1.0 (February 14, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-02-14_

**References**

*   GHSA-824j-wqm8-89mj
*   https://nvd.nist.gov/vuln/detail/CVE-2023-21808
*   https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21808

GHSA-824j-wqm8-89mj: .NET Remote Code Execution Vulnerability 

Visual Studio Remote Code Execution Vulnerability

CVE-2023-21815

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-21808

CVE-2023-23381

Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability

CVE-2023-21778

Azure DevOps Server Remote Code Execution Vulnerability

CVE-2023-21553

Windows Graphics Component Remote Code Execution Vulnerability

Tag

#rce