Windows DNS Server Remote Code Execution Vulnerability

CVE-2023-28255

Windows Clip Service Elevation of Privilege Vulnerability

CVE-2023-28273

Windows Lock Screen Security Feature Bypass Vulnerability

CVE-2023-28270

Windows Win32k Elevation of Privilege Vulnerability

CVE-2023-28274

Windows DNS Server Information Disclosure Vulnerability

CVE-2023-28277

Windows Boot Manager Security Feature Bypass Vulnerability

CVE-2023-28269

Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

CVE-2023-28250

April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Tuesday, April 11, 2023 15:04

Microsoft released its monthly round of security updates and patches today, continuing its trend of fixing zero-day vulnerabilities on Patch Tuesday.

April's security update includes one vulnerability that’s actively being exploited in the wild. There are also eight critical vulnerabilities and the remaining 90 are considered “important.”

CVE-2023-28252, an elevation of privilege vulnerability in the Windows Common Log File System Driver, is actively being exploited in the wild, according to Microsoft, though proof of concept code is not currently available. An adversary could exploit this vulnerability to gain SYSTEM privileges.

The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of know exploited issues and urged federal agencies to patch it as soon as possible.

Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969. April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Two of the critical vulnerabilities Microsoft also patched are in the Layer 2 Tunneling Protocol: CVE-2023-28219 and CVE-2023-28220. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine. These vulnerabilities do not require any user interaction to be exploited, but the adversary would need to win a race condition to be successful.

One of the most severe issues is CVE-2023-21554, a remote code execution vulnerability in the Microsoft Message queuing system. Microsoft considers exploitation of this vulnerability to be “more likely,” and it received a CVSS severity score of 9.8 out of 10. Users who want to check to see if they’re being targeted by the exploitation of this vulnerability can run a check to see if there’s a service named “Message Queuing” on their machine, and if TCP port 1801 is listening on the machine.

CVE-2023-28231, a remote code execution vulnerability on the DHCP server service, is also considered “more likely” to be exploited. An attacker could exploit this vulnerability by sending a specially crafted RCP call to the targeted DHCP server. However, the adversary first must gain access to the restricted network.

There are four other critical vulnerabilities, though Microsoft considers them “less likely” to be exploited:

*   CVE-2023-28232: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability

*   CVE-2023-28240: Windows Network Load Balancing remote code execution vulnerability    
    CVE-2023-28250: Windows Pragmatic General Multicast (PGM) remote code execution vulnerability
*   CVE-2023-28291: Raw Image Extension remote code execution vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61606, 61607 and 61613 - 61620. There are also Snort 3 rules 300496, 300499 and 300500.

Microsoft Patch Tuesday for April 2023 — Snort rules and prominent vulnerabilities

No access control for the OTP key 

 on OTP entries

 in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non admin users to see OTP keys via the user interface.

Security & Compliance Reporting a Security Issue Advisories

**Affected Products**

Remote Desktop Manager

**Change Log**

Initial Publication - 2023-04-11

**Product**

Remote Desktop Manager

**Fix Version**

RDMW 2022.3.34.0, RDML 2022.3.2.1

**Summary**

Remote Desktop Manager is affected by multiple security vulnerabilities.

**Two factor authentication bypass**

**Description**

Two factor authentication bypass on login in Devolutions Remote Desktop Manager 2022.3.35 and earlier allow user to cancel the two factor authentication via the application user interface and open entries.

**Remediation and Workarounds**

Upgrade to Remote Desktop Manager to 2022.3.36 and higher

**Severity**

Medium - 4.4 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

**Affected Products**

Remote Desktop Manager 2022.3.35 and earlier

**No access control for the OTP key on OTP entries**

**Description**

No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non admin users to see OTP keys via the user interface.

**Remediation and Workarounds**

Upgrade to Remote Desktop Manager Windows to 2022.3.34 and higher

Upgrade to Remote Desktop Manager Linux to 2022.3.2.1 and higher

**Severity**

Medium (4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products**

Remote Desktop Manager Windows 2022.3.23.0 and earlier Remote Desktop Manager Linux 2022.3.2.0 and earlier

CVE-2023-1939: DEVO-2023-0009

Malware-as-a-service hackers from Spain decided to use a public code repository to openly advertise their wares.

Researchers have discovered malware peddlers advertising an info-stealer out in the open on the Python Package Index (PyPI) — the official, public repository for the Python programming language — with only the thinnest veneer of obfuscation.

The perpetrators — whom researchers from Sonatype associated with a Spain-based malware-as-aservice (MaaS) gang called SylexSquad — gave their program a not-so-subtle name: "reverse-shell." Reverse shells are programs that hackers commonly use to run commands remotely and receive data from targeted computers.

"I think what's quite funny about this is that it's just so blatant," says Dan Conn, developer advocate at Sonatype. "Perhaps SylexSquad were advertising themselves, or they simply didn't care about being caught."

However, their brazenness doesn't end there.

**Inside the 'reverse-shell' Data-Heisting Malware**

Sonatype researchers did a double-take when they found a package called "reverse-shell" uploaded to a public forum. "Why would someone name a malicious package in such an blatantly obvious way?" the researchers wondered in their Malware Monthly blog post.

The program turned out to be much more than a reverse shell, in fact. That became clear when the researchers examined one of its files, called "WindowsDefender.py."

WindowsDefender.py includes various obviously named functions, including get\_login\_data(), get\_web\_history(), get\_downloads(), get\_cookies(), get\_credit\_cards(), and ImageGrab.grab(). Per the theme, the hackers had not tried hard to conceal their intentions: this was malware designed to steal information.

"With no obfuscation, \[this\] appears to be ... a Discord bot that executes commands and performs actions on the infected machine," according to the analysis. "The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send all this data to the attacker's Discord channel."

Further answers lay in another file, "setup.py." Here, there were several Spanish-language instructions to "Clone GitHub repository and execute file," "replace with URL of your GitHub repository," and "path where you want to clone the repo" — an indication that reverse-shell was a MaaS product.

Further digging uncovered multiple "Made by SylexSquad" tags scattered in the code, some of which was lightly obfuscated. SylexSquad, the researchers found, was once a hacking marketplace operating over the Sellix e-commerce platform in 2022. It has since been shut down.

Publishing so openly to a public repo may have been a way for the group to intentionally draw attention to their product. "How do we know about groups like Anonymous or LulzSec or Killnet?" Conn asks, rhetorically. "It's because they get a reputation."

But PyPI holds much more value to them than that.

**Why Hackers Use Public Repos**

The SylexSquad attackers aren't the only miscreants utilizing forums like PyPI and GitHub, and there are many reasons for such brazenness, according to Sonatype.

"Hosting malicious files on a public repository provides bad actors more control over them," the researchers explained in their blog. "It gives them the power of deleting, upgrading, or even doing version control of the payload."

Among other benefits, "it allows the malware to be shared a lot more widely," Conn elaborates, "and it might actually trip up, in particular, a lot of antivirus software that uses generic signatures — like, actual bytes — to store whether something is malicious or not."

In other words, rather than delivering malware upfront — which antivirus scanners can pick up on quickly — hackers can simply link to their malicious code elsewhere: "By providing a link to a GitHub, they're maybe circumventing that check,"”" he notes.

Public repositories have protective measures in place to avoid becoming a hub for hackers. Still, even the best scanners and moderators aren't perfect, and they can't be everywhere at once.

"Hackers take certain measures like encoding or otherwise obfuscating the code they host, to make it a little bit more difficult for automated engines to pick up," Juan Aguirre, security researcher at Sonatype, points out. In this case, SylexSquad encoded their malicious script as numbers, using easily reversible ASCII codes corresponding to each character.

In this case, Sonatype reported the package to the PyPI maintainers and it was taken down. But "it's just a game of cat and mouse," Aguirre says. "Someone catches them and they just run to the next spot."

Aguirre views this story in light of a broader concern with open source software — that, as long as malware authors find use in public repositories, organizations must be aware of the kinds of packages they might be sweeping up.

"It's important to understand what it is that you're running," he concludes. "This is a great case for that. You have to have a bill of materials, you've got to know what you're doing, and what dependencies you're using. If you're just blindly installing things and grabbing code you see, things like this could very easily get into your system."

Tag

#windows