Windows Media Remote Code Execution Vulnerability

CVE-2023-21802

Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability

CVE-2023-21699

An issue was discovered in TitanFTP through 1.94.1205. The move-file function has a path traversal vulnerability in the newPath parameter. An authenticated attacker can upload any file and then move it anywhere on the server's filesystem.

**Version: <= 1.94.1205****CVE-2023-22629****CWE-24: Path Traversal**

The move-file function has a path traversal vulnerability in the newPath parameter newPath":"/../../../../../../../Program Files/South River Technologies/srxserver/file

So, by uploading a file and then moving it, it can be placed anywhere on the filesystem, because the process runs as NT System

This is an authenticated exploit. An attacker would need a user account on the TitanFTP server, to upload the files.

**CWE-427: Uncontrolled Search Path Element**

The service-application is vulnerable to a DLL search order hijack. It is importing several Windows DLL-files, like version.dll. By placing a proxy-DLL named version.dll exploiting the path traversal vulnerability, this DLL will proxy imports to the original version.dll also uploaded in the application directory, one will gain Remote Code Execution on the server as NT System.

**POC Video**

CVE-2023-22629: Titan FTP vulnerabilities

Windows Graphics Component Elevation of Privilege Vulnerability

CVE-2023-21822

Windows Distributed File System (DFS) Remote Code Execution Vulnerability

CVE-2023-21820

Windows Secure Channel Denial of Service Vulnerability

CVE-2023-21819

CVE-2023-21818

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

CVE-2023-25725: The Reliable, High Performance TCP/HTTP Load Balancer

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.” 
According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday

Tuesday, February 14, 2023 13:02

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.”

According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday and only three vulnerabilities were seen in the wild. The most serious one is CVE-2023-21823 a Windows Graphics Component Remote Code Execution Vulnerability. Followed by CVE-2023-21715 a Microsoft Publisher Security Features Bypass Vulnerability which we are describing below and CVE-2023-23376 a local Windows Common Log File System Driver Elevation of Privilege Vulnerability.

Three of the most “Critical“ vulnerabilities, which Microsoft considers to be “more likely” to be exploited are CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692. These are remote code execution (RCE) vulnerabilities in the Microsoft Protected Extensible Authentication Protocol (PEAP). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. Almost all Windows versions are vulnerable, including the latest Windows 11.

According to Microsoft the other “Critical“ vulnerabilities are “less likely” to be exploited.  CVE-2023-21716 is a critical Microsoft Word Remote Code Execution Vulnerability which allows an unauthenticated attacker to gain access to execute commands within the application used to open the malicious file.

Developers are at risk due to CVE-2023-21808 a .NET and Visual Studio Remote Code Execution Vulnerability and CVE-2023-21815 also a Visual Studio Remote Code Execution Vulnerability. Both can lead to Arbitrary Code Execution (ACE) .

The last “Critical“ vulnerability which we want to mention is CVE-2023-21803. The vulnerability exists in the way that the Microsoft iSCSI Discovery Service handles certain requests. An attacker might be able to send a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service on 32-bit machines.

The "important" flagged Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21715 is something we want to highlight. This vulnerability allows an attacker to bypass the Mark of the Web (MoTW) policy which usually blocks macro execution for documents originating from the internet. The user would have be enticed to open a malicious file in Microsoft Publisher by the attacker. We highly recommend that users should never open anything that they do not know or trust to be safe.

Talos would also like to highlight three other “Important“ Remote Code Execution vulnerabilities which are affecting the Microsoft Exchange Server.

*   CVE-2023-21529 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21706 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21707 \- Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21710 - Attack complexity low , attacker needs to be an authenticated administrator

There are more vulnerabilities marked as “Important“ in the Microsoft advisory. This includes the Windows Kerberos and Active Directory services and others. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57907, 61312-61315, 61320, 61321, 61357, 61359. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300416, 300417, 300420, 300438, 300439.

Microsoft Patch Tuesday for February 2023  — Snort rules and prominent vulnerabilities

Tuesday, February 14, 2023 13:02

Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical”, 64 are classified as “Important”, one vulnerability is classified as “Moderate.”

According to Microsoft none of the vulnerabilities has been publicly disclosed before Patch Tuesday and only one vulnerability CVE-2023-21823, a privilege escalation vulnerability, was seen in the wild.

Three of the most “Critical“ vulnerabilities, which Microsoft considers to be “more likely” to be exploited are CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692. These are remote code execution (RCE) vulnerabilities in the Microsoft Protected Extensible Authentication Protocol (PEAP). As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. Almost all Windows versions are vulnerable, including the latest Windows 11.

According to Microsoft the other “Critical“ vulnerabilities are “less likely” to be exploited.  CVE-2023-21716 is a critical Microsoft Word Remote Code Execution Vulnerability which allows an unauthenticated attacker to gain access to execute commands within the application used to open the malicious file.

Developers are at risk due to CVE-2023-21808 a .NET and Visual Studio Remote Code Execution Vulnerability and CVE-2023-21815 also a Visual Studio Remote Code Execution Vulnerability. Both can lead to Arbitrary Code Execution (ACE) .

The last “Critical“ vulnerability which we want to mention is CVE-2023-21803. The vulnerability exists in the way that the Microsoft iSCSI Discovery Service handles certain requests. An attacker might be able to send a specially crafted malicious DHCP discovery request to the iSCSI Discovery Service on 32-bit machines.

The "important" flagged Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21715 is something we want to highlight. This vulnerability allows an attacker to bypass the Mark of the Web (MoTW) policy which usually blocks macro execution for documents originating from the internet. The user would have be enticed to open a malicious file in Microsoft Publisher by the attacker. We highly recommend that users should never open anything that they do not know or trust to be safe.

Talos would also like to highlight three other “Important“ Remote Code Execution vulnerabilities which are affecting the Microsoft Exchange Server.

*   CVE-2023-21529 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21706 - Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21707 \- Attack complexity low , attacker needs to be an authenticated user
*   CVE-2023-21710 - Attack complexity low , attacker needs to be an authenticated administrator

There are more vulnerabilities marked as “Important“ in the Microsoft advisory. This includes the Windows Kerberos and Active Directory services and others. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57907, 61312-61315, 61320, 61321, 61357, 61359. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300416, 300417, 300420, 300438, 300439.

Tag

#windows