REDLEGG BLOG
96Bravo - Critical Security Bulletin

Patch Tuesday Recap - March 2023

3/15/23 10:22 AM  |  by RedLegg Blog

About:

In an effort to provide additional value to our customers RedLegg will be releasing monthly security bulletins for critical vulnerabilities as they are released from major software vendors. RedLegg will provide as much context and information as is available at the time the bulletin is released.

RedLegg will include a brief description of the vulnerability, whether or not an active exploit or POC exists, and then a link to an update if any exists. If no update exists there will be remediation or mitigation suggestions in order to limit the risk that each vulnerability represents.

*Important note: These are not the only vulnerabilities that were recently released; however, these are the vulnerabilities RedLegg has identified as critical and require immediate attention.

VULNERABILITIES

.NET Framework Remote Code Execution Vulnerability

Identifier: CVE-2022-41089
Exploit or POC: No
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41089

Description: CVE-2022-41089 allows for remote code execution. User interaction is required to successfully exploit this vulnerability. This vulnerability triggers restricted mode when parsing XPS files, inhibiting gadget chains and eliciting remote code execution on an affected system. 
Mitigation Recommendation: Patching is currently the only method of mitigation.

 

Microsoft Outlook Elevation of Privilege Vulnerability

Identifier: CVE-2023-23397
Exploit or POC: Yes (Actively Being Exploited)
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

Description: CVE-2023-23397 could allow an attacker to elevate privileges independent of user interaction. This vulnerability can be exploited by sending explicitly targeted emails – forcing an automatic connection from the victim to an external UNC of the attackers’ discretion. A connection is initiated automatically once retrieved and processed by the Outlook client. Thus, further facilitating exploitation before the email is displayed in the Preview Pane. Successful exploitation could allow an attacker to secure access to a user’s Net-NTLMv2 hash, eliciting a hash relay attack.

Mitigation recommendation: Mitigation steps listed here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

 

Windows SmartScreen Security Feature Bypass Vulnerability

Identifier: CVE-2023-24880
Exploit or POC: Yes (Actively Being Exploited)
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880

Description: CVE-2023-24880 could allow an attacker to achieve defense evasion techniques. User interaction is required for successful exploitation. This vulnerability could allow an attacker to bypass security features by crafting a malicious file specifically crafted to evade Mark of the Web (MOTW) defenses. Thus, resulting in a limited loss of availability and integrity of security features that are dependent of MOTW tagging, such as Protected View in Microsoft Office.

Mitigation recommendation: Pathing is currently the only method of mitigation.

 

HTTP Protocol Stack Remote Code Execution Vulnerability

Identifier: CVE-2023-23392
Exploit or POC: No
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23392

Description: CVE-2023-23392 allows for remote code execution. Authentication and user interaction are not required for successful exploitation. This vulnerability can be exploited by sending a specially crafted packet to a targeted server using the HTTP Protocol Stack (http.sys) to process packets.

Mitigation recommendation: Mitigation steps listed here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23392

 

Remote Procedure Call Runtime Remote Code Execution Vulnerability

Identifier: CVE-2023-21708
Exploit or POC: No
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21708

Description: CVE-2023-21708 allows for remote code execution. Authentication and user interaction are not required for successful exploitation. This vulnerability can be exploited by transmitting a specific RPC call to a targeted RPC host. Thereby resulting in remote code execution call on the server side with equivalent permissions to the RPC service. Blocking TCP traffic for port 135 is recommended as best practice to safeguard potential attacks against this vulnerability.

Mitigation recommendation: Patching is currently the only method of mitigation.

 

Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

Identifier: CVE-2023-23415
Exploit or POC: No
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415

Description: CVE-2023-23415 allows for remote code execution. User interaction is not required for successful exploitation. This vulnerability can be exploited by sending a low-level protocol error with a fragmented IP packet encapsulated in the header of another ICMP packet to the target machine. Initiating the vulnerable code path demands an application on the targeted host is bound to a raw socket.

Mitigation recommendation: Patching is currently the only method of mitigation.

 

CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability

Identifier: CVE-2023-1017
Exploit or POC: No
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1017

Description: This vulnerability was assigned by CERT/CC and pertains to a vulnerability in a third-party driver. CVE-2023-1017 allows an attacker to elevate privileges independent of user interaction. Successful exploitation could allow an attacker to elicit out of bounds write permissions in the root partition by executing malicious TPM commands.

Mitigation recommendation: Patching is currently the only method of mitigation.

 

CERT/CC: CVE-2023-1018 TPM2.0 Module Library Elevation of Privilege Vulnerability

Identifier: CVE-2023-1018
Exploit or POC: No
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1018

Description: This vulnerability was assigned by CERT/CC and pertains to a vulnerability in a third-party driver. CVE-2023-1018 allows an attacker to elevate privileges independent of user interaction.

Mitigation recommendation: Patching is currently the only method of mitigation.

 

Windows Cryptographic Services Remote Code Execution Vulnerability

Identifier: CVE-2023-23416
Exploit or POC: No
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23416

Description: CVE-2023-23416 allows for remote code execution. Authentication is required to successfully exploit this vulnerability. However, an attacker could exploit this vulnerability independent of user interaction. Successfully exploiting this vulnerability calls for a malicious certification to be imported onto a compromised system. The certificate can then be uploaded to a service that manages certificates. An alternative approach would rely on an attacker employing social engineering tactics to sway an authenticated user into importing a certificate onto their system.

Mitigation recommendation: Patching is currently the only method of mitigation.

 

Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

Identifier: CVE-2023-23404
Exploit or POC: No
Update: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23404

Description: CVE-2023-23404 allows for remote code execution. Authentication and user interaction are not required for successful exploitation. This vulnerability could allow an attacker to send tailored connection requests to a RAS server, thereby allowing for remote code execution calls on the RAS server machine. Successfully exploiting this vulnerability requires the attacker to win a race condition.

Mitigation recommendation: Patching is currently the only method of mitigation.

Get Blog Updates

Related Articles

Threat Intel: ATP27, FRP, TTNG, and More… threat intel, CTI Report

Threat Intel: ATP27, FRP, TTNG, and More…

EXECUTIVE SUMMARY THREAT INTELLIGENCE AT REDLEGG This report serves as a comprehensive resource, offering insights into ...
Summoning Cyber Awareness: Exorcising the Malevolent Realm of Remote Monitoring and Management Tools threat intel, 96bravo

Summoning Cyber Awareness: Exorcising the Malevolent Realm of Remote Monitoring and Management Tools

EXECUTIVE SUMMARY RedLegg would like to recognize the efforts instituted by the Cybersecurity & Infrastructure ...
Critical Security Vulnerabilities Bulletin