
Microsoft released security patches for 75 vulnerabilities (9 critical, 66 important, 1 moderate), including 2 actively exploited zero-days. Patch ASAP!

Reference: Advisory #2023-029
Version: 1.0
Affected software: 
Azure
Client Server Run-time Subsystem (CSRSS)
Internet Control Message Protocol (ICMP)
Microsoft Bluetooth Driver
Microsoft Dynamics
Microsoft Edge (Chromium-based)
Microsoft Graphics Component
Microsoft Office Excel
Microsoft Office Outlook
Microsoft Office SharePoint
Microsoft OneDrive
Microsoft PostScript Printer Driver
Microsoft Printer Drivers
Microsoft Windows Codecs Library
Office for Android
Remote Access Service Point-to-Point Tunnelling Protocol
Role: DNS Server
Role: Windows Hyper-V
Service Fabric
Visual Studio
Windows Accounts Control
Windows Bluetooth Service
Windows Central Resource Manager
Windows Cryptographic Services
Windows Defender
Windows HTTP Protocol Stack
Windows HTTP.sys
Windows Internet Key Exchange (IKE) Protocol
Windows Kernel
Windows Partition Management Driver
Windows Point-to-Point Protocol over Ethernet (PPPoE)
Windows Remote Procedure Call
Windows Remote Procedure Call Runtime
Windows Resilient File System (ReFS)
Windows Secure Channel
Windows SmartScreen
Windows TPM
Windows Win32K
Type: Several types, including information disclosure, remote code execution and elevation of privilege.
CVE/CVSS: 

Microsoft patched 76 CVEs in its March 2023 Patch Tuesday release, 9 rated as critical and 66 rated as important.

Number of CVE by type:

- 25 Remote Code Execution vulnerabilities
- 20 Elevation of Privilege vulnerabilities
- 14 Information Disclosure vulnerabilities
- 11 Spoofing vulnerabilities
- 4 Denial of Service vulnerabilities
- 2 Security Feature Bypass vulnerabilities

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar

Risks

Microsoft's March Patch Tuesday includes 9 critical and 66 important vulnerabilities for a wide range of Microsoft products and technologies.

Microsoft reported two zero-day vulnerabilities that are actively exploited: CVE-2023-23397 (Microsoft Outlook Elevation of Privilege) and CVE-2023-24880 (Windows SmartScreen Security Feature Bypass).

Microsoft fixed three critical Remote Code Execution (RCE) vulnerabilities in the Windows operating systems: CVE-2023-23416 in the Windows Cryptographic Services, CVE-2023-23415 in the Internet Control Message Protocol (ICMP) handling, and CVE-2023-23392 in the HTTP Protocol Stack.

Three critical Remote Code Execution (RCE) vulnerabilities in the Microsoft Protected Extensible Authentication Protocol (PEAP) have been fixed: CVE-2023-21689, CVE-2023-21690, and CVE-2023-21692.

Description

CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability

CVE-2023-23397 is an elevation of privilege vulnerability in Microsoft Outlook for Windows. This vulnerability has a CVSSv3.1 score of 9.8 and is actively exploited. The exploit works by sending a malicious email to a victim running a vulnerable version of Outlook. No additional user interaction is required.

More information is available in our advisory for this vulnerability:

CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2023-24880 is a vulnerability that allows an attacker to bypass the Windows SmartScreen security feature. This vulnerability has a CVSSv3.1 score of 5.4 and is actively exploited. To be exploited, a victim needs to open a malicious file on an affected version of Windows. The malicious file bypasses the Mark of the Web (MOTW) defences. The exploit is publicly available.

CVE-2023-23416 - Windows Cryptographic Services Remote Code Execution Vulnerability

CVE-2023-23416 is a vulnerability in the Windows operating systems that can lead to Remote Code Execution (RCE). This vulnerability has a CVSSv3.1 score of 8.4. Exploitation requires a malicious certificate to be imported on the affected system. The exploit requires local access to the machine, or tricking a user into installing the malicious certificate.

CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

CVE-2023-23415 is a vulnerability in the Windows operating systems that can lead to Remote Code Execution (RCE). This vulnerability has a CVSSv3.1 score of 9.8. An attacker could craft a packet to trigger this vulnerability against an application that is bound to a raw socket.

CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability

CVE-2023-23392 is a vulnerability in the HTTP Protocol Stack in Microsoft operating systems that can lead to Remote Code Execution (RCE). This vulnerability has a CVSSv3.1 score of 9.8. A remote, unauthenticated attacker could send a malicious packet to a vulnerable target server. For a system to be vulnerable, it must have HTTP/3 enabled and use buffered I/O. Microsoft notes that HTTP/3 support is a new feature and must first be enabled with a registry key.

CVE-2023-21689, CVE-2023-21690, and CVE-2023-21692 - Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability

These vulnerabilities have a CVSSv3.1 score of 9.8. There is no known exploit at the time of writing; however, Microsoft assesses exploitation as more likely. Microsoft Protected Extensible Authentication Protocol (PEAP) is only negotiated with the client if Network Policy Server (NPS) is running on the Windows Server and has a network policy configured that allows PEAP.
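The HTTP/3 and PEAP preconditions above decide which servers carry the extra RCE exposure. The following read-only PowerShell check is an added example, not part of the CCB advisory; it assumes (these names are not on the page) that HTTP/3 is switched on by the DWORD EnableHttp3 under HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, that the NPS service is named IAS, and that "netsh nps show np" lists the network policies.

```powershell
# Added exposure check for the conditions this advisory names for
# CVE-2023-23392 (HTTP/3 enabled) and the PEAP CVEs (NPS with a PEAP policy).
# Read-only: it changes nothing and only reports what an admin should look at.
function Get-PatchTuesdayExposure {
    [CmdletBinding()]
    param()

    # CVE-2023-23392 is only reachable once HTTP/3 has been enabled via the registry.
    # Assumption: value name 'EnableHttp3' (1 = enabled) under the HTTP service parameters.
    $httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $http3 = Get-ItemProperty -Path $httpParams -Name 'EnableHttp3' -ErrorAction SilentlyContinue
    $http3Enabled = ($null -ne $http3) -and ([int]$http3.EnableHttp3 -eq 1)

    # PEAP CVEs: PEAP is only negotiated when NPS is running with a policy allowing it.
    # Assumption: the NPS service is registered as 'IAS'.
    $nps = Get-Service -Name 'IAS' -ErrorAction SilentlyContinue
    $npsRunning = ($null -ne $nps) -and ($nps.Status -eq 'Running')

    $peapPolicyHits = 0
    if ($npsRunning) {
        # Heuristic (assumption): network policies that mention PEAP in the netsh listing.
        # Review the full policy output by hand; this only narrows the search.
        $npOutput = & netsh nps show np 2>$null
        $peapPolicyHits = @($npOutput | Select-String -Pattern 'PEAP').Count
    }

    # ProductType 1 = workstation; 2 and 3 are domain controller / server.
    $isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        IsServer         = $isServer
        Http3Enabled     = $http3Enabled      # precondition for CVE-2023-23392
        NpsRunning       = $npsRunning        # precondition for the PEAP CVEs
        PeapPolicyHits   = $peapPolicyHits
        # Every host still needs the Outlook and SmartScreen zero-day fixes;
        # this flag only marks hosts that additionally expose the RCE paths above.
        ExtraRceExposure = ($http3Enabled -or $peapPolicyHits -gt 0)
    }
}

Get-PatchTuesdayExposure | Format-List
```

Run it on each Windows Server before rollout to order the patch queue; hosts with ExtraRceExposure set are the ones where the HTTP/3 or PEAP conditions from this advisory actually hold.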

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends that Windows system administrators install updates for vulnerable systems with the highest priority, after thorough testing.

References

https://www.tenable.com/blog/microsofts-march-2023-patch-tuesday-addresses-76-cves-cve-2023-23397

https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2023-patch-tuesday-fixes-2-zero-days-83-flaws/