Other official information and services: www.belgium.be

Microsoft released security patches for 75 vulnerabilities (9 critical, 66 Important, 1 moderate) including 2 actively exploited zero-days. Patch ASAP!

Reference:

Advisory #2023-029

Version:

1.0

Affected software:

Azure

Client Server Run-time Subsystem (CSRSS)

Internet Control Message Protocol (ICMP)

Microsoft Bluetooth Driver

Microsoft Dynamics

Microsoft Edge (Chromium-based)

Microsoft Graphics Component

Microsoft Office Excel

Microsoft Office Outlook

Microsoft Office SharePoint

Microsoft OneDrive

Microsoft PostScript Printer Driver

Microsoft Printer Drivers

Microsoft Windows Codecs Library

Office for Android

Remote Access Service Point-to-Point Tunnelling Protocol

Role: DNS Server

Role: Windows Hyper-V

Service Fabric

Visual Studio

Windows Accounts Control

Windows Bluetooth Service

Windows Central Resource Manager

Windows Cryptographic Services

Windows Defender

Windows HTTP Protocol Stack

Windows HTTP.sys

Windows Internet Key Exchange (IKE) Protocol

Windows Kernel

Windows Partition Management Driver

Windows Point-to-Point Protocol over Ethernet (PPPoE)

Windows Remote Procedure Call

Windows Remote Procedure Call Runtime

Windows Resilient File System (ReFS)

Windows Secure Channel

Windows SmartScreen

Windows TPM

Windows Win32K

Type:

Several types, ranging from information disclosure, remote code execution and privilege elevation.

CVE/CVSS:

Microsoft patched 76 CVEs in its March 2023 Patch Tuesday release, 9 rated as critical and 66 rated as important.

Number of CVE by type:

- 25 Remote Code Execution vulnerabilities
- 20 Elevation of Privilege vulnerabilities
- 14 Information Disclosure vulnerabilities
- 11 Spoofing vulnerabilities
- 4 Denial of Service vulnerabilities
- 2 Security Feature Bypass vulnerabilities

Date:

15/03/2023

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar

Risks

Microsoft's March Patch Tuesday includes 9 critical and 66 important vulnerabilities for a wide range of Microsoft products and technologies.

Microsoft reported two zero-day vulnerabilities that are actively exploited: CVE-2023-23397 (Microsoft Outlook Elevation of Privilege) and CVE-2023-24880 (Windows SmartScreen Security Feature Bypass.)

Microsoft fixed three critical Remote Code Execution (RCE) vulnerabilities in the Windows operating systems: CVE-2023-23416 in the Windows Cryptographic Services, CVE-2023-23415 in the Internet Control Message Protocol (ICMP) handling, and CVE-2023-23392 in the HTTP Protocol Stack.

Three critical Remote Code Execution (RCE) vulnerabilities in the Microsoft Protected Extensible Authentication Protocol (PEAP) have been fixed: CVE-2023-21689, CVE-2023-21690, and CVE-2023-21692.

Description

CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability

CVE-2023-23397 is an elevation of privilege in Microsoft Outlook for Windows. This vulnerability has a CVSSv3.1 score of 9.8 and is actively exploited. The exploit works by sending a malicious email to a victim with a vulnerable version of Outlook. No additional user interaction is required.

More information is available in our advisory for this vulnerability:

CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2023-24880 is a vulnerability that allows an attacker to bypass the Windows SmartScreen security feature. This vulnerability has a CVSSv3.1 score of 5.4 and is actively exploited. To be exploited a victim needs to open a malicious file on an affected version of Windows. The malicious file bypasses the Mark of the Web (MOTW) defences. The exploit is publicly available.

CVE-2023-23416 - Windows Cryptographic Services Remote Code Execution Vulnerability

CVE-2023-23416 is a vulnerability in the Windows operating systems involving Remote Code Execution (RCE.) This vulnerability has a CVSSv3.1 score of 8.4. Exploitation requires a malicious certificate to be imported on the affected system. The exploit requires local access to a machine, or to trick a user into installing the malicious certificate.

CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

CVE-2023-23415 is a vulnerability in the Windows operating systems involving Remote Code Execution (RCE.) This vulnerability has a CVSSv3.1 score of 9.8. An attacker could craft packet to trigger this vulnerability on an application that is bound to a raw socket.

CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability

CVE-2023-23392 is a vulnerability in the HTTP Protocol Stack in Microsoft operating systems that can lead to Remote Code Execution (RCE.) This vulnerability has a CVSSv3.1 score of 9.8. A remote, unauthenticated attacker could send a malicious packet to the target server that is vulnerable. For a system to be vulnerable, it must HTTP/3 and buffered I/O. Microsoft notes that HTTP/3 support is a new feature and must first be enabled with a registry key.

CVE-2023-21689, CVE-2023-21690, and CVE-2023-21692 - Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability

These vulnerabilities have a CVSSv3.1 score of 9.8. There is no known exploit at the time of writing, however Microsoft assesses that exploitation is more likely. Microsoft Protected Extensible Authentication Protocol (PEAP) is only negotiated with the client if Network Policy Server (NPS) is running on the Windows Server and has a network policy configured that allows PEAP.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends Windows system administrators to install updates for vulnerable systems with the highest priority, after thorough testing.

References

https://www.tenable.com/blog/microsofts-march-2023-patch-tuesday-addresses-76-cves-cve-2023-23397

https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2023-patch-tuesday-fixes-2-zero-days-83-flaws/