www.belgium.be Logo of the federal government

Warning: Microsoft Patch Tuesday addressed 38 Microsoft vulnerabilities including 2 actively exploited 0-day vulnerabilities. Patch Immediately!

Reference: 
Advisory #2023-53
Version: 
1.1
Affected software: 
Microsoft Bluetooth Driver
Microsoft Graphics Component
Microsoft Office
Microsoft Office Access
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Word
Microsoft Teams
Microsoft Windows Codecs Library
Reliable Multicast Transport Driver (RMCAST)
Remote Desktop Client
SysInternals
Visual Studio Code
Windows Backup Engine
Windows Installer
Windows iSCSI Target Service
Windows Kernel
Windows LDAP - Lightweight Directory Access Protocol
Windows MSHTML Platform
Windows Network File System
Windows NFS Portmapper
Windows NTLM
Windows OLE
Windows RDP Client
Windows Remote Procedure Call Runtime
Windows Secure Boot
Windows Secure Socket Tunneling Protocol (SSTP)
Windows SMB
Windows Win32K
Type: 
Several types, ranging from Information Disclosure to Remote Code Execution and Privilege Escalation.
CVE/CVSS: 

Microsoft patched 38 CVEs in its May 2023 Patch Tuesday release including 3 0-day vulnerabilities with two of them being actively exploited. Of the 38 vulnerabilities 6 are rated as critical and 32 are rated as important. Microsoft also republished fixes for 9 vulnerabilities in the open-source Chromium engine that Edge uses.

Number of CVE by type:

  • 12 Remote Code Execution vulnerabilities
  • 8 Elevation of Privilege vulnerabilities
  • 8 Information Disclosure vulnerabilities
  • 6 Denial of Service vulnerabilities
  • 5 Security Feature Bypass vulnerabilities
  • 1 Spoofing vulnerability

Sources

Microsoft MSRC - https://msrc.microsoft.com/update-guide/releaseNote/2023-May

Risks

Microsoft’s May 2023 Patch Tuesday includes 6 critical and 32 important vulnerabilities for a wide range of Microsoft products and technologies. Microsoft fixed 3 zero-day vulnerabilities with two of them actively exploited in the wild:

  • CVE-2023-29336, a Win32k privilege escalation vulnerability that attackers can exploit to gain complete control of affected systems. This flaw can be chained with a code execution bug to spread malware.
  • CVE-2023-24932, a security feature bypass vulnerability that allows an attacker to bypass Secure Boot and install a boot policy of their choice. CVE-2023-24932 is used by threat actors to install the BlackLotus UEFI bootkit.

Microsoft reports 8 vulnerabilities that are more likely to be exploited and 1 vulnerability where exploitation was detected. These vulnerabilities do not necessarily map 1 to 1 with the reported critical vulnerabilities.

Microsoft announced that Windows 10 20H2 has reached its end of life for Enterprise, Education, IoT Enterprise, and Enterprise multi-session editions. This means that users of these versions of Windows 10 20H2 will no longer receive security updates and should upgrade as soon as possible.

The Centre for Cyber security Belgium has launched multiple spear warning campaigns and advised Belgian organisations frequently to patch their servers.

 

Description

Below you can find an overview of the critical and more likely to be exploited vulnerabilities.

CVE-2023-24902 - Win32k Elevation of Privilege Vulnerability

CVSS 3.1: 7.8

CVE-2023-24902 is an elevation of privilege vulnerability affecting Win32k, a Windows Core Library. a threat actor that successfully exploits this vulnerability could gain SYSTEM privileges. The vulnerability is known to be exploited in the wild.

A threat actor needs to have a foothold on the victim’s system to successfully exploit CVE- 2023-24902. No additional user interaction or privileges are required.

CVE-2023-24903 - Windows Secure Socket Tunnelling Protocol (SSTP) Remote Code Execution Vulnerability

CVSS 3.1:8.1

CVE-2023-24903 is a Remote Code execution vulnerability affecting the Windows Secure Socket Tunnelling Protocol. Microsoft categorised CVE-2023-24903as "exploitation less likely." due to the high complexity of the attack. Successful exploitation of this vulnerability requires an attacker to win a race condition.

A threat actor can successfully exploit CVE-2023-24903 by sending a specially crafted malicious SSTP packet to a SSTP server. This could result in remote code execution on the server side.

CVE-2023-24941 - Windows Network File System Remote Code Execution Vulnerability

CVSS 3.1: 9.8

CVE-2023-2491 is a Remote Code execution vulnerability affecting the Windows Network File System. The attack complexity is low and the attack does not require user interaction or high privileges. Microsoft assesses this vulnerability to be likely exploited.

A threat actor can successfully exploit CVE-2023-24941 over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).

CVE-2023-24943 - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

CVSS 3.1: 9.8

CVE-2023-24943 is a Remote Code execution vulnerability affecting the Windows Pragmatic General Multicast (PGM). This vulnerability can only be exploited when the Windows message queuing service is enabled.

A threat actor can successfully exploit CVE-2023-24943, after sending a specially crafted file over the network to a vulnerable server.

CVE-2023-24947 - Windows Kernel Elevation of Privilege Vulnerability

CVSS 3.1: 7.8

CVE-2023-24947 is an Elevation of Privilege vulnerability affecting the Windows kernel. Microsoft assesses this vulnerability likely to be exploited. This vulnerability can only be exploited when the threat actor has already gained a foothold on the target system.

A threat actor that has gained a foothold on the target system and successfully exploits CVE-2023-24947 could gain SYSTEM privileges.

CVE-2023-24950 - Microsoft SharePoint Server Spoofing Vulnerability

CVSS 3.1: 8.8

CVE-2023-24950 is a spoofing vulnerability affecting SharePoint. A remote authenticated threat actor with privileges to create SharePoint sites could exploit this vulnerability to cause the server to leak its NTLM hash. This could help the threat actor to move laterally. Microsoft assesses this vulnerability to be likely exploited.

CVE-2023-24954 - Microsoft SharePoint Server Information Disclosure Vulnerability

CVSS 3.1: 6.5

CVE-2023-24954 is an Information Disclosure vulnerability affecting Sharepoint. An authenticated threat actor could exploit this vulnerability to gain user tokens and other potentially sensitive information. Microsoft assesses this vulnerability to be likely exploited.

CVE-2023-24955 - Microsoft SharePoint Remote Code Execution Vulnerability

CVSS 3.1: 6.5

CVE-2023-24955 is a Remote Code Execution vulnerability affecting Sharepoint. A remote authenticated attacker that is Site Owner could exploit this vulnerability to execute code remotely on the SharePoint Server. Microsoft assesses this vulnerability to be critical and likely to be exploited.

  • UPDATE 2023-12-19: A proof-of-concept exploit chain has been released for CVE-2023-29357 and CVE-2023-24955 Microsoft SharePoint Server Vulnerabilities. These vulnerabilities can be used to achieve remote code execution (RCE).

CVE-2023-29324- Windows MSHTML(Trident) Platform Security Feature Bypass Vulnerability

CVSS 3.1: 6.5

CVE-2023-29324 is a security bypass vulnerability affecting Windows MSHTML. A remote unauthenticated threat actor could exploit this vulnerability by crafting a malicious URL that would evade zone checks, resulting in a limited loss of integrity and availability of the victim machine. 

It is important to note that customers must install the updates for CVE-2023-23397 and CVE-2023-29324 to be fully protected. For more information, please see the MSRC Blog Post relating to CVE-2023-23397. 
 
This vulnerability is known to be actively exploited by Russian threat actors.
 

CVE-2023-28283- Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

CVSS 3.1: 8.1

CVE-2023-28283 is a Remote Code Execution vulnerability affecting LDAP. A remote unauthenticated threat actor could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service. Microsoft assesses this vulnerability to be less likely exploited due to the high attack complexity required. The threat actor needs to win a race condition to successfully exploit CVE-2023- 28283.

CVE-2023-29325- Windows OLE Remote Code Execution Vulnerability

CVSS 3.1: 8.1

CVE-2023-29325 is a Remote Code Execution vulnerability affecting Windows Object Linking and Embedding. A remote unauthenticated threat actor could exploit the vulnerability by sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim's machine.

Microsoft assesses this vulnerability to be critical and likely exploited. Even though the attack complexity is high there is already a Proof-of-Concept code available detailing the exploitation of CVE-2023-29325.

CVE-2023- 29336- Win32k Elevation of Privilege Vulnerability

CVSS 3.1: 7.8

CVE-2023- 29336 is an Elevation of Privilege vulnerability affecting Win32k, a Windows Core Library. A local authenticated threat actor successfully exploiting this vulnerability could gain SYSTEM privileges. Microsoft assesses this vulnerability to be likely exploited due to the low attack complexity and low privileges required.

CVE-2023- 29336 is known to be exploited in the wild, likely as part of an exploit chain to deliver malware.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends Windows system administrators to install updates for vulnerable systems with the highest priority, after thorough testing.

References

Qualys - https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2023/05/09/microsoft-patch-tuesday-may-2023-security-update-review

Tenable - https://www.tenable.com/blog/microsofts-may-2023-patch-tuesday-addresses-38-cves-cve-2023-29336

Tenable - https://www.tenable.com/blog/cve-2023-29357-cve-2023-24955-exploit-chain-released-for-microsoft-sharepoint-server