www.belgium.be Logo of the federal government

Warning: Microsoft Patch Tuesday addressed 97 vulnerabilities including an actively exploited 0-day RCE vulnerability. Patch Immediately!

Reference: 
Advisory #2023-40
Version: 
1.0
Affected software: 
Multiple Microsoft products
Type: 
Several types, ranging from information disclosure to remote code execution and Privilege escalation.
CVE/CVSS: 

Microsoft patched 97 CVEs in its April 2023 Patch Tuesday release including an actively exploited 0-day RCE vulnerability, 7 are rated as critical and 90 rated as important.

Number of CVE by type:

- 45 Remote Code Execution vulnerabilities
- 20 Elevation of Privilege vulnerabilities
- 10 Information Disclosure vulnerabilities
- 9 Denial of Service vulnerabilities
- 7 Security Feature Bypass vulnerabilities
- 6 Spoofing vulnerabilities
 

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr

Risks

Microsoft’s April 2023 Patch Tuesday includes 7 critical and 90 important vulnerabilities for a wide range of Microsoft products and technologies. Microsoft reported one zero-day vulnerability that is actively exploited in the wild: CVE-2023-28252 affecting the Windows Common Log File System (CLFS).

Mandiant and Webin Lab discovered CVE-2023-28252. Threat actors can leverage CVE-2023-28252 during low-complexity attacks if local access is already achieved. Successful exploitation requires no user interaction and grants the threat actor SYSTEM privileges. Kaspersky observed Nokoyawa ransomware operators leveraging CVE-2023-28252. The Nokoyawa ransomware group is notable for its use of many similar but unique Common Log File System (CLFS) driver exploits.

Targeting CLFS to elevate privileges as part of post-compromise activity is a successful TTP for threat actors, there is a significant increase in observed activity during security incidents for the last two years.

Patching 0-day vulnerabilities from Microsoft Patch Tuesday should be prioritised, there have been at least 19 in-the-wild zero-day attacks which are observed in about one-third of all observed exploitation in 2023.

Microsoft also patched 2 critical CVEs affecting Microsoft's Message Queuing (MSMQ) service.

CVE-2023-21554 has been categorised by Microsoft as "exploitation more likely." This vulnerability can only be exploited when the Windows message queuing service is enabled. In that situation, TCP port 1801 will be listening on the host. A threat actor can successfully exploit CVE-2023-21554, after sending a specially crafted MSMQ packet to a targeted server.

Microsoft fixed another critical Remote Code Execution vulnerability affecting MSMQ, tracked as CVE-2023-28250.

CVE-2023-21554 & 2023-28250 are currently not exploited in the wild. Bharat Jogi (Director of the Vulnerability- and Threat Research at Qualys), expressed his concerns that CVE-2023-21554 & CVE-2023-28250 have a CVSSv3 base score of 9.8/10 and are potentially wormable.

Microsoft also announced that Exchange Server 2013 has reached its end of life. Microsoft’s Exchange Server 2013 will no longer receive security updates and must be upgraded as soon as possible.

Organisations that are still using Microsoft Exchange 2013 are advised to follow the guidance to decommission Microsoft Exchange Server 2013: https://techcommunity.microsoft.com/t5/exchange-team-blog/decommissioning-exchange-server-2013/ba-p/3613793.

Microsoft Exchange servers were a major target for at least 10 ransomware groups in 2022 and are also often targeted by Nation State actors such as the Hafnium group, Turla, and many other APT groups.

The Centre for Cyber security Belgium has launched multiple spear warning campaigns and advised Belgian organisations frequently to patch their servers.

Description

CVE-2023-28252 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2023-28252 is an elevation of privilege vulnerability affecting the Windows Common Log File System Driver. This 0-day vulnerability has a CVSSv3.1 score of 7.8 and is actively exploited in the wild.

A threat actor needs to have a foothold on the victim’s network to successfully exploit CVE-2023-28252. No additional user interaction is required.

CVE-2023-21554 - Microsoft Message Queuing Remote Code Execution Vulnerability

CVE-2023-21554 is a Remote Code execution vulnerability affecting the Windows Common Log File System Driver. This vulnerability has a CVSSv3.1 score of 9.8. Microsoft categorised CVE-2023-21554 as "exploitation more likely." This vulnerability can only be exploited when the Windows message queuing service is enabled. If so, the TCP port 1801 will be listening on the host.

A threat actor can successfully exploit CVE-2023-21554, after sending a specially crafted MSMQ packet to a vulnerable server.

CVE-2023-28250 - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

CVE-2023-28250 is a Remote Code execution vulnerability affecting the Windows Pragmatic General Multicast (PGM). This vulnerability has a CVSSv3.1 score of 9.8. This vulnerability can only be exploited when the Windows message queuing service is enabled.

A threat actor can successfully exploit CVE-2023-28250, after sending a specially crafted file to a vulnerable server.

CVE-2023-28231- DHCP Server Service Remote Code Execution Vulnerability

CVE-2023-28231is a Remote Code execution vulnerability affecting the Dynamic Host Configuration Protocol (DHCP) server service. This vulnerability has a CVSSv3.1 score of 8.8. CVE-2023-28231 and has been categorised by Microsoft as "exploitation more likely." This vulnerability can only be exploited when the attacker is on an adjacent network.

A threat actor can successfully exploit CVE-2023-28231, after sending a specially crafted RPC call to a vulnerable server.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends Windows system administrators to install updates for vulnerable systems with the highest priority, after thorough testing.

References

https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2023-patch-tuesday-fixes-2-zero-days-83-flaws/
https://www.tenable.com/blog/microsofts-april-2023-patch-tuesday-addresses-97-cves-cve-2023-28252
https://www.getinfosec.news/30886319/nokoyawa-ransomware-attacks-with-windows-zero-day#/
https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-2013-reaches-end-of-support-next-month/ba-p/3762083