
WARNING: MICROSOFT PATCH TUESDAY, JANUARY 2023 PATCHES 98 VULNERABILITIES INCLUDING ONE ZERO-DAY EXPLOITED IN THE WILD (11 CRITICAL, 87 IMPORTANT)

Reference: 
Advisory #2023-06
Version: 
1.0
Affected software: 
Microsoft Windows
Microsoft 3D Builder
Microsoft Office
Microsoft Exchange Server
Microsoft SharePoint Server
Microsoft Azure
Microsoft Malware Protection Engine
Microsoft .NET framework
Microsoft Visual Studio
Type: 
Several types, ranging from denial of service to privilege escalation and remote code execution.
CVE/CVSS: 

Microsoft Patch Tuesday, January 2023 patches 98 vulnerabilities including a zero-day vulnerability exploited in the wild (11 critical, 87 important)

Number of CVEs per type

  • 39 Elevation of Privilege Vulnerabilities
  • 4 Security Feature Bypass Vulnerabilities
  • 33 Remote Code Execution Vulnerabilities
  • 10 Information Disclosure Vulnerabilities
  • 10 Denial of Service Vulnerabilities
  • 2 Spoofing Vulnerabilities

Risk

  • 0-day vulnerability: 1
  • Exploitation detected: 1
  • Exploitation more likely in latest version: 7
  • Exploitation more likely in older versions: 4

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2023-Jan

Risks

This month’s Patch Tuesday includes 11 critical and 87 important vulnerabilities for a wide range of Microsoft products and technologies.

In addition, Microsoft reports one zero-day vulnerability CVE-2023-21674 (Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege) as being exploited in the wild without providing public disclosure.

Two other privilege escalation vulnerabilities identified as being of high priority affect Microsoft Exchange Server CVE-2023-21763 and CVE-2023-21764. Implementing patch management for Microsoft Exchange servers is highly recommended. Microsoft Exchange servers are high-value targets for threat actors.

The CCB has warned its constituency multiple times over the last two years about actively exploited vulnerabilities targeting Microsoft Exchange Server.

CISA added CVE-2022-41080, an Exchange Server privilege escalation flaw, to its Known Exploited Vulnerabilities catalogue following reports that the vulnerability is being chained with CVE-2022-41082 to achieve remote code execution on vulnerable systems. The exploit, codenamed OWASSRF by CrowdStrike, has been leveraged by the Play ransomware actors to breach target environments. Microsoft fixed both defects in November 2022.

Remark:

The January Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reached end of support on January 10, 2023. Microsoft will not offer an Extended Security Update (ESU) program for Windows 8.1 and instead urges users to upgrade to Windows 11.

Continuing to use Windows 8.1 after January 10, 2023, may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations.

Description

CVE-2023-21674 - Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability

While Microsoft notes this 0-day vulnerability is being exploited in the wild, no further technical details have been disclosed at the time of this writing.

Successful exploitation can result in an attacker gaining SYSTEM permissions.

CVE-2023-21743 - Microsoft SharePoint Server Security Feature Bypass Vulnerability

While Microsoft only assigned a CVSS score of 5.3, it notes that exploitation of this vulnerability is more likely, as it can be exploited remotely and allows an unauthenticated attacker to bypass the expected user access controls.

SharePoint Server 2016/2019 administrators should also consider that patching this vulnerability will require a SharePoint upgrade action which is included in this Patch Tuesday.

CVE-2023-21762 & CVE-2023-21745 - Microsoft Exchange Server Spoofing Vulnerabilities

Microsoft notes that exploitation of both vulnerabilities requires an attacker to be authenticated on a vulnerable Exchange server. An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path.

Exchange Server administrators should also note that CVE-2023-21762 affects Exchange Server 2013 in addition to 2016 and 2019, while CVE-2023-21745 only affects Exchange Server 2016 and 2019.

CVE-2023-21678 - Windows Print Spooler Elevation of Privilege Vulnerability

Attackers will likely seek to chain exploitation of this vulnerability with others to elevate their privileges on a compromised system, as it affects both Windows Server and Windows client editions.

CVE-2023-21563 - BitLocker Security Feature Bypass Vulnerability

An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data. The CCB recommends that Windows administrators deploy an endpoint device management solution with device-wiping capabilities.

Recommended actions

The Centre for Cyber Security Belgium strongly recommends that Windows system administrators install the updates for vulnerable systems with the highest priority, after thorough testing.
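As an added example that is not part of the CCB advisory, the PowerShell snippet below is one way an administrator can triage a fleet against the two points raised above: whether a host still runs a client edition that reached end of support on January 10, 2023 (the Remark section), and whether any update has been installed on or after the January 2023 Patch Tuesday (the recommended action). It relies only on the built-in `Get-CimInstance` and `Get-HotFix` cmdlets; the kernel-version mapping (6.1 for Windows 7, 6.3 for Windows 8.1) and the use of `ProductType -eq 1` to exclude server editions such as Windows Server 2012 R2 are the author's assumptions, and the script is meant to be run per host or through a remoting session.

```powershell
# Added example, not CCB or Microsoft code. Reports end-of-support status
# and whether the host has received any update since the January 2023
# Patch Tuesday (2023-01-10). Run locally or via Invoke-Command.

$PatchTuesday = [datetime]'2023-01-10'

# Assumption: Windows 7 reports kernel 6.1 and Windows 8.1 reports 6.3.
# ProductType 1 = workstation, so Windows Server 2012 R2 (also 6.3) is
# not flagged; it was still supported in January 2023.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = [version]$os.Version
$majorMinor = '{0}.{1}' -f $ver.Major, $ver.Minor
$endOfSupport = ($os.ProductType -eq 1) -and (@('6.1', '6.3') -contains $majorMinor)

# Get-HotFix only lists updates recorded in Win32_QuickFixEngineering and
# InstalledOn can be empty on some hosts, so filter those out before sorting.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 1

$updatedSincePatchTuesday = $false
if ($latest -and $latest.InstalledOn -ge $PatchTuesday) {
    $updatedSincePatchTuesday = $true
}

# One record per host; pipe to Export-Csv when collecting across a fleet.
[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    OSCaption                = $os.Caption
    OSVersion                = $os.Version
    ClientEndOfSupport       = $endOfSupport
    LatestHotFixID           = if ($latest) { $latest.HotFixID } else { $null }
    LatestHotFixInstalledOn  = if ($latest) { $latest.InstalledOn } else { $null }
    UpdatedSincePatchTuesday = $updatedSincePatchTuesday
}
```

A host that reports `ClientEndOfSupport = True` will never show the January updates and needs an upgrade rather than a patch; a supported host with `UpdatedSincePatchTuesday = False` is the one to prioritise for deployment. Because `Get-HotFix` does not see every servicing path, treat a negative result as a prompt to verify through the organisation's update management tooling rather than as proof that the host is unpatched.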

References

https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2023-patch-tuesday-fixes-98-flaws-1-zero-day/
https://krebsonsecurity.com/2023/01/microsoft-patch-tuesday-january-2023-edition/
https://www.rapid7.com/blog/post/2023/01/10/patch-tuesday-january-2023/