Patch Tuesday April 2023 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Protect your systems from potential cyber threats and ensure the smooth functioning of your endpoints. For even more information, please watch the recorded April 2023 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday page.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
  - The WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900)
  - Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2023-28252)
  - DHCP Server Service Remote Code Execution Vulnerability (CVE-2023-28231)
  - Microsoft Word Remote Code Execution Vulnerability (CVE-2023-28311)
  - Microsoft Message Queuing Remote Code Execution Vulnerability (CVE-2023-21554)
  - Microsoft Snipping Tool
- Third-party application vulnerabilities:
Welcome to the April Patch Tuesday release. This month, Microsoft has released a series of important security updates for their products to help ensure that your systems are up to date and protected against potential threats.
In this Patch Tuesday release, Microsoft has addressed a total of 102 vulnerabilities, which is more than the number of vulnerabilities addressed in March. However, the number of critical updates has decreased, with only 7 fixes compared to 9 in March.
This month, two zero-day vulnerabilities have been fixed, which is the same number as last month. Additionally, two vulnerabilities with publicly available proof of concepts have been disclosed. Below, you will find more details on the most notable critical updates.
The WinVerifyTrust Signature Validation Vulnerability
The WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900) is an old security flaw that is being highlighted by Microsoft to inform its customers about the availability of EnableCertPaddingCheck in all currently supported versions of Windows 10 and Windows 11. This zero-day vulnerability allows an attacker to inject malicious code into an executable binary without invalidating its current certification from Microsoft, which makes the software appear legitimate to the user. While the current patches don’t directly address this vulnerability, the mitigation is already built into the latest OS versions, and can be enabled manually in the registry if desired.
Microsoft suggests that developers ensure their signed binaries conform to the new verification standard by eliminating any extraneous information in the WIN_CERTIFICATE structure, and recommends that customers test this change to evaluate its impact in their own environments.
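The following script is an added example (not from the Action1 digest) that audits and enables the EnableCertPaddingCheck mitigation described above, then verifies a binary's signature with the stricter check in effect. The registry key paths are the ones Microsoft documents for this setting and are assumed here rather than taken from the digest; the binary path is a placeholder.

```powershell
# Audit and enable the WinVerifyTrust padding check (mitigation for CVE-2013-3900).
# Run from an elevated PowerShell prompt. Key paths assumed from Microsoft's guidance.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    # Used by 32-bit callers of WinVerifyTrust on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

function Get-CertPaddingCheck {
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        [pscustomobject]@{ Key = $p; EnableCertPaddingCheck = $v; Enabled = ($v -eq '1') }
    }
}

function Enable-CertPaddingCheck {
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # Microsoft's published .reg script writes the value as a REG_SZ "1".
        New-ItemProperty -Path $p -Name EnableCertPaddingCheck -PropertyType String -Value '1' -Force | Out-Null
    }
}

# Show the state before and after enabling the check.
Get-CertPaddingCheck
Enable-CertPaddingCheck
Get-CertPaddingCheck

# With the check on, a binary carrying extra data in its WIN_CERTIFICATE structure
# should report a Status other than Valid instead of looking legitimately signed.
Get-AuthenticodeSignature -FilePath 'C:\path\to\binary.exe' | Select-Object Status, StatusMessage
```

Test the setting on a representative set of signed internal tools and installers first, since the digest notes Microsoft recommends evaluating its impact before rolling it out.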
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Another zero-day vulnerability has been discovered that affects the Windows Common Log File System driver. This vulnerability has low complexity and uses a local attack vector, requiring only low privileges to exploit and no interaction from the user. It affects Windows Server versions from 2008 onward, as well as all versions of Windows 10. The vulnerability has a CVSS risk score of 7.8, which is lower because it can only be executed locally. However, it still poses a high privilege escalation risk because an attacker who successfully exploits it can gain SYSTEM privileges. Microsoft has confirmed that this vulnerability is being actively exploited in the wild, although no public proof of concept has been found yet. Therefore, all Microsoft customers must update their systems immediately.
DHCP Server Service Remote Code Execution Vulnerability
This vulnerability affects the Microsoft DHCP server. It has low complexity, uses only the DHCP protocol to exploit, requires no privileges to exploit, and requires no user interaction. The vulnerability affects the DHCP role of Windows Server versions starting from Windows Server 2008 and has a high CVSS risk score of 8.8. Although there is no evidence of exploitation yet, Microsoft warns that this vulnerability is likely to be exploited.
To exploit the vulnerability, an attacker with authentication credentials could use a specially crafted RPC call to the DHCP service. This means that the attacker must already have access to the network, which makes it a great vulnerability for lateral movement. To protect against this vulnerability, any company using Microsoft’s DHCP server should update their DHCP servers.
Microsoft Word Remote Code Execution Vulnerability
This vulnerability in Microsoft Word could allow attackers to remotely execute code. However, despite being called “remote code execution,” it actually requires the attacker and victim to be on the same local network or machine. This means that the attacker must first convince the user to open a malicious file sent by them, and then execute the code from the local machine. This vulnerability affects Microsoft 365 and Microsoft Word for Mac 2019 and 2021, and has a CVSS risk score of 7.8.
Although it is considered low complexity and does not require privileges to exploit, it does require user interaction and cannot be exploited through the Preview pane. This means that an attacker must send a malicious file to the user and convince them to open it. While Microsoft says this vulnerability is less likely to be exploited, it is still recommended to update your Microsoft 365 applications to the latest version as a precaution.
Microsoft Message Queuing Remote Code Execution Vulnerability
A critical vulnerability has been found in the Microsoft Message Queuing (MSMQ) service, which could enable remote code execution. This vulnerability, known as CVE-2023-21554, has been given a CVSS severity rating of 9.8 out of 10.
The impact of this vulnerability is significant, as it is easily exploitable over the network with low attack complexity, without requiring special privileges or user interaction by the attacker. However, the scope of the vulnerability is limited to Windows servers running the MSMQ role.
To exploit the vulnerability, an attacker can send specially crafted malicious MSMQ packets to the MSMQ server, which could result in the remote execution of arbitrary code on the server.
Microsoft has released an official patch to address the issue, and it is essential that users take immediate action to update their systems and apply the necessary fixes. In addition, Microsoft has suggested that disabling the MSMQ service may be a good mitigation to reduce the severity of the exploit. Users can check if a service named “Message Queuing” is running and if TCP port 1801 is listening on their machine.
Microsoft stated that they were not aware of any public disclosure or exploitation of this vulnerability.
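The following script is an added example (not from the Action1 digest) that performs the two checks the digest suggests for CVE-2023-21554, the "Message Queuing" service and a listener on TCP port 1801, and optionally applies the interim mitigation of disabling the service. The short service name MSMQ and the function names are this example's own assumptions; run it from an elevated prompt.

```powershell
# Report whether this host exposes MSMQ and, if asked, stop and disable the service.
function Get-MsmqExposure {
    $svc      = Get-Service -Name MSMQ -ErrorAction SilentlyContinue   # display name "Message Queuing"
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $status   = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ServicePresent  = [bool]$svc
        ServiceStatus   = $status
        ListeningOn1801 = [bool]$listener
        # Exposed if the service is running or something is already listening on the MSMQ port
        Exposed         = [bool]$svc -and (($svc.Status -eq 'Running') -or [bool]$listener)
    }
}

function Disable-Msmq {
    param([switch]$WhatIf)   # preview the change without applying it
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output 'MSMQ is not installed; nothing to do.'; return }
    if ($WhatIf) { Write-Output "Would stop and disable '$($svc.DisplayName)'."; return }
    Stop-Service -Name MSMQ -Force
    Set-Service  -Name MSMQ -StartupType Disabled
}

# Usage: inventory first, then preview the mitigation on exposed hosts.
$state = Get-MsmqExposure
$state
if ($state.Exposed) { Disable-Msmq -WhatIf }
```

Disabling the service is a stopgap only where nothing depends on MSMQ; applying the patch remains the fix.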
Microsoft Snipping Tool
Microsoft has issued an emergency update for its Snipping Tool, available on Windows 10 and Windows 11, to address a security vulnerability called Acropalypse.
This vulnerability is identified as CVE-2023-2830 and is caused by image editors not completely removing cropped image data when overwriting the source file. Google Pixel's Markup tool is also affected by this issue. The residual data left behind could expose sensitive information that the user intended to conceal. Although the vulnerability is considered low severity, researchers have noted that a significant number of publicly available images could be affected by Acropalypse, with more than 4,000 posted on VirusTotal alone.
Users are recommended to upgrade to the latest versions of Windows 10 Snip & Sketch (11.2302.20.0) and Windows 11 Snipping Tool (10.2008.3001.0) to avoid this vulnerability.
Additionally, bear in mind that screenshots cropped with earlier versions of these tools may still contain recoverable data.
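The following script is an added example (not from the Action1 digest) that flags PNG screenshots carrying data after the IEND chunk, which is the residue Acropalypse leaves when a cropped image is written over a larger original without truncating the file. The function name, output fields and scan folder are this example's own assumptions.

```powershell
# Detect trailing data after the PNG IEND chunk (Acropalypse residue check).
function Test-PngTrailingData {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Every PNG starts with the fixed 8-byte signature 89 50 4E 47 0D 0A 1A 0A.
    if ($bytes.Length -lt 8 -or [BitConverter]::ToString($bytes, 0, 8) -ne '89-50-4E-47-0D-0A-1A-0A') {
        throw "$Path is not a PNG file"
    }
    # Walk the chunk list: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
    $pos = 8
    $sawIend = $false
    while ($pos + 12 -le $bytes.Length) {
        $len  = [int][BitConverter]::ToUInt32([byte[]]$bytes[($pos + 3)..$pos], 0)  # reverse to little-endian
        $type = [System.Text.Encoding]::ASCII.GetString($bytes, $pos + 4, 4)
        $pos += 12 + $len
        if ($type -eq 'IEND') { $sawIend = $true; break }
    }
    $trailing = $bytes.Length - $pos
    [pscustomobject]@{
        Path          = $Path
        WellFormed    = $sawIend -and ($trailing -ge 0)
        TrailingBytes = [math]::Max($trailing, 0)
        # Bytes after IEND are not part of the rendered image and may be
        # recoverable content from the uncropped original.
        Suspicious    = $sawIend -and ($trailing -gt 0)
    }
}

# Usage: scan a screenshots folder and list files worth re-checking before sharing.
Get-ChildItem -Path "$env:USERPROFILE\Pictures\Screenshots" -Filter *.png -Recurse |
    ForEach-Object { Test-PngTrailingData -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table Path, TrailingBytes
```

A flagged file is not proof of leaked content, since other tools can also append data after IEND, but it is the set of images to re-export from a clean crop rather than share as-is.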
The latest version of Google Chrome, version 112, has addressed 16 security vulnerabilities, many of which were detected through automated testing using AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL tools. None of these vulnerabilities were identified as being critical enough to allow code execution outside the sandbox environment, which provides multiple layers of browser protection.
However, two vulnerabilities have been classified as high-risk:
- CVE-2023-1810: Heap buffer overflow in Visuals.
- CVE-2023-1811: Use-after-free vulnerability in Frames.
CVE-2023-1810 could allow a compromised renderer to register multiple objects with the same FrameSinkId, violating the ownership assumptions the browser relies on. To address this issue, the relevant DCHECKs have been turned into CHECKs, so the check is enforced in release builds rather than only in debug builds.
CVE-2023-1811 is a use-after-free vulnerability in DevTools, the browser's built-in developer tooling. The bug is triggered by manipulating how DevTools stores data in memory: a loop inside the program moves edit commands to an on-stack variable, after which the program can attempt to use memory that has already been freed, leading to a crash or to execution of malicious code.
Google has not reported any known exploits of these vulnerabilities in the wild. Nonetheless, it is strongly recommended to update to the latest version of Google Chrome to ensure the security of your system.
The latest version of Firefox, version 111, has resolved 13 vulnerabilities. Seven of these vulnerabilities were rated as high severity. Three of the fixed bugs specifically impact Firefox for Android and have the potential to allow attackers to display fake full-screen notifications or launch third-party applications without the user’s consent, leading to confusion or impersonation attacks. Additionally, other vulnerabilities fixed in recent updates have the potential to allow Remote Code Execution (RCE) and information disclosure.
Sophos experts have examined the patches and highlighted two particularly noteworthy vulnerabilities: CVE-2023-28161 and CVE-2023-28163. CVE-2023-28161 permits the extension of a single permission granted to a local file to other local files downloaded from the same tab. This means that if a user opens a local file that requires access to a device, such as a webcam, any other local file opened subsequently inherits the same access permission without seeking the user’s consent. Mozilla notes that this flaw could pose issues when viewing files in the Downloads directory, and the permission warnings users receive will vary based on the order in which files are opened.
CVE-2023-28163 is a vulnerability that occurs when users download files from the Windows Save As dialog box that include suggested filenames with environment variable names. This flaw is exclusive to Firefox on Windows and is caused by the way Windows resolves specific character sequences, such as %USERNAME%, which is replaced with the name of the currently logged-in user, or %PUBLIC%, which denotes a shared directory in the C:\Users directory. By exploiting a fake website, attackers can trick users into downloading files that look harmless but end up in a different directory, leading to potential negative consequences.
Given the potential risks associated with these vulnerabilities, Firefox users are strongly advised to update their browser to the latest version.
Google has recently announced the security updates for Android devices in April 2023, which address more than 65 vulnerabilities, including two critical Remote Code Execution (RCE) issues. The security bulletin provides details on 26 vulnerabilities, with most of them being severe bugs that could lead to disclosure or privilege escalation. The two critical bugs are identified as CVE-2023-21085 and CVE-2023-21096, but there is no technical information available yet.
The most severe issue is a bug in the System component that allows for RCE without the need for user interaction or additional operating system privileges.
The second set of updates addresses 40 vulnerabilities in kernel components such as Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm. Most of these bugs are rated as serious, with four bugs related to Qualcomm components rated as critical.
A Wiz researcher, Hillai Ben-Sasson, has reported that he was able to hack Bing and manipulate search results using a vulnerability named BingBang, which he demonstrated through a video on YouTube. This vulnerability also granted access to millions of Office 365 user accounts. The vulnerability was linked to a misconfiguration in Azure Active Directory, a cloud-based identity and access management service that is widely used by organizations worldwide.
Further investigation by Wiz revealed that at least 35% of the applications they scanned were susceptible to Azure authentication bypass. The researchers were able to not only manipulate search results but also execute a cross-site scripting (XSS) attack, which compromised the login credentials of all Bing users who utilize Microsoft Office 365.
Bing is the 27th most visited website globally, and this vulnerability, if exploited, could have had significant implications for other services such as Mag News, MSN, PoliCheck, Power Automate Blog, and others. However, Microsoft acted promptly and addressed the issue by adding additional authorization checks and releasing a separate security advisory.
According to Microsoft, there is no evidence that this vulnerability has been exploited by any attacker so far.
IEEE 802.11 Wi-Fi protocol
A team of researchers, including Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef, has discovered a serious vulnerability in the IEEE 802.11 Wi-Fi protocol. This flaw allows attackers to intercept network traffic by exploiting the lack of security in queued frames. The vulnerability affects a wide range of devices, including those running Linux, FreeBSD, iOS, and Android. The researchers will present their findings at the upcoming Black Hat Asia conference in May.
Wi-Fi frames are data containers that carry the source and destination MAC addresses, control data, and the payload; an access point queues and transmits them in a controlled manner. The problem the researchers found concerns the lack of security of the queued frames.
The IEEE 802.11 standard includes power-saving mechanisms that let Wi-Fi devices conserve power: the access point buffers, or queues, frames intended for sleeping devices. When a client station goes to sleep, it sends the access point a frame whose header has the power-saving bit set, and all frames intended for it are queued. However, the standard specifies no explicit procedure for protecting the security of frames in the queue and places no limit on how long frames can remain in this state.
An attacker can exploit this by spoofing the MAC address of a device on the network, sending power-saving frames to the access point so that it queues frames destined for the target, and then sending a wake-up frame to obtain the queued frames. The queued frames are typically encrypted, but an attacker can change the security context of the frames by sending authentication and association frames to the access point.
Cisco was the first vendor to acknowledge the impact of the vulnerability. Although the attacks described could be successful against Cisco Wireless Access Point and Cisco Meraki products with wireless capabilities, the resulting material is unlikely to compromise the overall security of a properly protected network. The company recommends mitigation measures, including the use of policy enforcement mechanisms with the Cisco Identity Services Engine (ISE), which can restrict network access by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.
Apple has released a series of updates for all of its devices, including iOS, iPadOS, tvOS, watchOS, all versions of macOS, and the Studio Display external monitor firmware. These updates contain numerous security patches that address a range of vulnerabilities, such as potential system-level attacks and RCE, information disclosure, Bluetooth access, and more. It is important to note that if you are using macOS Ventura and have your Mac connected to Studio Display, updating Ventura alone is not sufficient protection against potential attacks.
The updates are available for iOS 16.4, iPadOS 16.4, macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5, tvOS 16.4 and watchOS 9.4.
The update package also closes a 0-day vulnerability in WebKit that could allow attackers to inject malware into older iOS 15 or iPadOS 15 devices. This vulnerability, CVE-2023-23529, relates to a type confusion bug in the WebKit browser engine and was originally fixed in the February 13, 2023 updates. Apple notes that the vulnerability has been exploited in actual attacks, but details of the exploit are not yet public.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.