
Patch Tuesday January 2023

January 11, 2023

By Mike Walters

Patch Tuesday January 2023 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

In this issue, you will learn about patches for Microsoft Windows and Exchange Server, Google Chrome, Mozilla Firefox, Citrix ADC and Gateway, the YITH WooCommerce Gift Cards Premium plugin for WordPress, the Linux kernel (ksmbd), Foxit Reader, and VMware products.

For even more information, please watch the recorded January 2023 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday page.

Microsoft Vulnerabilities

The first Patch Tuesday of 2023 brings 98 fixed vulnerabilities from Microsoft, almost twice December's count. The number of critical fixes is also higher than last month: Microsoft has rolled out 11, compared to 7 in December. In addition, this month brings one fixed zero-day and one vulnerability that has a working proof of concept and is being actively exploited in the wild. Here are details on the most interesting critical updates.

Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability

Microsoft has released a patch for CVE-2023-21674, a new zero-day vulnerability in Windows Advanced Local Procedure Call (ALPC). It has low attack complexity, uses the local vector, requires low privileges and no user interaction, and affects all Windows versions from Windows 8.1 and Windows Server 2012 R2 onward. The zero-day has a high CVSS score of 8.8, and Microsoft has confirmed that it is being actively exploited in the wild, although no proof of concept has been publicly disclosed yet.

The risk is significant: the flaw affects millions of organizations, and successful exploitation gives the attacker SYSTEM privileges.

To mitigate this vulnerability, install the update from Microsoft on all systems after testing it properly.

Windows Credential Manager User Interface Elevation of Privilege Vulnerability

According to Microsoft, the Windows Credential Manager vulnerability (CVE-2023-21726) is more likely to be exploited in the wild. It has low complexity, uses the local vector, requires low privileges and no user interaction, and can be exploited only locally; its CVSS score is a high 7.8. No proof of concept or evidence of exploitation has been publicly disclosed yet. The vulnerability affects Windows versions from Windows 7 and Windows Server 2008 onward.

An attacker who successfully exploits this vulnerability can gain SYSTEM privileges.

The mitigation is to install the update from Microsoft on all systems (after installing it in a test environment).

Windows Kernel Vulnerabilities

Microsoft resolved a number of Windows kernel vulnerabilities in the January patch. Windows cannot run without its kernel, the program at the core of the operating system that has complete control over everything in the system, which makes these updates very important. The potential risk from these vulnerabilities is high since they affect every device running any Windows version from Windows 7 onward.

Vulnerabilities under CVE-2023-21772, CVE-2023-21750, CVE-2023-21675, CVE-2023-21747, CVE-2023-21748, CVE-2023-21749, CVE-2023-21773, CVE-2023-21774 are all related to elevation of privilege, and CVE-2023-21776 is related to information disclosure.

Seven of the elevation-of-privilege vulnerabilities have low complexity, use the local vector, require low privileges, and need no user interaction. They carry a high CVSS score of 7.8; the score is not higher because they can be exploited only locally. An attacker who successfully exploits them could gain SYSTEM privileges.

CVE-2023-21750 differs because it has no confidentiality impact: it does not allow disclosure of confidential information, but it can allow an attacker to delete certain data, including data whose loss results in service disruption. That lowers its CVSS score to 7.1.

CVE-2023-21776 affects only confidentiality. The information that could be disclosed is the contents of kernel memory: an attacker could read kernel memory from a user-mode process. Its score is also lower, at 5.5 CVSS.

No proof of concept or evidence of real-world exploitation has been publicly disclosed for any of these vulnerabilities. The mitigation is to install the update from Microsoft on all systems (after installing it in a test environment).

Windows SMB Witness Service Elevation of Privilege Vulnerability

According to Microsoft, the Windows SMB Witness Service vulnerability (CVE-2023-21549) has a working proof of concept. It has low complexity, uses the network vector, requires low privileges and no user interaction, and has a high CVSS score of 8.8. However, there is no evidence of real-world exploitation.

To exploit this vulnerability, an attacker could run a specially crafted malicious script that makes a Remote Procedure Call (RPC) to an RPC host running the SMB Witness service. The result is elevation of privilege on the server, letting the attacker execute RPC functions that are restricted to privileged accounts.

The vulnerability affects Windows OS versions starting from Windows 7 and Windows Server 2008.

The mitigation is to install the update from Microsoft on all systems (after installing it in a test environment).

Windows Print Spooler Elevation of Privilege Vulnerability

For months, Microsoft has kept issuing fixes for Windows Print Spooler vulnerabilities. This month brings updates for three of them. Two, CVE-2023-21678 and CVE-2023-21765, have a CVSS score of 7.8; both have low complexity, use the local vector, require low privileges, and need no user interaction. An attacker who successfully exploits either can gain SYSTEM privileges.

CVE-2023-21760 differs in that it has no confidentiality impact. It does not allow disclosure of confidential information, but it could allow an attacker to delete data, including data whose loss makes the service unavailable. That lowers its CVSS score to 7.1.

There has been no proof of concept or evidence of real-world exploitation. These vulnerabilities affect Windows versions from Windows 7 and Windows Server 2008 onward that have the print service running.

The mitigation is to install the update from Microsoft on all systems (after installing it in a test environment).

Microsoft Exchange Server Spoofing Vulnerability

According to Microsoft, the Exchange Server vulnerabilities CVE-2023-21745 and CVE-2023-21762 are likely to be exploited in the wild. They have low complexity, require low privileges, and need no user interaction; however, the attacker must be authenticated to the Exchange server. The attack vector is Adjacent, meaning they cannot be exploited over the internet; the attacker needs something specifically tied to the target, such as the same shared physical or logical network, or a secure or limited administrative domain. This is typical of attacks that require a man-in-the-middle setup or that rely on first gaining a foothold in the victim's environment.

Exploiting these vulnerabilities could allow the disclosure of NTLM hashes. A successful attack could lead to an NTLM relay that affects a resource's availability.

The vulnerabilities have a high CVSS score of 8.0. No proof of concept or evidence of exploitation has been publicly disclosed yet. They affect Microsoft Exchange Server 2013 and later. Update as soon as possible, but only after testing the update in a test environment.

Google Chrome

Google has announced an update to Chrome that fixes eight vulnerabilities in the browser, including five reported by outside researchers.

All five are use-after-free errors, a type of memory-safety bug that has been prevalent in Chrome in recent years.

A use-after-free is a misuse of dynamic memory at run time: the application frees a memory area but fails to clear the pointer to it, so the stale pointer can later be used to access memory that has already been released or reused.

An attacker able to exploit a use-after-free could crash the application, corrupt data, or execute arbitrary code on the computer.

In Chrome, use-after-free flaws can be used to escape the browser sandbox, although that requires exploiting additional security flaws.

According to a Google bulletin, four of these issues are high-severity bugs affecting components such as Blink Media, Mojo IPC, Blink Frames, and Aura.

The other vulnerabilities were assigned CVE identifiers from CVE-2022-4436 to CVE-2022-4440 and rated medium severity.

The latest Chrome release is version 108.0.5359.124 for Mac and Linux and 108.0.5359.124/.125 for Windows.

Google makes no mention of any of these vulnerabilities being used in malicious attacks.

Mozilla Firefox

Besides new features and bug fixes, the new Firefox version fixes 20 vulnerabilities. Sixteen are marked as dangerous, of which 14 (collected under CVE-2022-46879 and CVE-2022-46878) are caused by memory issues such as buffer overflows and invalid memory accesses. These problems could potentially lead to execution of attacker-controlled code when a specially crafted page is opened.

CVE-2022-46871 is related to the use of code from an outdated version of the libusrsctp library, which contains unpatched vulnerabilities.

CVE-2022-46872 allows an attacker who has compromised the process that renders a page to bypass the Linux sandbox isolation and read the contents of arbitrary files by manipulating IPC messages associated with the clipboard.

Citrix

Thousands of Citrix ADC and Gateway servers remain unprotected from two recent serious vulnerabilities.

The first, CVE-2022-27510, was patched on November 8 and is an authentication bypass affecting both Citrix products. An attacker could use it to gain unauthorized access to a device, hijack a remote desktop session, or bypass login security.

A second bug, tracked as CVE-2022-27518, was disclosed and patched on December 13. It allows unauthenticated attackers to execute commands remotely on vulnerable devices and take control of them.

Attackers were already actively exploiting it when Citrix released the fix.

Despite the updates, Fox-IT (NCC Group) researchers report that thousands of deployments remain vulnerable to these attacks.

Overall, Fox-IT's statistics show that many companies still have a lot of work to do to close these security holes, and that attackers still have a wide enough window to plan and carry out attacks.

WordPress

Christmas Eve is apparently not considered the time for applying updates, especially when WordPress online stores are busy selling gift cards through the popular YITH WooCommerce Gift Cards Premium plugin.

As it turned out, attackers are just as busy scouring the web and exploiting a critical plugin vulnerability, CVE-2022-45359 (CVSS 9.8), which allows unauthenticated users to upload files to vulnerable sites and thereby take full control of them.

As is usual with anything involving WordPress, the scale of the threat is large: the plugin is used on more than 50,000 sites.

The vulnerability was discovered on November 22 and affects all plugin versions up to 3.19.0. The patch appeared in version 3.20.0, but the vendor has since released version 3.21.0 and strongly recommends upgrading to it.

Wordfence researchers report that many sites still run the vulnerable version of the plugin, which has not escaped the attention of criminals, who are exploiting the bug at full speed to upload backdoors, achieve remote code execution, and take over other people's sites.

According to the specialists who took apart the exploit used by the attackers, the root of the problem lies in the import_actions_from_settings_panel function, which runs on the admin_init hook. The function performs neither a CSRF check nor a capability check, so a POST request to /wp-admin/admin-post.php can upload a malicious PHP file to the site. In the logs, this shows up as an unexpected POST request from unknown IP addresses.

Analysts report that most attacks occurred in November, before administrators had time to patch the vulnerability, but a second peak of compromises occurred on December 14, 2022.

The attacks continue to this day, so update YITH WooCommerce Gift Cards Premium to version 3.21 as soon as possible.
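The log signature mentioned above (an unexpected POST to /wp-admin/admin-post.php from an unknown address) is easy to hunt for retrospectively. The Python below is an added example written for this digest, not Wordfence's or Action1's code. It parses combined-format web server log lines, flags admin-post.php POSTs from addresses outside a constructed allowlist of administrator IPs, and additionally flags a later request from the same address for a PHP file under wp-content/uploads, which is where an uploaded backdoor would be fetched from. The log lines, IP addresses and allowlist are all constructed for the example.

```python
"""Hunt for the CVE-2022-45359 exploitation pattern in web server logs.

Added example (not Wordfence's or Action1's code). Sample log lines and the
administrator allowlist are constructed; addresses are from documentation ranges.
"""
import re
from collections import defaultdict

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: an attacker-style sequence, a legitimate admin, and a shopper.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2022:03:12:07 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "python-requests/2.28.1"
203.0.113.5 - - [14/Dec/2022:03:12:09 +0000] "GET /wp-content/uploads/2022/12/cache.php HTTP/1.1" 200 17 "-" "python-requests/2.28.1"
198.51.100.7 - - [14/Dec/2022:08:01:10 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=yith_woocommerce_gift_cards_panel" "Mozilla/5.0"
192.0.2.20 - - [14/Dec/2022:09:00:00 +0000] "GET /product/gift-card/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

KNOWN_ADMIN_IPS = {"198.51.100.7"}  # constructed allowlist of administrator addresses


def parse_line(line: str):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str, known_admin_ips: set) -> list:
    """Return (ip, reason, path) alerts for the patterns the digest describes."""
    alerts = []
    posted_admin = defaultdict(bool)  # ip -> has already sent a suspicious admin-post.php POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if rec["method"] == "POST" and path == "/wp-admin/admin-post.php":
            if ip not in known_admin_ips:
                alerts.append((ip, "admin-post.php POST from unknown address", rec["path"]))
                posted_admin[ip] = True
        elif (posted_admin[ip] and path.startswith("/wp-content/uploads/")
              and path.endswith(".php")):
            # A PHP file being served from the uploads directory after a suspicious
            # POST is the backdoor-fetch step the digest mentions.
            alerts.append((ip, "PHP file under uploads fetched after suspicious POST", rec["path"]))
    return alerts


if __name__ == "__main__":
    for ip, reason, path in detect(SAMPLE_LOG, KNOWN_ADMIN_IPS):
        print(f"{ip:15} {reason}: {path}")
```

On the sample data the legitimate administrator's POST (allowlisted address, referer from the plugin's settings panel) is not reported, while the unknown address produces two alerts: the POST itself and the follow-up fetch of a PHP file from the uploads directory. Any hit of the second kind on a real site is worth treating as a compromise until the file has been examined, whatever the plugin version now installed.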

Linux

We would especially like to warn you about a critical, CVSS 10.0 vulnerability in the Linux kernel that affects SMB servers and can lead to remote code execution.

The vulnerability makes SMB servers vulnerable to attack when ksmbd (a Linux kernel server that implements the SMB3 protocol in kernel space for file sharing over the network) is enabled.

The problem lies in incorrect handling of SMB2_TREE_DISCONNECT commands: the code does not check that an object exists before performing operations on it.

A remote, unauthenticated attacker can execute arbitrary code on vulnerable Linux kernel installations. No authentication is required, but only systems with ksmbd enabled are vulnerable.

Researcher Shir Tamari of Wiz_IO noted that SMB servers using Samba are not affected, and added that SMB servers using ksmbd are also vulnerable to a read flaw that could leak server memory (similar to the Heartbleed vulnerability).

Because ksmbd is so new, most users still use Samba.

We recommend that administrators using ksmbd update their Linux kernel to version 5.15.61 or later, released in August.
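Two facts from this section decide whether a host is exposed: ksmbd must actually be loaded, and the kernel must be older than the 5.15.61 fix. The Python below is an added example written for this digest (not kernel or Action1 code) that combines both checks; the /proc/modules text and release strings in the main block are constructed. The version comparison is purely numeric, so distribution kernels that backport the fix without changing the upstream version number will show as "below 5.15.61" and need the vendor's advisory consulted.

```python
"""Exposure check for the ksmbd vulnerability described in the digest.

Added example, not code from the Linux kernel project or Action1. Sample
/proc/modules content and kernel release strings are constructed.
"""
import re

FIXED = (5, 15, 61)  # kernel version the digest recommends as the minimum


def parse_release(release: str) -> tuple:
    """'5.15.61-generic' -> (5, 15, 61); '6.0.0-rc1' -> (6, 0, 0); '6.1' -> (6, 1, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_kernel_patched(release: str) -> bool:
    """Numeric comparison against 5.15.61.

    Caveat: distribution kernels (e.g. a 5.15.0-NN build) carry backported fixes
    without bumping the upstream version, so False means 'check the vendor
    advisory', not 'definitely unpatched'.
    """
    return parse_release(release) >= FIXED


def ksmbd_loaded(proc_modules_text: str) -> bool:
    """True if ksmbd appears in /proc/modules (the module name is the first field)."""
    return any(line.split()[0] == "ksmbd"
               for line in proc_modules_text.splitlines() if line.strip())


def assess(release: str, proc_modules_text: str) -> str:
    """One-line verdict combining the two conditions the digest gives."""
    if not ksmbd_loaded(proc_modules_text):
        return "not exposed: ksmbd not loaded"
    if is_kernel_patched(release):
        return "ksmbd loaded, kernel at or above 5.15.61"
    return "EXPOSED: ksmbd loaded on kernel below 5.15.61"


if __name__ == "__main__":
    # Constructed inputs; on a real host read /proc/modules and the output of `uname -r`.
    modules_with_ksmbd = "ksmbd 434176 0 - Live 0x0000000000000000\nnfsd 561152 0 - Live 0x0000000000000000\n"
    modules_without = "nfsd 561152 0 - Live 0x0000000000000000\n"
    for release, mods in [("5.15.60", modules_with_ksmbd),
                          ("5.15.61-generic", modules_with_ksmbd),
                          ("5.15.60", modules_without)]:
        print(f"{release:16} -> {assess(release, mods)}")
```

The module check matters as much as the version check: the digest points out that Samba-based servers are unaffected, so a file server that never loaded ksmbd is not exposed even on an old kernel, and that is where fleet-wide patch prioritisation should start.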

Foxit Reader

Users of Foxit's flagship PDF Reader and PDF Editor are advised to upgrade to the latest version, as a critical vulnerability has been discovered in these products. The problem was reported by researchers from Renmin University of China, who found a dangerous RCE vulnerability triggered by specially crafted PDF files.

The problem is an out-of-bounds write and crash when opening specific PDF files containing JavaScript that places large amounts of text in certain form controls, which attackers can use to execute arbitrary code.

This is caused by out-of-bounds data access, as the application fails to verify the length of an input parameter when calling certain API functions from the GDI library.

Foxit said the vulnerability is specific to the Windows platform and affects Foxit PDF Reader 12.0.2.12465 and earlier, as well as Foxit PhantomPDF 10.1.7.37777 and earlier.

Threat actors can exploit this vulnerability by tricking a target into visiting a malicious web page or opening a malicious file.

Foxit is known to have previously struggled with code execution issues in its PDF products, affecting more than 300,000 users.

Foxit Software has already issued a fix and recommends upgrading to the current version as soon as possible.

VMware

Virtualization giant VMware released emergency updates to fix three security problems.

The VM escape vulnerability, tracked as CVE-2022-31705, was exploited by Ant Security researcher Yuhao Jiang on systems running fully patched VMware Fusion, ESXi, and Workstation. VMware described the bug as a heap out-of-bounds write in the USB 2.0 controller (EHCI).

According to the bulletin, VMware gave it a CVSS rating of 9.3 and warned that an attacker with local administrative privileges on a virtual machine could use the issue to execute code.

On ESXi, exploitation is contained within the VMX sandbox, while on Workstation and Fusion it could lead to code execution on the host machine where Workstation or Fusion is installed.

The company also released patches for command injection and directory traversal bugs affecting VMware vRealize Network Insight (vRNI).

VMware also rates the vulnerability in the vRNI REST API as critical, with a maximum CVSSv3 base score of 9.8, because an attacker with network access to the vRNI REST API can execute commands without authentication.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Get started today and use Action1 on 100 endpoints free of charge with no functionality limitations.
