Patch Tuesday March 2023

Patch Tuesday March 2023 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

Protect your systems from potential cyber threats and ensure the smooth functioning of your endpoints. For even more information, please watch the recorded March 2023 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday page.

In this issue, you will learn about patches for:

• ^ Microsoft vulnerabilities from Patch Tuesday
• ^ Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)
• ^ Windows SmartScreen Security Feature Bypass Vulnerability (CVE-2023-24880)
• ^ Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability (CVE-2023-23415)
• ^ HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2023-23392)
• ^ Microsoft Office
• ^ Intel Processors in Windows OS
• ^ Third-party application vulnerabilities:
  • ^ TPM 2.0
  • ^ Google Chrome
  • ^ Mozilla Firefox
  • ^ Jenkins
  • ^ Veeam
  • ^ Android

Microsoft Vulnerabilities

Welcome to this month’s Patch Tuesday release. This month’s release includes a set of important security updates for Microsoft products to keep your systems up to date and safeguard against any potential threats.
This Patch Tuesday, Microsoft has fixed a total of 74 vulnerabilities, nearly the same as last month’s release. More critical updates were addressed as well, with a total of 9 critical fixes compared to 6 in February. This month, there are also two zero-day vulnerabilities that have been fixed, similar to last month’s updates. Notably, one of these zero-days has been publicly disclosed, with a proof-of-concept available on the darknet.
Here are details on the most interesting critical updates.

Microsoft Outlook Elevation of Privilege Vulnerability

Microsoft has identified a new security vulnerability, called CVE-2023-23397, in Microsoft Outlook that allows attackers to elevate their privileges. This vulnerability is considered a zero-day vulnerability and affects all versions of Microsoft Outlook from 2013 onwards. The risk score for this vulnerability is high, with a score of 9.8, and Microsoft has confirmed that it is already being exploited in the wild. However, the proof of concept has not yet been publicly disclosed.

The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server. This can lead to exploitation before the email is even viewed in the Preview Pane. If exploited successfully, an attacker can access a user’s Net-NTLMv2 hash, which can be used to execute a pass-the-hash attack on another service and authenticate as the user.

To mitigate the risk, Microsoft recommends updating to the latest version of Outlook. If updating is not feasible, adding privileged users such as Domain Admins to the Protected Users Security Group can help prevent the use of NTLM as an authentication mechanism. Blocking TCP 445/SMB outbound from your network via perimeter firewalls, local firewalls, and VPN settings can also help prevent the sending of NTLM authentication messages to remote file shares.

However, the best course of action is to install the Microsoft update on all systems after testing it in a controlled environment.

Windows SmartScreen Security Feature Bypass Vulnerability

A new vulnerability, CVE-2023-24880, has been discovered in the Windows SmartScreen security feature. This vulnerability allows malicious code to bypass the SmartScreen technology, even in cases where it is used to protect against threats such as Protected View in Microsoft Office. The exploit is low in complexity and uses a network vector, requiring no special privileges, but it does require some user interaction. While the vulnerability has a moderate CVSS risk score of 5.4, it cannot be used to gain access to private information or privileges. However, it can allow other malicious code to run without being detected by SmartScreen reputation checks.

It is important to note that Microsoft has confirmed this vulnerability is being exploited in the wild, with proof of concept examples available in the dark net. The best way to mitigate the risk posed by this vulnerability is to install the latest update from Microsoft on all systems, after testing it in a controlled environment.

Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

A critical security flaw, CVE-2023-23415, has been found in the Internet Control Message Protocol (ICMP). This vulnerability exploits the ICMP protocol, which is used by commands like “ping”. An attacker can use this weakness to send a low-level protocol error, containing a fragmented IP packet within another ICMP packet header, to the target machine. To activate the flaw, an application on the target must be connected to a raw socket. This vulnerability could result in remote code execution. The attack is easy to execute and does not require any privileges or user interaction, making it a significant threat with a critical CVSS risk score of 9.8. While Microsoft believes that exploitation is possible, there is currently no evidence of it. The best way to mitigate this risk is to install the Microsoft update on all systems after testing it in a controlled environment.

HTTP Protocol Stack Remote Code Execution Vulnerability

A critical vulnerability in a protocol has been identified as CVE-2023-23392, which affects the HTTP Protocol Stack. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted packet to a targeted server that utilizes the HTTP Protocol Stack (http.sys) to process packets. This can lead to remote code execution, posing a significant security risk.

The vulnerability affects Windows Server 2022 and Windows 11, and has a low complexity attack vector that requires no privileges or user interaction. The CVSS risk score for this vulnerability is 9.8, indicating a critical level of risk. While there is no evidence of exploitation yet, it is highly likely to occur.

To mitigate this risk, Microsoft recommends installing the latest update on all systems, following proper testing in a controlled environment. It’s crucial to take this step to ensure the safety and security of your systems.

Microsoft Office

Millions of Microsoft Office users are in danger because hackers, including script kiddies, have created a proof-of-concept (PoC) for a recently patched security vulnerability CVE-2023-21716. This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8, which means that an attacker can execute arbitrary code on a victim’s computer remotely, gaining full control of the system with the victim’s privileges. The vulnerability is found in the wwlib.dll of Microsoft Office suite, which makes all versions of the software vulnerable.

The technical analysis of CVE-2023-21716 shows that an unauthenticated attacker can send a malicious email containing an RTF payload. If the victim opens the malicious file, the attacker can run commands in the application used to open the file. This could result in the installation of malware, data theft, or other malicious activities.

The vulnerability is triggered by a font table (\fonttbl) in the RTF parser of Microsoft Word that contains an excessive number of fonts (\f###). After memory corruption, the threat actor can execute arbitrary code using the error.

At present, there is no evidence that the vulnerability is being exploited in practice, and Microsoft believes that exploitation is “less likely.” Microsoft Office 2010 and later versions use protected browsing to minimize the potential damage caused by malicious documents from untrusted sources. If this vulnerability manifests, protected browsing is activated, and an additional sandbox exit vulnerability is required to gain full privileges.

Hackers are always interested in critical vulnerabilities like this, and more advanced hackers try to reverse-engineer the patch to exploit it. As the exploit code becomes available, a wider range of attackers will exploit the vulnerability.

To protect against this vulnerability, users should update their Microsoft Office to the latest version as soon as possible. In addition, users should exercise caution when opening emails from unknown or suspicious sources.

Intel Processors in Windows OS

Microsoft has released unscheduled updates to address Memory Mapped I/O Stale Data Microsoft has taken action to address vulnerabilities that affect Intel processors known as Memory Mapped I/O Stale Data (MMIO) disclosure vulnerabilities. These flaws were disclosed by Intel on June 14, 2022, and were assigned CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, and CVE-2022-21166. Processes running on a virtual machine could potentially access data from another virtual machine, compromising sensitive information across trust boundaries. Microsoft released bulletin ADV220002 to highlight scenarios that could be affected by these vulnerabilities, noting that attackers could exploit them to access data on another virtual machine in shared resource environments like cloud services.

Initially, no security updates were provided, and mitigation measures were only available for Windows Server 2019 and Windows Server 2022. Recently, Microsoft has released a set of security updates for Windows 10, 11, and Windows Server, addressing the vulnerabilities. However, these updates are not automatic and must be installed manually from the Microsoft Update Center catalog. It is important to read both Intel and Microsoft recommendations carefully before applying the updates, as it is unclear whether they are new Intel microcode or other mitigation measures. Furthermore, fixing these vulnerabilities may result in performance problems. In some scenarios, disabling Intel Hyper-Threading Technology (Intel HT Technology) may be necessary to fully resolve the flaws.

TPM 2.0

Billions of IoT and enterprise devices are under threat due to newly discovered vulnerabilities in the TPM 2.0 library. TPM, a hardware solution designed to provide secure cryptographic functions and physical security mechanisms, is used for measuring system integrity and creating and using keys. However, the Trusted Platform Module library specifications have revealed two serious vulnerabilities (CVE-2023-1017 and CVE-2023-1018) that can potentially lead to information disclosure or privilege escalation. These vulnerabilities were reported by Quarkslab researchers in November 2022, and can affect user-mode applications by sending malicious commands to TPM 2.0.

This is concerning for organizations using enterprise computers, servers, IoT devices, and embedded systems that include TPM, as billions of devices may be vulnerable. The vulnerabilities are caused by buffer overflows due to the lack of necessary length checks, which can occur during the system boot process when bootable code (including firmware and operating system components) is measured and written to TPM.

To address these issues, users of highly trusted computing environments are advised to apply updates issued by TCG and use TPM Remote Attestation to detect any changes to their devices. However, vendors have yet to address deficiencies to reduce risks in the supply chain.

Google Chrome

Google has released Chrome version 111, which includes fixes for a total of 40 vulnerabilities. Of these, 24 were reported by external researchers and have been resolved. Among the external vulnerabilities, eight were considered high severity, eleven were medium severity, and five were low severity issues.

The high-severity vulnerabilities identified by external researchers include use after free bugs that affected Swiftshader, DevTools, and WebRTC. The bulletin also notes two type confusion flaws in V8 and CSS, as well as a stack buffer overflow issue in crash reports.

In addition to the high-severity issues, Chrome 111 also addresses several medium-severity concerns. These include inconsistent implementation issues in permission requests, web application installation, and autofill, a heap buffer overflow problem in the web audio API, a use after free vulnerability in Core, and policy under-application bugs that impacted various browser components such as extension APIs, autocomplete, web payment APIs, navigation, and intent.

Google has not stated whether any of these vulnerabilities were used in attacks.

Mozilla Firefox

In addition to innovations and bug fixes, 20 vulnerabilities have been fixed in Firefox 111. 14 vulnerabilities are marked as dangerous, 9 of them (collected under CVE-2023-28176 and CVE-2023-28177) are caused by memory handling issues, such as buffer overflows and access to already freed memory regions. These problems could potentially lead to the execution of attacker code when opening specially crafted pages.

Jenkins

The popular open-source automation server Jenkins has recently uncovered two severe vulnerabilities, known as CVE-2023-27898 and CVE-2023-27905, which affect both the Jenkins server and Update Center. Cloud security specialists Aqua have named these flaws “CorePlague”.

All versions of Jenkins up to 2.319.2 are affected by these vulnerabilities. If exploited, these flaws could allow unauthenticated attackers to execute arbitrary code on a victim’s Jenkins server, potentially leading to complete server compromise.

The vulnerabilities are related to how plugins are handled in the Update Center, which could enable threat actors to download a plugin containing malicious code and initiate a cross-site scripting (XSS) attack. The attack can be launched when the victim opens the Available Plugin Manager on their Jenkins server, allowing attackers to execute arbitrary code on the server using the scripting console API. This is a case of stored XSS, where JavaScript code is injected into the server, and the vulnerability can be activated without even installing the plugin or visiting its URL.

An alarming aspect of these vulnerabilities is that they can affect Jenkins’ own servers and can be exploited even if the server is not publicly accessible via the internet. This is because an attacker can compromise the publicly available Jenkins update center. However, for a successful attack, the rogue plugin must be compatible with the Jenkins server and displayed on top of the main feed on the Available Plugin Manager page.

Veeam

Veeam urges customers to fix a serious vulnerability in backup and replication software. The vulnerability, CVE-2023-27532, was discovered in mid-February and affects all versions of Veeam Backup & Replication (VBR).

The flaw enables unauthenticated attackers to access backup infrastructure nodes by acquiring encrypted credentials stored in the VeeamVBR configuration database. The primary cause of this vulnerability is Veeam.Backup.Service.exe, which runs on TCP 9401 by default, allowing unauthenticated users to request encrypted credentials.

Veeam has released updates to address this vulnerability for VBR V11 and V12, while customers using older versions are advised to first update to one of these two supported products. For those unable to deploy the updates immediately, Veeam provides a temporary fix for CVE-2023-27532. Customers should block external connections to TCP port 9401 using a backup server firewall. However, this workaround should only be used in unallocated Veeam environments, as it can also affect mount server connections to the VBR server.

Android

Google has released security updates for Android in March 2023, aimed at fixing a total of 60 bugs, including two critical RCE vulnerabilities affecting systems with versions 11, 12, and 13. These updates are being deployed in two separate tiers of security patches, namely the 2023-03-01 and 2023-03-05.

The first tier includes 31 fixes for major Android components like Framework, System, and Google Play. The most serious issue fixed in this package is a critical security vulnerability in the System component, which could lead to RCE without additional execution and user interaction rights. While details of two vulnerabilities tracked as CVE-2023-20951 and CVE-2023-20954 have not been disclosed by Google, the other fixed bugs relate to serious privilege escalation, disclosure issues, and denial-of-service flaws.

The second package, 2023-03-05, includes 29 fixes for the Android core and third-party components from MediaTek, Unisoc, and Qualcomm. This tier of updates addresses two critical vulnerabilities in closed-source Qualcomm components, tracked as CVE-2022-33213 and CVE-2022-33256.
However, users of Android 10 or earlier whose end-of-life expired in September 2022 (for version 10) will not receive patches for the above-mentioned flaws. Nevertheless, some critical security fixes may be available through Google Play system updates. Users of older devices that still work are recommended to switch to third-party Android distribution such as LineageOS, which offers updated OS images for devices no longer supported by their OEMs.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: March 2023 Vulnerability Digest from Action1