Patch Tuesday May 2023

Patch Tuesday May 2023 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

Protect your systems from potential cyber threats and ensure the smooth functioning of your endpoints. For even more information, please watch the recorded May 2023 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday page.

In this issue, you will learn about patches for:

• ^ Microsoft vulnerabilities from Patch Tuesday:
• ^ Windows OLE Remote Code Execution Vulnerability (CVE-2023-29325)
• ^ Win32k Elevation of Privilege Vulnerability (CVE-2023-29336)
• ^ Secure Boot Security Feature Bypass (CVE-2023-24932)
• ^ Windows Network File System Remote Code Execution Vulnerability (CVE-2023-24941)
• ^ Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2023-28283)
• ^ Third-party application vulnerabilities:
  • ^ Google Chrome
  • ^ Mozilla Firefox
  • ^ Apache
  • ^ Service Location Protocol
  • ^ VMware
  • ^ Apple
  • ^ Intel
  • ^ Linux

Microsoft Vulnerabilities

Welcome to May 2023 Patch Tuesday release! We have a lineup of important security updates from Microsoft that will keep your systems up to date and fortify them against potential threats.

In this Patch Tuesday, Microsoft has addressed a total of 39 vulnerabilities, which is significantly fewer than the previous month. The most surprising part is that there are only six fixed critical vulnerabilities this time, marking the lowest number we’ve seen this year. This month also brought us two fixed zero-day vulnerabilities, just like last month, and a couple of publicly disclosed vulnerabilities that are worth paying attention to.

Windows OLE Remote Code Execution Vulnerability

Windows OLE Remote Code Execution Vulnerability (CVE-2023-29325) is a critical vulnerability confirmed by Microsoft, and a proof of concept is available. It has a network attack vector and high attack complexity. Although no privileges are required, the user needs to open a specially crafted email, at least in the preview pane. The CVSS score is 8.1, indicating its significant severity. However, it’s not a perfect 10 due to the complexity involved in exploiting the vulnerability, including winning a race condition and taking additional preparatory actions.

This vulnerability affects all versions of Windows Server 2008 and later, as well as Windows 10 and later. It targets the OLE technology developed by Microsoft for linking and embedding objects in documents and objects, with the preview pane being the attack vector.

In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email message to the victim. The victim could either open the email with an affected version of Microsoft Outlook or preview it in the Outlook application, thereby allowing the attacker to execute remote code on the victim’s computer.

To mitigate the risk, Microsoft recommends employing certain measures. In Microsoft Outlook, caution should be exercised when handling RTF files from unknown or untrusted sources. Another precautionary step is to read email messages in plain text format, which can be configured in Outlook or through Group Policy. It’s important to note that adopting the plain text format may result in the loss of visual elements such as images, special fonts, and animations.

Considering that emails can be accessed not only through Microsoft Outlook but also through Windows Mail app or any other third-party email apps (Thunderbird, for instance), it is crucial to highlight an important distinction. Unlike Outlook, these alternative mail apps do not typically perform checks on mail reputation or sender domain to detect spoofing attempts. Therefore, it is advisable to prioritize checking emails through Outlook as it provides a more reliable and robust security framework.

Given the severity and potential risk, installing the patch is highly recommended. Although Microsoft has reported that this vulnerability is not currently being exploited in the wild, the availability of a proof of concept is a matter of time. Therefore, it is crucial to install the update as soon as possible to stay protected.

Win32k Elevation of Privilege Vulnerability

The Win32k Elevation of Privilege Vulnerability (CVE-2023-29336) is a critical zero-day vulnerability that currently lacks a publicly available proof of concept. It has a local attack vector, meaning the attacker needs access to the targeted system. The attack complexity is low, requiring minimal privileges and no user interaction. While it carries a high CVSS rating of 7.8, just shy of being critical, its impact is limited to local attacks.

Exploiting this vulnerability grants the attacker SYSTEM privileges, allowing them to escalate their access level. This vulnerability serves as another means of privilege escalation for an attacker who already possesses basic privileges on the system, such as through a successful phishing attack or credential harvesting.

Microsoft has verified that this vulnerability is actively exploited in real-world scenarios, posing a significant risk to the vast number of companies worldwide that rely on Windows. In light of this, it is absolutely crucial to promptly update systems with the provided patches. As of now, no workarounds or alternative solutions are available, making the installation of the updates the most effective way to mitigate the risk and ensure the security of your systems.

Secure Boot Security Feature Bypass Vulnerability

There is a critical zero-day vulnerability known as the Secure Boot Security Feature Bypass (CVE-2023-24932) that requires urgent attention. This vulnerability, with a proof of concept available, operates through a local attack vector with low complexity. However, it necessitates high privileges and does not require user interaction. The CVSS rating of 6.7 may not appear extremely high, but it should be noted that the attacker would need physical access to the target system or administrative access.

Successful exploitation of this vulnerability allows an attacker to bypass Secure Boot, thereby enabling the loading of malicious drivers or malware without Microsoft-trusted signatures during Windows startup.

To address this vulnerability, a security update has been released that updates the Windows Boot Manager. However, it is important to note that this update is not enabled by default. To mitigate the vulnerability, you must follow three essential steps detailed in the Microsoft article KB5025885 titled “How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.” These steps involve:

• • installing the May 9, 2023 updates on all affected systems
  • updating bootable media with Windows updates released on or after May 9, 2023
  • applying revocations to safeguard against CVE-2023-24932.

Considering that this vulnerability is already being actively exploited and poses the risk of delivering malware during boot time, it is strongly advised to promptly apply the provided update and take the necessary precautions.

Windows Network File System Remote Code Execution Vulnerability

Introducing the Windows Network File System Remote Code Execution Vulnerability (CVE-2023-24941), a critical security flaw demanding immediate attention. This vulnerability pertains to NFS version 4.1, following a series of vulnerabilities in different NFS versions last year. Although version 4.1 was previously fixed, it has now been found to possess another flaw.

With a network attack vector and low attack complexity, this vulnerability requires no privileges or user interaction to exploit. Its CVSS rating of 9.8 indicates its extremely high severity, making it a matter of utmost importance. The impact extends to all versions of Windows Server 2012 and later.

Exploiting this vulnerability involves making an unauthenticated, specially crafted call to a Network File System (NFS) service over the network, triggering Remote Code Execution (RCE).

While this vulnerability cannot be exploited in NFSV2.0 or NFSV3.0, there are steps you can take to mitigate the risk before applying the Windows update. One option is to disable NFSV4.1, although this should only serve as a temporary solution as it may adversely affect your ecosystem.

Given the gravity of this vulnerability, it is essential to apply the provided patch without delay.

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

A critical vulnerability has been identified in the Windows Lightweight Directory Access Protocol (LDAP), posing a significant risk. This vulnerability, assigned CVE-2023-28283, affects all versions of Windows Server 2008 and later, as well as Windows 10 and later.

Exploiting this vulnerability requires a network attack vector and entails high attack complexity. However, it does not necessitate any privileges or user interaction. The vulnerability has been assigned a CVSS rating of 8.1, which could have been higher. The rating is lowered due to the high complexity involved in successfully exploiting the vulnerability, as it requires an attacker to win a race condition.

If this vulnerability is successfully exploited by an unauthenticated attacker, it allows for the execution of arbitrary code within the context of the LDAP service. This potential remote code execution on a domain controller has severe implications, as it could potentially compromise the entire organization’s infrastructure.

Although there are currently no known exploits or proof-of-concept demonstrations in the wild, it is crucial to take immediate action by applying the available patch. This is especially vital if you utilize Active Directory in your infrastructure.

Google Chrome

Chrome 113 has been released, addressing a total of 15 vulnerabilities in the stable channel. The updated version is now available for Linux and MacOS as 113.0.5672.63, and for Windows as either 113.0.5672.63 or 113.0.5672.64. None of the reported vulnerabilities were deemed to be severe. In addition to these fixes, the new release also resolves four other medium-severity bugs found in the Cues, Screen Mode, Picture-in-Picture, and CORS components. Furthermore, two vulnerabilities related to insufficient input validation in extensions and a use-after-free vulnerability in OS input data have been addressed.

This release follows two weeks after Google patched two zero-day vulnerabilities, namely CVE-2023-2136 and CVE-2023-2033, in the widely used Chrome browser. Despite the major version change, the current update focuses on rectifying medium and low-level bugs. Here is a recap of the zero-day vulnerabilities:

• • CVE-2023-2136 is an integer overflow vulnerability found in Skia. Skia is a Google-owned, cross-platform, open-source 2D graphics library written in C++. It plays a crucial role in Chrome’s rendering pipeline by providing APIs for graphics, text, shapes, images, and animations. An integer overflow error within Skia can lead to improper rendering, memory corruption, and potentially allow remote code execution (RCE), enabling unauthorized access to the system.
  • CVE-2023-2033 involves type confusion within the JavaScript mechanism of Chrome’s V8 engine. Type confusion vulnerabilities typically allow attackers to crash the browser by successfully exploiting them to read or write out-of-buffer memory. In some cases, these vulnerabilities can also be leveraged to execute remote code on compromised devices (RCE).

Firefox

Firefox 113 release addresses a total of 41 security issues, including 33 critical vulnerabilities. Among them, 30 vulnerabilities (combined as CVE-2023-32215 and CVE-2023-32216) are related to memory handling, involving buffer overflows and access to freed memory areas. These memory issues have the potential to execute an attacker’s code when specially crafted web pages are accessed.

Another notable vulnerability is CVE-2023-32207, which allows bypassing credential requests by tricking users into clicking on confirmation buttons through spoofed content overlays, a technique known as clickjacking.

Furthermore, vulnerability CVE-2023-32205 permits the hiding of browser warnings by overlaying pop-up windows.

Given the significant number of critical vulnerabilities addressed in this release, it is strongly advised to update your Firefox browser as soon as possible.

Apache

Nearly 2,000 Apache Superset servers are at risk due to vulnerabilities that allow for authentication bypass and remote code execution in default configurations. Apache Superset is an open-source tool for data visualization and analysis initially developed for Airbnb and later adopted as a project by the Apache Software Foundation in 2021.

The main issue lies in the use of the default flask secret key by Apache Superset to sign session authentication cookies. Attackers can exploit this by forging cookies, granting themselves administrative privileges, and enabling unauthorized access to the server. This unauthorized access could lead to compromising connected databases or executing arbitrary SQL statements on the application server using tools like flask-unsign.

The vulnerability was discovered by Horizon3, who reported it to the Apache security team on October 11, 2021. In response, the developers released version 1.4.1 on January 11, 2022, which changed the default SECRET_KEY value. However, Horizon3 also identified two other default keys used in documentation and templates and alerted Apache once again. Finally, on April 5, 2023, the Superset team released version 2.1, which prevents the server from starting if the default SECRET_KEY is used.

Despite Apache’s documentation and update releases mandating the change of secret keys, Horizon3 researchers found approximately 2,124 servers (67% of the total) with the dangerous default configuration publicly accessible on the internet. These servers belong to organizations across various domains, including critical sectors. While the researchers are not providing explicit exploit details, they believe that interested attackers would likely be able to figure it out independently.

It’s worth noting that if administrators have already changed the default key, their installations are not vulnerable to this attack. However, Apache has shared a script on GitHub that Apache Superset administrators can utilize to assess the vulnerability status of their instances.

Service Location Protocol

Service Location Protocol (SLP) vulnerability poses a significant threat by enabling massive Distributed Denial of Service (DDoS) attacks with an amplification factor of 2,200 times. SLP, developed in 1997, facilitates easy device discovery within local area networks for PCs, printers, routers, and servers. However, due to its widespread integration into modern enterprise software and hardware, it often remains accessible to the global network.

Currently, over 70,000 servers have exposed SLP ports (both UDP and TCP on port 427) directly to the Internet. This includes various devices such as VMware ESXi hypervisors, Konica Minolta printers, Planex routers, Supermicro IPMI servers, and several IBM hardware units.

The identified protocol flaw, assigned CVE-2023-29552, allows an attacker to send a small request to an SLP server, which then redirects a significantly larger-scale request to the victim’s network. Exploiting this vulnerability, attackers can launch powerful and amplified DDoS attacks. In the case of SLP, the amplification factor reaches a staggering 2,200 times, making it the third-largest amplification factor ever observed.

Cloudflare and Netscout predict that once attackers learn how to exploit this bug, the immense potential of utilizing SLP for DDoS attacks will become a reality in the near future. This concern is further substantiated by the fact that SLP was previously exploited to deploy ESXiArgs ransomware on VMware servers earlier this year.

It is strongly advised against opening SLP ports 427 (TCP, UDP) to the internet in order to mitigate the associated risks and potential for exploitation.

VMware

VMware has released fixes for two zero-day vulnerabilities discovered during the Pwn2Own Vancouver 2023 hacking competition. These vulnerabilities affected the VMware Workstation and Fusion hypervisors and were exploited by researchers from STAR Labs.

• • The first vulnerability, identified as CVE-2023-20869, is a stack buffer overflow issue found in the Bluetooth device sharing feature. It allows local attackers to execute arbitrary code within the VMX virtual machine process on the host system.
  • The second vulnerability, CVE-2023-20870, is an Information Disclosure flaw in the host Bluetooth device sharing feature. It enables privileged information stored in hypervisor memory to be read.

To address these vulnerabilities, VMware has provided patches. However, for administrators who are unable to immediately install the patches, a temporary workaround has been shared. This workaround involves disabling Bluetooth support in the virtual machine to mitigate the risks.

Additionally, VMware has addressed two other vulnerabilities present in the Workstation and Fusion hypervisors:

• • CVE-2023-20871 is a critical local privilege escalation vulnerability discovered in VMware Fusion Raw Disk. It allows an attacker with read or write access to the host operating system to escalate privileges and gain root access.
  • CVE-2023-20872 is an out-of-range read or write vulnerability affecting SCSI CD/DVD device emulation in both Workstation and Fusion products. This vulnerability can be exploited by local attackers who have access to virtual machines with a physical CD/DVD drive attached and configured to use a virtual SCSI controller. It could potentially lead to remote code execution (RCE) on the hypervisor from within the virtual machine. A temporary workaround for CVE-2023-20872 involves either removing the CD/DVD device from the virtual machine or configuring the virtual machine to not use the virtual SCSI controller, thereby preventing exploitation attempts.

Android

Google has released the May security updates for Android, addressing over 40 vulnerabilities. These updates include fixes for various components such as the framework, system, kernel, Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm. The majority of these vulnerabilities are rated as high severity and can potentially be exploited for privilege escalation, denial-of-service (DoS) attacks, and information disclosure.

Among the vulnerabilities addressed is a critical kernel bug that was previously exploited as a zero-day by spyware vendors. Tracked as CVE-2023-0266, this vulnerability allows for local privilege escalation without user interaction. Google first reported the exploitation of this vulnerability in late March, along with other vulnerabilities affecting both Android and iOS that were being exploited by spyware vendors.

CVE-2023-0266 was exploited as part of a series of attacks that involved Chrome and the Mali GPU kernel driver. Attackers delivered the exploits to their targets through SMS links. The campaign specifically targeted Samsung’s browser, which is based on Chromium but lacks certain important security mitigations found in Chrome. The victims of the attacks were users in the United Arab Emirates, who were subjected to full-featured Android spyware. It is believed that a client of Variston, a Spanish spyware provider previously highlighted by Google in November 2022, was responsible for these attacks. In fact, Google has identified three Android vulnerabilities that have been exploited in attacks this year.

Given the gravity of these incidents, it is crucial to emphasize the importance of timely software updates.

Apple

Apple recently introduced Rapid Security Response (RSR) as a mechanism to address security issues between major software updates for iPhone, iPad, and Mac platforms. These unscheduled security updates are meant to swiftly fix vulnerabilities that are actively exploited or have the potential to be exploited in real attacks.

As the first wave of RSR updates, Apple released iOS 16.4.1 (a) and MacOS 13.3.1 (a). However, numerous reports indicate that users encountered issues with the RSR update specifically for iPhones.

Some users reported that the patch did not appear on their devices, resulting in an error message stating “cannot verify security response.” Researchers speculate that these problems may be related to a server-side bug. It appears that with RSR, Apple not only neglected to focus on the software itself but also overlooked the documentation process.

Notably, Apple’s traditional updates page does not provide any information regarding the new RSR fixes. Furthermore, Apple has not officially disclosed where they will publish information about these updates, leaving users in the dark about the details of the RSR patches.

Intel (New Meltdown)

A team of researchers from Chinese and American universities have discovered a new vulnerability in Intel processors that can leak information about the speculative execution of operations. This information can be used to create covert communication channels between processes or leak detection in Meltdown attacks.

The vulnerability is caused by the modification of the EFLAGS processor register during the speculative execution of instructions. The change affects the subsequent execution time of JCC instructions, which are transitions based on certain conditions. The result of speculative operations is discarded, but the discarded EFLAGS change can be determined by analyzing the execution time of JCC instructions. Speculative comparison operations performed before the transition can result in a small delay that can be measured and used as an indication of content matching.

Unlike other similar attacks, this method does not require analysis of access times to procached and unprocached data and does not need a reset of the EFLAGS register to its initial state. This makes the attack difficult to detect and block. As a demonstration, researchers used the new method to implement a variant of the Meltdown attack, which successfully obtained information about the result of a speculative operation on Intel Core i7-6700 and i7-7700 CPUs running Ubuntu 22.04 with the Linux 5.15 kernel. However, the attack was only partially successful on Intel i9-10980XE CPUs.

Meltdown attacks involve speculative execution of code that accesses a private data area, which the user process is not authorized to access. The processor discards the result, but the speculatively executed block can be separated from the main code by a conditional jump. The speculative execution of all branch variants branches, which allows the attacker to access the private data area.

In the classic version of Meltdown, cache markers reflect the contents of individual bits in a closed memory area during speculative execution. This information can be used to determine the value of these bits by analyzing the time cached and non-cached data. In the new version, the EFLAGS register change is used as a leakage marker. One process modulates the data being sent, causing the EFLAGS register to change, and another process analyzes the change in execution time of the JCC instruction to reconstruct the data sent by the first process.

Linux (New Spectre)

A vulnerability (CVE-2023-1998) has been discovered in the Linux 6.2 kernel that could potentially lead to Spectre v2 class attacks. These attacks allow unauthorized access to the memory of other processes running on the same physical processor core but in different Simultaneous Multithreading (SMT) or Hyper-Threading threads. The vulnerability has implications for data leakage between virtual machines in cloud systems, among other scenarios. It is important to note that this issue only affects the Linux 6.2 kernel.

The vulnerability is a result of incorrect optimizations aimed at reducing significant overhead when implementing Spectre v2 protection. The flaw specifically impacts the Linux 6.2 kernel and has been addressed in the Linux 6.3 experimental kernel branch, where the necessary fixes have been implemented.

In userspace, processes can mitigate Spectre class attacks by selectively disabling speculative instruction execution using the prctl PR_SET_SPECULATION_CTRL command or utilizing seccomp-based system call filtering. However, according to the researchers who identified the problem, a flawed optimization in the Linux 6.2 kernel has left virtual machines from at least one major cloud provider unprotected, even when prctl is used to block Spectre BTI attacks. The vulnerability is also present in regular servers running the Linux 6.2 kernel with the “spectre_v2=ibrs” setting enabled during boot time.

The crux of the vulnerability lies in optimizations made to the Indirect Branch Restricted Speculation (IBRS) or enhanced IBRS (eIBRS) protection modes. These optimizations inadvertently disable the Single Thread Indirect Branch Predictors (STIBP) mechanism, which is crucial for preventing leaks when using multithreading (SMT or Hyper-Threading). In this case, only the eIBRS mode provides protection against leakage, while the IBRS mode does not, as the IBRS bit is used in this mode to prevent leakage between logical cores. When control returns to user space, the cores are cleared, leaving threads in user space unprotected against Spectre v2 class attacks.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: May 2023 Vulnerability Digest from Action1