Microsoft has issued patches for two zero-day vulnerabilities among a total of just over 80 bugs addressed in its monthly Patch Tuesday update.
The number of issues, which includes four CVEs that were assigned by Github, is roughly on par with the disclosure volumes seen in the first two months of the year, with another heavy slant towards remote code execution (RCE) issues.
“Microsoft has resolved 80 new CVEs this month and expanded four previously released CVEs to include additional Windows versions,” said Ivanti vice-president of security products Chris Goettl. “This brings the total number of CVEs addressed this month to 84. There are two confirmed zero-day exploits resolved in this month’s updates that impact Microsoft Office and Windows Smart Screen. Both exploits are user-targeted. There are a total of nine CVEs rated as critical this month. Eight of the nine critical CVEs are in the Windows OS update this month.”
Tracked as CVE-2023-23397, the Outlook vulnerability is being exploited but has not been made public until now. It carries a CVSS score of 9.1 and is of important severity. It’s an elevation of privilege (EoP) vulnerability that can be exploited by sending an email to a potential target.
It’s triggered on the email server side, which means it can be exploited before the email is actually opened and viewed. Successfully exploited, it lets an unauthenticated actor access the victim’s Net-NTLMv2 hash and use it to authenticate as the victim, bypassing authentication measures.
Kev Breen, Immersive Labs director of cyber threat research, said CVE-2023-23397 was particularly dangerous, and additionally noted that its assigned status as an EoP bug did not entirely accurately reflect this.
“Known as an NTLM relay attack, it allows an attacker to get someone’s NTLM hash and use it in an attack commonly known as Pass the Hash,” he said. “The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password. This is on par with an attacker having a valid password with access to an organisation’s systems.”
Its discovery is credited to Microsoft’s Incident Response and Threat Intelligence teams working alongside Ukraine’s national CERT, which implies it’s being exploited by Russian state actors in their ongoing cyber war campaign.
Rapid7 lead software engineer Adam Barnett said: “Microsoft has detected in-the-wild exploitation by a Russia-based threat actor targeting government, military and critical infrastructure targets in Europe. Given the network attack vector, the ubiquity of SMB shares and the lack of user interaction required, an attacker with a suitable existing foothold on a network may well consider this vulnerability a prime candidate for lateral movement.”
The second zero-day is tracked as CVE-2023-24880. It’s public, and known to have been exploited in the wild. A security feature bypass vulnerability in the Windows SmartScreen anti-phishing and anti-malware service, it carries a CVSS score of 5.4 and is of moderate severity.
Left unaddressed, CVE-2023-24880 allows an attacker to create a file that bypasses the Mark of the Web defence, making it much easier for them to spread tainted documents and malware that SmartScreen might otherwise spot.
Breen said that even though it carries a less severe rating, defenders should still prioritise fixing it. “The notes from Microsoft say that an attacker can craft a malicious file that would disable some security features like ‘protected view’ in Microsoft Office,” he said.
“Macro-based malware is still frequently seen as part of initial compromises, and users have grown accustomed to these prompts protecting them from dangerous files,” added Breen. “Protected View and Mark of the Web should be part of your defence in depth strategy and not a single layer of protection.”
Its discovery is credited to the Google Threat Analysis Group’s Benoit Sevens and Vlad Stolyarov, and Microsoft’s Bill Demirkapi.
The critical vulnerabilities listed in the March update are as follows:
Of these, Gal Sadeh, head of data and security research at Silverfort, said CVE-2023-21708 and CVE-2023-23415 were particularly noteworthy.
“A critical RCE vulnerability in Remote Procedure Call Runtime, CVE-2023-21708, should be a priority for security teams as it allows unauthenticated attackers to run remote commands on a target machine,” he said. “Threat actors could use this to attack Domain Controllers, which are open by default. To mitigate, we recommend Domain Controllers only allow RPC from authorised networks and RPC traffic to unnecessary endpoints and servers is limited.
“Another critical vulnerability, CVE-2023-23415, poses a serious risk as it allows attackers to exploit a flaw in Internet Control Message Protocol – which is often not restricted by firewalls – to gain remote code execution on exposed servers using a malicious packet. Requiring the targeting of a raw socket – any organisation using such infrastructure should either patch, or block ICMP packets at the firewall,” said Sadeh.