A less crowded Patch Tuesday for May 2023: Microsoft is offering fixes for just 49 vulnerabilities this month. There are no fixes this month for printer drivers, DNS, or .NET, three components which have featured heavily in recent months. Three zero-day vulnerabilities are patched, alongside a further five critical Remote Code Execution (RCE) vulnerabilities. None of the three zero-day vulnerabilities have a particularly high CVSSv3 base score, but timely patching is always indicated.
First up: a zero-day Secure Boot Security Feature Bypass vulnerability which is actively exploited by the BlackLotus bootkit malware. Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access. The relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.
Microsoft has provided a supplementary guidance article specifically calling out the threat posed by BlackLotus malware, which loads ahead of the operating system on compromised assets, and provides attackers with an array of powerful evasion, persistence, and Command & Control (C2) techniques, including deploying malicious kernel drivers, and disabling Microsoft Defender or Bitlocker.
Administrators should be aware that additional actions are required for remediation of CVE-2023-24932 beyond simply applying the patches. The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. Attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.
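A quick posture check is useful before working through the CVE-2023-24932 remediation, because the post-patch UEFI changes only make sense on hosts where Secure Boot is actually supported and enabled, and VMs need them too. The script below is an added example, not code from the Rapid7 post or from Microsoft's guidance; the function name, the output fields and the manufacturer/model strings used to guess at virtualisation are this example's own assumptions.

```powershell
# Added example: report a host's Secure Boot posture so the CVE-2023-24932
# follow-up steps can be prioritised. Not from the original post.

function Get-SecureBootPosture {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Heuristic only (assumption): common hypervisor strings. VMs with Secure
    # Boot, including Azure, still need the extra UEFI steps the post mentions.
    $isVm = ($cs.Model -match 'Virtual|VMware|KVM|HVM') -or
            ($cs.Manufacturer -match 'Microsoft Corporation|VMware|QEMU|Xen')

    $uefi = $true
    $secureBoot = $null
    try {
        # Returns $true/$false on UEFI firmware and throws on legacy BIOS,
        # where Secure Boot does not exist at all.
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $uefi = $false
    }

    $status = if (-not $uefi) {
        'Legacy BIOS: no firmware check stands between a bootkit and the OS loader'
    } elseif (-not $secureBoot) {
        'Secure Boot OFF: enable it, then patch and complete the UEFI configuration steps'
    } else {
        'Secure Boot ON: patch, then complete the post-patch UEFI configuration steps'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Firmware             = if ($uefi) { 'UEFI' } else { 'Legacy BIOS' }
        SecureBootEnabled    = $secureBoot
        LikelyVirtualMachine = $isVm
        Status               = $status
    }
}

Get-SecureBootPosture | Format-List
```

Run it elevated; Confirm-SecureBootUEFI requires administrator rights. The output is meant to be collected across a fleet (for example via Invoke-Command) so that legacy-BIOS hosts and Secure-Boot-off hosts can be handled separately from hosts that only need the patch plus the UEFI follow-up.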
The second of this month’s zero-day trio is an RCE vulnerability targeting Outlook users, as well as Windows Explorer. The vulnerability is in the proprietary Microsoft Object Linking and Embedding (OLE) layer, which allows embedding and linking to documents and other objects, and the Microsoft bulletin for CVE-2023-29336 suggests that the attack is likely conducted via a specially-crafted Rich Text File (RTF). All current versions of Windows are vulnerable, and viewing the malicious file via the Preview pane is one route to exploitation; however, successful exploitation requires an attacker to win a race condition and to otherwise prepare the target environment. This should significantly reduce the real-world impact of this vulnerability. Mitigations include disabling the Preview Pane, as well as configuring Outlook to read all emails in plain text mode. Microsoft is not aware of public disclosure, but has detected in-the-wild exploitation.
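One of the two mitigations named above, reading all mail as plain text, is a per-user Outlook registry setting and can be enforced and verified from a script. The following is an added example, not code from the Rapid7 post: the ReadAsPlain value under the user's Outlook Options\Mail key is Microsoft's documented setting for this option, while the list of Office version numbers and the function name are this example's assumptions.

```powershell
# Added example (not from the original post): enforce "Read all standard mail
# in plain text" for the current user's Outlook installations and read it back.

# Assumption: Office 2013 (15.0) and Office 2016/2019/365 (16.0) are the
# versions in scope; adjust for your estate.
$officeVersions = @('15.0', '16.0')

function Set-OutlookReadAsPlain {
    param([Parameter(Mandatory)][string]$Version)

    $key = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Mail"
    if (-not (Test-Path $key)) {
        # The key is created the first time that Outlook version runs for
        # this user, so its absence means there is nothing to harden yet.
        return [pscustomobject]@{ Version = $Version; Present = $false; ReadAsPlain = $null }
    }

    # ReadAsPlain = 1 renders every incoming message as plain text, so
    # HTML/RTF content is not rendered by the Reading pane.
    Set-ItemProperty -Path $key -Name 'ReadAsPlain' -Value 1 -Type DWord

    $value = (Get-ItemProperty -Path $key -Name 'ReadAsPlain').ReadAsPlain
    [pscustomobject]@{ Version = $Version; Present = $true; ReadAsPlain = $value }
}

$officeVersions | ForEach-Object { Set-OutlookReadAsPlain -Version $_ } | Format-Table -AutoSize
```

Because the value lives under HKCU, the script must run in the context of each user whose Outlook profile should be hardened (a logon script or user-scoped Group Policy preference is the usual vehicle); the Present column makes it obvious which versions were actually touched.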
Rounding out this month’s trio of zero-day vulnerabilities is a Win32k Local Privilege Escalation (LPE) vulnerability. Successful exploitation will result in SYSTEM privileges. Win32k is a kernel-space driver responsible for aspects of the Windows GUI. As Rapid7 has noted in the past, the Win32k sub-system offers reliable attack surface that is not configuration-dependent. Although LPE vulnerabilities may seem less immediately concerning than a remote exploit, attackers frequently chain them together with other vulnerabilities to achieve full control over remote resources. Microsoft assesses attack complexity as low, and is aware of in-the-wild exploitation.
The remaining five RCE vulnerabilities this month include two with high CVSSv3 base scores of 9.8.
Although Microsoft is not aware of public disclosure or in-the-wild exploitation, Network File System (NFS) RCE vulnerability CVE-2023-24941 is a network attack with low complexity affecting Windows assets running NFS v4.1. As a mitigation prior to patching, Microsoft recommends disabling NFSv4.1 and then re-enabling it once the patch is applied, although this may impact functionality. Older versions of NFS (NFSv3 and NFSv2) are not affected by this vulnerability. Microsoft warns that assets which haven’t been patched for over a year would be vulnerable to CVE-2022-26937, which is a Critical vulnerability in NFSV2.0 and NFSV3.0. In other words: applying today’s mitigation to an asset missing the May 2022 patches would effectively cause a downgrade attack.
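The downgrade caveat above is exactly the kind of thing a mitigation script should check before it acts. The script below is an added example, not code from the Rapid7 post or from Microsoft's advisory: it uses the Get-NfsServerConfiguration and Set-NfsServerConfiguration cmdlets from the Server for NFS role, and refuses to disable NFSv4.1 unless the host shows a cumulative update newer than the May 2022 Patch Tuesday. The date threshold, the function name and the -Apply switch are this example's own assumptions, and the nfsadmin stop/start is assumed to be needed for the configuration change to take effect.

```powershell
# Added example (not from the original post or advisory): gate the interim
# NFSv4.1 mitigation for CVE-2023-24941 so it cannot turn into a downgrade
# onto the v2/v3 code path affected by CVE-2022-26937.

function Test-NfsMitigationSafe {
    param([switch]$Apply)

    # Newest update this host reports. InstalledOn is sometimes blank for
    # old entries, so drop those before sorting.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Assumption: anything installed on or after the May 2022 Patch Tuesday
    # (10 May 2022) carries the CVE-2022-26937 fix for NFSv2/v3.
    $baseline   = [datetime]'2022-05-10'
    $v23Patched = [bool]($latest -and $latest.InstalledOn -ge $baseline)

    $cfg = Get-NfsServerConfiguration
    $report = [pscustomobject]@{
        LatestHotFix     = $latest.HotFixID
        LatestHotFixDate = $latest.InstalledOn
        NFSv2Enabled     = $cfg.EnableNFSV2
        NFSv3Enabled     = $cfg.EnableNFSV3
        NFSv4Enabled     = $cfg.EnableNFSV4
        SafeToDisableV4  = $v23Patched
        Action           = 'None (report only)'
    }

    if ($Apply) {
        if ($v23Patched) {
            # Interim mitigation: stop serving v4.1 until the May 2023 patch is
            # installed, then re-enable it with -EnableNFSV4 $true.
            Set-NfsServerConfiguration -EnableNFSV4 $false
            nfsadmin server stop
            nfsadmin server start
            $report.Action = 'NFSv4.1 disabled; re-enable after patching'
        } else {
            $report.Action = 'Refused: host predates the May 2022 fixes, so disabling v4.1 would expose CVE-2022-26937'
        }
    }
    $report
}

# Report only by default; add -Apply to perform the gated change.
Test-NfsMitigationSafe | Format-List
```

Running it without -Apply gives a dry run showing which NFS versions are currently enabled and whether the host is far enough behind on updates that the mitigation would be counterproductive; the same report, collected after patching, confirms that v4.1 has been switched back on.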
CVE-2023-24943 describes a vulnerability in Windows Pragmatic General Multicast (PGM), and is a concern only for assets running Windows Message Queuing Service (MSQS) in a PGM environment. Microsoft recommends newer alternatives to PGM in the advisory. A further two critical RCEs for MSQS were patched last month, and the continued flow of vulnerabilities suggests that MSQS will continue to be an area of interest for security researchers. Although MSQS is not installed by default, some software, including some versions of Microsoft Exchange Server, will helpfully enable it as part of their own installation routine.
Another candidate for inclusion in an exploit chain is SharePoint Critical RCE CVE-2023-24955, which requires the attacker to authenticate as Site Owner to run code on the SharePoint Server host. Microsoft assesses this one as Exploitation More Likely, due in part to the low attack complexity. SharePoint Server 2016, 2019, and Subscription Edition are all vulnerable until patched. Anyone still running SharePoint Server 2013 should upgrade immediately, as May 2023 is the first Patch Tuesday after the end of ESU; absence of evidence of vulnerability is by no means evidence of absence.
Long-standing Patch Tuesday entrant Windows Secure Socket Tunneling Protocol (SSTP) provides CVE-2023-24903 this month, which is a critical RCE involving sending a specially crafted SSTP packet to an SSTP server and winning a race condition. This qualifies as high attack complexity, and Microsoft considers exploitation less likely.
The final Critical RCE this month is CVE-2023-28283, which is also a high-complexity network-vector attack involving a race condition. In this case, the attack is conducted via a specially-crafted set of LDAP calls.
As well as the SharePoint Critical RCE CVE-2023-24955 mentioned above, Microsoft is offering patches for two further SharePoint Server vulnerabilities.
Have you ever wondered how to obtain the NTLM hash of a SharePoint Server host? If so, then CVE-2023-24950 may be just what you’ve been looking for. Although this Spoofing vulnerability requires privileges to create a site on the SharePoint server, that need not be much of a problem, since in many SharePoint environments, this privilege is widely granted.
You could also try your hand at CVE-2023-24954, which allows an authenticated attacker to harvest user tokens from an unpatched system, as well as the Domain SID prefix for the targeted site, which might be worth knowing for an attacker looking to conceal persistence.
“Windows Remote Desktop” and “Remote Code Execution” can be a very potent combination, as defenders who remember the BlueKeep vulnerability are acutely aware. However, while CVE-2023-24905 is interesting, it is an altogether different and less threatening animal. Opening a specially-crafted malicious .rdp file on an unpatched asset can lead to RCE; the user must open the file locally, but the .rdp file itself could be hosted remotely on a file share.
The Remote Desktop app installed from the Windows Store is also vulnerable to an attack where an attacker could place a forged certificate in place of a valid self-signed certificate with the same serial number. By default, apps installed from the Microsoft Store will update automatically, so only assets where this has been explicitly disabled will remain vulnerable to CVE-2023-28920 for long.
Two related vulnerabilities in the AV1 video extension are patched this month: CVE-2023-29340 and CVE-2023-29341. A victim who opens a specially-crafted AV1 video file may enable an attacker to run code on their local machine. Only assets with the AV1 video extension installed via the Microsoft Store are vulnerable. This is another one of those arguably counterintuitive RCE vulnerabilities where Microsoft reminds us that “remote” refers to the location of the attacker, rather than the attack, since local user interaction is required.
This is an unusually small Patch Tuesday, at least by recent standards. No patches for printer driver or .NET vulnerabilities. Nothing for Azure, SQL Server, System Center, Microsoft Dynamics, or Microsoft 3D Builder. Even Exchange Server admins have no patches to apply this month.
It’s possible that there’s simply a finite supply of vulnerabilities out there and supply is slowing to a trickle. Of course, it’s also very possible that there’s a significant number of patches brewing which for whatever reason weren’t quite ready for inclusion in this month’s updates, and perhaps Patch Tuesday June 2023 will be a behemoth.
Only time will tell which of these two possibilities is closer to the truth.
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-29350 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 7.5 |
CVE-2023-29354 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.7 |
CVE-2023-2468 | Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture | No | No | N/A |
CVE-2023-2467 | Chromium: CVE-2023-2467 Inappropriate implementation in Prompts | No | No | N/A |
CVE-2023-2466 | Chromium: CVE-2023-2466 Inappropriate implementation in Prompts | No | No | N/A |
CVE-2023-2465 | Chromium: CVE-2023-2465 Inappropriate implementation in CORS | No | No | N/A |
CVE-2023-2464 | Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture | No | No | N/A |
CVE-2023-2463 | Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode | No | No | N/A |
CVE-2023-2462 | Chromium: CVE-2023-2462 Inappropriate implementation in Prompts | No | No | N/A |
CVE-2023-2460 | Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions | No | No | N/A |
CVE-2023-2459 | Chromium: CVE-2023-2459 Inappropriate implementation in Prompts | No | No | N/A |
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-29343 | SysInternals Sysmon for Windows Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-29338 | Visual Studio Code Information Disclosure Vulnerability | No | No | 5 |
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-24904 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.1 |
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | No | No | 9.8 |
CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | No | Yes | 8.1 |
CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-24946 | Windows Backup Service Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability | Yes | No | 7.8 |
CVE-2023-24940 | Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-24942 | Remote Procedure Call Runtime Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | Yes | Yes | 6.7 |
CVE-2023-29324 | Windows MSHTML Platform Security Feature Bypass Vulnerability | No | No | 6.5 |
CVE-2023-24900 | Windows NTLM Security Support Provider Information Disclosure Vulnerability | No | No | 5.9 |
CVE-2023-24945 | Windows iSCSI Target Service Information Disclosure Vulnerability | No | No | 5.5 |
CVE-2023-28251 | Windows Driver Revocation List Security Feature Bypass Vulnerability | No | No | 5.5 |
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-29344 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-24953 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-29335 | Microsoft Word Security Feature Bypass Vulnerability | No | No | 7.5 |
CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 |
CVE-2023-24881 | Microsoft Teams Information Disclosure Vulnerability | No | No | 6.5 |
CVE-2023-24950 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 6.5 |
CVE-2023-24954 | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 6.5 |
CVE-2023-29333 | Microsoft Access Denial of Service Vulnerability | No | No | 3.3 |
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 |
CVE-2023-24947 | Windows Bluetooth Driver Remote Code Execution Vulnerability | No | No | 8.8 |
CVE-2023-24949 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-24902 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-24905 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-29340 | AV1 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-29341 | AV1 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-24898 | Windows SMB Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-24901 | Windows NFS Portmapper Information Disclosure Vulnerability | No | No | 7.5 |
CVE-2023-24939 | Server for NFS Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-24948 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7.4 |
CVE-2023-24899 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7 |
CVE-2023-24944 | Windows Bluetooth Driver Information Disclosure Vulnerability | No | No | 6.5 |
CVE-2023-28290 | Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability | No | No | 5.3 |