Microsoft’s April 2023 Patch Tuesday Addresses 97 CVEs (CVE-2023-28252)

-

 Microsoft addresses 97 CVEs, including one that was exploited in the wild as a zero day.





CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability


CVE-2023-28252 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver, a logging service used by kernel-mode and user-mode applications. 

It was assigned a CVSSv3 score of 7.8. This vulnerability is a post-compromise flaw, meaning an attacker could exploit it after gaining access to a vulnerable target. 

Successful exploitation would elevate an attacker’s privileges SYSTEM. According to Microsoft, it was exploited in the wild as a zero day. 

Its discovery is attributed to Genwei Jiang of Mandiant and Quan Jin with DBAPPSecurity WeBin Lab.


CVE-2023-28252 is the second CLFS Driver EoP vulnerability to be exploited in the wild in 2023, as CVE-2023-23376 was disclosed in the February 2023 Patch Tuesday. 

It is the fourth known CLFS EoP vulnerability to be exploited in the wild in the last two years, following CVE-2022-24521 from the April 2022 Patch Tuesday 

and CVE-2022-37969 from the September 2022 Patch Tuesday release. CVE-2022-37969 was also disclosed to Microsoft by Wang and Jin, though it is unclear if there is any connection between both flaws.


CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability

CVE-2023-21554 is a RCE vulnerability affecting Microsoft Message Queuing (MSMQ) with a CVSSv3 score of 9.8. An attacker could exploit this flaw by sending a specially crafted MSMQ packet to an affected MSMQ server. Microsoft’s advisory notes that exploitation of this flaw requires the Windows message queuing service to be enabled. 

When enabled, TCP port 1801 will be listening on the host.

In addition to this RCE flaw, two denial of service CVEs (CVE-2023-21769 and CVE-2023-28302) rated as “important” were also patched in MSMQ this month.

CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

CVE-2023-28250 is a RCE vulnerability affecting Windows Pragmatic General Multicast (PGM). Successful exploitation requires the MSMQ service to be enabled. 

An attacker could exploit this flaw by sending a crafted file over the network in order to execute arbitrary code. This vulnerability has a CVSSv3 score of 9.8 and impacts 

supported versions of Windows including Server Core installations.

CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability

CVE-2023-28231 is a RCE vulnerability affecting the Dynamic Host Configuration Protocol (DHCP) server service. Microsoft rates this vulnerability as 

“Exploitation More Likely” according to the Microsoft Exploitability Index. With a CVSSv3 score of 8.8, successful exploitation requires an attacker to be on an adjacent 

network prior to using a crafted RPC call to exploit the flaw.

Microsoft Exchange Server 2013 End Of Life

Microsoft announced that Exchange Server 2013 has reached its end of life. This version of Exchange Server will no longer receive security updates and should be upgraded as soon as possible. Microsoft released guidance to assist customers with decommissioning Exchange Server 2013. As we noted in our 2022 Threat Landscape Report, Microsoft Exchange was a major target in 2022, with at least 10 ransomware groups targeting vulnerabilities affecting the popular mail server. In fact, the ProxyShell chain of vulnerabilities affecting Microsoft Exchange were highlighted in our top five vulnerabilities of the year.

To assist organizations in identifying unsupported versions of Microsoft Exchange Server, the following plugins are available:

Plugin ID 22313: Microsoft Exchange Server Unsupported Version Detection

Plugin ID 10880: Microsoft Exchange Server Unsupported Version Detection (Uncredentialed)

Reference 

1- https://www.tenable.com/blog/microsofts-april-2023-patch-tuesday-addresses-97-cves-cve-2023-28252

EB

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those are
Read more

The Imperva Content Delivery Network (CDN) to Improve website experience globally

-
Image
Today’s website visitors expect a fast and efficient user experience with no delays or site performance issues. However, high traffic volumes and global reaching websites mean website managers are faced with the challenge of added latency and slow page load times, which can result in lost business. According to WebSiteBuilderExpert.com, 1 in 4 site visitors would abandon a website that takes more than 4 seconds to load. And 46% of site visitors do not revisit poorly performing websites, according to Unbounce.com. A strong Content Delivery Network   (CDN) is critical for website managers and businesses that rely on their websites for success, and here are ten reasons why. Improve your engagement Faster site speed times and more responsive websites bring results in more conversions. As little as a  one-second delay  in page load time can reduce customer satisfaction by 16%. Slow page load times According to  Unbounce , ‘Nearly 70% of consumers admit that page speed influences their likel
Read more

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes

-
Image
On Feb. 13, 2024, Microsoft issued a  patch  for CVE-2024-21412, a  Microsoft Defender SmartScreen  vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote access trojan (RAT). Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures. We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component. It is important that organizations are able to identify and mitigate vulnerabilities, especially zero-days, in a timely mann
Read more