Patch Tuesday Microsoft’s March Patch Tuesday includes new fixes for 74 bugs, two of which are already being actively exploited, and nine that are rated critical. Let’s start with the two that miscreants found before Redmond issued a fix.
First up: prioritize patching CVE-2023-23397, a privilege elevation bug in Microsoft Outlook that received a 9.8 out of 10 CVSS rating. While details of the hole haven’t been publicly disclosed, it has already been exploited in the wild by miscreants in Russia against government, energy, and military sectors in Europe, we’re told. Microsoft lists the attack complexity as “low.”
Redmond is sufficiently worried about this one to have published a guide to the bug, and provided documentation and a script to determine if your business has been targeted by criminals trying to exploit this vulnerability. In other words: it’s serious.
The CVE allows a remote, unauthenticated attacker to access a victim’s Net-NTLMv2 hash by sending a tailored email to a compromised system, then use the hash to authenticate the attacker.
“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client,” Microsoft explained. “This could lead to exploitation BEFORE the email is viewed in the Preview Pane.”
While Microsoft doesn’t provide any details about what kind of nefarious deeds attackers are doing after exploiting the bug — or how widespread attacks are — Zero Day Initiative’s Dustin Childs advises: “Definitely test and deploy this fix quickly.”
As to who was abusing the security shortcoming in the first place, Microsoft pointed the finger at someone in Russia carrying out “targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.”
The flaw was reported to the IT giant by Ukraine’s CERT as well as by the Windows maker’s internal threat intelligence and research teams.
Yet another MotW bypass bug
The second bug under active exploit is publicly known, and related to a similar vulnerability, CVE-2022-44698, that Microsoft fixed in December 2022.
This new vulnerability, CVE-2023-24880 is a Windows SmartScreen security feature bypass bug, and allows attackers to create malicious files that can bypass Mark-of-the-Web security features. While it’s only rated 5.4/10, it’s already being exploited by crooks demanding ransom payments. Remember, dear reader: CVSS is only a number and does not indicate real-world risks.
Google’s Threat Analysis Group (TAG) spotted this issue first and said it’s being used to deliver Magniber ransomware. The TAG team has documented more than 100,000 downloads to date, mostly in Europe, so although this vulnerability only received a 5.4 CVSS, unless you want to deal with encrypted systems and extortion, patch now.
One critical CVE down, eight to go
Of the other critical-rated vulnerabilities: we’d suggest patching CVE-2023-23392, a 9.8 CVSS-rated HTTP protocol stack remote code execution (RCE) bug, next. It affects Windows 11 and Windows Server 2022.
A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys), according to Microsoft. The miscreant could then execute code at SYSTEM level without any user interaction.
“That combination makes this bug wormable — at least through systems that meet the target requirements,” Childs noted.
CVE-2023-23415 is another critical, 9.8-rated RCE bug that, according to Childs, is also potentially wormable. It’s the result of a flaw in the Internet Control Message Protocol (ICMP).
“An attacker could send a low-level protocol error containing a fragmented IP packet inside another ICMP packet in its header to the target machine,” Microsoft explained. “To trigger the vulnerable code path, an application on the target must be bound to a raw socket.”
Of the remaining critical CVEs, CVE-2023-21708, CVE-2023-23404 and CVE-2023-23416 could result in remote code execution.
CVE-2023-23411 is a denial-of-service vulnerability in Windows Hyper-V hypervisor, which Microsoft says could “affect the functionality of the Hyper-V host.”
The final two critical bugs, CVE-2023-1017 and CVE-2023-1018, are a pair of out-of-bounds-read and out-of-bounds-write flaws in Trusted Platform Module 2.0’s reference implementation code that are now being fixed in Microsoft products.
Fortinet bug used to attack govt networks
Also this month, Fortinet released fixes for 15 flaws. Of those CVE-2022-41328 is a path transversal vulnerability in FortiOS and has been exploited to target government agencies and large organizations.
“A improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands,” Fortinet said in a security advisory issued earlier this month.
Days later, Fortinet issued an analysis that states miscreants were using the flaw in an attempt to attack large organizations and steal their data, and cause OS or file corruption.
“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” the analysis said.
Adobe fixes 105 bugs
Adobe’s monthly patch party included fixes for 105 vulnerabilities across its Photoshop, Experience Manager, Dimension, Commerce, Substance 3D Stager, Cloud Desktop Application and Illustrator products.
The software maker says it’s not aware of any of these security issues being exploited in the wild.
Adobe’s Dimension 3D rendering and design tool scored the most (58) CVEs, with exploitation possibly causing memory leak and arbitrary code execution.
The update for Experience Manager fixes 18 bugs that could result in arbitrary code execution, privilege escalation and security feature bypass.
The Substance 3D Stager patch addresses 16 vulnerabilities, again possible vectors for arbitrary code execution and memory leak issues.
Updates for Photoshop (one CVE) and Illustrator (five CVEs) also plug holes that could lead to – you guessed it – remote code execution.
Finally, a Cold Fusion update fixes three bugs, including a critical code execution vulnerability, and a patch for Creative Cloud fixes one critical code execution bug.
SAP issues 21 patches
SAP released 21 new and updated security patches, including two 9.9-rated bugs.
CVE-2023-25616 is a code injection vulnerability in SAP Business Objects Business Intelligence Platform that could allow an attacker to inject arbitrary code.
CVE-2023-23857 is an improper access control bug in SAP NetWeaver AS for Java version 7.50.
Another SAP fix addresses the 9.0-rated CVE-2023-25617. While that’s less dangerous than other SAP patches this month, “that doesn’t mean it’s less critical,” according to Thomas Fritsch, SAP security researcher at Onapsis.
“The lower CSS rating is due to the fact that a successful exploit requires interaction with another user,” Fritsch wrote.
The patch fixes an OS command execution vulnerability in SAP’s Business Objects Adaptive Job Server. If exploited, it could allow execution of arbitrary OS commands over the network.
Android fixes no-touch RCE
Google’s Android Security Bulletin addressed 60 flaws this month including two critical RCE bugs in the System component: CVE-2023-20951 and CVE-2023-20954.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Android’s infosec bulletin warned. “User interaction is not needed for exploitation.”
Chrome crushes 40 flaws
And finally, Google fixed 40 flaws in its Chrome web browser, the most severe of which could allow for arbitrary code execution in the context of the user.
Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” according to the Center for Internet Security. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.” ®