
Overview

Microsoft has released updates for 98 security vulnerabilities in January’s patch cycle.

Eleven of these are rated CRITICAL. Most allow Remote Code Execution (RCE) or local Elevation of Privilege (EoP), and one is a Security Feature Bypass (SFB):

– Three EoPs in Windows Cryptographic Services
– Five RCEs in Layer 2 Tunneling Protocol (L2TP)
– Two RCEs in Secure Socket Tunneling Protocol (SSTP)
– One SFB in SharePoint

Of particular note, the SharePoint security feature bypass would allow an attacker to get around authentication requirements and make an anonymous connection to the server. Installing the update alone is not enough: the fix requires manual intervention (see Containment, Mitigations & Remediations below).

Another notable fix is for an elevation of privilege vulnerability (CVE-2023-21674) in Windows Advanced Local Procedure Call (ALPC), which has been observed being exploited in the wild. The researchers at Avast who reported it say it was likely chained with a Chrome RCE to gain kernel access from within the browser sandbox.

With this release, Windows 7 and Windows Server 2008 have reached End of Life (EoL) and will not receive further security updates. Windows Server 2012 will reach EoL in October 2023.

Impact

An attacker who successfully exploited the Windows ALPC vulnerability (CVE-2023-21674) could gain SYSTEM privileges.

A remote unauthenticated attacker could bypass authentication and make an anonymous connection to an affected SharePoint server.

Affected Products

.NET Core
3D Builder
Azure Service Fabric Container
Microsoft Bluetooth Driver
Microsoft Exchange Server
Microsoft Graphics Component
Microsoft Local Security Authority Server (lsasrv)
Microsoft Message Queuing
Microsoft Office
Microsoft Office SharePoint
Microsoft Office Visio
Microsoft WDAC OLE DB provider for SQL
Visual Studio Code
Windows ALPC
Windows Ancillary Function Driver for WinSock
Windows Authentication Methods
Windows Backup Engine
Windows Bind Filter Driver
Windows BitLocker
Windows Boot Manager
Windows Credential Manager
Windows Cryptographic Services
Windows DWM Core Library
Windows Error Reporting
Windows Event Tracing
Windows IKE Extension
Windows Installer
Windows Internet Key Exchange (IKE) Protocol
Windows iSCSI
Windows Kernel
Windows Layer 2 Tunneling Protocol
Windows LDAP – Lightweight Directory Access Protocol
Windows Local Security Authority (LSA)
Windows Local Session Manager (LSM)
Windows Malicious Software Removal Tool
Windows Management Instrumentation
Windows MSCryptDImportKey
Windows NTLM
Windows ODBC Driver
Windows Overlay Filter
Windows Point-to-Point Tunneling Protocol
Windows Print Spooler Components
Windows Remote Access Service L2TP Driver
Windows RPC API
Windows Secure Socket Tunneling Protocol (SSTP)
Windows Smart Card
Windows Task Scheduler
Windows Virtual Registry Provider
Windows Workstation Service

Containment, Mitigations & Remediations

Customers running SharePoint Server must trigger the upgrade action included in this update to protect their SharePoint farm; simply installing the update does not apply the fix.

Indicators of Compromise

None given.

Mitre Methodologies

T1068 – Exploitation for Privilege Escalation
T1210 – Exploitation of Remote Services

Further Information

January 2023 Security Updates

Glossary

– BYOVD – Bring Your Own Vulnerable Driver (a technique for getting access to the OS kernel)
– CVE – Common Vulnerabilities and Exposures (a scheme to categorise and index vulnerabilities)
– DoS – Denial of Service (an attack that prevents a service from operating)
– EoP – Elevation of Privilege (allows a user to gain more permissions)
– IoC – Indicator of Compromise (an artifact that can be used to identify malicious activity such as an IP or domain used by an attacker)
– MotW – Mark of the Web (a safety feature to discourage users from running things they’ve just downloaded)
– RCE – Remote Code Execution (a class of vulnerability that allows an attacker to run code on another machine)
– SFB – Security Feature Bypass (allows an attacker to get around a security protection)