Get in Touch
Indiscriminate, opportunistic targeting.
Microsoft Patch Tuesday for April 2023: One actively exploited zero-day vulnerability as well as two critical level vulnerabilities, with a CVSS score of 9.0 and above, were addressed as a part of 98 total security flaws addressed by Microsoft.
The zero-day flaw, tracked as CVE-2023-28252 (CVSSv3 Score: 7.8), relates to a Windows Common Log Sile System Driver Elevation of Privilege (EoP) vulnerability. Although actively exploited in the wild, a Proof-of-Concept (PoC) has yet to be released.
The critical vulnerabilities have been classified as CVE-2023-21554 (CVSSv3 Score 9.8) and CVE-2023-28250(CVSSv3 Score 9.8), which pertain to a Microsoft Message Queuing remote code execution (RCE) and Windows Pragmatic General Multicast (PGM) RCE vulnerability, respectively. At the time of writing, neither has been reported to have been exploited in the wild. Further, the Microsoft Message Queueing service must be enabled and listening on TCP port 1801 for a system to be vulnerable to exploit. Even though the Message Queueing service is not installed by default, future exploitation of CVE-2023-21554, CVE-2023-28250remains a possibility.
A RCE vulnerability was also discovered on the DHCP service. The flaw, tracked as CVE-2023-28231(CVSSv3 Score 8.8), requires a threat actor to gain access to the target network prior to exploitation.
The remaining RCE vulnerabilities of note that were patched have been outlined below:
CVE-2023-28291(CVSSv3 Score 8.4): Raw Image Extension Remote Code Execution Vulnerability
CVE-2023-28232(CVSSv3 Score XX): Windows Point-to-Point Tunnelling Protocol remote code execution vulnerability
CVE-2023-28240(CVSSv3 Score 8.8): Windows Network Load Balancing remote code execution vulnerability(CVSSv3 Score 8.8)
A complete list of the disclosed security vulnerabilities can be found at the Microsoft Advisory.
– Successful exploitation of CVE-2023-28252 allows a threat actor to obtain SYSTEM privileges via a vulnerability in the Windows Common Log File System (CLFS) driver.
– Successful exploitation of CVE-2023-21554 allows a threat actor to obtain RCE capabilities by sending a specially crafted Microsoft Messaging Queue packet.
– Successful exploitation of [CVE-2023-28250](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28250) allows a threat actor to obtain Remote Code Execution (RCE) capabilities by sending a specially crafted file over the target network.
– Successful exploitation of CVE-2023-28219 and CVE-2023-28220 results in an unauthenticated threat actor being able to deliver a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine.
– Successful exploitation of CVE-2023-28231 would allow an authenticated threat actor to leverage a specially crafted RPC call to the DHCP service.
– Successful exploitation of CVE-2023-28291 allows a threat actor to run a specially crafted application and take control of a target system.
– Exploitation of CVE-2023-28232 requires the target to connect to a malicious server. Once connected, the threat actor can leverage this flaw to run code on the target system.
– Successful exploitation of CVE-2023-28240 would allow a remote threat actor to pass specially crafted input to the target application and execute arbitrary code on the target system.
Security patches for the vulnerabilities reported on have been released by Microsoft. Previous versions therefore remain vulnerable to potential exploitation.
A full list of the affected products pertaining to the April 2023 Patch Tuesday can be found on the Microsoft Update page.
Containment, Mitigations & Remediations
It is strongly recommended that the relevant security patches are applied to the respective Microsoft products. The patches can be found directly at the Microsoft Patch Tuesday April 2023 Security Guide.
Last month, Microsoft published remediations for 83 security flaws in the March 2023 Patch Tuesday release, including two actively exploited zero-day vulnerabilities. Moving into the April disclosure, leading attack vectors continue to be those of RCE and privilege escalation (accounting for a combined two-thirds of patched vulnerabilities). Further, information disclosure, denial-of-service and spoofing vulnerability cases continue to account for a similar proportion of reported security flaws, compared to March 2023.
April is the third consecutive month in which at least one of the vulnerabilities in a Patch Tuesday release had been exploited in the wild prior to disclosure. The related 45 RCE patches have resulted in a significant increase from the average of 33 per month throughout the previous three-month period.
A threat actor has been reported to have exploited CVE-2023-28252 to deploy the Nokoyawa ransomware variant on systems belonging to small to medium-sized organisations in the US, the Middle East and Asia. With regards to the remaining vulnerabilities, no attribution to specific threat actors or groups have been identified at the time of writing.
Quorum Cyber Actions
A threat hunt will be conducted with the available Indicators of Compromise (IoCs) relating to the exploitation of CVE-2023-28252 by Nokoyawa ransomware for all SOC customers.
Lateral Movement Technique:
T1210 – Exploitation of Remote Services
T1499 – Endpoint Denial of Service