
Patch Tuesday – February 2023 Update (7th March 2023 at 15:55 UTC)

Overview

A proof-of-concept (PoC) for a critical Microsoft Word vulnerability, being tracked as CVE-2023-21716, has been published. The security flaw was addressed in the February 2023 Patch Tuesday, where it received a CVSSv3.1 score of 9.8.

Successful exploitation of the vulnerability allows a remote threat actor to manipulate Microsoft Office’s ‘wwlib.dll’, which opens up the potential for remote code execution with the same level of privilege as the user who opens a malicious .RTF document.

Updated Affected Products

– Microsoft Office 2019 for 32-bit editions
– Microsoft Office 2019 for 64-bit editions
– Microsoft Word 2013 Service Pack 1 (64-bit editions)
– Microsoft Word 2013 RT Service Pack 1
– Microsoft Word 2013 Service Pack 1 (32-bit editions)
– Microsoft SharePoint Foundation 2013 Service Pack 1
– Microsoft Office Web Apps Server 2013 Service Pack 1
– Microsoft Word 2016 (32-bit edition)
– Microsoft Word 2016 (64-bit edition)
– Microsoft SharePoint Server 2019
– Microsoft SharePoint Enterprise Server 2013 Service Pack 1
– Microsoft SharePoint Enterprise Server 2016
– Microsoft 365 Apps for Enterprise for 64-bit Systems
– Microsoft Office 2019 for Mac
– Microsoft Office Online Server
– SharePoint Server Subscription Edition Language Pack
– Microsoft 365 Apps for Enterprise for 32-bit Systems
– Microsoft Office LTSC 2021 for 64-bit editions
– Microsoft SharePoint Server Subscription Edition
– Microsoft Office LTSC 2021 for 32-bit editions
– Microsoft Office LTSC for Mac 2021

Updated Containment, Mitigations & Remediations

It is strongly advised that the relevant mitigation steps are followed to prevent exploitation of the vulnerability reported on. A comprehensive review of the recommended mitigation steps can be found within the associated Microsoft Advisory.

Microsoft has also released the following list of recommended available workarounds, in the event that the mitigation steps cannot be implemented immediately:

– Read emails in plain text format
– Enable the Microsoft Office File Block policy. This prevents Office applications from opening untrusted RTF documents.

However, it should be noted that applying the above workarounds comes with some risk, as they require modifying the Windows registry. If these steps are not followed correctly, it might be necessary to reinstall the operating system. Installing the security update from Microsoft therefore remains the preferred way to address the potential for exploitation of CVE-2023-21716.
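The following PowerShell script is an added example, not part of the bulletin and not Microsoft’s own tooling. It audits whether the two registry-based workarounds above are in place for the current user, and with -Apply it exports the affected keys before writing them, so that the change can be reversed with ‘reg import’ if it causes problems. The registry locations and values follow Microsoft’s published workaround for CVE-2023-21716 (RtfFiles = 2 and OpenInProtectedView = 0 under the Word FileBlock key; ReadAsPlain = 1 under the Outlook Mail options key); the assumption that the version segment is 16.0 for Office 2016/2019/LTSC 2021/Microsoft 365 and 15.0 for Office 2013, and the backup directory, are this example’s own.

```powershell
# Added example (not from the bulletin or Microsoft): audit, back up and optionally apply
# the per-user registry workarounds for CVE-2023-21716.
#   HKCU\Software\Microsoft\Office\<ver>\Word\Security\FileBlock   RtfFiles=2, OpenInProtectedView=0
#   HKCU\Software\Microsoft\Office\<ver>\Outlook\Options\Mail      ReadAsPlain=1
# Assumption: <ver> is 16.0 for Office 2016/2019/LTSC 2021/Microsoft 365, 15.0 for Office 2013.
# Note: RtfFiles=2 stops Word opening any RTF file, trusted or not, until the value is removed.
[CmdletBinding()]
param(
    [string[]]$OfficeVersions = @('16.0', '15.0'),
    [string]$BackupDir = "$env:TEMP\office-rtf-workaround",   # assumed location for .reg backups
    [switch]$Apply                                             # audit only unless given
)

function Get-RtfWorkaroundState {
    param([string]$Version)
    $fileBlock = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
    $mailOpts  = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Mail"
    # A missing key or value yields $null, which the report shows as "not configured"
    $rtf   = (Get-ItemProperty -Path $fileBlock -Name RtfFiles -ErrorAction SilentlyContinue).RtfFiles
    $pv    = (Get-ItemProperty -Path $fileBlock -Name OpenInProtectedView -ErrorAction SilentlyContinue).OpenInProtectedView
    $plain = (Get-ItemProperty -Path $mailOpts  -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
    [pscustomobject]@{
        OfficeVersion       = $Version
        RtfFiles            = $rtf
        OpenInProtectedView = $pv
        ReadAsPlain         = $plain
        RtfBlocked          = ($rtf -eq 2 -and $pv -eq 0)
        PlainTextMail       = ($plain -eq 1)
    }
}

function Backup-RegistryKey {
    param([string]$HiveKey, [string]$OutFile)
    # reg.exe export gives a reversible snapshot; 'reg import <file>' restores it
    $psPath = $HiveKey -replace '^HKCU\\', 'HKCU:\'
    if (Test-Path $psPath) {
        & reg.exe export $HiveKey $OutFile /y | Out-Null
    }
}

function Set-RtfWorkaround {
    param([string]$Version)
    $fileBlock = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
    $mailOpts  = "HKCU:\Software\Microsoft\Office\$Version\Outlook\Options\Mail"
    New-Item -Path $fileBlock -Force | Out-Null   # creates intermediate keys if absent
    New-Item -Path $mailOpts  -Force | Out-Null
    Set-ItemProperty -Path $fileBlock -Name RtfFiles            -Value 2 -Type DWord
    Set-ItemProperty -Path $fileBlock -Name OpenInProtectedView -Value 0 -Type DWord
    Set-ItemProperty -Path $mailOpts  -Name ReadAsPlain         -Value 1 -Type DWord
}

foreach ($ver in $OfficeVersions) {
    # Skip Office versions that have no per-user profile on this machine
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver")) { continue }
    $before = Get-RtfWorkaroundState -Version $ver
    $before | Format-List
    if ($Apply -and -not ($before.RtfBlocked -and $before.PlainTextMail)) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Backup-RegistryKey "HKCU\Software\Microsoft\Office\$ver\Word\Security" "$BackupDir\word-security-$ver-$stamp.reg"
        Backup-RegistryKey "HKCU\Software\Microsoft\Office\$ver\Outlook\Options\Mail" "$BackupDir\outlook-mail-$ver-$stamp.reg"
        Set-RtfWorkaround -Version $ver
        # Re-read so the report reflects what was actually written
        Get-RtfWorkaroundState -Version $ver | Format-List
    }
}
```

Run without parameters to audit; run with -Apply to enforce the workaround after the keys have been exported. Because the values live under HKCU they take effect per user, so on shared machines the script (or an equivalent Group Policy setting) needs to be applied for every profile that uses Office, and the values should be removed once the February 2023 security update has been installed.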

Updated Further Information

Bleeping Computer Article

Patch Tuesday – February 2023 update (16th February 2023 at 06:25 UTC)

Overview

Microsoft has reported that specific Windows Server 2022 virtual machines may experience issues whilst booting up following the updates released as a part of the February 2023 Patch Tuesday. This issue has been detected after installing KB5022842 on guest virtual machines running Windows Server 2022 on some versions of VMware ESXi.

Updated Affected Products

– Virtual machines with Secure Boot enabled running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x. This known issue only affects WSUS servers upgraded from Windows Server 2016 or Windows Server 2019.

Updated Containment, Mitigations & Remediations

No additional patch has been released for this virtual machine boot issue at the time of writing. However, VMware has provided administrators with the following set of temporary workarounds that should be implemented in the interim until a permanent remediation option is released:

– Upgrade the ESXi host where the virtual machine in question is running to vSphere ESXi 8.0
– Disable ‘Secure Boot’ on the virtual machines
– Do not install the KB5022842 patch on any Windows Server 2022 virtual machine until the issue is resolved.

Additionally, the Secure Boot option can be disabled for each virtual machine by following the steps below:

– Power off the virtual machine
– Right-click the virtual machine and select ‘Edit Settings’
– Select the ‘VM Options’ tab
– Under Boot Options, uncheck ‘Secure Boot enabled’.

It should be noted that if the KB5022842 Windows Server 2022 cumulative update has already been installed, uninstalling it will not resolve the issue. In such a case, to ensure that the virtual machine can boot again, the ESXi host must be updated to vSphere ESXi 8.0 or ‘Secure Boot’ must be disabled.
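The following VMware PowerCLI script is an added example, not part of the bulletin and not VMware’s or Microsoft’s own tooling. It inventories virtual machines that match the affected configuration described above (a Windows Server 2022 guest with EFI Secure Boot enabled on an ESXi 6.7 or 7.0 host) and, when run with -DisableSecureBoot, performs the ‘Secure Boot enabled’ uncheck from the manual steps for VMs that are already powered off. It assumes the VMware.PowerCLI module is installed, that Connect-VIServer has already been run against vCenter (the server name shown is a placeholder), and that the account can reconfigure VMs.

```powershell
# Added example (not from the bulletin, VMware or Microsoft): find VMs matching the
# KB5022842 / Secure Boot boot-failure configuration and optionally disable Secure Boot.
# Assumptions: VMware.PowerCLI is installed and a vCenter session exists, e.g.
#   Connect-VIServer -Server vcenter.example.invalid    # placeholder server name
[CmdletBinding()]
param([switch]$DisableSecureBoot)

function Get-SecureBootAtRiskVM {
    foreach ($vm in Get-VM) {
        $cfg = $vm.ExtensionData.Config
        if (-not $cfg.BootOptions.EfiSecureBootEnabled) { continue }
        $hostVersion = $vm.VMHost.Version                 # e.g. '6.7.0' or '7.0.3'
        if ($hostVersion -notmatch '^(6\.7|7\.0)') { continue }
        # Guest.OSFullName comes from VMware Tools and reflects the running OS; the configured
        # guest type (Config.GuestFullName) may still read 2019 for a 2022 guest on older hosts,
        # so both are checked. Guests without Tools report $null and are not flagged.
        $guestNames = @($vm.Guest.OSFullName, $cfg.GuestFullName)
        if (-not ($guestNames -match 'Windows Server 2022')) { continue }
        [pscustomobject]@{
            Name        = $vm.Name
            Host        = $vm.VMHost.Name
            HostVersion = $hostVersion
            GuestOS     = $vm.Guest.OSFullName
            PowerState  = $vm.PowerState
        }
    }
}

function Disable-VMSecureBoot {
    param([Parameter(Mandatory)][string]$Name)
    $vm = Get-VM -Name $Name
    # Boot options can only be changed on a powered-off VM, matching the manual steps above
    if ($vm.PowerState -ne 'PoweredOff') {
        Write-Warning "$Name is $($vm.PowerState); power it off before disabling Secure Boot"
        return $false
    }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $false
    $vm.ExtensionData.ReconfigVM($spec)
    # Re-read the configuration to confirm the change took effect
    return -not (Get-VM -Name $Name).ExtensionData.Config.BootOptions.EfiSecureBootEnabled
}

$atRisk = @(Get-SecureBootAtRiskVM)
$atRisk | Format-Table -AutoSize
if ($DisableSecureBoot) {
    foreach ($item in $atRisk) {
        if (Disable-VMSecureBoot -Name $item.Name) { "$($item.Name): Secure Boot disabled" }
    }
}
```

Run without parameters to produce the inventory of affected VMs, which is also the list on which KB5022842 should be held back; run with -DisableSecureBoot only for VMs that have already been powered off deliberately, since the function refuses to change boot options on a running guest. Secure Boot should be re-enabled once the host has been upgraded to ESXi 8.0 or a permanent fix is available.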

Updated Further Information

Bleeping Computer Article


15th February 2023

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Microsoft Patch Tuesday for February 2023: three exploited zero-day vulnerabilities were remediated and a further 74 security flaws addressed, nine of which were classified as critical. The following list contains a breakdown of the outlined vulnerabilities:

  • 12 privilege escalation flaws
  • Two Security Feature Bypass Vulnerabilities
  • 38 Remote Code Execution Vulnerabilities
  • Eight Information Disclosure Vulnerabilities
  • 10 Denial of Service Vulnerabilities
  • Eight Spoofing Vulnerabilities

The three exploited zero-day vulnerabilities have been classified as follows:

  • CVE-2023-21823: Windows Graphics Component Remote Code Execution Vulnerability
  • CVE-2023-21715: Microsoft Publisher Security Features Bypass
  • CVE-2023-23376: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Nine of the addressed vulnerabilities attained a critical CVSSv3 score:

  • CVE-2023-21808: .NET and Visual Studio Remote Code Execution Vulnerability (CVSSv3 Score – 8.4)
  • CVE-2023-21716: Microsoft Word Remote Code Execution Vulnerability (CVSSv3 Score – 9.8)
  • CVE-2023-21718: Microsoft SQL ODBC Driver Remote Code Execution Vulnerability (CVSSv3 Score – 7.8)
  • CVE-2023-21815: Visual Studio Remote Code Execution Vulnerability (CVSSv3 Score – 8.4)
  • CVE-2023-23381: Visual Studio Remote Code Execution Vulnerability (CVSSv3 Score – 8.4)
  • CVE-2023-21803: Windows iSCSI Discovery Service Remote Code Execution Vulnerability (CVSSv3 Score – 9.8)
  • CVE-2023-21692: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability (CVSSv3 Score – 9.8)
  • CVE-2023-21690: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability (CVSSv3 Score – 9.8)
  • CVE-2023-21689: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability (CVSSv3 Score – 9.8)

Impact

It’s been reported that each of the zero-day vulnerabilities has been exploited in the wild:

  • CVE-2023-21823: Successful exploitation of this vulnerability could allow a threat actor to perform remote code execution with SYSTEM privileges
  • CVE-2023-21715: Successful exploitation of this vulnerability could allow a threat actor to craft a document to bypass Office macro policies that block untrusted or malicious files
  • CVE-2023-23376: Successful exploitation of this vulnerability could allow a threat actor to gain SYSTEM privileges

Vulnerability Detection

Security patches for the vulnerabilities mentioned have been released by Microsoft. Unpatched versions of the products detailed below therefore remain vulnerable to exploitation.

Affected Products

The following Microsoft products have been affected by the vulnerabilities reported on:

  • .NET Framework
  • Visual Studio
  • 3D Builder
  • Azure App Service
  • Azure Data Box Gateway
  • Azure DevOps
  • Azure Machine Learning
  • HoloLens
  • Internet Storage Name Service
  • Mariner
  • Microsoft Defender for Endpoint
  • Microsoft Defender for IoT
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft PostScript Printer Driver
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows Codecs Library
  • Power BI
  • SQL Server
  • Windows Active Directory
  • Windows ALPC
  • Windows Common Log File System Driver
  • Windows Cryptographic Services
  • Windows Distributed File System (DFS)
  • Windows Fax and Scan Service
  • Windows HTTP.sys
  • Windows Installer
  • Windows iSCSI
  • Windows Kerberos
  • Windows MSHTML Platform
  • Windows ODBC Driver
  • Windows Protected EAP (PEAP)
  • Windows SChannel
  • Windows Win32K

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the respective Microsoft products reported on. The patches can be found directly at the Microsoft Patch Tuesday February 2023 Release Note.

Indicators of Compromise

No specific Indicators of Compromise (IoC) are available at this time.

Threat Landscape

Last month, Microsoft published remediations for 98 security flaws in the January 2023 Patch Tuesday release. One actively-exploited zero-day vulnerability was included.

The leading attack vectors continue to be those of remote code execution and privilege escalation (accounting for a combined 64.9% of patched vulnerabilities). Moreover, information disclosure, denial of service and spoofing vulnerability cases continue to account for a similar proportion of reported security flaws, compared to January 2023.

Additionally, the spread of affected products across the Microsoft suite was similar to that of the January 2023 Patch Tuesday release.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

TA0002 – Execution

TA0004 – Privilege Escalation

Discovery:

T1082 – System Information Discovery

Lateral Movement:

T1210 – Exploitation of Remote Services

Impact:

T1499 – Endpoint Denial of Service

Further Information

Bleeping Computer Article

Rapid7 Blog