Patch Tuesday – March 2023

Target Industry

Indiscriminate, opportunistic targeting.

 Overview

Microsoft Patch Tuesday for March 2023: Two exploited zero-day vulnerabilities were remediated as a part of 83 total security flaws addressed by Microsoft, nine of which were classified with a critical severity level.

The two exploited zero-day vulnerabilities have been classified as follows:

– CVE-2023-23397 (CVSSv3 base score of 9.8 – Critical Severity): Critical Elevation of Privilege vulnerability affecting Outlook for Windows
– CVE-2023-24880 (CVSSv3 base score of 5.4 – Medium Severity): Security Feature Bypass in Windows SmartScreen

Five critical Remote Code Execution (RCE) vulnerabilities were patched in Windows low-level components. Of note were:

– CVE-2023-21708 (CVSSv3 of 9.8 – Critical Severity), which is a Remote Procedure Call (RPC) flaw
– CVE-2023-23392 (CVSSv3 of 9.8 – Critical Severity): HTTP protocol stack RCE bug
– CVE-2023-23415 (CVSSv3 of 9.8 – Critical Severity): Security flaw in the Internet Control Message Protocol (ICMP).

The two remaining critical CVEs relating to RCE were CVE-2023-23404 and CVE-2023-23416.

Microsoft also addressed the following two security issues introduced via the Trusted Platform Module (TPM) 2.0 reference implementation code:

– CVE-2023-1017 (CVSSv3 base score of 8.8 – Critical Severity): Out-of-bounds write
– CVE-2023-1018 (CVSSv3 base score of 8.8 – Critical Severity): Out-of-bounds read

 Impact

The following impact statements relate to the nine critical vulnerabilities:

– CVE-2023-23397: Successful exploitation of this vulnerability could allow a threat actor to use a specially crafted email to cause Outlook to send new technology LAN manager (NTLM) authentication messages to an attacker-controlled Server Message Block (SMB) share, which could subsequently be applied to authenticate against other services offering NTLM authentication
– CVE-2023-23392: A remote, unauthenticated threat actor could exploit this vulnerability by sending a specially crafted packet to a targeted server that uses the HTTP Protocol Stack. This could lead to the execution of code at SYSTEM level without any user interaction
– CVE-2023-23415: A threat actor could send a low-level protocol error containing a fragmented IP packet inside another ICMP packet in its header to the target machine
– CVE-2023-23404: An unauthenticated threat actor could send a specially crafted connection request to a RAS server, which could lead to RCE on the RAS server machine
– CVE-2023-23416: A threat actor could upload a certificate to a service that processes or imports certificates, or they could convince an authenticated user to import a certificate on their system
– CVE-2023-21708: To exploit this vulnerability, an unauthenticated threat actor would be required to send a specially crafted RPC call to an RPC host. This could result in RCE on the server side with the same permissions as the RPC service
– CVE-2023-23411: Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host
– CVE-2023-1017 and CVE-2023-1018: By leveraging malicious TPM commands from a guest VM to a target running Hyper-V, a threat actor could cause an out-of-bounds write in the root partition.

Vulnerability Detection

Security patches for the vulnerabilities mentioned have been released by Microsoft. Previous versions (detailed below) therefore remain vulnerable to exploitation.

Affected Products

– CVE-2023-23397: Current self-hosted versions of Outlook, including Microsoft 365 Applications for Enterprise, are vulnerable to CVE-2023-23397. However, Microsoft-hosted online services (e.g., Microsoft 365) are not
– CVE-2023-24880: Windows 10 and 11, as well as Windows Server 2016 onwards
– CVE-2023-23392: Windows 11 and Windows Server 2022

Regarding the remainder of the addressed vulnerabilities, the following products are affected:

– Azure
– Client Server Run-time Subsystem (CSRSS)
– Internet Control Message Protocol (ICMP)
– Microsoft Bluetooth Driver
– Microsoft Dynamics
– Microsoft Edge (Chromium-based)
– Microsoft Graphics Component
– Microsoft Office Excel
– Microsoft Office Outlook
– Microsoft Office SharePoint
– Microsoft OneDrive
– Microsoft PostScript Printer Driver
– Microsoft Printer Drivers
– Microsoft Windows Codecs Library
– Office for Android
– Remote Access Service Point-to-Point Tunnelling Protocol
– Role: DNS Server
– Role: Windows Hyper-V
– Service Fabric
– Visual Studio
– Windows Accounts Control
– Windows Bluetooth Service
– Windows Central Resource Manager
– Windows Cryptographic Services
– Windows Defender
– Windows HTTP Protocol Stack
– Windows HTTP.sys
– Windows Internet Key Exchange (IKE) Protocol
– Windows Kernel
– Windows Partition Management Driver
– Windows Point-to-Point Protocol over Ethernet (PPPoE)
– Windows Remote Procedure Call
– Windows Remote Procedure Call Runtime
– Windows Resilient File System (ReFS)
– Windows Secure Channel
– Windows SmartScreen
– Windows TPM
– Windows Win32K

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the respective Microsoft products reported on. The patches can be found directly at the Microsoft Patch Tuesday March 2023 Release Note.

Notable, in terms of CVE-2023-21708, it is recommend that users block TCP port 135 at the perimeter as a mitigation strategy.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Last month, Microsoft published remediations for 77 security flaws in the February 2023 Patch Tuesday release, including three actively exploited zero-day vulnerabilities. The leading attack vectors continue to be those of RCE and privilege escalation (accounting for a combined 57.8% of patched vulnerabilities). Moreover, information disclosure, denial-of-service and spoofing vulnerability cases continue to account for a similar proportion of reported security flaws, compared to February 2023. Additionally, product coverage across the Microsoft suite was observed, similar to the February 2023 Patch Tuesday release.

In regards to CVE-2023-23397, considering the network attack vector, the prevalence of SMB shares, and the lack of user interaction required, a threat actor with an established foothold on a target network could consider this vulnerability as a prime option for lateral movement purposes.

Threat Group

In-the-wild exploitation of CVE-2023-23397 by a Russia-based threat actor (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) has been detected as targeting government, military, and critical infrastructure entities in Europe.

Mitre Methodologies

Tactics:

TA0002 – Execution
TA0004 – Privilege Escalation

Technique – Lateral Movement:

T1210 – Exploitation of Remote Services

Technique – Impact:

T1499 – Endpoint Denial of Service

Further Information

Rapid7 Blog
Tenable Blog
Bleeping Computer Article
The Register Article