Multiple Critical & Actively Exploited Vulnerabilities Patched in Microsoft’s February Security Update


On 14 February 2023, Microsoft published its February 2023 Security Update, patching multiple high- and critical-severity vulnerabilities, some of which are being actively exploited in the wild. These vulnerabilities impact Windows systems and Exchange servers.

Windows 

Impacted Products 
Windows Server 2022, 2019, 2016, 2012, 2012 R2, 2008 R2 Service Pack 1, 2008 Service Pack 2 
Windows 11 Version 21H2, 11 Version 22H2, 10 Version 20H2, 10 Version 21H2, 10 Version 22H2, 10 Version 1809, 10 Version 1607  

 

CVE-2023-21692 (CVSS 9.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Protected Extensible Authentication Protocol (PEAP). An unauthenticated attacker could attack a Microsoft PEAP Server by sending specially crafted malicious PEAP packets over the network. NOTE: Microsoft PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP. 

CVE-2023-21689 (CVSS 9.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Protected Extensible Authentication Protocol (PEAP). An attacker could send a crafted network request to the victim server and attempt to trigger arbitrary code execution in the context of the server's account. The attacker does not require privileges or user interaction in order to exploit this.

CVE-2023-21690 (CVSS 9.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Protected Extensible Authentication Protocol (PEAP). An unauthenticated attacker could attack a Microsoft PEAP Server by sending specially crafted malicious PEAP packets over the network. NOTE: Microsoft PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP. 

CVE-2023-23376 (CVSS 7.8): A Windows Common Log File System Driver Elevation of Privilege vulnerability. Threat actors could leverage this vulnerability after compromising a device to obtain SYSTEM-level privileges. Microsoft has indicated that this vulnerability has been exploited in the wild. 
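Because the three PEAP bugs are only reachable when NPS is running on the server and a network policy allows PEAP, scoping exposure starts with checking those preconditions on each Windows Server. The following PowerShell is an added example, not part of the Arctic Wolf advisory: it assumes an elevated session on Windows Server with the ServerManager and NPS modules available, and the text match for "PEAP" in the exported NPS configuration is an assumption that should be confirmed against the policy's authentication methods in the NPS console.

```powershell
# Added example (not from the advisory): reports whether this Windows Server host
# meets the preconditions under which the PEAP RCE vulnerabilities
# (CVE-2023-21689, CVE-2023-21690, CVE-2023-21692) are reachable:
# the NPS role is installed, the NPS service is running, and at least one
# network policy negotiates PEAP. Run in an elevated PowerShell session.

function Test-NpsPeapExposure {
    [CmdletBinding()]
    param(
        # Temporary location for the NPS configuration export (assumption: any
        # writable path; the export contains RADIUS shared secrets, so it is
        # deleted as soon as it has been inspected).
        [string]$ExportPath = (Join-Path $env:TEMP 'nps-config-check.xml')
    )

    $result = [ordered]@{
        NpsRoleInstalled  = $false
        NpsServiceRunning = $false
        PeapPolicyPresent = $false
        Exposed           = $false
    }

    # 1. Is the Network Policy and Access Services role installed?
    #    (Get-WindowsFeature exists only on Windows Server.)
    $feature = Get-WindowsFeature -Name NPAS -ErrorAction SilentlyContinue
    if ($feature -and $feature.Installed) { $result.NpsRoleInstalled = $true }

    # 2. Is the NPS service running? Its service name is "IAS".
    $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $result.NpsServiceRunning = $true }

    # 3. Does any network policy allow PEAP? Export the NPS configuration and
    #    look for PEAP in it. Assumption: the export names the EAP method as
    #    PEAP; this is a text match, not a schema parse, so confirm hits in the
    #    NPS console under the policy's Constraints > Authentication Methods.
    if ($result.NpsRoleInstalled) {
        try {
            Export-NpsConfiguration -Path $ExportPath
            $config = Get-Content -Path $ExportPath -Raw
            if ($config -match 'PEAP') { $result.PeapPolicyPresent = $true }
        } finally {
            Remove-Item -Path $ExportPath -Force -ErrorAction SilentlyContinue
        }
    }

    $result.Exposed = $result.NpsRoleInstalled -and
                      $result.NpsServiceRunning -and
                      $result.PeapPolicyPresent
    return [pscustomobject]$result
}

Test-NpsPeapExposure | Format-List
```

A host that reports Exposed = True should be prioritised for the KB listed in the update table for its OS version; a host without the NPS role is not reachable through these PEAP bugs but still needs the same cumulative update for CVE-2023-23376.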

Exchange Server 

Impacted Products 
Microsoft Exchange Server 2019, 2016, and 2013 

 

Arctic Wolf has seen Microsoft Exchange vulnerabilities similar to these being commonly exploited by ransomware actors. While active exploitation of these Exchange vulnerabilities may not yet be occurring in the wild, we expect ransomware actors to focus their efforts on developing an exploit for them in the near term.

CVE-2023-21707 (CVSS 8.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Exchange Server. A threat actor would need to be authenticated as a regular user in order to attempt to trigger malicious code in the context of the server’s account through a network call. 

CVE-2023-21706 (CVSS 8.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Exchange Server. A threat actor would need to be authenticated as a regular user in order to attempt to trigger malicious code in the context of the server’s account through a network call. 

CVE-2023-21529 (CVSS 8.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Exchange Server. A threat actor would need to be authenticated as a regular user in order to attempt to trigger malicious code in the context of the server’s account through a network call. 

CVE-2023-21710 (CVSS 7.2): A Remote Code Execution (RCE) vulnerability impacting Microsoft Exchange Server. A threat actor would need to already be authenticated as an admin user in order to attempt to trigger malicious code in the context of the server’s account through a network call.  

Recommendations 

Recommendation #1: Apply Security Updates to Impacted Products 

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.  

Note: Arctic Wolf recommends following change management best practices when deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.

Windows 

Product                                CVE                                                              Update
Windows Server 2022                    CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022842
Windows Server 2019                    CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022840
Windows Server 2016                    CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022838
Windows Server 2012 R2                 CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022899 (Monthly Rollup); 5022894 (Security Only)
Windows Server 2012                    CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022903 (Monthly Rollup); 5022895 (Security Only)
Windows Server 2008 R2 Service Pack 1  CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022872 (Monthly Rollup); 5022874 (Security Only)
Windows Server 2008 Service Pack 2     CVE-2023-23376, CVE-2023-21692                                   5022890 (Monthly Rollup); 5022893 (Security Only)
Windows 11 Version 21H2                CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022836
Windows 11 Version 22H2                CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022845
Windows 10                             CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022858
Windows 10 Version 20H2                CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022834
Windows 10 Version 21H2                CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022834
Windows 10 Version 22H2                CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022834
Windows 10 Version 1809                CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022840
Windows 10 Version 1607                CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692   5022838

Exchange Server 

Product                                         CVE                                                              Update
Microsoft Exchange Server 2019, 2016, and 2013  CVE-2023-21706, CVE-2023-21707, CVE-2023-21529, CVE-2023-21710   5023038
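Once the updates have been deployed, the KB numbers in the two tables above can be used to verify patch state on each host. The following PowerShell is an added example, not part of the Arctic Wolf advisory: it assumes an elevated session on the host being checked, uses Get-HotFix for the Windows updates, and, because the Exchange Security Update is an MSP that does not reliably appear in Get-HotFix, also searches the installed-programs registry keys for a display name containing the KB number (an assumption about how the SU registers itself).

```powershell
# Added example (not from the advisory): reports which of the February 2023
# KBs from the advisory's tables are present on this host.

function Get-FebruaryPatchStatus {
    [CmdletBinding()]
    param(
        # KB numbers taken from the Windows table in the advisory.
        [string[]]$WindowsKb = @(
            '5022842', '5022840', '5022838', '5022899', '5022894', '5022903', '5022895',
            '5022872', '5022874', '5022890', '5022893', '5022836', '5022845', '5022858',
            '5022834'
        ),
        # KB number taken from the Exchange table in the advisory.
        [string]$ExchangeKb = '5023038'
    )

    # Windows updates register in Win32_QuickFixEngineering, which Get-HotFix reads.
    $installedHotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $windowsHit = $WindowsKb | Where-Object { $installedHotfixes -contains "KB$_" }

    # Exchange SUs are MSI/MSP packages: look them up under both uninstall hives.
    # Assumption: the SU's DisplayName contains its KB number.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $exchangeHit = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*KB$ExchangeKb*" } |
        Select-Object -ExpandProperty DisplayName

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OperatingSystem     = $os.Caption
        OsBuild             = $os.BuildNumber
        WindowsKbInstalled  = @($windowsHit | ForEach-Object { "KB$_" })
        ExchangeSuInstalled = [bool]$exchangeHit
        ExchangeSuDetails   = $exchangeHit
    }
}

Get-FebruaryPatchStatus | Format-List
```

Read the result against the table row for the host's OS version: only the KB for that version is expected. On Windows 10, Windows 11 and Windows Server 2016 and later, a later cumulative update supersedes the February one, so an empty WindowsKbInstalled list on a host patched after February does not by itself mean the host is unpatched; compare the OS build against the February update's build instead. On Exchange, the SU only applies on top of a supported Cumulative Update, so ExchangeSuInstalled = False on a server running an older CU means the CU must be brought current before the SU can be installed.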

 

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.