On 14 March 2023, Microsoft published its March 2023 Security Update, patching multiple high to critical severity vulnerabilities, two of which were actively exploited before a patch was released. These vulnerabilities impact Microsoft Office products and Windows devices. Of the two exploited vulnerabilities, CVE-2023-23397 has been exploited by a threat group linked to the Russian military intelligence service GRU, and CVE-2023-24880 has been exploited to deliver Magniber ransomware.
Microsoft Office
| Impacted Products |
|---|
| Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, Microsoft Outlook 2019, 2016, 2013 RT Service Pack 1, 2013 Service Pack 1 |
According to a private threat analytics report shared by Microsoft, threat groups linked to the Russian military intelligence service GRU exploited CVE-2023-23397 as a zero-day between mid-April and December 2022. The GRU campaigns targeted European organisations in the energy, government, military, and transportation sectors. Security researchers have published details on how to trigger successful exploitation; however, PoC exploit code has not been made publicly available.
CVE-2023-23397 (CVSS 9.8): An Elevation of Privilege (EoP) vulnerability impacting Microsoft Outlook. A threat actor can successfully exploit this vulnerability and escalate privileges without user interaction by sending specially crafted emails that will trigger automatically when they are retrieved and processed by an Outlook client.
Windows
| Impacted Products |
|---|
| Windows Server 2022, 2019, 2016, 2012, 2012 R2, 2008, 2008 R2 Service Pack 1, 2008 Service Pack 2 |
| Windows 11 Version 21H2, 11 Version 22H2, Windows 10, 10 Version 1607, 10 Version 1809, 10 Version 20H2, 10 Version 21H2, 10 Version 22H2 |
Although the CVE severity ratings range from High to Critical, all except CVE-2023-24880 have a maximum severity of Critical.
CVE-2023-24880 (CVSS 5.4): Windows SmartScreen Security Feature Bypass Vulnerability. A threat actor could successfully exploit this vulnerability and evade Mark of the Web (MotW) tagging defenses by leveraging a specially crafted malicious file.
- This vulnerability was exploited as a zero-day to deliver Magniber ransomware without security warnings; however, no public PoC exploit is currently available.
CVE-2023-1017 (CVSS 8.8): TPM2.0 Module Library EoP Vulnerability. A threat actor could successfully exploit this vulnerability and cause an out-of-bounds write in the root partition by sending malicious TPM commands from a guest virtual machine to a Hyper-V host.
CVE-2023-1018 (CVSS 8.8): TPM2.0 Module Library EoP Vulnerability. An out-of-bounds read vulnerability that allows reading 2 bytes of data past the end of a TPM2.0 command. Successful exploitation of this vulnerability could lead to confidential data exposure and/or arbitrary code execution.
CVE-2023-21708 (CVSS 9.8): Remote Procedure Call Runtime RCE Vulnerability. An unauthenticated threat actor could successfully exploit this vulnerability and obtain remote code execution on the server side by sending a specially crafted RPC call to a vulnerable RPC host.
CVE-2023-23392 (CVSS 9.8): HTTP Protocol Stack RCE Vulnerability. A remote unauthenticated threat actor could successfully exploit this vulnerability by sending a malformed packet to a vulnerable server using the HTTP Protocol Stack (http.sys).
- The server is only vulnerable if the binding has HTTP/3 enabled and it uses buffered I/O.
CVE-2023-23404 (CVSS 8.1): Windows Point-to-Point (P2P) Tunneling Protocol RCE Vulnerability. An unauthenticated threat actor could successfully exploit this vulnerability and obtain remote code execution by sending a specially crafted connection request to a vulnerable remote access server (RAS).
CVE-2023-23411 (CVSS 6.5): Windows Hyper-V DoS Vulnerability. Successful exploitation of this vulnerability could allow a Hyper-V guest to impact the functionality of the Hyper-V host.
CVE-2023-23415 (CVSS 9.8): ICMP RCE Vulnerability. A threat actor could successfully exploit this vulnerability and obtain remote code execution by sending a malicious fragmented IP packet to a vulnerable Windows system.
CVE-2023-23416 (CVSS 8.4): Windows Cryptographic Services RCE Vulnerability. To successfully exploit CVE-2023-23416, a threat actor would need to import a malicious certificate to a vulnerable system. This could be accomplished by the threat actor uploading a certificate to a service that processes or imports certificates or by leveraging an authenticated user to import the certificate.
Recommendations
Recommendation #1: Apply Security Updates to Impacted Products
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.
Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.
Windows
| Product | CVE | Update |
|---|---|---|
| Windows Server 2022 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-23392, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023705 |
| Windows Server 2019 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023702 |
| Windows Server 2016 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023697 |
| Windows Server 2012 | CVE-2023-23416, CVE-2023-23404, CVE-2023-23415, CVE-2023-21708 | 5023756 |
| Windows Server 2012 R2 | CVE-2023-23416, CVE-2023-23404, CVE-2023-23415, CVE-2023-21708 | 5023765 |
| Windows Server 2008 | CVE-2023-23415 | 5023755 |
| Windows Server 2008 R2 Service Pack 1 | CVE-2023-23415, CVE-2023-21708 | 5023769 |
| Windows Server 2008 Service Pack 2 | CVE-2023-21708 | 5023755 |
| Windows 11 Version 21H2 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-23392, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023698 |
| Windows 11 Version 22H2 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-23392, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023706 |
| Windows 10 Version 22H2 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023696 |
| Windows 10 Version 21H2 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023696 |
| Windows 10 Version 20H2 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023696 |
| Windows 10 Version 1809 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023702 |
| Windows 10 Version 1607 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023697 |
| Windows 10 | CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018 | 5023713 |
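The following PowerShell snippet is an added example, not part of the Arctic Wolf bulletin, that checks whether the local Windows host has the March 2023 update listed for its build in the table above. The KB numbers come from the table; the build-number-to-version mapping is general Windows knowledge and is an assumption of this script (Windows Server 2008 and 2008 R2 are left out of the mapping).

```powershell
# Added example: verify the March 2023 cumulative update for this host's build.
# KB numbers are taken from the bulletin's table; build numbers are an assumption
# based on general Windows knowledge, not from the bulletin.
$March2023Kb = @{
    '20348' = 'KB5023705'   # Windows Server 2022
    '17763' = 'KB5023702'   # Windows Server 2019 / Windows 10 Version 1809
    '14393' = 'KB5023697'   # Windows Server 2016 / Windows 10 Version 1607
    '9600'  = 'KB5023765'   # Windows Server 2012 R2
    '9200'  = 'KB5023756'   # Windows Server 2012
    '22000' = 'KB5023698'   # Windows 11 Version 21H2
    '22621' = 'KB5023706'   # Windows 11 Version 22H2
    '19045' = 'KB5023696'   # Windows 10 Version 22H2
    '19044' = 'KB5023696'   # Windows 10 Version 21H2
    '19042' = 'KB5023696'   # Windows 10 Version 20H2
    '10240' = 'KB5023713'   # Windows 10 (initial release)
}

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$build  = $os.BuildNumber
$needKb = $March2023Kb[$build]
$hotfix = Get-HotFix

if (-not $needKb) {
    Write-Output "Build $build ($($os.Caption)) is not in this script's mapping; check the bulletin's table manually."
    return
}

if ($hotfix.HotFixID -contains $needKb) {
    Write-Output "$($os.Caption) (build $build): $needKb is installed."
}
else {
    # Cumulative updates supersede each other, so a later security update also
    # carries these fixes; report it rather than flagging the host as unpatched.
    $later = $hotfix | Where-Object {
        $_.Description -eq 'Security Update' -and $_.InstalledOn -ge [datetime]'2023-03-14'
    }
    if ($later) {
        Write-Output "$needKb not found, but later security updates are installed: $($later.HotFixID -join ', '). Confirm one supersedes $needKb."
    }
    else {
        Write-Output "$($os.Caption) (build $build): $needKb is MISSING. Apply the March 2023 update."
    }
}
```

Run it in an elevated PowerShell session; Get-HotFix only lists updates recorded by the component servicing stack, so feature updates that move the host to a new build are reflected in the build number rather than as a KB entry.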
Microsoft Office
| Product | CVE | Update |
|---|---|---|
| Microsoft 365 Apps for Enterprise | CVE-2023-23397 | Release Notes |
| Microsoft Office LTSC 2021 | CVE-2023-23397 | Release Notes |
| Microsoft Office 2019 | CVE-2023-23397 | Release Notes |
| Microsoft Outlook 2016 | CVE-2023-23397 | 5002254 |
| Microsoft Outlook 2013 RT Service Pack 1 | CVE-2023-23397 | 5002265 |
| Microsoft Outlook 2013 Service Pack 1 | CVE-2023-23397 | 5002265 |
Recommendation #2: Apply CVE Specific Workarounds
Consider applying these CVE specific workarounds if you’re not able to immediately patch the affected products.
CVE-2023-23397 (Microsoft Office)
- Blocking TCP port 445/SMB outbound from your network will prevent the sending of NTLM authentication messages to remote file shares, preventing successful exploitation of this vulnerability.
- Consider preventing the use of NTLM as an authentication mechanism for high value accounts, such as Domain Admins, by adding the users to the Protected Users Security Group.
- Microsoft created a PowerShell script that checks Exchange messaging items to see whether a property is populated with a UNC path. The script can be leveraged to clean up the property for items that are malicious or delete items permanently. The script can be found here: https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md
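The PowerShell below is an added example, not part of the bulletin or of Microsoft's script, that applies the first two workarounds above on a single host and in Active Directory: a Windows Firewall rule blocking outbound TCP 445 to non-intranet addresses, and Protected Users membership for high-value accounts. The rule name and the account list are constructed placeholders, and the use of the Internet address keyword to approximate the bulletin's network-edge block is an assumption that depends on the host's network location awareness.

```powershell
# Added example: host-level and AD-level workarounds for CVE-2023-23397.
# Run elevated on the endpoint for the firewall rule, and as a domain admin with
# the ActiveDirectory module available for the Protected Users change.
$RuleName          = 'Block outbound SMB to Internet (CVE-2023-23397 workaround)'   # placeholder name
$HighValueAccounts = @('admin.alice', 'admin.bob')   # constructed placeholder sAMAccountNames

# 1. Block outbound TCP 445 so Outlook cannot send NTLM authentication to a remote share.
#    The bulletin's workaround is a network-level block; here -RemoteAddress Internet
#    keeps access to intranet file servers (assumption: NLA classifies them as intranet).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any -Enabled True | Out-Null
}
# Confirm the rule exists and carries the expected filter (expect TCP / 445).
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# 2. Add high-value accounts to Protected Users, which refuses NTLM for its members.
#    Membership also disables DES/RC4 Kerberos and delegation and shortens TGT lifetime,
#    so test before adding accounts that services depend on.
Import-Module ActiveDirectory
$group   = Get-ADGroup -Identity 'Protected Users'
$members = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
foreach ($acct in $HighValueAccounts) {
    if ($members -notcontains $acct) {
        Add-ADGroupMember -Identity $group -Members $acct
        Write-Output "Added $acct to Protected Users."
    }
    else {
        Write-Output "$acct is already in Protected Users."
    }
}
```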
CVE-2023-21708 (Windows)
- Blocking TCP port 135 at the perimeter firewall could reduce the likelihood of successful exploitation.