Multiple Vulnerabilities Patched With One Being Actively Exploited in Microsoft’s April Security Update


On 11 April 2023, Microsoft published its April 2023 Security Update, patching multiple high- to critical-severity vulnerabilities. One of them was actively exploited in ransomware campaigns before a patch was released.

Impacted Products (Windows)

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022

Windows 10, Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 20H2, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 21H2, Windows 11 Version 22H2

CVE-2023-28252 (CVSS 7.2): An actively exploited Elevation of Privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver, which could allow a threat actor to obtain SYSTEM-level privileges after successful exploitation. This vulnerability was exploited as a zero-day and was leveraged in Nokoyawa ransomware intrusions.

CVE-2023-21554 (CVSS 8.5): A Remote Code Execution (RCE) vulnerability in the Windows Message Queuing (MSMQ) service. A threat actor can exploit this vulnerability by sending a specially crafted MSMQ packet to an MSMQ server, resulting in RCE.

Note: The MSMQ service must be enabled for a system to be vulnerable. This can be checked by looking for a service running named “Message Queuing” and TCP port 1801 listening on the host machine. 

CVE-2023-28219 (CVSS 7.1): A Layer 2 Tunneling Protocol (L2TP) RCE vulnerability impacting Windows systems running the Remote Access Service (RAS). This vulnerability can be exploited by sending a specially crafted connection request to a vulnerable RAS server, allowing RCE on the RAS server.

Note: Successful exploitation for this vulnerability would require a threat actor to win a race condition.  

CVE-2023-28220 (CVSS 7.1): A Layer 2 Tunneling Protocol (L2TP) RCE vulnerability impacting Windows devices running the Remote Access Service (RAS). This vulnerability can be exploited by sending a specially crafted connection request to a vulnerable RAS server, allowing RCE on the RAS server.

Note: Successful exploitation for this vulnerability would require a threat actor to win a race condition.  

CVE-2023-28231 (CVSS 7.7): A DHCP Server service RCE vulnerability impacting Windows servers. An authenticated threat actor could exploit this vulnerability to achieve RCE by sending a specially crafted RPC call to the DHCP service.

  • Only impacts Windows Server products.

Note: A threat actor must first gain access to the restricted network prior to exploiting this vulnerability.

CVE-2023-28232 (CVSS 6.5): A Windows Point-to-Point Tunneling Protocol (PPTP) RCE vulnerability impacting Windows systems. This vulnerability could be triggered when a targeted user connects a Windows client to a malicious server, resulting in RCE in the victim's environment.

Note: A threat actor must perform additional unknown actions prior to successful exploit.  

CVE-2023-28250 (CVSS 8.5): A Windows Pragmatic General Multicast (PGM) RCE vulnerability impacting Windows devices. When the Windows Message Queuing service is enabled, a remote threat actor could send a specially crafted file to a targeted system to trigger malicious code and achieve RCE.

Note: For a system to be vulnerable, the MSMQ service must first be enabled. This can be checked by looking for a service running named “Message Queuing” and TCP port 1801 listening on the host machine. 

Recommendations 

Recommendation #1: Apply Security Updates to Impacted Products 

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation. 

Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact. 

Product | Vulnerabilities addressed | Update (KB)
--- | --- | ---
Windows Server 2012 R2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025285 Monthly Rollup; 5025288 Security Only
Windows Server 2012 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025287 Monthly Rollup; 5025272 Security Only
Windows Server 2008 R2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025279 Monthly Rollup; 5025277 Security Only
Windows Server 2008 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025271 Monthly Rollup; 5025273 Security Only
Windows Server 2016 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025228
Windows 10 Version 1607 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025228
Windows 10 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025234
Windows 10 Version 22H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025221
Windows 11 Version 22H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025239
Windows 10 Version 21H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025221
Windows 11 Version 21H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025224
Windows 10 Version 20H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025221
Windows Server 2022 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025230
Windows Server 2019 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025229
Windows 10 Version 1809 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025229


Recommendation #2: Disable MSMQ if Not Required 

CVE-2023-21554 and CVE-2023-28250 are only exploitable when the Windows Message Queuing (MSMQ) service is enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.

Note: You can check by looking for a running service named “Message Queuing” and for TCP port 1801 listening on the system.

If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from untrusted sources.
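As an added example (not part of the Arctic Wolf advisory), the following PowerShell script performs the two checks described above, a service with the display name “Message Queuing” and a listener on TCP port 1801, and, when run with the assumed -Remediate switch, applies the advisory's two mitigations: disabling the service and blocking inbound TCP 1801 at the host firewall. It assumes an elevated session on Windows 8/Server 2012 or later (for Get-NetTCPConnection and the NetSecurity cmdlets); the rule display name and the -Remediate switch are this script's own choices.

```powershell
# Added example, not from the advisory: audit MSMQ exposure (CVE-2023-21554 /
# CVE-2023-28250 require the service) and optionally apply the advisory's mitigations.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
[CmdletBinding()]
param(
    # Assumed switch name for this script: stop/disable MSMQ and block inbound TCP 1801.
    [switch]$Remediate
)

# Check 1: the advisory's service check, by display name "Message Queuing".
$service = Get-Service -DisplayName 'Message Queuing' -ErrorAction SilentlyContinue

# Check 2: the advisory's port check, TCP 1801 in LISTEN state.
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

if (-not $service) {
    Write-Output 'Message Queuing service not installed: MSMQ-dependent CVEs are not reachable here.'
} else {
    Write-Output ("Service '{0}' ({1}): status {2}, start type {3}" -f
        $service.DisplayName, $service.Name, $service.Status, $service.StartType)
}

if ($listeners) {
    # Resolve the owning process so the finding can be triaged against expected services.
    $owners = $listeners | ForEach-Object { (Get-Process -Id $_.OwningProcess).ProcessName } |
              Sort-Object -Unique
    Write-Output ("TCP 1801 is listening (owning process: {0})" -f ($owners -join ', '))
} else {
    Write-Output 'TCP 1801 is not listening.'
}

if ($Remediate -and $service) {
    # Stop and disable rather than uninstall so the change is easy to revert after testing.
    Stop-Service -Name $service.Name -Force
    Set-Service  -Name $service.Name -StartupType Disabled

    # Defence in depth: the advisory's fallback of blocking inbound TCP 1801. Add a
    # -RemoteAddress allow-list here if specific sources must still reach MSMQ.
    $ruleName = 'Block inbound MSMQ TCP 1801'   # name chosen by this script
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
    }
    Write-Output 'Message Queuing stopped and disabled; inbound TCP 1801 blocked at the host firewall.'
}
```

Run it without -Remediate first to record the current state; the firewall rule only takes effect once Message Queuing has been confirmed unnecessary, in line with the change-management note under Recommendation #1.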

References

  1. CVE-2023-28252 Advisory
  2. CVE-2023-21554 Advisory
  3. CVE-2023-28219 Advisory
  4. CVE-2023-28220 Advisory
  5. CVE-2023-28231 Advisory
  6. CVE-2023-28232 Advisory
  7. CVE-2023-28250 Advisory
  8. MSMQ Service Vulnerability
  9. Nokoyawa Ransomware Attack

James Liolios


James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.