On 9 May 2023, Microsoft published their May 2023 Security Update which includes two actively exploited vulnerabilities. This Security Update patched multiple high to critical vulnerabilities, with one of them being publicly disclosed before the patch.
Windows

| Impacted Products |
| --- |
| Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 |
| Windows 10, Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 20H2, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 21H2, Windows 11 Version 22H2 |
CVE-2023-29336 (CVSS 7.8): An actively exploited Elevation of Privilege (EoP) vulnerability which could allow a threat actor to obtain SYSTEM-level privileges after successful exploitation. While Microsoft reports that the bug is actively exploited, no details on how it was abused have been released.
CVE-2023-24932 (CVSS 6.7): An actively exploited Secure Boot Security Feature Bypass vulnerability. A threat actor must have physical access or admin rights to install an affected boot policy on the target system. Successful exploitation, which requires admin credentials on the device, could bypass Secure Boot. Microsoft disclosed that this vulnerability was used by threat actors to install the BlackLotus UEFI bootkit.
CVE-2023-24943 (CVSS 9.8): A Windows Pragmatic General Multicast (PGM) Remote Code Execution (RCE) vulnerability. When the Windows Message Queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve RCE.
Note: Only PGM Server is affected by this vulnerability. To mitigate risk, Microsoft recommends that customers deploy newer technologies such as Unicast or Multicast server.
CVE-2023-24941 (CVSS 9.8): A Windows Network File System Remote Code Execution (RCE) vulnerability. This vulnerability could result in RCE if the threat actor successfully makes an unauthenticated, specially crafted call to a Network File System (NFS) service.
Note: This vulnerability is NOT exploitable in NFSv2.0 or NFSv3.0. The attack could be mitigated by disabling NFSv4.1, but doing so could adversely impact your environment. You should NOT apply this mitigation unless you have installed the May 2022 Windows security updates. Those updates address CVE-2022-26937, a Critical vulnerability in NFSv2.0 and NFSv3.0.
CVE-2023-24903 (CVSS 8.1): A Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution (RCE) vulnerability. This vulnerability could result in RCE on the server side if successfully exploited by sending a specially crafted malicious SSTP packet to an SSTP server.
Note: Successful exploitation of this vulnerability would require a threat actor to win a race condition.
CVE-2023-29325 (CVSS 8.1): A Windows OLE Remote Code Execution (RCE) vulnerability. This vulnerability could result in RCE if successfully exploited.
Note: Successful exploitation of this vulnerability would require a threat actor to win a race condition and to prepare the environment. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to a victim.
CVE-2023-28283 (CVSS 7.2): A Windows LDAP Remote Code Execution (RCE) vulnerability. Successful exploitation could allow an unauthenticated threat actor to gain code execution through a specially crafted set of LDAP calls.
Note: Successful exploitation of this vulnerability would require a threat actor to win a race condition.
Microsoft SharePoint

| Impacted Products |
| --- |
| Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016 |

CVE-2023-24955 (CVSS 7.2): A Microsoft SharePoint Server Remote Code Execution (RCE) vulnerability. An authenticated threat actor with Site Owner permissions could execute code remotely on the SharePoint Server if the vulnerability is successfully exploited.
Recommendations
Recommendation #1: Apply Security Updates to Impacted Products
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.
Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.
| Product | CVE | Update |
| --- | --- | --- |
| Windows Server 2012 R2 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943, CVE-2023-29336, CVE-2023-24941 | Monthly Rollup: 5026415; Security Only: 5026409 |
| Windows Server 2012 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943, CVE-2023-29336, CVE-2023-24941 | Monthly Rollup: 5026419; Security Only: 5026411 |
| Windows Server 2008 R2 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943, CVE-2023-29336 | Monthly Rollup: 5026413; Security Only: 5026426 |
| Windows Server 2008 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943, CVE-2023-29336 | Monthly Rollup: 5026408; Security Only: 5026427 |
| Windows Server 2016 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943, CVE-2023-29336, CVE-2023-24941 | Security Update: 5026363 |
| Windows 10 Version 1607 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943, CVE-2023-29336 | Security Update: 5026363 |
| Windows 10 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943, CVE-2023-29336 | Security Update: 5026382 |
| Windows 10 Version 22H2 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943 | Security Update: 5026361 |
| Windows 11 Version 22H2 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943 | Security Update: 5026372 |
| Windows 10 Version 21H2 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943 | Security Update: 5026361 |
| Windows 11 Version 21H2 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943 | Security Update: 5026368 |
| Windows 10 Version 20H2 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943 | Security Update: 5026361 |
| Windows Server 2022 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943, CVE-2023-24941 | Monthly Rollup: 5026370; Security Hotpatch Update: 5026456 |
| Windows Server 2019 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943, CVE-2023-24941 | Security Update: 5026362 |
| Windows 10 Version 1809 | CVE-2023-24932, CVE-2023-28283, CVE-2023-24903, CVE-2023-29325, CVE-2023-24943 | Security Update: 5026362 |
| Microsoft SharePoint Server Subscription Edition | CVE-2023-24955 | Security Update: 5002390 |
| Microsoft SharePoint Server 2019 | CVE-2023-24955 | Security Update: 5002389 |
| Microsoft SharePoint Enterprise Server 2016 | CVE-2023-24955 | Security Update: 5002397 |
Recommendation #2: Additional Steps Required for Mitigation of CVE-2023-24932
Installing the update alone does not fully mitigate CVE-2023-24932; additional steps are required.
WARNING: The changes this security update makes to the Windows boot loader are permanent and could leave your system unable to boot if not applied correctly. Arctic Wolf recommends testing these changes in a dev environment before deploying to production to avoid operational impact.
Microsoft stated that the security update addresses the vulnerability by updating the Windows Boot Manager, but the protection is not enabled by default, so the additional steps must be completed at this time to mitigate the vulnerability. Follow the steps here to determine the impact on your environment: https://support.microsoft.com/help/5025885
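To check a Windows host against Recommendation #1 and flag the Recommendation #2 follow-up, here is an added PowerShell check (example code, not Arctic Wolf's or Microsoft's). The KB numbers are the ones in the update table above; the OS detection via the CurrentVersion registry key, the build-number cut-off used for Windows 11, and reading the plain "Windows 10" row as version 1507 are assumptions to verify for your own SKUs (LTSC, Server Core, etc.).

```powershell
# Added example: report whether this host has the May 2023 update from the advisory table
# and whether the extra CVE-2023-24932 (KB5025885) steps apply. Run in an elevated shell.
$ErrorActionPreference = 'Stop'

# KB numbers exactly as listed in the advisory table (any one of a row's KBs counts).
$expectedKbs = [ordered]@{
    'Windows Server 2022'    = @('5026370', '5026456')
    'Windows Server 2019'    = @('5026362')
    'Windows Server 2016'    = @('5026363')
    'Windows Server 2012 R2' = @('5026415', '5026409')
    'Windows Server 2012'    = @('5026419', '5026411')
    'Windows 11 22H2'        = @('5026372')
    'Windows 11 21H2'        = @('5026368')
    'Windows 10 22H2'        = @('5026361')
    'Windows 10 21H2'        = @('5026361')
    'Windows 10 20H2'        = @('5026361')
    'Windows 10 1809'        = @('5026362')
    'Windows 10 1607'        = @('5026363')
    'Windows 10 1507'        = @('5026382')   # the row listed as plain "Windows 10" (assumption)
}

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
if ($cv.ProductName -like 'Windows Server*') {
    # Longest matching key wins, so "Windows Server 2012 R2" is not mistaken for "Windows Server 2012".
    $label = $expectedKbs.Keys | Where-Object { $cv.ProductName -like "$_*" } |
             Sort-Object Length -Descending | Select-Object -First 1
} else {
    # Windows 11 still reports ProductName "Windows 10 ..." in the registry; use the build number instead.
    $family = if ([int]$cv.CurrentBuild -ge 22000) { 'Windows 11' } else { 'Windows 10' }
    $label = "$family $release"
}
if (-not $label -or -not $expectedKbs.Contains($label)) {
    Write-Warning "No row in the advisory table for '$($cv.ProductName)' ($release); check manually"
    return
}

# Get-HotFix reads the QFE table, which can lag; cross-check Windows Update history if a KB is missing.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$present = @($expectedKbs[$label] | Where-Object { "KB$_" -in $installed })
if ($present) { "${label}: May 2023 update KB$($present[0]) is installed" }
else { Write-Warning "${label}: none of KB$($expectedKbs[$label] -join ', KB') installed; host still exposed" }

# CVE-2023-24932: the update alone does not enable the fix; the KB5025885 steps apply to Secure Boot hosts.
try { if (Confirm-SecureBootUEFI) { 'Secure Boot is enabled: complete the KB5025885 steps for CVE-2023-24932' } }
catch { 'Secure Boot state could not be queried (BIOS or non-UEFI boot); verify KB5025885 applicability manually' }
```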