On February 14, 2023, Microsoft published its February 2023 Security Update and patched multiple high- and critical-severity vulnerabilities, some of which are being actively exploited in the wild. These vulnerabilities impact Windows systems and Exchange servers.
Windows
| Impacted Products |
| --- |
| Windows Server 2022, 2019, 2016, 2012, 2012 R2, 2008 R2 Service Pack 1, 2008 Service Pack 2 |
| Windows 11 Version 21H2, 11 Version 22H2, 10 Version 20H2, 10 Version 21H2, 10 Version 22H2, 10 Version 1809, 10 Version 1607 |
CVE-2023-21692 (CVSS 9.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Protected Extensible Authentication Protocol (PEAP). An unauthenticated attacker could attack a Microsoft PEAP Server by sending specially crafted malicious PEAP packets over the network. NOTE: Microsoft PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP.
CVE-2023-21689 (CVSS 9.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Protected Extensible Authentication Protocol (PEAP). An attacker could, through a network call, attempt to trigger malicious code in the context of the victim server’s account. No privileges or user interaction are required.
CVE-2023-21690 (CVSS 9.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Protected Extensible Authentication Protocol (PEAP). An unauthenticated attacker could attack a Microsoft PEAP Server by sending specially crafted malicious PEAP packets over the network. NOTE: Microsoft PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP.
CVE-2023-23376 (CVSS 7.8): A Windows Common Log File System Driver Elevation of Privilege vulnerability. Threat actors could leverage this vulnerability after compromising a device to obtain SYSTEM-level privileges. Microsoft has indicated that this vulnerability has been exploited in the wild.
Exchange Server
| Impacted Products |
| --- |
| Microsoft Exchange Server 2019, 2016, and 2013 |
Arctic Wolf has seen Microsoft Exchange vulnerabilities similar to these being commonly exploited by ransomware actors. While no active exploitation of these Exchange vulnerabilities has been observed in the wild at this time, we expect ransomware actors to focus their efforts on developing an exploit for them in the near term.
CVE-2023-21707 (CVSS 8.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Exchange Server. A threat actor would need to be authenticated as a regular user in order to attempt to trigger malicious code in the context of the server’s account through a network call.
CVE-2023-21706 (CVSS 8.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Exchange Server. A threat actor would need to be authenticated as a regular user in order to attempt to trigger malicious code in the context of the server’s account through a network call.
CVE-2023-21529 (CVSS 8.8): A Remote Code Execution (RCE) vulnerability impacting Microsoft Exchange Server. A threat actor would need to be authenticated as a regular user in order to attempt to trigger malicious code in the context of the server’s account through a network call.
CVE-2023-21710 (CVSS 7.2): A Remote Code Execution (RCE) vulnerability impacting Microsoft Exchange Server. A threat actor would need to already be authenticated as an admin user in order to attempt to trigger malicious code in the context of the server’s account through a network call.
Recommendations
Recommendation #1: Apply Security Updates to Impacted Products
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.
Note: Arctic Wolf recommends following change management best practices when deploying security patches, including testing changes in a development environment before deploying to production to avoid operational impact.
Windows
| Product | CVE | Update (KB number) |
| --- | --- | --- |
| Windows Server 2022 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022842 |
| Windows Server 2019 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022840 |
| Windows Server 2016 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022838 |
| Windows Server 2012 R2 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022899 (Monthly Rollup); 5022894 (Security Only) |
| Windows Server 2012 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022903 (Monthly Rollup); 5022895 (Security Only) |
| Windows Server 2008 R2 Service Pack 1 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022872 (Monthly Rollup); 5022874 (Security Only) |
| Windows Server 2008 Service Pack 2 | CVE-2023-23376, CVE-2023-21692 | 5022890 (Monthly Rollup); 5022893 (Security Only) |
| Windows 11 Version 21H2 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022836 |
| Windows 11 Version 22H2 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022845 |
| Windows 10 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022858 |
| Windows 10 Version 20H2 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022834 |
| Windows 10 Version 21H2 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022834 |
| Windows 10 Version 22H2 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022834 |
| Windows 10 Version 1809 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022840 |
| Windows 10 Version 1607 | CVE-2023-23376, CVE-2023-21689, CVE-2023-21690, CVE-2023-21692 | 5022838 |
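As an added verification check that is not part of the Arctic Wolf bulletin, the following PowerShell (assumed to run in an elevated session on the Windows host being checked) maps the host's OS build to the KB numbers in the table above, reports whether one of them is installed, and flags whether the NPS service that exposes the PEAP vulnerabilities is running. The build-to-product mapping and the NPS service name (IAS) are assumptions drawn from Microsoft release history, not from the bulletin.

```powershell
# Added example, not part of the Arctic Wolf bulletin. Run in an elevated PowerShell
# on the host being checked. Assumption: OS build number -> product mapping below.

$RequiredKbs = @{
    '20348' = @('KB5022842')              # Windows Server 2022
    '17763' = @('KB5022840')              # Windows Server 2019 / Windows 10 1809
    '14393' = @('KB5022838')              # Windows Server 2016 / Windows 10 1607
    '9600'  = @('KB5022899', 'KB5022894') # Windows Server 2012 R2 (Monthly Rollup / Security Only)
    '9200'  = @('KB5022903', 'KB5022895') # Windows Server 2012
    '7601'  = @('KB5022872', 'KB5022874') # Windows Server 2008 R2 SP1
    '6002'  = @('KB5022890', 'KB5022893') # Windows Server 2008 SP2 (build assumed)
    '6003'  = @('KB5022890', 'KB5022893') # Windows Server 2008 SP2 after servicing stack update (assumed)
    '22000' = @('KB5022836')              # Windows 11 21H2
    '22621' = @('KB5022845')              # Windows 11 22H2
    '19042' = @('KB5022834')              # Windows 10 20H2
    '19044' = @('KB5022834')              # Windows 10 21H2
    '19045' = @('KB5022834')              # Windows 10 22H2
    '10240' = @('KB5022858')              # "Windows 10" row of the table (1507 build, assumed)
}

function Test-Feb2023Patch {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = ($os.Version -split '\.')[2]          # e.g. "10.0.20348" -> "20348"

    if (-not $RequiredKbs.ContainsKey($build)) {
        Write-Warning "Build $build ($($os.Caption)) is not in the bulletin table; verify manually."
        return
    }

    # Win32_QuickFixEngineering (Get-HotFix) lists installed OS updates by KB id.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $present   = $RequiredKbs[$build] | Where-Object { $installed -contains $_ }

    if ($present) {
        "PATCHED: $($os.Caption) build $build has $($present -join ', ')"
    } else {
        "MISSING: $($os.Caption) build $build lacks $($RequiredKbs[$build] -join ' / ') " +
        "(CVE-2023-23376 is exploited in the wild; CVE-2023-21689/21690/21692 affect PEAP)"
    }

    # Per the bulletin, PEAP is only negotiated when NPS is running with a policy that
    # allows it. The NPS service name 'IAS' is an assumption.
    $nps = Get-Service -Name 'IAS' -ErrorAction SilentlyContinue
    if ($nps -and $nps.Status -eq 'Running') {
        "NOTE: NPS is running on this host; review its network policies for PEAP before treating the PEAP CVEs as low priority."
    }
}

Test-Feb2023Patch
```

Because Windows updates are cumulative, a host that skipped February and went straight to a later cumulative update will not list the February KB, so treat a MISSING result as a prompt to confirm the installed build revision rather than as proof of exposure.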
Exchange Server
| Product | CVE | Update (KB number) |
| --- | --- | --- |
| Microsoft Exchange Server 2019, 2016, and 2013 | CVE-2023-21706, CVE-2023-21707, CVE-2023-21529, CVE-2023-21710 | 5023038 |