Multiple Critical & Actively Exploited Vulnerabilities Patched in Microsoft’s March Security Update

Share :

On March 14, 2023, Microsoft published their March 2023 Security Update and patched multiple high to critical vulnerabilities, with two of them being actively exploited prior to a patch being released. These vulnerabilities impact Microsoft Office products and Windows devices. Microsoft has observed active exploitation on two of these vulnerabilities, with CVE-2023-23397 being exploited by a threat group linked to the Russian military intelligence service GRU and CVE-2023-24880 being exploited to deliver Magniber ransomware. 

Microsoft Office 

Impacted Products 
Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, Microsoft Outlook 2019, 2016, 2013 RT Service Pack 1, 2013 Service Pack 1 

 

According to a private threat analytics report shared by Microsoft, threat groups linked to the Russian military intelligence service GRU exploited CVE-2023-23397 as a zero-day between mid-April and December 2022. The GRU campaigns targeted European organizations in the energy, government, military, and transportation sectors. Security researchers published details on how to trigger successful exploitation, however, PoC exploit code has not been made publicly available. 

CVE-2023-23397 (CVSS 9.8): An Elevation of Privilege (EoP) vulnerability impacting Microsoft Outlook. A threat actor can successfully exploit this vulnerability and escalate privileges without user interaction by sending specially crafted emails that will trigger automatically when they are retrieved and processed by an Outlook client.  

Windows 

Impacted Products 
Windows Server 2022, 2019, 2016, 2012, 2012 R2, 2008, 2008 R2 Service Pack 1, 2008 Service Pack 2 
Windows 11 Version 21H2, 11 version 22H2, Windows 10, 10 Version 1607, 10 Version 1809 , 10 Version 20H2, 10 Version 21H2, 10 Version 22H2 

 

Although the CVE severity ratings range from High to Critical, all except CVE-2023-24880, have a maximum severity of Critical.  

CVE-2023-24880 (CVSS 5.4): Windows SmartScreen Security Feature Bypass Vulnerability. A threat actor could successfully exploit this vulnerability and evade Mark of the Web (MotW) tagging defenses by leveraging a specially crafted malicious file.  

  • This vulnerability was exploited as a zero-day vulnerability to deliver Magniber ransomware without security warnings, however, no public PoC exploit is currently available.  

CVE-2023-1017 (CVSS 8.8): TPM2.0 Module Library EoP Vulnerability. A threat actor could successfully exploit this vulnerability and cause an out of bounds write in the root partition by leveraging malicious TPM commands from a guest virtual machine running Hyper-V.  

CVE-2023-1018 (CVSS 8.8): TPM2.0 Module Library EoP Vulnerability. An out-of-bounds vulnerability that allows the reading of 2-byte data past the end of a TPM2.0 command. Successful exploitation of this vulnerability could lead to confidential data exposure and/or arbitrary code execution. 

CVE-2023-21708 (CVSS 9.8): Remote Procedure Call Runtime RCE Vulnerability. An unauthenticated threat actor could successfully exploit this vulnerability and obtain remote code execution on the server side by sending a specially crafted RPC call to a vulnerable RPC host.  

CVE-2023-23392 (CVSS 9.8): HTTP Protocol Stack RCE Vulnerability. A remote unauthenticated threat actor could successfully exploit this vulnerability by sending a malformed packet to a vulnerable server using the HTTP Protocol Stack (http.sys).  

  • The server is only vulnerable if the binding has HTTP/3 enabled and it uses buffered I/O. 

CVE-2023-23404 (CVSS 8.1): Windows Point-to-Point (P2P) Tunneling Protocol RCE Vulnerability. An unauthenticated threat actor could successfully exploit this vulnerability and obtain remote code execution by sending a specially crafted connection request to a vulnerable remote access server (RAS).  

CVE-2023-23411 (CVSS 6.5): Windows Hyper-V DoS Vulnerability. Successful exploitation of this vulnerability could allow a Hyper-V guest to impact the functionality of the Hyper-V host.  

CVE-2023-23415 (CVSS 9.8) ICMP RCE Vulnerability. A threat actor could successfully exploit this vulnerability and obtain remote code execution by sending a malicious fragmented IP packet to a vulnerable Windows system.  

CVE-2023-23416 (CVSS 8.4): Windows Cryptographic Services RCE Vulnerability. To successfully exploit CVE-2023-23416, a threat actor would need to import a malicious certificate to a vulnerable system. This could be accomplished by the threat actor uploading a certificate to a service that processes or imports certificates or by leveraging an authenticated user to import the certificate.  

Recommendations 

Recommendation #1: Apply Security Updates to Impacted Products 

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.  

Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact. 

Windows 

Product  CVE  Update 
Windows Server 2022  CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-23392, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023705 
Windows Server 2019  CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023702 
Windows Server 2016  CVE-2023-23416, CVE-2023-23411, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023697 
Windows Server 2012  CVE-2023-23416, CVE-2023-23404, CVE-2023-23415, CVE-2023-21708  5023756 
Windows Server 2012 R2  CVE-2023-23416, CVE-2023-23404, CVE-2023-23415, CVE-2023-21708  5023765 
Windows Server 2008  CVE-2023-23415  5023755 
Windows Server 2008 R2 Service Pack 1  CVE-2023-23415, CVE-2023-21708  5023769 
Windows Server 2008 Service Pack 2  CVE-2023-21708  5023755 
Windows 11 version 21H2  CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-23392, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023698 
Windows 11 Version 22H2  CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-23392, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023706 
Windows 10 Version 22H2   CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023696 
Windows 10 Version 21H2  CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023696 
Windows 10 Version 20H2  CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023696 
Windows 10 Version 1809   CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023702 
Windows 10 Version 1607  CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-24880, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023697 
Windows 10  CVE-2023-23416, CVE-2023-23411, CVE-2023-23404, CVE-2023-23415, CVE-2023-21708, CVE-2023-1017, CVE-2023-1018  5023713 

Microsoft Office 

Product  CVE  Update  
Microsoft 365 Apps for Enterprise   CVE-2023-23397  Release Notes 
Microsoft Office LTSC 2021  CVE-2023-23397  Release Notes 
Microsoft Office 2019  CVE-2023-23397  Release Notes 
Microsoft Outlook 2016   CVE-2023-23397  5002254 
Microsoft Outlook 2013 RT Service Pack 1  CVE-2023-23397  5002265 
Microsoft Outlook 2013 Service Pack 1   CVE-2023-23397  5002265 

Recommendation #2: Apply CVE Specific Workarounds 

Consider applying these CVE specific workarounds if you’re not able to immediately patch the affected products. 

CVE-2023-23397 (Microsoft Office) 

  • Blocking TCP port 445/SMB outbound from your network will prevent the sending of NTLM authentication messages to remote file shares, preventing successful exploitation of this vulnerability.  
  • Consider preventing the use of NTLM as an authentication mechanism for high value accounts, such as Domain Admins, by adding the users to the Protected Users Security Group.  
  • Microsoft created a PowerShell script that checks Exchange messaging items to see whether a property is populated with a UNC path. The script can be leveraged to clean up the property for items that are malicious or delete items permanently. The script can be found here: https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md  

CVE-2023-21708 (Windows) 

  • Blocking TCP port 135 at the perimeter firewall could reduce the likelihood of successful exploitation.  

References 

James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents
Categories
Subscribe to our Monthly Newsletter