Multiple Vulnerabilities Patched With Two Being Actively Exploited in Microsoft’s May Security Update

Share :

On May 9, 2023, Microsoft published their May 2023 Security Update which includes two actively exploited vulnerabilities. This Security Update patched multiple high to critical vulnerabilities, with one of them being publicly disclosed before the patch. 

Windows 

Impacted Products 
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 
Windows 10, Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 20H2, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 21H2, Windows 11 Version 22H2 

 

CVE-2023-29336 (CVSS 7.8): An actively exploited Elevation of Privilege (EoP) vulnerability, which could allow a threat actor to obtain SYSTEM level privileges after successful exploitation. While Microsoft reports that the bug is actively exploited, there are no details on how it was abused. 

CVE-2023-24932 (CVSS 6.7): An actively exploited Secure Boot Security Feature Bypass vulnerability. A threat actor must have physical access or admin rights to install an affected boot policy to the target system. Successful exploitation, which requires admin credentials on the device, could bypass Secure Boot. Microsoft disclosed that this vulnerability was used by threat actors to install the Black Lotus UEFI bootkit. 

CVE-2023-24943 (CVSS 9.8): A Windows Pragmatic General Multicast (PGM) Remote Code Execution (RCE) vulnerability. When Windows Message Queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve RCE and attempt to trigger malicious code. 

Note: Only PGM Server is vulnerable to this vulnerability. To mitigate risk, Microsoft recommends customers deploy newer technologies such as Unicast or Multicast server. 

CVE-2023-24941 (CVSS 9.8): A Windows Network File System Remote Code Execution (RCE) Vulnerability. This vulnerability could trigger RCE if the threat actor successfully makes an unauthenticated, specially crafted call to a Network File System (NFS) service. 

Note: This vulnerability is NOT exploitable in NFSV2.0 or NFSV3.0. The attack could be mitigated by disabling NFSV4.1, but could adversely impact your environment. You should NOT apply this mitigation unless you have installed the May 2022 Windows security updates. Those updates address CVE-2022-26937 which is a Critical vulnerability in NFSV2.0 and NFSV3.0. 

CVE-2023-24903 (CVSS 8.1): A Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution (RCE) vulnerability. This vulnerability could result in RCE on the server side if successfully exploited by sending a specially crafted malicious SSTP packet to a SSTP server. 

Note: Successful exploitation for this vulnerability would require a threat actor to win a race condition.  

CVE-2023-29325 (CVSS 8.1): A Windows OLE Remote Code Execution (RCE) vulnerability. This vulnerability could result in RCE if successfully exploited. 

Note: Successful exploitation for this vulnerability would require a threat actor to win a race condition and preparation of the environment. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to a victim. 

CVE-2023-28283 (CVSS 7.2): A Windows LDAP Remote Code Execution (RCE) vulnerability. Successful exploitation could allow an unauthenticated threat actor to gain code execution through a specially crafted set of LDAP calls. 

Note: Successful exploitation for this vulnerability would require a threat actor to win a race condition.  

Microsoft SharePoint 

Impacted Products                                                                                                           

Microsoft SharePoint Server Subscription Edition 

Microsoft SharePoint Server 2019 

Microsoft SharePoint Enterprise Server 2016 

 

CVE-2023-24955 (CVSS 7.2): Microsoft SharePoint Server Remote Code Execution- An authenticated threat actor as a Site Owner could execute code remotely on the SharePoint Server if successfully exploited. 

Recommendations 

Recommendation #1: Apply Security Updates to Impacted Products 

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation. 

Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact. 

Product  CVE  Update 
Windows Server 2012 R2 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

CVE-2023-29336 

CVE-2023-24941 

Monthly Rollup: 5026415 

Security Only: 5026409 

Windows Server 2012 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

CVE-2023-29336 

CVE-2023-24941 

Monthly Rollup: 5026419 

Security Only: 5026411 

Windows Server 2008 R2 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

CVE-2023-29336 

Monthly Rollup: 5026413 

Security Only: 5026426 

Windows Server 2008 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

CVE-2023-29336 

Monthly Rollup: 5026408 

Security Only: 5026427 

Windows Server 2016 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

CVE-2023-29336 

CVE-2023-24941 

Security Update: 5026363 
Windows 10 Version 1607 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

CVE-2023-29336 

Security Update: 5026363 
Windows 10 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

CVE-2023-29336 

Security Update: 5026382 
Windows 10 Version 22H2 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

Security Update: 5026361 
Windows 11 Version 22H2 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

Security Update: 5026372 
Windows 10 Version 21H2 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

Security Update: 5026361 
Windows 11 Version 21H2 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

Security Update: 5026368 
Windows 10 Version 20H2 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

Security Update: 5026361 
Windows Server 2022 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

CVE-2023-24941 

Monthly Rollup: 5026370 

Security Hotpatch Update: 5026456 

Windows Server 2019 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

CVE-2023-24941 

Security Update: 5026362 
Windows 10 Version 1809 

CVE-2023-24932 

CVE-2023-28283 

CVE-2023-24903 

CVE-2023-29325 

CVE-2023-24943 

Security Update: 5026362 
Microsoft SharePoint Server Subscription Edition  CVE-2023-24955  Security Update: 5002390 
Microsoft SharePoint Server 2019  CVE-2023-24955  Security Update: 5002389 
Microsoft SharePoint Enterprise Server 2016  CVE-2023-24955  Security Update: 5002397 

  

Recommendation #2: Additional Steps Required for Mitigation of CVE-2023-24932 

Additional steps are required to mitigate CVE-2023-24932.  

WARNING: The changes to Windows boot loader via this security update are permanent and could lead to your system no longer functioning if not installed correctly. Arctic Wolf recommends testing these changes in a dev environment before deploying to production to avoid operational impact. 

Microsoft stated that the security update addresses the vulnerability by updating the Windows Boot Manager, but it is not enabled by default. Additional steps are required at this time to mitigate the vulnerability. Follow the steps here to determine impact on your environment: https://support.microsoft.com/help/5025885  

References 

Actively Exploited Vulnerabilities: 

Critical Vulnerabilities: 

James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents
Categories
Subscribe to our Monthly Newsletter