On April 11, 2023, Microsoft published their April 2023 Security Update and patched multiple high to critical vulnerabilities, with one of them being actively exploited in ransomware campaigns prior to a patch being released.
| Windows: Impacted Products |
| --- |
| Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 |
| Windows 10, Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 20H2, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 21H2, Windows 11 Version 22H2 |
CVE-2023-28252 (CVSS 7.2): An actively exploited Elevation of Privilege (EoP) vulnerability impacting the Windows Common Log File System (CLFS) driver, which could allow a threat actor to obtain SYSTEM-level privileges after successful exploitation. This vulnerability was exploited as a zero-day and was leveraged in Nokoyawa ransomware intrusions.
CVE-2023-21554 (CVSS 8.5): A Remote Code Execution (RCE) vulnerability impacting the Windows Message Queuing (MSMQ) service. A threat actor can leverage this vulnerability by sending a specially crafted MSMQ packet to the MSMQ server, resulting in RCE capabilities.
Note: The MSMQ service must be enabled for a system to be vulnerable. This can be checked by looking for a service running named “Message Queuing” and TCP port 1801 listening on the host machine.
CVE-2023-28219 (CVSS 7.1): A Layer 2 Tunneling Protocol (L2TP) RCE vulnerability impacting Windows systems with Remote Access Service (RAS). This vulnerability can be exploited by sending a specially crafted connection request to a vulnerable RAS server, allowing for RCE capabilities on the RAS server.
Note: Successful exploitation of this vulnerability would require a threat actor to win a race condition.
CVE-2023-28220 (CVSS 7.1): A Layer 2 Tunneling Protocol (L2TP) RCE vulnerability impacting Windows devices with Remote Access Service (RAS). This vulnerability can be exploited by sending a specially crafted connection request to a vulnerable RAS server, allowing for RCE capabilities on the RAS server.
Note: Successful exploitation of this vulnerability would require a threat actor to win a race condition.
CVE-2023-28231 (CVSS 7.7): A DHCP Server service RCE vulnerability impacting Windows servers. An authenticated threat actor could exploit this vulnerability to perform RCE by leveraging a specially crafted RPC call to the DHCP service.
Note: Only Windows Server products are impacted, and a threat actor must first gain access to the restricted network prior to exploiting this vulnerability.
CVE-2023-28232 (CVSS 6.5): A Windows Point-to-Point Tunneling Protocol (PPTP) RCE vulnerability impacting Windows systems. This vulnerability could be triggered after a targeted user connects a Windows client to a malicious server, resulting in RCE in the victim's environment.
Note: A threat actor must perform additional unknown actions prior to successful exploit.
CVE-2023-28250 (CVSS 8.5): A Windows Pragmatic General Multicast (PGM) RCE vulnerability impacting Windows devices. When the Windows Message Queuing service is enabled, a remote threat actor could send a specially crafted file to a targeted system to trigger malicious code and perform RCE.
Note: For a system to be vulnerable, the MSMQ service must first be enabled. This can be checked by looking for a service running named “Message Queuing” and TCP port 1801 listening on the host machine.
Recommendations
Recommendation #1: Apply Security Updates to Impacted Products
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.
Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.
| Product | Vulnerabilities | Update |
| --- | --- | --- |
| Windows Server 2012 R2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025285 (Monthly Rollup), 5025288 (Security Only) |
| Windows Server 2012 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025287 (Monthly Rollup), 5025272 (Security Only) |
| Windows Server 2008 R2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025279 (Monthly Rollup), 5025277 (Security Only) |
| Windows Server 2008 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025271 (Monthly Rollup), 5025273 (Security Only) |
| Windows Server 2016 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025228 |
| Windows 10 Version 1607 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025228 |
| Windows 10 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025234 |
| Windows 10 Version 22H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025221 |
| Windows 11 Version 22H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025239 |
| Windows 10 Version 21H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025221 |
| Windows 11 Version 21H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025224 |
| Windows 10 Version 20H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025221 |
| Windows Server 2022 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025230 |
| Windows Server 2019 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | 5025229 |
| Windows 10 Version 1809 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | 5025229 |
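To verify Recommendation #1 on a host, the following PowerShell script is an added example (not part of the Arctic Wolf bulletin and not Microsoft tooling) that reports whether one of the update packages listed in the table above is installed. The KB numbers are taken from the table; the function name and the output layout are assumptions made for illustration.

```powershell
# Added example (not from the Arctic Wolf bulletin): report whether this host has
# one of the April 2023 update packages listed in the bulletin's table.
function Get-April2023UpdateStatus {
    # Update identifiers from the table above (Monthly Rollup and Security Only
    # packages for the 2008/2012 families, cumulative updates for the rest).
    $bulletinKBs = @(
        'KB5025285', 'KB5025288', 'KB5025287', 'KB5025272',
        'KB5025279', 'KB5025277', 'KB5025271', 'KB5025273',
        'KB5025228', 'KB5025234', 'KB5025221', 'KB5025239',
        'KB5025224', 'KB5025230', 'KB5025229'
    )

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $hotfixes = Get-HotFix
    $matched  = @($hotfixes | Where-Object { $bulletinKBs -contains $_.HotFixID })
    $latest   = $hotfixes | Sort-Object InstalledOn -Descending | Select-Object -First 1

    if ($matched.Count -gt 0) {
        $status = 'April 2023 update package present'
    } else {
        # Absence of the KB is not proof the host is unpatched: cumulative updates
        # released later supersede it, so compare the build against Microsoft's
        # release notes before treating the host as vulnerable.
        $status = 'No bulletin KB found; verify build level against Microsoft release notes'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OperatingSystem  = $os.Caption
        Build            = $os.BuildNumber
        BulletinKBsFound = $matched | Select-Object -ExpandProperty HotFixID
        LastUpdateDate   = $latest.InstalledOn
        Status           = $status
    }
}

# Usage: run from an elevated PowerShell session on the host being checked.
Get-April2023UpdateStatus | Format-List
```

Get-HotFix only lists packages recorded by the Windows Update/WUSA installers, and on Windows 10/11 and Windows Server 2016 and later a subsequent cumulative update replaces the April package in that list, so treat "No bulletin KB found" as a prompt to check the OS build number rather than as a confirmed finding.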
Recommendation #2: Disable MSMQ if Not Required
CVE-2023-21554 and CVE-2023-28250 require the Windows Message Queuing (MSMQ) service to be enabled for a system to be vulnerable. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.
Note: You can check by looking for a service running named “Message Queuing” and for TCP port 1801 listening on the system.
If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources.
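The check described in the Note above and the two mitigations in Recommendation #2 (disable the service, or block inbound TCP 1801 where the service must stay), as an added PowerShell example that is not part of the Arctic Wolf bulletin. The service name `MSMQ` (display name "Message Queuing") and port 1801 are the standard MSMQ values; the function names, the firewall rule name and the `-RemoteAddress` parameter are assumptions made for illustration.

```powershell
# Added example (not from the Arctic Wolf bulletin): assess and reduce MSMQ
# exposure for CVE-2023-21554 / CVE-2023-28250. Run from an elevated session.

function Test-MsmqExposure {
    # The Message Queuing service is registered under the short name 'MSMQ'.
    $svc      = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $listener = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)

    $owner = $null
    if ($listener.Count -gt 0) {
        # Identify which process owns the listener; on a stock host this is mqsvc.
        $owner = (Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    if ($svc) {
        $serviceStatus = $svc.Status.ToString()
        $startType     = $svc.StartType.ToString()
    } else {
        $serviceStatus = 'NotInstalled'
        $startType     = 'n/a'
    }

    [pscustomobject]@{
        ServiceInstalled  = [bool]$svc
        ServiceStatus     = $serviceStatus
        StartType         = $startType
        Port1801Listening = ($listener.Count -gt 0)
        ListeningProcess  = $owner
        # Exposed if the service is running or anything is already bound to 1801.
        Exposed           = (($svc -and $svc.Status -eq 'Running') -or ($listener.Count -gt 0))
    }
}

function Disable-MsmqExposure {
    param(
        # Keep MSMQ running and only add the firewall rule (for hosts that need it).
        [switch]$BlockPortOnly,
        # Remote ranges the block rule applies to; 'Any' blocks all inbound sources.
        # Scope this to the untrusted networks identified in your environment.
        [string[]]$RemoteAddress = @('Any')
    )

    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if ($svc -and -not $BlockPortOnly) {
        # Stop the service and prevent it from starting again at boot.
        Stop-Service -Name 'MSMQ' -Force
        Set-Service -Name 'MSMQ' -StartupType Disabled
    }

    # Defence in depth: block inbound TCP 1801 from the given sources. The rule
    # name is an arbitrary label chosen for this example.
    $ruleName = 'Block inbound MSMQ (TCP 1801)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -RemoteAddress $RemoteAddress -Action Block -Profile Any | Out-Null
    }

    Test-MsmqExposure
}

# Usage: assess first, then remediate according to whether MSMQ is required.
Test-MsmqExposure | Format-List
# Disable-MsmqExposure                                   # service not required
# Disable-MsmqExposure -BlockPortOnly -RemoteAddress @('203.0.113.0/24')   # service required
```

Disabling the service leaves the Message Queuing feature installed; if it is not needed at all, removing the feature (via the optional-features tooling appropriate to the client or server SKU) is the cleaner end state. After either change, re-run `Test-MsmqExposure` and confirm that `Port1801Listening` is false.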