
Microsoft's February 2023 Patch Tuesday, which falls on Valentine's Day this year, addresses 75 CVEs (not counting three Microsoft Edge (Chromium-based) CVEs that are also listed in the summary table below). Nine are rated Critical, and three are zero-day vulnerabilities already being exploited in the wild: CVE-2023-23376 (Windows Common Log File System driver EoP), CVE-2023-21823 (Windows Graphics Component) and CVE-2023-21715 (Microsoft Publisher security feature bypass).
This month’s update includes patches for:
- .NET and Visual Studio
- .NET Framework
- 3D Builder
- Azure App Service
- Azure Data Box Gateway
- Azure DevOps
- Azure Machine Learning
- HoloLens
- Internet Storage Name Service
- Microsoft Defender for Endpoint
- Microsoft Defender for IoT
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office OneNote
- Microsoft Office Publisher
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft PostScript Printer Driver
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Codecs Library
- Power BI
- SQL Server
- Visual Studio
- Windows Active Directory
- Windows ALPC
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows Distributed File System (DFS)
- Windows Fax and Scan Service
- Windows HTTP.sys
- Windows Installer
- Windows iSCSI
- Windows Kerberos
- Windows MSHTML Platform
- Windows ODBC Driver
- Windows Protected EAP (PEAP)
- Windows SChannel
- Windows Win32K
Windows Common Log File System Driver EoP Vulnerability – Zero-Day
CVE-2023-23376 is an EoP vulnerability in Windows operating systems with a CVSSv3 score of 7.8 that has been exploited in the wild. The flaw is in the Common Log File System (CLFS) driver, a kernel-mode logging service used by both kernel-mode and user-mode applications. An attacker who already has code execution on a vulnerable host can use it to elevate to SYSTEM privileges. Because it is a local privilege escalation, it is not an entry point on its own; its value is as the second stage after an initial foothold (a malicious document, a phished payload, a compromised low-privileged account), so it should be treated as a priority on any host where such footholds are plausible.
This is the third CLFS EoP flaw exploited in the wild in under a year: Microsoft patched CVE-2022-24521 in April 2022 and CVE-2022-37969 in September 2022, both of which were also exploited as zero-days.
Microsoft Exchange Server RCE Vulnerability
CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710 are RCE vulnerabilities in supported versions of Microsoft Exchange Server. CVE-2023-21710 received a CVSSv3 score of 7.2, while the other three were assigned 8.8. All four are reachable over the network but require authentication: the CVSS vectors for the three 8.8 flaws require only a low-privileged account (PR:L), while the 7.2 flaw requires a highly privileged one (PR:H). An authenticated remote attacker could use them to execute arbitrary code on the server. Microsoft rated CVE-2023-21529, CVE-2023-21706 and CVE-2023-21707 as Exploitation More Likely, so they belong at the top of the list for any Exchange server that a single compromised mailbox credential could reach.
CVE-2023-21529, CVE-2023-21706 and CVE-2023-21707 share similarities with CVE-2022-41082, an authenticated RCE publicly disclosed in September 2022 as part of the ProxyNotShell attack chain, itself a variant of the ProxyShell chain discovered in August 2021. Microsoft released mitigations in September 2022 to protect vulnerable servers until a patch shipped in the November 2022 Patch Tuesday. A bypass of that mitigation, OWASSRF, which chained CVE-2022-41080 (an Outlook Web Access elevation of privilege flaw) with CVE-2022-41082, was then disclosed in December 2022. Our recent blog on ProxyNotShell, OWASSRF and TabShell discusses these vulnerabilities in greater detail.
Microsoft Protected Extensible Authentication Protocol RCE Vulnerability
CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692 are RCE vulnerabilities in Windows operating systems, each with a CVSSv3 score of 9.8. The flaws lie in the Protected Extensible Authentication Protocol (PEAP) server component, which Network Policy Server (NPS) uses to authenticate wireless and VPN clients inside RADIUS. Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code. A host is only vulnerable if it is running NPS and has a network policy that allows PEAP. All three vulnerabilities were rated Exploitation More Likely.
An additional PEAP RCE, CVE-2023-21695 (CVSSv3 7.5), was also patched this month, but exploiting it requires authentication. All four could be triggered by a crafted PEAP packet sent to an unpatched host. Since PEAP is carried inside RADIUS, that packet has to reach the UDP ports NPS listens on (1812/1813 and 1645/1646 by default), so which networks can reach the NPS host, and which RADIUS clients it accepts, define the real exposure; NPS servers reachable from untrusted segments should be patched first.
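A triage check for the precondition above (NPS installed and a network policy that allows PEAP), written as an added PowerShell example; it is not from the original post and not Microsoft's code. It assumes it is run elevated on the Windows Server host, that the NPS service is registered under the name `IAS`, that NPS accepts RADIUS authentication on UDP 1812 and 1645, and that `netsh nps show config` prints the EAP type's friendly name ("Microsoft: Protected EAP (PEAP)") for policies that allow it; if the match comes back empty on a server you know uses PEAP, read the `netsh` dump by hand and adjust the pattern.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumptions: run elevated on the Windows Server host; NPS service name 'IAS';
# RADIUS authentication on UDP 1812/1645; 'netsh nps show config' renders the
# EAP friendly name "Microsoft: Protected EAP (PEAP)" for policies that allow it.

function Test-PeapExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        NpsInstalled     = $false
        NpsServiceStatus = 'NotPresent'
        RadiusListening  = $false
        PeapPolicyFound  = $false
        PeapMatches      = @()
    }

    # 1. Is the Network Policy Server role present, and is its service running?
    $svc = Get-Service -Name 'IAS' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.NpsInstalled     = $true
        $result.NpsServiceStatus = $svc.Status.ToString()
    }

    # 2. Is anything bound to the RADIUS authentication ports? A PEAP message
    #    travels inside RADIUS, so without a listener nothing remote can reach it.
    $udp = Get-NetUDPEndpoint -LocalPort 1812, 1645 -ErrorAction SilentlyContinue
    if ($udp) { $result.RadiusListening = $true }

    # 3. Does any network policy allow PEAP? Search the full NPS configuration
    #    dump for the PEAP friendly name (assumed output format, see lead-in).
    if ($result.NpsInstalled) {
        $dump = & netsh nps show config 2>$null
        $hits = $dump | Select-String -Pattern 'Protected EAP|PEAP'
        if ($hits) {
            $result.PeapPolicyFound = $true
            $result.PeapMatches     = @($hits | ForEach-Object { $_.Line.Trim() } | Select-Object -Unique)
        }
    }

    [pscustomobject]$result
}

$exposure = Test-PeapExposure
$exposure | Format-List

if ($exposure.NpsInstalled -and $exposure.PeapPolicyFound) {
    Write-Warning 'NPS host with a PEAP-enabled policy: patch first, or remove PEAP from the affected network policies until the update is applied.'
} elseif ($exposure.NpsInstalled) {
    Write-Output 'NPS present but no PEAP policy matched: still patch, but CVE-2023-21689/21690/21692 need a PEAP policy to be reachable.'
} else {
    Write-Output 'NPS not installed: the PEAP server component is not present on this host.'
}
```

Run it on every server that carries the NPS role, not just the ones documented as RADIUS servers; a positive `RadiusListening` with `PeapPolicyFound` set is the combination the 9.8 flaws need, and the RADIUS client list and the firewall rules in front of those UDP ports decide who can send the packet.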
Windows Graphics Component EoP Vulnerability – Zero-Day
CVE-2023-21823 is a vulnerability in the Microsoft Windows Graphics Component with a CVSSv3 score of 7.8 that was exploited in the wild as a zero-day. Microsoft's advisory titles it a Remote Code Execution vulnerability (as in the summary table below), but the impact it describes is local privilege escalation: an attacker must already be logged on to a vulnerable system and run a specially crafted application, after which they can execute code in an elevated (SYSTEM) context. Note that Microsoft delivers the fix for this CVE through the Microsoft Store rather than only through Windows Update, so devices with automatic Microsoft Store updates disabled will need the update applied manually.
Microsoft Publisher Security Feature Bypass Vulnerability – Zero-Day
CVE-2023-21715 is a security feature bypass vulnerability in Microsoft Publisher with a CVSSv3 score of 7.3 that was exploited in the wild. The bypass defeats the Office macro policies that are meant to block untrusted or malicious files, so a document that should have been stopped by macro blocking can still run its macros. Exploitation requires a local, authenticated user to download and open an attacker-created file on a vulnerable system, so the attacker must entice the user into opening the file; the usual delivery is a phishing attachment or a link to a hosted document.
Microsoft Word RCE Vulnerability
CVE-2023-21716 is an RCE vulnerability in several versions of Microsoft Word, SharePoint, Microsoft 365 Apps and Office for Mac with a CVSSv3 score of 9.8. Although the vulnerable component is not specified, Microsoft states that the Preview Pane is an attack vector, so a user does not have to open the document for it to be parsed. The vulnerability can be exploited by an unauthenticated attacker sending an email with a rich text format (RTF) payload which, when opened or previewed, allows arbitrary code execution. Microsoft's advisory lists two workarounds for environments that cannot patch immediately: configuring Outlook to read email in plain text, and using the Microsoft Office File Block policy to stop Word opening RTF documents from unknown or untrusted sources (the advisory links to MS08-026 and KB922849 for the File Block guidance).
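The File Block stopgap the advisory points to, written as an added PowerShell example; it is not Microsoft's code and not from the original post. It writes the per-user Word File Block values that block RTF outright, `RtfFiles` = 2 (block open and save) and `OpenInProtectedView` = 0 (no Protected View fallback), under `HKCU\Software\Microsoft\Office\<version>\Word\Security\FileBlock` for whichever of the 14.0, 15.0 and 16.0 Office version keys exist for the current user, reports the effective state, and can revert the change once the update is installed. The choice of a per-user registry setting (rather than a GPO-deployed one) and the version-key list are assumptions of this example.

```powershell
# Added example, not Microsoft's code and not from the original post.
# Assumptions: per-user (HKCU) Word File Block setting, Office version keys
# 14.0/15.0/16.0, RtfFiles=2 (block open and save), OpenInProtectedView=0
# (no Protected View fallback). Run in the context of the user being protected.

$OfficeVersions = '14.0', '15.0', '16.0'

function Get-WordFileBlockKey ([string]$Version) {
    "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
}

function Set-RtfFileBlock {
    param([switch]$Revert)
    foreach ($v in $OfficeVersions) {
        # Only touch Office versions this user actually has registry state for.
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\Word")) { continue }
        $key = Get-WordFileBlockKey $v

        if ($Revert) {
            if (Test-Path $key) {
                Remove-ItemProperty -Path $key -Name 'RtfFiles', 'OpenInProtectedView' -ErrorAction SilentlyContinue
                Write-Output "Office $v : RTF File Block removed"
            }
            continue
        }

        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 2 = block opening and saving RTF; 0 = do not fall back to Protected View
        Set-ItemProperty -Path $key -Name 'RtfFiles'            -Value 2 -Type DWord
        Set-ItemProperty -Path $key -Name 'OpenInProtectedView' -Value 0 -Type DWord
        Write-Output "Office $v : RTF File Block applied"
    }
}

function Test-RtfFileBlock {
    # One row per Office version that has a FileBlock key, with the effective state.
    foreach ($v in $OfficeVersions) {
        $key = Get-WordFileBlockKey $v
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            OfficeVersion       = $v
            RtfFiles            = $p.RtfFiles
            OpenInProtectedView = $p.OpenInProtectedView
            RtfBlocked          = ($p.RtfFiles -eq 2 -and $p.OpenInProtectedView -eq 0)
        }
    }
}

Set-RtfFileBlock
Test-RtfFileBlock | Format-Table -AutoSize
# After the February 2023 Office update is installed, undo the stopgap:
# Set-RtfFileBlock -Revert
```

This blocks every RTF file, legitimate ones included, so treat it as a short-lived control and revert it after patching. For a fleet, deploy the same values through the Office administrative templates (Word File Block Settings, RTF files) rather than per-user scripts, so the setting is enforced and removed centrally.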
Summary of February 2023 patch release
CVE ID | CVE Title | Severity | CVSS Score | Exploited in the Wild |
--- | --- | --- | --- | --- |
CVE-2023-21808 | .NET and Visual Studio Remote Code Execution Vulnerability | Critical | 8.4 | No |
CVE-2023-21716 | Microsoft Word Remote Code Execution Vulnerability | Critical | 9.8 | No |
CVE-2023-21718 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Critical | 7.8 | No |
CVE-2023-21815 | Visual Studio Remote Code Execution Vulnerability | Critical | 8.4 | No |
CVE-2023-23381 | Visual Studio Remote Code Execution Vulnerability | Critical | 8.4 | No |
CVE-2023-21803 | Windows iSCSI Discovery Service Remote Code Execution Vulnerability | Critical | 9.8 | No |
CVE-2023-21692 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No |
CVE-2023-21690 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No |
CVE-2023-21689 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Critical | 9.8 | No |
CVE-2023-21722 | .NET Framework Denial of Service Vulnerability | Important | 4.4 | No |
CVE-2023-23390 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No |
CVE-2023-23377 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No |
CVE-2023-23378 | Print 3D Remote Code Execution Vulnerability | Important | 7.8 | No |
CVE-2023-21777 | Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability | Important | 8.7 | No |
CVE-2023-21703 | Azure Data Box Gateway Remote Code Execution Vulnerability | Important | 6.5 | No |
CVE-2023-21564 | Azure DevOps Server Cross-Site Scripting Vulnerability | Important | 7.1 | No |
CVE-2023-21553 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 7.5 | No |
CVE-2023-23382 | Azure Machine Learning Compute Instance Information Disclosure Vulnerability | Important | 6.5 | No |
CVE-2023-21699 | Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability | Important | 5.3 | No |
CVE-2023-21697 | Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability | Important | 6.2 | No |
CVE-2023-21809 | Microsoft Defender for Endpoint Security Feature Bypass Vulnerability | Important | 7.8 | No |
CVE-2023-23379 | Microsoft Defender for IoT Elevation of Privilege Vulnerability | Important | 6.4 | No |
CVE-2023-21807 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.8 | No |
CVE-2023-21573 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No |
CVE-2023-21571 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No |
CVE-2023-21572 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.5 | No |
CVE-2023-21778 | Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability | Important | 8.3 | No |
CVE-2023-21570 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No |
CVE-2023-21710 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 7.2 | No |
CVE-2023-21707 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21706 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21529 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21804 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No |
CVE-2023-21823 | Windows Graphics Component Remote Code Execution Vulnerability | Important | 7.8 | Yes |
CVE-2023-21714 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No |
CVE-2023-21721 | Microsoft OneNote Spoofing Vulnerability | Important | 6.5 | No |
CVE-2023-21715 | Microsoft Publisher Security Features Bypass Vulnerability | Important | 7.3 | Yes |
CVE-2023-21717 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | 8.8 | No |
CVE-2023-21693 | Microsoft PostScript Printer Driver Information Disclosure Vulnerability | Important | 5.7 | No |
CVE-2023-21801 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability | Important | 7.8 | No |
CVE-2023-21684 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21686 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21685 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21799 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21802 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No |
CVE-2023-21806 | Power BI Report Server Spoofing Vulnerability | Important | 8.2 | No |
CVE-2023-21713 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21528 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No |
CVE-2023-21705 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21568 | Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability | Important | 7.3 | No |
CVE-2023-21704 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No |
CVE-2023-21566 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No |
CVE-2023-21567 | Visual Studio Denial of Service Vulnerability | Important | 5.6 | No |
CVE-2023-21816 | Windows Active Directory Domain Services API Denial of Service Vulnerability | Important | 7.5 | No |
CVE-2023-21688 | NT OS Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No |
CVE-2023-23376 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | Yes |
CVE-2023-21812 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No |
CVE-2023-21813 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No |
CVE-2023-21819 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No |
CVE-2023-21820 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability | Important | 7.4 | No |
CVE-2023-21694 | Windows Fax Service Remote Code Execution Vulnerability | Important | 6.8 | No |
CVE-2023-21687 | HTTP.sys Information Disclosure Vulnerability | Important | 5.5 | No |
CVE-2023-21800 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No |
CVE-2023-21700 | Windows iSCSI Discovery Service Denial of Service Vulnerability | Important | 7.5 | No |
CVE-2023-21702 | Windows iSCSI Service Denial of Service Vulnerability | Important | 7.5 | No |
CVE-2023-21811 | Windows iSCSI Service Denial of Service Vulnerability | Important | 7.5 | No |
CVE-2023-21817 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 7.8 | No |
CVE-2023-21805 | Windows MSHTML Platform Remote Code Execution Vulnerability | Important | 7.8 | No |
CVE-2023-21797 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21798 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No |
CVE-2023-21695 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Important | 7.5 | No |
CVE-2023-21701 | Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability | Important | 7.5 | No |
CVE-2023-21691 | Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability | Important | 7.5 | No |
CVE-2023-21818 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No |
CVE-2023-21822 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No |
CVE-2023-21794 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low | 4.3 | No |
CVE-2023-21720 | Microsoft Edge (Chromium-based) Tampering Vulnerability | Low | 5.3 | No |
CVE-2023-23374 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 8.3 | No |