Microsoft Valentine Patch Tuesday -February 2023

Microsoft addresses 75 CVEs as a part of this year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different zero-day vulnerabilities that are already being used in active attacks.

This month’s update includes patches for:

• .NET and Visual Studio
• .NET Framework
• 3D Builder
• Azure App Service
• Azure Data Box Gateway
• Azure DevOps
• Azure Machine Learning
• HoloLens
• Internet Storage Name Service
• Microsoft Defender for Endpoint
• Microsoft Defender for IoT
• Microsoft Dynamics
• Microsoft Edge (Chromium-based)
• Microsoft Exchange Server
• Microsoft Graphics Component
• Microsoft Office
• Microsoft Office OneNote
• Microsoft Office Publisher
• Microsoft Office SharePoint
• Microsoft Office Word
• Microsoft PostScript Printer Driver
• Microsoft WDAC OLE DB provider for SQL
• Microsoft Windows Codecs Library
• Power BI
• SQL Server
• Visual Studio
• Windows Active Directory
• Windows ALPC
• Windows Common Log File System Driver
• Windows Cryptographic Services
• Windows Distributed File System (DFS)
• Windows Fax and Scan Service
• Windows HTTP.sys
• Windows Installer
• Windows iSCSI
• Windows Kerberos
• Windows MSHTML Platform
• Windows ODBC Driver
• Windows Protected EAP (PEAP)
• Windows SChannel
• Windows Win32K

Windows Common Log File System Driver EoP Vulnerability –ZeroDay

CVE-2023-23376 is an EoP vulnerability in Windows operating systems receiving a CVSSv3 score of 7.8 that has been exploited in the wild. The vulnerability exists in the Common Log File System (CLFS) Driver, a logging service used by kernel-mode and user-mode applications. This vulnerability can be exploited after an attacker has gained access to a vulnerable target to elevate to SYSTEM privileges.

Similarly last year, microsoft has patched two EoP vulnerabilities in CLFS, CVE-2022-37969 patched in April 2022 and CVE-2022-24521 patched in September 2022, that were also exploited in the wild.

Microsoft Exchange Server RCE Vulnerability

CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710 are RCE vulnerabilities in supported versions of Microsoft Exchange Server. CVE-2023-21710 received a CVSSv3 score of 7.2 while the other three CVEs were assigned CVSSv3 scores of 8.8. The vulnerabilities allow a remote attacker to execute arbitrary code on a vulnerable server, via a network call. CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 were given a rating of Exploitation More Likely.

CVE-2023-21529, CVE-2023-21706 and CVE-2023-21707 share similarities with CVE-2022-41082, an authenticated RCE publicly disclosed in September 2022 that was a part of the ProxyNotShell attack chain, a variant of the ProxyShell attack chain discovered in August 2021. Microsoft released mitigations in September to protect vulnerable servers until a patch was released in their November 2022 Patch Tuesday. A bypass of this mitigation, called OWASSRF (CVE-2022-41080), was then released in December 2022. Our recent blog on ProxyNotShell, OWASSRF and TabShell discusses these vulnerabilities in greater detail.

Microsoft Protected Extensible Authentication Protocol RCE Vulnerability

CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692 are RCE vulnerabilities in Windows operating systems and have been given a CVSSv3 score of 9.8. The flaw lies in the Protected Extensible Authentication Protocol (PEAP) server component, which is used to establish secure connections with wireless clients. Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code. For a target to be vulnerable, it must be running Network Policy Server and configured with a network policy that allows PEAP. All three vulnerabilities were rated as Exploitation More Likely

An additional RCE affecting PEAP, CVE-2023-21695, has also been patched this month. However, exploitation for this flaw does require authentication. All four of these CVEs could be exploited using a crafted PEAP packet sent to an unpatched host.

Windows Graphics Component EoP Vulnerability –ZeroDay

CVE-2023-21823 is an EoP vulnerability in the Microsoft Windows Graphics Component. It received a CVSSv3 score of 7.8 and was exploited in the wild as a zero day. Exploitation of this flaw requires an attacker to log onto a vulnerable system and execute a specially crafted application. Successful exploitation would grant an attacker the ability to run processes in an elevated context.

Microsoft Office Security Feature Bypass Vulnerability –ZeroDay

CVE-2023-21715 is a security feature bypass vulnerability in Microsoft Office that was given a CVSSv3 score of 7.3 and was exploited in the wild. To be exploited, the vulnerability requires a local, authenticated user to download and open an attacker-created file on a vulnerable system. An attacker would need to entice the user to download and execute the file to successfully exploit this flaw.

Microsoft Word RCE Vulnerability

CVE-2023-21716 is a RCE vulnerability in several versions of Microsoft Word, Sharepoint, 365 Apps and Office for Mac with a CVSSv3 score of 9.8. Although the vulnerable component is not specified, Microsoft states that the Preview Pane in these applications is an attack vector. The vulnerability can be exploited by an unauthenticated attacker sending an email with a rich text format (RTF) payload, which when opened, allows for command execution. The Microsoft advisory for this CVE links to MS08-026 and KB922849 for guidance on how to prevent Microsoft Office from opening RTF documents from unknown or untrusted sources by using the Microsoft Office File Block policy.

Summary of February 2023 patch release