Microsoft Patch Tuesday – May 2023

Microsoft patched 38 CVEs in its May 2023 Patch Tuesday Release, with six rated as critical and 32 rated as important.

This month’s update includes patches for:

• Microsoft Bluetooth Driver
• Microsoft Graphics Component
• Microsoft Office
• Microsoft Office Access
• Microsoft Office Excel
• Microsoft Office SharePoint
• Microsoft Office Word
• Microsoft Teams
• Microsoft Windows Codecs Library
• Reliable Multicast Transport Driver (RMCAST)
• Remote Desktop Client
• SysInternals
• Visual Studio Code
• Windows Backup Engine
• Windows Installer
• Windows iSCSI Target Service
• Windows Kernel
• Windows LDAP – Lightweight Directory Access Protocol
• Windows MSHTML Platform
• Windows Network File System
• Windows NFS Portmapper
• Windows NTLM
• Windows OLE
• Windows RDP Client
• Windows Remote Procedure Call Runtime
• Windows Secure Boot
• Windows Secure Socket Tunneling Protocol (SSTP)
• Windows SMB
• Windows Win32K

Win32k Elevation of Privilege Vulnerability – Zeroday Exploited in Wild

CVE-2023-29336 is an EoP vulnerability in Microsoft’s Win32k, a core kernel-side driver used in Windows with a CVSSv3 score of 7.8 and was exploited in the wild as a zero-day. Exploitation of this vulnerability would allow an attacker to gain SYSTEM level privileges on an affected host.

Over the last few years, we have seen multiple Win32k EoP zero days exploited in the wild. In the January 2022, Microsoft patched CVE-2022-21882. CVE-2022-21882 was reportedly a patch bypass for CVE-2021-1732, another Win32k EoP zero-day vulnerability from February 2021. In October 2021, Microsoft patched CVE-2021-40449, another Win32k EoP zero day linked to a remote access trojan known as Mystery Snail and was reportedly a patch bypass for CVE-2016-3309

Secure Boot Security Feature Bypass Vulnerability – Zeroday Exploited in Wild

CVE-2023-24932 is a security feature bypass vulnerability in Secure Boot in Windows operating systems, with a CVSSv3 score of 6.7, which allows for running of untrusted software during the boot up process. It was publicly disclosed and exploited in the wild as a zero-day prior to a patch being available. Exploitation of this vulnerability requires an attacker to have administrative rights or physical access to the vulnerable device, so Microsoft has rated this as Exploitation Less Likely

As a part of mitigation additional steps must be taken. These steps are outlined in KB5025885 which specifies that the May 9, 2023, Windows security updates must be installed first. The KB article notes that this update and the associated mitigation steps are necessary due to the publicly disclosed bypass being used by the BlackLotus UEFI bootkit.

CVE-2023-24932 is the fourth security feature bypass vulnerability disclosed in 2023 in either Windows Boot Manager or Secure, Microsoft addressed CVE-2023-28269 and CVE-2023-28249 in April 2023, and CVE-2023-21560.in January 2023

Windows OLE Remote Code Execution Vulnerability -Zero Day Not Exploited in Wild

CVE-2023-29325 is a RCE in the Windows Object Linking and Embedding (OLE) mechanism of Windows operating systems that was publicly disclosed and with a CVSSv3 score of 8.1. Windows OLE is a technology that allows the creation of documents that contain objects from several applications. The vulnerability lies in the processing of RTF documents and emails. Microsoft said that the Preview Pane feature in Microsoft Outlook and Office is a vector for exploitation.

An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted document to a vulnerable system. However, the vulnerability has been given a high complexity as successful exploitation requires the attacker to win a race condition and the target to be prepared for exploitation.

Microsoft has provided mitigation advice to prevent users from opening RTF documents or emails in Outlook and Office to reduce the risk of exploitation where immediate patching is not possible.

Windows Network File System Remote Code Execution Vulnerability

CVE-2023-24941 is a critical RCE vulnerability affecting supported versions of Windows Server with a CVSSv3 score of 9.8. The affected component is the Network File System (NFS) service, which is used for file sharing between Unix and Windows Server systems. The vulnerability affects NFSV4.1, but not NFSV2.0 or NFSV3.0. CVE-2023-24941 can be exploited by a remote, unauthenticated attacker sending a malicious call to a vulnerable server.

Microsoft provided mitigation guidance for organizations where immediate patching is not possible, which involves disabling NFSV4.1. However, this mitigation should not be applied if the server has not applied the May 2022 patch, as that release addressed a similar vulnerability, CVE-2022-26937, in NFSV2 and NFSV3.

Windows 10  EOL

Microsoft announced that Windows 10 20H2 has reached its end of life for Enterprise, Education, IoT Enterprise, and Enterprise multi-session editions. This means that users of these versions of Windows 10 20H2 will no longer receive security updates and should upgrade as soon as possible. Plugin ID 161921 can be used to identify hosts that have unsupported installations of Windows 10 version 20H2.

Windows 10 21H2 will reach end of life for Home, Pro, Pro Education and Pro for Workstations editions during June month patch Tuesday.

Patch Summary