Microsoft have warned users of four new critical severity vulnerabilities in their products that could result in remote code execution (RCE). These flaws, each with a CVSS base score of 9.8/10, were patched in this week’s Patch Tuesday update, along with other RCE flaws and three high severity zero-day vulnerabilities with publicly disclosed exploits. Microsoft have chosen to focus on these four vulnerabilities in their warnings to users because they are rated ‘Exploitation more likely’ on the Microsoft Exploitability Index, meaning users should treat the patches for these flaws as a higher priority than the other ‘Exploitation less likely’ critical issues fixed in the recent updates.
Vulnerabilities CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692 affect the Microsoft Protected Extensible Authentication Protocol (PEAP) in Windows 10 and 11, and Windows Server 2008, 2012, 2016, 2019 and 2022. An unauthenticated remote attacker can exploit these vulnerabilities without any user interaction. To do so, an attacker would need to craft malicious PEAP packets and send them over the network to a target on which the vulnerable component is present. This can result in remote code execution in the context of the server account through the network call, and the attacker may also be able to read files, modify files, or trigger a denial of service on the impacted component. As well as applying the security update, users can mitigate these vulnerabilities by configuring their network policies to stop using PEAP: removing PEAP from the allowed EAP types in the network policy means these vulnerabilities can no longer be exploited.
The other critical RCE vulnerability included in the warning occurs in Microsoft Word, and also affects other Office products, Enterprise apps, and SharePoint. CVE-2023-21716 is similar to the other critical flaws in that no preconditions need to be met for an attacker to exploit it: the attacker can be remote and unauthenticated, and no user interaction is required. The attack vector is the Preview Pane, which is targeted when an attacker sends the victim a malicious email containing a rich text format (RTF) payload. Previously an attack of this kind would likely have relied on macros in Office documents; however, these are now blocked by Microsoft by default. Implementing the Microsoft Office File Block policy to stop Office applications opening RTF documents from unknown or untrusted sources is the suggested workaround to prevent this form of attack.
For most of the affected products the Microsoft Security Update Guide can be used to locate the version you need to upgrade to, based on the product you use. However, customers running SharePoint Enterprise Server 2013 Service Pack 1 who need to patch CVE-2023-21716 have multiple upgrade routes available, involving different updates that need to be applied. Customers can either apply the cumulative update, which includes all necessary patches, or apply two separate security updates, sts2013 and wdsrvloc2013. These two separate security updates are the same as those available to users running SharePoint Foundation 2013 Service Pack 1, for which there is no cumulative update option available.
The other critical RCE vulnerability included in this month’s Patch Tuesday update affects Windows 10 and Windows Server 2008. This flaw is tracked as CVE-2023-21803 and is found in the Windows iSCSI Discovery Service, a service used to give non-SMB clients access to storage on a Windows host. An unauthenticated remote attacker can exploit this vulnerability without user interaction by sending a malicious DHCP (Dynamic Host Configuration Protocol) discovery request to the vulnerable iSCSI Discovery Service. The exploit only affects x86 (32-bit) Windows machines, but if successful it gives the attacker the ability to execute arbitrary code on the target system. The iSCSI Initiator client application is disabled by default, so only systems on which it has been enabled are vulnerable to attack. Users can disable the iSCSI client application as a mitigation step to prevent an attack until the patched version can be applied.
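As an added example (not code from the article or from Microsoft), the following PowerShell script audits, and with -Apply enforces, the two interim workarounds described above: the Office File Block policy for RTF documents (CVE-2023-21716) and disabling the iSCSI Initiator service (CVE-2023-21803). It assumes Office 2016 or later (the 16.0 policy key) and the service name MSiSCSI; the File Block value is per-user, and the service change needs an elevated session.

```powershell
# Added example: audit/apply the RTF File Block policy and iSCSI Initiator workarounds.
# Assumptions: Office 2016+ policy key (16.0); older builds use 15.0 or 14.0 instead.
param([switch]$Apply)

$fileBlockKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\FileBlock'

function Test-RtfFileBlock {
    # RtfFiles = 2 blocks opening and saving RTF; OpenInProtectedView = 0 means
    # "do not open" rather than falling back to Protected View.
    $props = Get-ItemProperty -Path $fileBlockKey -ErrorAction SilentlyContinue
    $blocked = ($props.RtfFiles -eq 2) -and ($props.OpenInProtectedView -eq 0)
    [pscustomobject]@{ Check = 'Word RTF File Block (CVE-2023-21716)'; Mitigated = [bool]$blocked }
}

function Set-RtfFileBlock {
    New-Item -Path $fileBlockKey -Force | Out-Null
    New-ItemProperty -Path $fileBlockKey -Name RtfFiles -PropertyType DWord -Value 2 -Force | Out-Null
    New-ItemProperty -Path $fileBlockKey -Name OpenInProtectedView -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-IscsiDisabled {
    # MSiSCSI is the Microsoft iSCSI Initiator Service; it is not started by default.
    $svc = Get-Service -Name MSiSCSI -ErrorAction SilentlyContinue
    $off = (-not $svc) -or (($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled'))
    [pscustomobject]@{ Check = 'iSCSI Initiator disabled (CVE-2023-21803)'; Mitigated = [bool]$off }
}

function Disable-Iscsi {
    # Stop the service now and prevent it from starting again until the patch is applied.
    Stop-Service -Name MSiSCSI -Force -ErrorAction SilentlyContinue
    Set-Service -Name MSiSCSI -StartupType Disabled
}

if ($Apply) { Set-RtfFileBlock; Disable-Iscsi }
@(Test-RtfFileBlock; Test-IscsiDisabled) | Format-Table -AutoSize
```

Run without -Apply first to see which workaround is already in place; the iSCSI step only matters on hosts where the Initiator was deliberately enabled.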
Three high severity zero-day vulnerabilities with publicly disclosed exploits were also patched on Tuesday. The first of these is CVE-2023-21823, a Windows Graphics Component RCE vulnerability. An attacker must already have basic user privileges to exploit this flaw, but once exploited it lets the attacker gain SYSTEM level privileges and execute arbitrary code with them. The Windows Graphics Component is present across multiple Windows apps, which will update automatically from the Microsoft Store; however, affected Android apps will need to be updated manually from the Google Play store. Windows 10 and 11, Windows Server 2008, 2012, 2016, 2019 and 2022, and Microsoft Office can all be updated through the Patch Tuesday releases to resolve this vulnerability.
The second zero-day vulnerability also involves elevation of privilege, from a basic user to SYSTEM level privileges. This actively exploited Windows Common Log File System Driver vulnerability is tracked as CVE-2023-23376 and affects Windows 10 and 11, and Windows Server 2008, 2012, 2016, 2019 and 2022. Despite this vulnerability being known to be exploited in the wild, Microsoft have not released details of how the exploit takes place. The final zero-day flaw is CVE-2023-21715, found in Microsoft 365 Apps for Enterprise. This is a Microsoft Publisher Security Features Bypass vulnerability that can only be exploited by an attacker with basic user privileges and some user interaction on the target device. An attacker could either carry out this exploit locally or use social engineering to convince a user to download and open a malicious document from a website. The security feature bypassed is the default blocking of macros in Office documents from the internet, so a successful bypass means further attacks using malicious files could take place on the affected device.
Other vulnerabilities to be aware of that have been patched in these new updates include the RCE flaws CVE-2023-21815 and CVE-2023-23381, which affect Microsoft Visual Studio. An unauthorised attacker can exploit these flaws either locally or remotely, but a remote attacker needs the victim to interact on the local machine for code to execute. A local attacker does not need any user interaction to exploit these flaws and achieve arbitrary code execution on the target device. Similarly, CVE-2023-21808 has the same attack requirements and outcomes, but this vulnerability is found not only in Visual Studio but also in .NET. An exploit of this vulnerability depends on the victim’s device reading and parsing symbols, and therefore must be performed differently on each target. An attack on .NET requires manual interaction to query a symbol, as .NET only uses symbols present on the disk, whereas Visual Studio can automatically query symbol servers and so can be attacked remotely.