According to a recent article by Tenable, Microsoft patched 76 CVEs in its March 2023 Patch Tuesday release.
Three of those 76 carry a common vulnerability scoring system (CVSS) score of 9.8 out of 10, which puts them in the Critical band. One of the three, CVE-2023-23397, lets an attacker capture a user's NTLM authentication hash just by sending an email; the user does not have to open the message or click any attachment or link.
Organizations should therefore close these gaps immediately and use the occasion to review their overall cyber security posture.
Everything You Need to Know About This Threat
In its March 2023 Patch Tuesday Release, the 76 CVEs that were patched had the following severity breakdown: 9 critical, 66 important, and 1 moderate.
This month’s update included patches for:
- Client Server Run-time Subsystem (CSRSS)
- Internet Control Message Protocol (ICMP)
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft OneDrive
- Microsoft PostScript Printer Driver
- Microsoft Printer Drivers
- Microsoft Windows Codecs Library
- Office for Android
- Remote Access Service Point-to-Point Tunnelling Protocol
- Role: DNS Server
- Role: Windows Hyper-V
- Service Fabric
- Visual Studio
- Windows Accounts Control
- Windows Bluetooth Service
- Windows Central Resource Manager
- Windows Cryptographic Services
- Windows Defender
- Windows HTTP Protocol Stack
- Windows HTTP.sys
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kernel
- Windows Partition Management Driver
- Windows Point-to-Point Protocol over Ethernet (PPPoE)
- Windows Remote Procedure Call
- Windows Remote Procedure Call Runtime
- Windows Resilient File System (ReFS)
- Windows Secure Channel
- Windows SmartScreen
- Windows TPM
- Windows Win32K
Vulnerabilities You Should Be Aware of:
- CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability
CVE-2023-23397 is an elevation of privilege vulnerability in Microsoft Outlook with a CVSSv3 score of 9.8, and it has been exploited in the wild. An attacker exploits it by sending a specially crafted email to a vulnerable Outlook client. When Outlook retrieves and processes the message, it connects to an attacker-controlled server named in the message (a UNC path), and that connection leaks the recipient's Net-NTLMv2 hash. The attacker can then use the captured authentication in an NTLM relay attack to authenticate to other services as the victim. According to Microsoft, this happens before the email is viewed in the Preview Pane, so no interaction by the recipient is needed for a successful attack.
The Computer Emergency Response Team of Ukraine (CERT-UA) and Microsoft's research teams are credited with discovering this vulnerability. On March 14, Microsoft published a blog post acknowledging the vulnerability and stated that it believes a "Russia-based threat actor" used it in "targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe." Microsoft has also published a PowerShell script that scans Exchange messaging items for messages carrying the malicious property, so an organization can determine whether it has been targeted.
In short, the leaked Net-NTLMv2 hash is a challenge-response value rather than the password itself, but it is enough for an attacker to relay the authentication in real time to servers that accept NTLM (an NTLM relay attack) and, if the password is weak, to crack it offline. Either way the attacker ends up acting as the user on the network, and the user has done nothing beyond receiving an email.
Recommended Solution: Install the March 2023 Microsoft Office (Outlook) security update. Where patching must wait, Microsoft's advisory lists two mitigations: add users to the Protected Users security group, which prevents NTLM from being used as an authentication mechanism, and block outbound TCP 445 (SMB) at the network perimeter so the NTLM handshake never reaches the attacker's server.
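The following PowerShell is an added example for this section and is not code from the original article, from Microsoft's detection script, or from Adventus. It shows the decision Microsoft's script has to make (does the reminder-sound path stored on a message point at a remote host?) as a function you can run over property values you have already extracted, and it wraps the two stop-gap mitigations from the advisory. The property name PidLidReminderFileParameter comes from Microsoft's published guidance; the host names, IP address, sample paths and user names are constructed for illustration.

```powershell
# Added example, not from the article or from Microsoft's script.
# The reminder-sound path Outlook stores on a message is the extended MAPI property
# PidLidReminderFileParameter (per Microsoft's guidance). A benign value is a local .wav file;
# the exploit sets it to a remote UNC or file:// path so Outlook authenticates to that host.

function Test-ReminderFilePath {
    # Returns $true when the path would make Outlook contact a host outside the allow list.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [string[]]$TrustedHosts = @()
    )
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }   # property unset: nothing to fetch

    $target = $null
    if ($Value -match '^\\\\([^\\]+)\\') {                        # UNC path: \\host\share\file.wav
        $target = $Matches[1]
    } elseif ($Value -match '^file://([^/]+)/') {                 # file URL with a remote authority
        $target = $Matches[1]
    } elseif ($Value -match '^https?://([^/:]+)') {               # http(s) path fetched via WebDAV
        $target = $Matches[1]
    } else {
        return $false                                             # local path, e.g. C:\Windows\Media\Alarm01.wav
    }
    if ($target -in @('localhost', '127.0.0.1')) { return $false }
    return -not ($TrustedHosts -contains $target)
}

function Block-OutboundSmb {
    # Advisory mitigation 1: stop the NTLM handshake from leaving the network over SMB (TCP 445).
    # Internal file servers become unreachable too unless you scope -RemoteAddress to exclude them.
    New-NetFirewallRule -DisplayName 'Block outbound SMB (CVE-2023-23397 mitigation)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any
}

function Add-ToProtectedUsers {
    # Advisory mitigation 2: members of Protected Users cannot authenticate with NTLM, so a
    # leaked Net-NTLMv2 hash cannot be relayed. Needs the ActiveDirectory (RSAT) module, and
    # applications that still depend on NTLM for these accounts will break.
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

# Constructed sample property values, as they might come out of a mailbox export.
$samples = @(
    'C:\Windows\Media\Alarm01.wav',                # stock Outlook sound: benign
    '\\fileserver.corp.example\sounds\ding.wav',   # internal share: benign when allow-listed
    '\\203.0.113.7\share\reminder.wav',            # external IP: leaks Net-NTLMv2 to the attacker
    'file://attacker.example/s/r.wav'              # file URL variant of the same trick
)
foreach ($s in $samples) {
    $flag = Test-ReminderFilePath -Value $s -TrustedHosts 'fileserver.corp.example'
    '{0,-5} {1}' -f $flag, $s
}
```

Run the loop as shown to see which constructed values are flagged (the two remote paths), then call Block-OutboundSmb and Add-ToProtectedUsers only after weighing the side effects noted in their comments; both are temporary measures until the Outlook update is installed.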
- CVE-2023-23415 | Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
CVE-2023-23415 is a Remote Code Execution (RCE) vulnerability in the Windows ICMP implementation with a CVSSv3 score of 9.8. The vulnerable code path is reached when an application on the target host is bound to a raw socket and the operating system mishandles an incoming ICMP packet: the attacker sends a low-level protocol error message carrying a fragmented IP packet inside the ICMP header, which leads to arbitrary code execution. Microsoft rates the vulnerability "Exploitation More Likely" on its Exploitability Index.
In essence, an unauthenticated attacker who can send ICMP traffic to the host can execute code on it, but only if some application on that host has a raw socket open (packet-capture or custom network tooling, for example), so such hosts should be patched first.
Recommended Solution: Install the March 2023 Microsoft Windows update.
- CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability
CVE-2023-23392 is an RCE vulnerability in HTTP.sys, the kernel-mode HTTP Protocol Stack that IIS and other Windows web services are built on. It has a CVSSv3 score of 9.8 and is rated "Exploitation More Likely." An unauthenticated remote attacker exploits it by sending a malicious packet to the target server. Two preconditions apply: the server must have HTTP/3 enabled, and the affected listener must use buffered I/O. According to the Microsoft advisory, HTTP/3 support is a newly introduced feature in Windows Server 2022 that is off by default and must be enabled through a registry key.
In short, this is a pre-authentication remote code execution bug in the server's HTTP stack, not in an end user's computer; it matters for web servers whose administrators have explicitly switched HTTP/3 on.
Recommended Solution: Install the March 2023 Microsoft Windows update. Because the vulnerable code path is only reachable with HTTP/3 enabled, checking that registry setting is a quick way to decide which servers to patch first.
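As an added example (not from the original article, from Microsoft, or from Adventus), the PowerShell below checks the two preconditions for CVE-2023-23392 that an administrator can observe from outside HTTP.sys: whether HTTP/3 is switched on via the registry value Microsoft documents for that purpose (EnableHttp3 under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters), and whether anything is listening for QUIC on UDP 443. Whether a listener uses buffered I/O is a property of the application and is not visible here, so a server that shows HTTP/3 enabled should simply be treated as exposed until patched.

```powershell
# Added example, not from the article or from Microsoft.
# Microsoft documents HTTP/3 on Windows Server 2022 as disabled by default and enabled by the
# DWORD value EnableHttp3 = 1 under the HTTP service's Parameters key.

function Get-Http3Exposure {
    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $enable   = (Get-ItemProperty -Path $paramKey -Name EnableHttp3 -ErrorAction SilentlyContinue).EnableHttp3

    # HTTP/3 runs over QUIC, which is UDP; with HTTP/3 on, HTTP.sys listens on UDP 443.
    $udp443 = @(Get-NetUDPEndpoint -LocalPort 443 -ErrorAction SilentlyContinue)

    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    if ($enable -eq 1) {
        $verdict = 'HTTP/3 enabled: vulnerable code path reachable, install the March 2023 update now'
    } else {
        $verdict = 'HTTP/3 not enabled: vulnerable code path not reachable, patch on the normal schedule'
    }

    [pscustomobject]@{
        OperatingSystem = $os
        EnableHttp3     = if ($null -eq $enable) { 'not set (off by default)' } else { $enable }
        Udp443Listeners = $udp443.Count
        Http3Active     = ($enable -eq 1) -and ($udp443.Count -gt 0)
        Verdict         = $verdict
    }
}

function Disable-Http3 {
    # Stop-gap only for servers that cannot take the update yet: removes the HTTP/3 precondition
    # the advisory states. Clients fall back to HTTP/2 or HTTP/1.1. The change takes effect
    # after a restart, so schedule one.
    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    Set-ItemProperty -Path $paramKey -Name EnableHttp3 -Value 0 -Type DWord
}

Get-Http3Exposure | Format-List
```

Run Get-Http3Exposure on each Windows Server 2022 web server (it needs local administrator rights to read the HTTP service key and endpoint table) and use the Verdict field to order patching; Disable-Http3 is a temporary measure that trades HTTP/3 for safety until the update is installed.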
Adventus As Your Cyber Security Solutions & Services Provider
Adventus is a top Cyber Security Solutions & Services Provider with our own Security Operations Centre (SOC). Our efficient SOC team is diligently monitoring, detecting, and responding to any cyber security risks or threats in our customers’ environments.
To counter vulnerabilities such as these, Adventus Patch Management Services ease the tedious patch management process. Instead of reading up on advisories and tracking the latest patches by hand, organizations can let Adventus automate patch management and push the latest patches out to every device in the organization. This saves time and gives our customers peace of mind. To enhance your organization's cyber security, reach out to us today!