It’s the second Tuesday of the month, which means Adobe and Microsoft (and others) have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of the latest offerings from Microsoft and Adobe. If you’d rather watch the video recap, check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for April 2023
For April, Adobe released six bulletins addressing 56 CVEs in Acrobat and Reader, Adobe Digital Editions, InCopy, Substance 3D Designer, Substance 3D Stager, and Adobe Dimension. A total of 47 of these CVEs were reported by ZDI vulnerability researchers Mat Powell and Michael DePlante. The update for Reader is likely the most important. It corrects 16 different CVEs, and 14 of these could lead to arbitrary code execution if a threat actor can get a user to open a specially crafted PDF with an affected version of Reader. This update also includes four CVEs from Abdul-Aziz Hariri of Haboob SA that were a part of his successful demonstration at the recent Pwn2Own Vancouver.
The patch for Adobe Digital Edition corrects a single Critical-rated code execution bug. The fix for InCopy also addresses a lone Critical-rated code execution issue. The other updates are noticeably larger. The update for Substance 3D Designer addresses nine bugs, all of which are rated Critical. The fix for Substance 3D Stager corrects 14 vulnerabilities, 10 of which are rated Critical and could lead to arbitrary code execution. The final patch from Adobe covers Adobe Dimension and corrects 15 unique bugs. A total of 14 of these bugs could lead to arbitrary code execution with the other being a memory leak.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Apple Patches for April 2023
Apple had a couple of CVEs patched last week and yesterday covering two bugs under active attack. CVE-2023-28205 is a UAF in WebKit and can be found in Safari, macOS, and iOS. It can lead to code execution at the level of the logged-on user. It would need to be paired with a privilege escalation to take over a system. The second bug patched by Apple does just that. CVE-2023-28206 is a privilege escalation in the IOSurfaceAccelerator component in macOS and iOS. Apple doesn’t expressly state these were used in conjunction, but they were reported by the same researchers at the same time, so their combined use makes sense.
Microsoft Patches for April 2023
This month, Microsoft released 97 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Windows Defender; SharePoint Server; Windows Hyper-V; PostScript Printer; and Microsoft Dynamics. This is in addition to three Edge (Chromium-based) CVEs previously released and being documented today. That brings today’s total CVE count to an even 100. Six of these bugs came were submitted through the ZDI program.
Of the patches released today, seven are rated Critical and 90 are rated Important in severity. While this volume does seem to be in line with past years, the number of remote code execution (RCE) bugs makes up nearly half the release. It’s unusual to see that many RCE fixes in a single month. Also, note that none of the bugs disclosed over Teams during Pwn2Own Vancouver are being addressed by Microsoft this month.
One of the new CVEs is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:
– CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
This is the one bug under active attack this month, and if it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago. To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware. Definitely test and deploy this patch quickly.
– CVE-2023-21554 – Microsoft Message Queuing Remote Code Execution Vulnerability
This is a CVSS 9.8 bug and receives Microsoft’s highest exploitability rating. It allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications. It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks. However, it’s not clear what impact this may have on operations. Your best option is to test and deploy the update.
– CVE-2023-23384 – Microsoft SQL Server Remote Code Execution Vulnerability
This is a silent patch released by Microsoft in February and is just now being documented. The problem of silent patching has already been well documented, so I won’t rehash it here. The patch fixes an OOB Write bug in the SQLcmd tool that could allow a remote, unauthenticated attacker to exploit code with elevated privileges. While not listed in the CVSS, the attack complexity seems high since the attacker can only control a few bytes at a time. A server crash is much more likely. If you’re running SQL server, read the Cumulative Update table to ensure you have both the February and April updates installed.
– CVE-2013-3900 – WinVerifyTrust Signature Validation Vulnerability
That’s no mistake on the CVE number – this is a 10-year-old patch being reissued. And if this bug sounds familiar, it’s because it was used by a threat actor in the recent 3CX attacks. This was an “opt-in” fix in the past, meaning admins had to opt-in to get this fix. With this revision, add fixes for additional platforms and adds further recommendations for enterprises. Definitely take the time to review all of the recommendations, including the information on the Microsoft Trusted Root Program, and take the actions needed to protect your environment.
Here’s the full list of CVEs released by Microsoft for April 2023:
CVE
Title
Severity
CVSS
Public
Exploited
Type
CVE-2023-28252
Windows Common Log File System Driver
Elevation of Privilege Vulnerability
Important
7.8
No
Yes
EoP
CVE-2023-28231
DHCP Server Service Remote Code Execution
Vulnerability
Critical
8.8
No
No
RCE
CVE-2023-28219
Layer 2 Tunneling Protocol Remote Code
Execution Vulnerability
Critical
8.1
No
No
RCE
CVE-2023-28220
Layer 2 Tunneling Protocol Remote Code
Execution Vulnerability
Critical
8.1
No
No
RCE
CVE-2023-21554
Microsoft Message Queuing Remote Code
Execution Vulnerability
Critical
9.8
No
No
RCE
CVE-2023-28291
Raw Image Extension Remote Code Execution
Vulnerability
Critical
8.4
No
No
RCE
CVE-2023-28232
Windows Point-to-Point Tunneling Protocol
Remote Code Execution Vulnerability
Critical
7.5
No
No
RCE
CVE-2023-28250
Windows Pragmatic General Multicast (PGM)
Remote Code Execution Vulnerability
Critical
9.8
No
No
RCE
CVE-2023-28260
.NET DLL Hijacking Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2023-28312
Azure Machine Learning Information
Disclosure Vulnerability
Important
6.5
No
No
Info
CVE-2023-28300
Azure Service Connector Security Feature
Bypass Vulnerability
Important
7.5
No
No
SFB
CVE-2023-24860
Microsoft Defender Denial of Service
Vulnerability
Important
7.5
No
No
DoS
CVE-2023-28309
Microsoft Dynamics 365 (on-premises)
Cross-site Scripting Vulnerability
Important
7.6
No
No
XSS
CVE-2023-28314
Microsoft Dynamics 365 (on-premises)
Cross-site Scripting Vulnerability
Important
6.1
No
No
XSS
CVE-2023-28313
Microsoft Dynamics 365 Customer Voice
Cross-Site Scripting Vulnerability
Important
6.1
No
No
XSS
CVE-2023-21769
Microsoft Message Queuing Denial of Service
Vulnerability
Important
7.5
No
No
DoS
CVE-2023-28302
Microsoft Message Queuing Denial of Service
Vulnerability
Important
7.5
No
No
DoS
CVE-2023-28285
Microsoft Office Graphics Remote Code
Execution Vulnerability
Important
7.8
No
No
RCE
CVE-2023-24883
Microsoft PostScript and PCL6 Class Printer
Driver Information Disclosure Vulnerability
Important
6.5
No
No
Info
CVE-2023-24884
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24885
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24886
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24887
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24924
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24925
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24926
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24927
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24928
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24929
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-28243
Microsoft PostScript and PCL6 Class Printer
Driver Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-28287
Microsoft Publisher Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2023-28295
Microsoft Publisher Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2023-28288
Microsoft SharePoint Server Spoofing
Vulnerability
Important
6.5
No
No
Spoofing
CVE-2023-23375
Microsoft SQL Server Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2023-23384
Microsoft SQL Server Remote Code Execution
Vulnerability
Important
7.3
No
No
RCE
CVE-2023-28304
Microsoft SQL Server Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2023-28275
Microsoft WDAC OLE DB provider for SQL
Server Remote Code Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-28311
Microsoft Word Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2023-28268
Netlogon RPC Elevation of Privilege
Vulnerability
Important
8.1
No
No
EoP
CVE-2023-28292
Raw Image Extension Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2023-28267
Remote Desktop Protocol Client Information
Disclosure Vulnerability
Important
6.5
No
No
Info
CVE-2023-21729
Remote Procedure Call Runtime Information
Disclosure Vulnerability
Important
4.3
No
No
Info
CVE-2023-21727
Remote Procedure Call Runtime Remote Code
Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-24893
Visual Studio Code Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2023-28262
Visual Studio Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2023-28263
Visual Studio Information Disclosure
Vulnerability
Important
5.5
No
No
Info
CVE-2023-28296
Visual Studio Remote Code Execution
Vulnerability
Important
8.4
No
No
RCE
CVE-2023-28299
Visual Studio Spoofing Vulnerability
Important
5.5
No
No
Spoofing
CVE-2023-24914
Win32k Elevation of Privilege
Vulnerability
Important
7
No
No
EoP
CVE-2023-28223
Windows
Domain Name Service Remote Code Execution Vulnerability
Important
6.6
No
No
RCE
CVE-2023-28216
Windows Advanced Local Procedure Call (ALPC)
Elevation of Privilege Vulnerability
Important
7
No
No
EoP
CVE-2023-28218
Windows Ancillary Function Driver for
WinSock Elevation of Privilege Vulnerability
Important
7
No
No
EoP
CVE-2023-28227
Windows Bluetooth Driver Remote Code
Execution Vulnerability
Important
7.5
No
No
RCE
CVE-2023-28249
Windows Boot Manager Security Feature Bypass
Vulnerability
Important
6.6
No
No
SFB
CVE-2023-28269
Windows Boot Manager Security Feature Bypass
Vulnerability
Important
6.8
No
No
SFB
CVE-2023-28273
Windows Clip Service Elevation of Privilege
Vulnerability
Important
7
No
No
EoP
CVE-2023-28229
Windows CNG Key Isolation Service Elevation
of Privilege Vulnerability
Important
7
No
No
EoP
CVE-2023-28266
Windows Common Log File System Driver
Information Disclosure Vulnerability
Important
5.5
No
No
Info
CVE-2023-28277
Windows DNS Server Information Disclosure
Vulnerability
Important
4.9
No
No
Info
CVE-2023-28254
Windows DNS Server Remote Code Execution
Vulnerability
Important
7.2
No
No
RCE
CVE-2023-28255
Windows DNS Server Remote Code Execution
Vulnerability
Important
6.6
No
No
RCE
CVE-2023-28256
Windows DNS Server Remote Code Execution
Vulnerability
Important
6.6
No
No
RCE
CVE-2023-28278
Windows DNS Server Remote Code Execution
Vulnerability
Important
6.6
No
No
RCE
CVE-2023-28305
Windows DNS Server Remote Code Execution
Vulnerability
Important
6.6
No
No
RCE
CVE-2023-28306
Windows DNS Server Remote Code Execution
Vulnerability
Important
6.6
No
No
RCE
CVE-2023-28307
Windows DNS Server Remote Code Execution
Vulnerability
Important
6.6
No
No
RCE
CVE-2023-28308
Windows DNS Server Remote Code Execution
Vulnerability
Important
6.6
No
No
RCE
CVE-2023-28226
Windows Enroll Engine Security Feature
Bypass Vulnerability
Important
5.3
No
No
SFB
CVE-2023-28221
Windows Error Reporting Service Elevation of
Privilege Vulnerability
Important
7
No
No
EoP
CVE-2023-24912
Windows Graphics Component Elevation of
Privilege Vulnerability
Important
7.8
No
No
EoP
CVE-2023-28276
Windows Group Policy Security Feature Bypass
Vulnerability
Important
4.4
No
No
SFB
CVE-2023-28238
Windows Internet Key Exchange (IKE) Protocol
Extensions Remote Code Execution Vulnerability
Important
7.5
No
No
RCE
CVE-2023-28244
Windows Kerberos Elevation of Privilege
Vulnerability
Important
8.1
No
No
EoP
CVE-2023-28298
Windows Kernel Denial of Service
Vulnerability
Important
5.5
No
No
DoS
CVE-2023-28222
Windows Kernel Elevation of Privilege
Vulnerability
Important
7.1
No
No
EoP
CVE-2023-28236
Windows Kernel Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2023-28248
Windows Kernel Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2023-28272
Windows Kernel Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2023-28293
Windows Kernel Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2023-28253
Windows Kernel Information Disclosure
Vulnerability
Important
5.5
No
No
Info
CVE-2023-28271
Windows Kernel Memory Information Disclosure
Vulnerability
Important
5.5
No
No
Info
CVE-2023-28237
Windows Kernel Remote Code Execution
Vulnerability
Important
7.8
No
No
RCE
CVE-2023-28235
Windows Lock Screen Security Feature Bypass
Vulnerability
Important
6.8
No
No
SFB
CVE-2023-28270
Windows Lock Screen Security Feature Bypass
Vulnerability
Important
6.8
No
No
SFB
CVE-2023-28217
Windows Network Address Translation (NAT)
Denial of Service Vulnerability
Important
7.5
No
No
DoS
CVE-2023-28247
Windows Network File System Information
Disclosure Vulnerability
Important
7.5
No
No
Info
CVE-2023-28240
Windows Network Load Balancing Remote Code
Execution Vulnerability
Important
8.8
No
No
RCE
CVE-2023-28225
Windows NTLM Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2023-28224
Windows Point-to-Point Protocol over
Ethernet (PPPoE) Remote Code Execution Vulnerability
Important
7.1
No
No
RCE
CVE-2023-28246
Windows Registry Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2023-28297
Windows Remote Procedure Call Service
(RPCSS) Elevation of Privilege Vulnerability
Important
8.8
No
No
EoP
CVE-2023-24931
Windows Secure Channel Denial of Service
Vulnerability
Important
7.5
No
No
DoS
CVE-2023-28233
Windows Secure Channel Denial of Service
Vulnerability
Important
7.5
No
No
DoS
CVE-2023-28234
Windows Secure Channel Denial of Service
Vulnerability
Important
7.5
No
No
DoS
CVE-2023-28241
Windows Secure Socket Tunneling Protocol
(SSTP) Denial of Service Vulnerability
Important
7.5
No
No
DoS
CVE-2023-28228
Windows Spoofing Vulnerability
Important
5.5
No
No
Spoofing
CVE-2023-28274
Windows Win32k Elevation of Privilege
Vulnerability
Important
7.8
No
No
EoP
CVE-2023-28284 *
Microsoft Edge (Chromium-based) Security
Feature Bypass Vulnerability
Moderate
4.3
No
No
SFB
CVE-2023-24935 *
Microsoft Edge (Chromium-based) Spoofing
Vulnerability
Low
N/A
No
No
Spoofing
CVE-2023-28301 *
Microsoft Edge (Chromium-based) Tampering
Vulnerability
Low
4.2
No
No
Tampering
* Indicates this CVE had been released prior to today.
Looking at the remaining Critical-rated patches, there’s another CVSS 9.8 bug in Pragmatic General Multicast (PGM) that’s similar to the MSMQ bug already discussed. However, this bug is listed as not exploitable as the Messaging Queue vulnerability. There’s a bug in the DHCP server, but it may not be as severe as it initially seems. It requires a network adjacent attacker to send an affected DHCP server a specially crafted RPC call. DHCP is not a routable protocol (or a secure one), so external threat actors can’t take advantage of this vulnerability. There are a couple of Critical-rated bugs in the Layer 2 Tunneling Protocol and the Point-to-Point Tunneling Protocol. We’ve seen plenty of similar bugs receive fixes over the last few months, but none have ever been reported as being exploited in the wild. The final Critical-rated bug impacts the Raw Image Extension. Viewing a specially-crafted file could allow code execution.
Moving on to the other code execution bugs, the first thing that jumps out are the 11 different patches for the PostScript and PCL6 Class Printer driver. It seems printers will continue to be a security issue for Microsoft for some time to come. There are also eight patches for DNS server to go along with the one already mentioned. These are less severe as they require the attacker to have elevated privileges. There’s a fix for RPC Runtime, but the description is confusing. While the CVSS state low permissions are needed, the description states an unauthenticated attacker could exploit this bug. There’s a patch for the Internet Key Exchange (IKE) protocol, but it requires the IKE and AuthIP IPsec Keying Modules to be running. Note that disabling either of these will adversely impact IPSec functionality, so if you are running these, patch rather than disable services. There’s an RCE bug in the Network Load Balancer that leave it open to network adjacent attackers. In this case, it’s recommended to upgrade to the newer Software Load Balancing service, which is listed as not affected. The Bluetooth component receives a patch that would require an attacker to be in close physical proximity to a target. Most of the remaining patches fix open-and-own bugs, including a rare Windows kernel RCE. Most kernel bugs are privilege escalations, so it’s interesting to see a RCE bug in the component.
There are roughly half as many elevation of privilege (EoP) patches as there are RCE patches, and the vast majority of these require an authenticated user to run specially crafted code to elevate to SYSTEM. There are a couple of exceptions worth noting. Both the Kerberos and the Netlogon RPC bugs require a man-in-the-middle (MiTM) attacker. The Kerberos bug could lead to a downgrade of a client’s encryption to the RC4-md4 cypher. An attacker could use this to compromise the user’s Kerberos session key to elevate privileges. Similarly, an MiTM attacker could intercept Netlogon RPC messages to modify Netlogon protocol traffic to elevate their privileges.
Seven different security feature bypass (SFB) bugs receive patches this month, and this continues the trend of increasing SFB bugs in each release. The first in the Azure Service Connector could allow attackers to bypass internal firewall restrictions. There are two different bugs in the Lock Screen that could allow it to by bypassed, but both of these would require physical access. That’s the same for the two bugs in the Windows Boot Manager. The bug in Group Policy is interesting as it would prevent an admin from updating group policies under certain circumstances. The patch for the Windows Enroll Engine fixes a bug that could bypass certificate validation during the account enrollment process. The final SFB bug is in the Driver Revocation List. As the name would imply, the bypass allows an attacker to modify the revocation list, thus allowing drivers to load that are otherwise banned.
Moving on to the information disclosure bugs receiving fixes this month, and almost all of them simply result in info leaks consisting of unspecified memory contents. While this may be useful when chaining bugs for an exploit, they aren’t very interesting on their own. The lone exception this month is the info disclosure bug in the Azure Machine Learning component. An attacker could use this bug to read (but not modify) system logs. Instead of a patch, you will need to upgrade your instance of Azure Machine Learning Compute to address the vulnerability.
There are three spoofing-related fixes in the April release. The first is in SharePoint and was reported by ZDI vulnerability researcher Piotr Bazydło. The bug allows a low-privileged attacker with site creation permissions to perform an NTLM relay exploit on affected SharePoint servers. There’s no real information on what the spoofing bugs in Visual Studio and Windows could lead to, but Microsoft does note the Windows spoofing bug require a target user to open a specially-crafted HTML application (HTA) file designed to appear as a signed Windows Imaging Format (WIM) file.
Looking at the denial-of-service (DoS) fixes for April, most of these have no additional information or documentation from Microsoft. The bugs in the Windows Secure Channel only impact devices running TLS version 1.3. The bug in the Network Address Translation (NAT) service is limited to attacker traffic inside the NAT firewall. Finally, the DoS bug in Microsoft Defender may already be remediated on your systems as the Malware Protection Engine is updated frequently. However, if you are in an isolated environment, you will need to manually apply the fix. Also note that Microsoft says the patch also includes “defense-in-depth updates to help improve security-related features,” but doesn’t document what those changes may be.
Finally, there are three cross-site scripting (XSS) bugs in Dynamics 365, which breaks the streak of five XSS bugs in Dynamics seen in the last two months. That’s we call a combo breaker.
No new advisories were released this month.
Looking Ahead
The next Patch Tuesday will be on May 9, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
Blog post Zero Day Initiative – Blog
