
The January 2023 Security Update Review

Welcome to the first patch Tuesday of the new year. As expected, Adobe and Microsoft have released their latest fixes and updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for January 2023

For January, Adobe released four patches addressing 29 CVEs in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. A total of 22 of these bugs were submitted through the ZDI program. The update for Reader fixes 15 bugs, eight of which are rated Critical in severity. The most severe of these would allow arbitrary code execution if an affected system opened a specially crafted file. The patch for InDesign fixes six bugs, four of which are rated Critical. As with the Reader patch, opening a malicious file could result in code execution. That is also true for InCopy, which likewise received fixes for six CVEs. The update for Dimension addresses only two CVEs, but the fix also includes an update for its SketchUp dependencies. The old version carries a February 22 timestamp, while the version shipped today is stamped November 9.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe gives these updates a deployment priority rating of 3.

Microsoft Patches for January 2023

This month, Microsoft released 98 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; .NET Core and Visual Studio Code, 3D Builder, Azure Service Fabric Container, Windows BitLocker, Windows Defender, Windows Print Spooler Components, and Microsoft Exchange Server. A total of 25 of these CVEs were submitted through the ZDI program.

Of the 98 new patches released today, 11 are rated Critical and 87 are rated Important in severity. This volume is the largest we’ve seen from Microsoft for a January release in quite some time. It will be interesting to see if this volume of fixes continues throughout the year.

One of the new CVEs released this month is listed as publicly known and one is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:

–       CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
This is the one bug listed as under active attack this month. It allows a local attacker to escalate privileges from sandboxed execution inside Chromium to kernel-level execution and full SYSTEM privileges. Bugs of this type are often paired with some form of code execution to deliver malware or ransomware. Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here.

–       CVE-2023-21743 – Microsoft SharePoint Server Security Feature Bypass Vulnerability
You rarely see a Critical-rated Security Feature Bypass (SFB), but this one seems to qualify. This bug could allow a remote, unauthenticated attacker to make an anonymous connection to an affected SharePoint server. Sysadmins need to take additional measures to be fully protected from this vulnerability. To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update. Full details on how to do this are in the bulletin. Situations like this are why people who scream “Just patch it!” show they have never actually had to patch an enterprise in the real world.
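The "patched but not protected" state this bulletin describes is easy to land in: the binaries install, but the farm-level upgrade action never runs. The script below is an added example, not code from the ZDI post or from Microsoft, that checks whether the upgrade action has actually completed on every server and content database before optionally running it. It uses standard SharePoint cmdlets (Get-SPFarm, Get-SPServer, Get-SPContentDatabase, Upgrade-SPFarm); the post-update build number your farm should report is not assumed here, so compare $farm.BuildVersion against the bulletin for your SharePoint version.

```powershell
# Added example (not from the ZDI post): confirm that the SharePoint upgrade action
# required for CVE-2023-21743 has completed, rather than stopping at 'binaries installed'.
# Run from an elevated SharePoint Management Shell on a farm server.
$Remediate = $false   # set to $true to run the upgrade action on this server

if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Make the farm re-read which patches are installed locally before trusting NeedsUpgrade.
Get-SPProduct -Local | Out-Null

$farm = Get-SPFarm
Write-Host ("Farm build version : {0}" -f $farm.BuildVersion)   # compare with the bulletin
Write-Host ("Farm NeedsUpgrade  : {0}" -f $farm.NeedsUpgrade)

# Per-server and per-database upgrade state. $true means the update's binaries are
# present on that object but the upgrade action has not been run against it.
$pendingServers = @(Get-SPServer          | Where-Object { $_.NeedsUpgrade })
$pendingDbs     = @(Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade })

$pendingServers | ForEach-Object { Write-Warning ("server pending upgrade: {0}"     -f $_.Name) }
$pendingDbs     | ForEach-Object { Write-Warning ("content DB pending upgrade: {0}" -f $_.Name) }

if ($pendingServers.Count -eq 0 -and $pendingDbs.Count -eq 0 -and -not $farm.NeedsUpgrade) {
    Write-Host 'Upgrade action complete on every server and content database.'
}
elseif ($Remediate) {
    # Same work the SharePoint Products Configuration Wizard (PSConfig) performs.
    # Run on each server that reports NeedsUpgrade; it restarts SharePoint services and
    # IIS application pools, so schedule it as farm maintenance. Databases are skipped
    # here so the per-server step is fast; upgrade them once afterwards with
    # Upgrade-SPContentDatabase (or Upgrade-SPFarm without the -Skip* switches).
    Upgrade-SPFarm -ServerOnly -SkipDatabaseUpgrade -SkipSiteUpgrade -Force
}
```

Run it read-only first (the default) on each server; only when every object reports NeedsUpgrade = False and the farm build matches the bulletin is the SFB actually closed.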

–       CVE-2023-21763/CVE-2023-21764 – Microsoft Exchange Server Elevation of Privilege Vulnerability
These bugs were found by ZDI researcher Piotr Bazydło and result from a failed patch of CVE-2022-41123. As such, these vulnerabilities were reported under our new timelines for bugs resulting from incomplete patches. Thanks to the use of a hard-coded path, a local attacker could load their own DLL and execute code at the level of SYSTEM. A recent report showed nearly 70,000 unpatched Exchange servers that were accessible from the internet. If you’re running Exchange on-prem, please test and deploy all the Exchange fixes quickly, and hope that Microsoft fixed these bugs correctly this time.
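The precondition for a hard-coded-path DLL load turning into SYSTEM code execution is a directory on that path that an ordinary user can write to, or a directory that does not exist whose nearest existing parent lets a user create it. The audit below is an added example, not part of the ZDI post and not a description of the Exchange bug's actual path: it walks a list of candidate directories, finds the nearest existing ancestor of any that are missing, and reports Allow ACEs granting low-privilege principals rights sufficient to plant or replace a file. The two paths in $PathsToAudit are placeholders; substitute the directories your own service resolves (Process Monitor "Load Image" and "NAME NOT FOUND" events on the service process show them).

```powershell
# Added example (not part of the ZDI post): audit directories a privileged service
# resolves on a fixed path for ACEs that let low-privilege users plant a DLL.
$PathsToAudit = @(
    'C:\Program Files\Microsoft\Exchange Server\V15\Bin',  # placeholder: an install directory
    'C:\Exchange\Plugins'                                  # placeholder: a path that may not exist
)

# Principals every local user is a member of. Add broad custom groups here as needed.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating a file in the directory, replacing an existing one, or
# rewriting the ACL to grant yourself those rights. Modify, Write and FullControl all
# include at least one of these bits, so the mask catches them too.
$PlantMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-PlantableDirectory {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($requested in $Path) {
        # A hard-coded directory that does not exist is still exploitable if the nearest
        # existing ancestor lets a user create it, so walk up until something exists.
        $probe = $requested
        while (-not (Test-Path -LiteralPath $probe -PathType Container)) {
            $parent = Split-Path -LiteralPath $probe -Parent
            if ([string]::IsNullOrEmpty($parent) -or $parent -eq $probe) { break }
            $probe = $parent
        }
        if (-not (Test-Path -LiteralPath $probe -PathType Container)) { continue }

        $acl = Get-Acl -LiteralPath $probe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $PlantMask) -eq 0) { continue }
            [pscustomobject]@{
                Requested = $requested
                Audited   = $probe
                Missing   = ($probe -ne $requested)   # $true: attacker would create the directory
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-PlantableDirectory -Path $PathsToAudit | Format-Table -AutoSize
```

Any row is a finding: a SYSTEM service loading from that location can be hijacked by whoever matches the principal. The check deliberately ignores Deny ACEs and share-level permissions, so treat a clean result as necessary rather than sufficient.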

Here’s the full list of CVEs released by Microsoft for January 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-21674 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 8.8 | No | Yes | EoP |
| CVE-2023-21549 | Windows Workstation Service Elevation of Privilege Vulnerability | Important | 8.8 | Yes | No | EoP |
| CVE-2023-21561 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2023-21551 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | EoP |
| CVE-2023-21743 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Critical | 8.2 | No | No | SFB |
| CVE-2023-21730 | Windows Cryptographic Services Remote Code Execution Vulnerability | Critical | 7.8 | No | No | EoP |
| CVE-2023-21543 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-21546 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-21555 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-21556 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-21679 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-21535 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-21548 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-21538 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21780 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21781 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21782 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21784 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21786 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21791 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21793 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21783 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21785 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21787 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21788 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21789 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21790 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21792 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21531 | Azure Service Fabric Container Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-21563 | BitLocker Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
| CVE-2023-21536 | Event Tracing for Windows Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2023-21753 | Event Tracing for Windows Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21547 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21724 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21764 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21763 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21761 | Microsoft Exchange Server Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-21762 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
| CVE-2023-21745 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
| CVE-2023-21537 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21732 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21734 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21735 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21741 | Microsoft Office Visio Information Disclosure Vulnerability | Important | 7.1 | No | No | Info |
| CVE-2023-21736 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21737 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-21738 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2023-21744 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21742 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21681 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21725 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
| CVE-2023-21779 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2023-21768 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21539 | Windows Authentication Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-21752 | Windows Backup Service Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-21733 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-21739 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-21560 | Windows Boot Manager Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB |
| CVE-2023-21726 | Windows Credential Manager User Interface Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21540 | Windows Cryptographic Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21550 | Windows Cryptographic Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21559 | Windows Cryptographic Services Information Disclosure Vulnerability | Important | 6.2 | No | No | Info |
| CVE-2023-21525 | Windows Encrypting File System (EFS) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
| CVE-2023-21558 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21552 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21532 | Windows GDI Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-21542 | Windows Installer Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-21683 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21677 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21758 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21527 | Windows iSCSI Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21755 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21754 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21747 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21748 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21749 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21772 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21773 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21774 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21675 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21750 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-21776 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21757 | Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21557 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21676 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-21524 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21771 | Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-21728 | Windows Netlogon Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-21746 | Windows NTLM Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21767 | Windows Overlay Filter Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21766 | Windows Overlay Filter Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2023-21682 | Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2023-21760 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-21765 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21678 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21759 | Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability | Important | 3.3 | No | No | SFB |
| CVE-2023-21541 | Windows Task Scheduler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-21680 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |

Looking at the remaining Critical-rated fixes, I already mentioned the other two patches for Cryptographic Services, but these are privilege escalations rather than RCEs. There are five patches for the Layer 2 Tunneling Protocol (L2TP), which was introduced back in Windows 2000. An unauthenticated attacker could send a specially crafted connection request to a RAS server to get code execution. Microsoft lists exploit complexity as high due to the exploit needing to win a race condition, but you should not rely on that mitigation. The same is true for the two bugs in Secure Socket Tunneling Protocol (SSTP).

Moving to the other 25 code execution bugs fixed in this release, there are 14 fixes for the 3D Builder component reported by ZDI researcher Mat Powell. All of these require the user to open a maliciously crafted file to get code execution at the level of the logged-on user. That’s also true for the other Visual Studio and Office-related bugs, including two of the Visio bugs, which were also reported by Mr. Powell. There’s a fix for an LDAP bug, which normally would concern me. However, in this case, it’s listed as requiring authentication. There’s an RCE bug in Windows Authentication, but the description is confusing. According to Microsoft, “An attacker must already have access and the ability to run code on the target system.” Hopefully, the researchers who reported the bug will provide more information. There are two fixes for SharePoint RCE bugs that require authentication. However, every user has the permissions required to exploit these bugs by default. There are a couple of SQL-related fixes. The first is in the ODBC driver. An attacker can execute code if they can convince an authenticated user to connect to a malicious SQL server via ODBC. It’s a similar scenario for the WDAC OLE DB provider for SQL component.

Including those already mentioned, there are a total of 38 Elevation of Privilege (EoP) bugs receiving patches this month. The vast majority of these require the attacker to execute their code on a target in order to escalate privileges – typically to SYSTEM. However, a few stand out. The publicly-known bug in the Workstation Service could actually be hit remotely through RPC. If successful, an attacker could run RPC functions that are normally restricted to local clients only. However, it only affects systems with less than 3.5 GB of RAM, so feel free to use this as justification to buy more RAM. There are three fixes for the Print Spooler, and one of these was reported by the National Security Agency. One of the escalations in LSA leads to executing code as the group Managed Service Account (gMSA), an exception to the SYSTEM escalations. The bug in the Backup Service could allow for either privilege escalation or data deletion. The same goes for the vulnerability in Defender. Finally, the fix for Azure Service Fabric addresses a vulnerability that impacts Service Fabric clusters orchestrated by Docker. To be protected, you need to manually update your Service Fabric cluster and enable and configure the “BlockAccessToWireServer” feature flag.

There are fixes for 11 different information disclosure bugs this month, and seven of these merely result in info leaks consisting of unspecified memory contents. The others are much more interesting. To start, there are three bugs in the Cryptographic Service that result in disclosing “Windows cryptographic secrets.” One of these bugs was reported by Canada’s Communications Security Establishment – similar to the USA’s NSA. I would think they know a thing or two about crypto. There’s an info disclosure bug in Exchange, but Microsoft simply states that it could result in disclosing “sensitive information.”

Looking at the security feature bypasses, there are patches for three more in addition to the SharePoint bug already mentioned above. One is for BitLocker and could allow a physical attacker to gain access to encrypted data. Physical access is also a requirement for the SFB in the Boot Manager. If you’re relying on these to protect systems from theft and other physical attacks, make sure you get these patches. The bypass in Smart Card Resource Management Server could allow an attacker to gain access to data related to FIDO keys managed on an affected system.

The January release fixes 10 different Denial-of-Service (DoS) bugs. Microsoft provides no real detail about these bugs, so it isn’t clear if successful exploitation results in the service stopping or the system crashing. I would be most concerned about the bugs in the Netlogon and LDAP services as a successful DoS attack on these components would significantly impact an enterprise. 
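Several of the bugs discussed in the RCE, EoP and DoS paragraphs above are only reachable when a particular role or service is present: the L2TP and SSTP RCEs need a RAS server accepting connections, the Workstation Service bug only affects hosts with under 3.5 GB of RAM, the Print Spooler EoPs need the spooler running, the Exchange bugs need on-prem Exchange, and the Netlogon and LDAP DoS bugs matter most on domain controllers. The script below is an added example, not part of the ZDI post, that triages a host against those conditions so that the order of patching (or of temporary mitigation) can be decided per machine. It reports exposure only; it does not check whether the update is installed, since KB numbers differ by OS build and are not given in the post. Service names, the 3.5 GB threshold and the DomainRole values are the standard Windows ones; the ALPC entry is marked exposed unconditionally because no configuration mitigates it.

```powershell
# Added example (not part of the ZDI post): local exposure triage for the January 2023
# Windows bugs discussed above. Run elevated. Reports attack surface present on this
# host; it does NOT verify that the update itself is installed.
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Area, [string]$Cves, [bool]$Exposed, [string]$Detail)
    $script:findings.Add([pscustomobject]@{ Area = $Area; CVEs = $Cves; Exposed = $Exposed; Detail = $Detail })
}

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# CVE-2023-21674 (in the wild): ALPC exists on every Windows host and nothing short of
# the patch removes the exposure, so it is always reported as exposed.
Add-Finding 'ALPC' 'CVE-2023-21674' $true 'Exploited in the wild; patch first'

# CVE-2023-21549 (publicly known): reachable over RPC, but Microsoft notes it only
# affects systems with less than 3.5 GB of RAM.
$ramGB = $cs.TotalPhysicalMemory / 1GB
Add-Finding 'Workstation Service' 'CVE-2023-21549' ($ramGB -lt 3.5) ('{0:N2} GB RAM' -f $ramGB)

# Five L2TP and two SSTP Critical RCEs: an unauthenticated attacker needs a RAS server
# accepting connections, i.e. the Routing and Remote Access service running.
$ras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$rasState = if ($ras) { [string]$ras.Status } else { 'not installed' }
Add-Finding 'RAS (L2TP/SSTP)' 'CVE-2023-21543/21546/21555/21556/21679, CVE-2023-21535/21548' `
    ($rasState -eq 'Running') "RemoteAccess service: $rasState"

# Three Print Spooler EoPs: stop and disable the spooler on hosts that neither print
# nor share printers.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerState = if ($spooler) { [string]$spooler.Status } else { 'not installed' }
Add-Finding 'Print Spooler' 'CVE-2023-21678/21760/21765' ($spoolerState -eq 'Running') "Spooler service: $spoolerState"

# Exchange EoP, info disclosure and spoofing bugs: only on-prem servers, which run the
# Exchange transport service.
$exch = Get-Service -Name MSExchangeTransport -ErrorAction SilentlyContinue
Add-Finding 'Exchange Server' 'CVE-2023-21745/21761/21762/21763/21764' ($null -ne $exch) `
    $(if ($exch) { 'On-prem Exchange present' } else { 'not installed' })

# Netlogon and LDAP DoS/RCE: the enterprise impact is on domain controllers.
# Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
$role = [int]$cs.DomainRole
Add-Finding 'Domain controller (Netlogon/LDAP)' 'CVE-2023-21557/21676/21728' ($role -ge 4) "DomainRole = $role"

$findings | Sort-Object -Property Exposed -Descending | Format-Table -AutoSize
```

Exposed rows are the ones to patch first or to mitigate (stop the spooler, take the RAS listener offline) while the update is tested; a clean triage does not remove the need to install the full release, since the kernel, GDI, Win32k and other EoPs apply to every host.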

Finally, there are two spoofing bugs in Exchange Server receiving fixes, although the descriptions imply a different impact. One notes that successful exploitation could disclose NTLM hashes, which I would describe as info disclosure. The other notes an authenticated attacker could achieve exploitation given a PowerShell remoting session to the server, which would probably classify as privilege escalation. Regardless, make sure you update your Exchange server to ensure you remediate the multiple bugs being fixed this month.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2023 will be on February 14, which also happens to be a pretty romantic holiday – the first day of Pwn2Own Miami! We’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Source: Zero Day Initiative – Blog