The March 2023 Security Update Review

Happy Pi Day, and welcome to the third Patch Tuesday of 2023 and the final Patch Tuesday before Pwn2Own Vancouver. Take a break from your regularly scheduled activities and join us as we review the details of the latest security offerings from Microsoft and Adobe.

Adobe Patches for March 2023

For March, Adobe released eight patches addressing 105 CVEs in Adobe Photoshop, Experience Manager, Dimension, Commerce, Substance 3D Stager, Cloud Desktop Application, and Illustrator. A total of 77 of these bugs were reported through the ZDI program. This is the largest Adobe update in quite some time. The patch for ColdFusion is listed as under active exploit. It fixes three bugs, including a Critical-rated code execution bug with a CVSS score of 9.8. This patch receives a deployment priority of 1 from Adobe as well.

The patch for Dimension is the largest of the bunch, with nearly 60 CVEs addressed by that patch alone. The update for Substance 3D Stager is also hefty, with 16 bugs fixed, many of which could lead to arbitrary code execution. The Experience Manager patch fixes 18 bugs, including several cross-site scripting (XSS) and open redirect issues.

The patch for Commerce includes a fix for an unauthenticated file system read. If you’re using the platform, a disclosure like this could prove costly. The updates for Photoshop and Illustrator address many open-and-own bugs that could lead to code execution at the level of the current user. The patch for Creative Cloud fixes a single, Critical-rated code execution bug.

None of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. With the exception of ColdFusion, Adobe assigns these updates a deployment priority rating of 3.

Microsoft Patches for March 2023

This month, Microsoft released 74 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Edge (Chromium-based); Microsoft Dynamics; Visual Studio; and Azure. This is in addition to four GitHub and two TPM CVEs that were previously released and are now being shipped for Microsoft products. Two of these CVEs were submitted through the ZDI program.

Of the patches released today, six are rated Critical, 67 are rated Important, and one is rated Moderate in severity. This volume seems to be the “new normal” for Microsoft releases. However, as we saw last month, remote code execution (RCE) bugs continue to dominate the release.

Two of the new CVEs are listed as under active attack at the time of release with one of those also being listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with one of the bugs under active attack:

– CVE-2023-23397 – Microsoft Outlook Spoofing Vulnerability
Although technically a spoofing bug, I would consider the result of this vulnerability to be an authentication bypass. The bug allows a remote, unauthenticated attacker to access a user’s Net-NTLMv2 hash just by sending a specially crafted e-mail to an affected system. This hash could then be used in a relay attack to impersonate the user, thus effectively bypassing authentication. Before you ask about the Preview Pane, know that this bug hits before the e-mail is even viewed in the Preview Pane, so disabling that feature has no impact. No information is provided regarding how widespread these attacks may be, but definitely test and deploy this fix quickly.

– CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the other bug listed as under active attack, although this one is much less exciting. The vulnerability allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen.

– CVE-2023-23392 – HTTP Protocol Stack Remote Code Execution Vulnerability
This CVSS 9.8 bug could allow a remote, unauthenticated attacker to execute code at SYSTEM level without user interaction. That combination makes this bug wormable – at least through systems that meet the target requirements. The target system needs to have HTTP/3 enabled and set to use buffered I/O. However, this is a relatively common configuration. Note that only Windows 11 and Windows Server 2022 are affected, which means this is a newer bug and not legacy code.

– CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
Will ICMP fragmentation bugs ever completely go away? I hope not, because I think they are neat. Here’s another potentially wormable bug resulting from an error message containing a fragmented IP packet in its header. It’s also a CVSS 9.8. The only caveat here is that an application on the target system must be bound to a raw socket. Not all applications do this, but the likelihood of one being available is high. Some organizations block ICMP at their perimeter, but doing this has some negative side effects – especially for remote troubleshooting.
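As an added example (not part of the original post), here is a small detector that a defender could run over raw IPv4 packets from a capture or IDS hook: it flags ICMP error messages whose quoted (inner) IP header describes a fragment, which is the traffic pattern the CVE-2023-23415 description above points at. The packet bytes are constructed for illustration and the checksum fields are left at zero; the detector does not verify checksums.

```python
import struct

# ICMP error types; each quotes the IP header of the datagram that caused the error
ICMP_ERROR_TYPES = {3: "destination-unreachable", 4: "source-quench",
                    5: "redirect", 11: "time-exceeded", 12: "parameter-problem"}
IP_MF = 0x2000            # "more fragments" flag bit in the flags/offset field
IP_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset


def parse_ipv4(buf: bytes) -> dict:
    """Decode the fixed 20-byte part of an IPv4 header (checksum is not verified)."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tot_len, _ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "protocol": proto,
        "is_fragment": bool(flags_off & IP_MF) or (flags_off & IP_OFFSET_MASK) != 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def inspect_icmp_error(packet: bytes):
    """Return a finding string for one raw IPv4 packet, or None if nothing stands out."""
    outer = parse_ipv4(packet)
    if outer["protocol"] != 1:                       # not ICMP
        return None
    icmp = packet[outer["ihl"]:]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None                                  # echo request/reply etc.
    kind = ICMP_ERROR_TYPES[icmp[0]]
    try:
        inner = parse_ipv4(icmp[8:])                 # quoted header follows the 8-byte ICMP header
    except ValueError as exc:
        return f"{outer['src']}->{outer['dst']} {kind}: malformed quoted IP header ({exc})"
    if inner["is_fragment"]:
        return (f"{outer['src']}->{outer['dst']} {kind}: quoted IP header is a fragment "
                f"(original {inner['src']}->{inner['dst']}, proto {inner['protocol']})")
    return None


# --- constructed sample traffic, not captured from any real attack ----------------
def ipv4(src: str, dst: str, proto: int, payload: bytes, flags_off: int = 0) -> bytes:
    """Build a minimal IPv4 datagram with a zero checksum (the detector ignores it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_off, 64,
                      proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def icmp_error(icmp_type: int, quoted: bytes) -> bytes:
    """ICMP error: type, code 0, zero checksum, 4 unused bytes, then the quoted datagram."""
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + quoted


UDP_STUB = b"\x00\x35\x00\x35\x00\x08\x00\x00"     # first 8 bytes of a UDP/DNS header
BENIGN = ipv4("10.0.0.1", "10.0.0.2", 1,
              icmp_error(3, ipv4("10.0.0.2", "10.0.0.9", 17, UDP_STUB)))
SUSPECT = ipv4("203.0.113.5", "10.0.0.2", 1,
               icmp_error(11, ipv4("10.0.0.2", "10.0.0.9", 17, UDP_STUB, flags_off=IP_MF | 0x10)))
ECHO = ipv4("10.0.0.1", "10.0.0.2", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspect", SUSPECT), ("echo", ECHO)):
        print(name, inspect_icmp_error(pkt))
```

A hit here is a reason to look closer at the source and at which local processes hold raw sockets, not proof of exploitation, since legitimate fragmented traffic can also produce such error messages.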

Here’s the full list of CVEs released by Microsoft for March 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-23397 | Microsoft Outlook Spoofing Vulnerability | Important | 9.1 | No | Yes | Spoofing |
| CVE-2023-24880 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate | 5.4 | Yes | Yes | SFB |
| CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-23415 | Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21708 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-23416 | Windows Cryptographic Services Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-23411 | Windows Hyper-V Denial of Service Vulnerability | Critical | 6.5 | No | No | DoS |
| CVE-2023-23404 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-1017 * | CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2023-1018 * | CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2023-23394 | Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-23409 | Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-22490 * | GitHub: CVE-2023-22490 Local clone-based data exfiltration with non-local transports | Important | 5.5 | No | No | Info |
| CVE-2023-22743 * | GitHub: CVE-2023-22743 Git for Windows Installer Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
| CVE-2023-23618 * | GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability | Important | 8.6 | No | No | RCE |
| CVE-2023-23946 * | GitHub: CVE-2023-23946 Git path traversal vulnerability | Important | 6.2 | No | No | EoP |
| CVE-2023-23389 | Microsoft Defender Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
| CVE-2023-24892 | Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability | Important | 7.1 | No | No | Spoofing |
| CVE-2023-24919 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-24879 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-24920 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-24891 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-24921 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 4.1 | No | No | XSS |
| CVE-2023-24922 | Microsoft Dynamics 365 Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-23396 | Microsoft Excel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2023-23399 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23398 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.1 | No | No | SFB |
| CVE-2023-24923 | Microsoft OneDrive for Android Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-24882 | Microsoft OneDrive for Android Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-24890 | Microsoft OneDrive for iOS Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2023-24930 | Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24864 | Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-24856 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24857 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24858 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24863 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24865 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24866 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24906 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24870 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24911 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-23403 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-23406 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-23413 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24867 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24907 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24868 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24909 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24872 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24913 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24876 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-23391 | Office for Android Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2023-23405 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2023-24908 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2023-24869 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2023-23383 | Service Fabric Explorer Spoofing Vulnerability | Important | 8.2 | No | No | Spoofing |
| CVE-2023-23395 | SharePoint Open Redirect Vulnerability | Important | 3.1 | No | No | Spoofing |
| CVE-2023-23412 | Windows Accounts Picture Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23388 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-24871 | Windows Bluetooth Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-23393 | Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-23400 | Windows DNS Server Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-24910 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24861 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-23410 | Windows HTTP.sys Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24859 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-23420 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23421 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23422 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23423 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23401 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23402 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23417 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23385 | Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-23407 | Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2023-23414 | Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2023-23418 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23419 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24862 | Windows Secure Channel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2023-23408 | Azure Apache Ambari Spoofing Vulnerability | Important | 4.5 | No | No | Spoofing |

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Taking a look at the remaining Critical-rated patches, there’s a CVSS 9.8 bug in the RPC Runtime that has some wormable potential. However, unlike ICMP, it is a good idea to block RPC traffic (specifically TCP port 135) at the perimeter, so this bug is much less likely to be widely exploited. The Critical-rated Hyper-V bug is a denial of service that could allow a guest OS to “affect the functionality of the Hyper-V host.” It’s not clear if that means a guest OS can shut off the whole server or just disable pieces, but it is best to patch rather than learn the hard way. There’s a Critical-rated bug in the cryptographic services that requires a malicious certificate to be imported into an affected system. That seems like it would require some social engineering at a minimum. Finally, there’s a fix for a bug in Point-to-Point Tunneling Protocol (PPTP) that’s technically wormable between RAS servers, but I don’t see that as being very likely.

Moving on to the other code execution bugs, the first that stand out are 10 different RCEs in the PostScript and PCL6 Class Printer Driver. These all seem to require some level of authentication, but as we’ve seen with other print-related bugs in the past, they still could be used by threat actors. There are three additional RCE bugs in the RPC Runtime, but these are listed as attack complexity high, which lowers their CVSS score. There’s a bug in the DNS Server that looks frightening at first glance, but a closer look reveals it needs high privileges to exploit. The vulnerability in the Bluetooth service seems interesting. An attacker could get RCE on a connected Bluetooth component, but Microsoft notes they would need access to “the restricted network” to run the exploit. It’s not clear if that means physical proximity to the target or some other connection to an affected system. There are a couple of “open-and-own” bugs in Excel and the Windows Media Player. Finally, there are two patches for PPPoE, but a threat actor would need to be network adjacent to exploit these bugs.

In addition to the SmartScreen bug already discussed, there are two Security Feature Bypass (SFB) vulnerabilities receiving fixes this month. The first is for Excel. If an attacker is able to convince a user to click “Enable Content”, Excel would not scan for malicious data as it normally would. With that level of social engineering and user interaction, it’s almost hard to consider this a true bypass, but kudos to Microsoft for fixing it anyway. The other SFB is in OneDrive for iOS. An attacker could use this to view files stored in a locked vault; however, it does require some form of authentication to exploit.

There are a fair number of Elevation of Privilege (EoP) bugs receiving patches this month, and the majority of these require the attacker to execute their code on a target to escalate privileges – typically to SYSTEM. The privilege escalation in http.sys was submitted to the ZDI by an anonymous researcher. It’s an integer overflow that could allow an attacker to escalate to SYSTEM. The escalation bug in the graphics component was reported to the ZDI by Marcin Wiązowski. It uses a use-after-free (UAF) vulnerability to get to SYSTEM. The vulnerability in Bluetooth looks intriguing since it would allow an attacker to escape AppContainer isolation. There’s an update for Defender, but you likely received that automatically. However, if you’re running isolated systems, you will need to manually apply the fix. Speaking of offline patches, the update for OneDrive for macOS is found in the App Store. If you don’t have automatic downloads for apps set up, you’ll need to get the patch from the store.

Looking at the information disclosure vulnerabilities receiving patches this month, the vast majority simply result in info leaks consisting of unspecified memory contents. There are a couple of exceptions. The bug in Microsoft Dynamics 365 could leak a verbose error message that attackers could use to create malicious payloads. The two bugs in OneDrive for Android could leak certain Android/local URIs that OneDrive can access. Again, you’ll need to get this patch from the Google Play store if you haven’t configured automatic app updates.

In addition to the Outlook spoofing bug already mentioned, five other spoofing vulns received fixes this month. The first is in the alliteratively-named Azure Apache Ambari, but Microsoft provides no further details about the bug. The bug in the Service Fabric could allow an attacker to escape the web client and execute their code on the target’s browser. However, Microsoft notes the user would need to click through a “sequence of multiple events” for exploitation. Also, note that you may need to manually update this component if you haven’t specifically enabled auto-updates. User interaction is also required for the SharePoint spoofing bug, but in this case, it’s just clicking a link. If an attacker can convince a user to follow a malicious link, the target could be redirected to a crafted site designed to look like a legitimate website. A similar bug is getting patched in the Edge (Chromium-based) browser. The final spoofing bug getting fixed this month also requires a target clicking a link – this time in Office for Android. The vulnerability allows an attacker to create a malicious link, application, or file and mask it as a non-threatening resource.

There are three additional DoS fixes released this month. There’s no additional info about the patches for Windows Secure Channel or the Internet Key Exchange (IKE) Extension. However, I would expect a successful exploit of these bugs to interfere with authentication processes. The DoS bug in Excel is different. I usually equate DoS bugs in Office apps to just killing the app when opening a crafted file. That’s not the case here. This bug would cause a resource exhaustion on the system when opening a malicious file. It’s not clear if this exhaustion would eventually clear or if a reboot would be required.

Finally, there are five cross-site scripting (XSS) bugs in Dynamics 365. There were also five XSS bugs in last month’s release, which makes this either a weird pattern or a weird coincidence.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday will be on April 11, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Originally published on the Zero Day Initiative blog.