The May 2023 Security Update Review

It’s Patch Tuesday once again, and Adobe and Microsoft have released their monthly batch of security updates. Take a break from your regularly scheduled activities and join us as we review the details of the latest offerings from Microsoft and Adobe. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for May 2023

For May, Adobe released a single bulletin for Substance 3D Painter addressing 11 Critical-rated and 3 Important-rated vulnerabilities. All of these bugs were found and reported by ZDI vulnerability researcher Mat Powell. The most severe of these issues would allow an attacker to execute arbitrary code on an affected system if they can convince a user to open a specially crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for May 2023

This month, Microsoft released 38 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Microsoft Edge (Chromium-based); SharePoint Server; Visual Studio; SysInternals; and Microsoft Teams. This is in addition to 11 CVEs in Chromium that were previously released for Edge and are now being documented in the Security Updates Guide.

A total of four of these bugs were submitted through the ZDI program. This includes three SharePoint fixes that were reported during the most recent Pwn2Own Vancouver competition. However, none of the other bugs reported at that event have yet been addressed by Microsoft.

Of the new patches released today, seven are rated Critical and 31 are rated Important in severity. May tends to be a smaller month for fixes historically, but this month’s volume is the lowest since August 2021. However, considering just the number of ZDI cases waiting to be patched, this number is expected to rise in the coming months.

One of the new CVEs is listed as under active attack and two are listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the one bug under active attack:

– CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability
This is the one bug listed as being under active attack at the time of release, and you must go all the way back to May of last year before you find a month where there wasn’t at least one Microsoft bug under active attack. This type of privilege escalation is usually combined with a code execution bug to spread malware. Considering this was reported by an AV company, that seems the likely scenario here. As always, Microsoft offers no information about how widespread these attacks may be.

– CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability
While the title says OLE, when it comes to this bug, the real component to worry about is Outlook. This vulnerability allows an attacker to execute their code on an affected system by sending a specially crafted RTF e-mail. The Preview Pane is an attack vector, so a target doesn’t even need to read the crafted message. And while Outlook is the more likely exploit vector, other Office applications are also impacted. This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. Although Microsoft offers some workarounds, it’s a better idea to test and deploy this update quickly.

– CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability
This bug has been given a CVSS of 9.8 and allows a remote, unauthenticated attacker to run arbitrary code on an affected system with elevated privileges. No user interaction is required. Another interesting thing about this vulnerability is that it exists in NFS version 4.1 but not versions NFSv2.0 or NFSv3.0. You can mitigate this bug by downgrading to a previous version, but Microsoft warns that you should not use this mitigation unless you have the CVE-2022-26937 patch from May 2022 installed. The better idea is to test and deploy this month’s fix instead.

– CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This bug was demonstrated by the STAR Labs team during Pwn2Own Vancouver and was part of a chain used to obtain code execution on the target server. While this specific bug requires authentication, during the contest, it was combined with an authentication bypass. This is what would happen in real-world scenarios as well. Although there are other SharePoint fixes being released this month, additional patches will be required to fully address what was disclosed. Hopefully, we’ll see the remaining Pwn2Own fixes in the coming months.
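For the NFS item above (CVE-2023-24941), here is a guarded version of the interim mitigation, as an added example that is not from Microsoft or the original post. It assumes a Windows host with the Server for NFS role, and `$MinimumUbr` is a placeholder: supply the update revision that contains the CVE-2022-26937 fix for your OS build, taken from Microsoft's advisory.

```powershell
# Added example: guarded NFSv4.1 mitigation for CVE-2023-24941 on a Windows NFS server.
# $MinimumUbr is a placeholder (not from the original post): the update revision (UBR)
# that includes the May 2022 CVE-2022-26937 fix for this OS build.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [int]$MinimumUbr
)

$ErrorActionPreference = 'Stop'

# Report which NFS protocol versions the server currently offers.
$nfs = Get-NfsServerConfiguration
Write-Output ("NFSv2={0} NFSv3={1} NFSv4.1={2}" -f $nfs.EnableNFSV2, $nfs.EnableNFSV3, $nfs.EnableNFSV4)

if (-not $nfs.EnableNFSV4) {
    Write-Output 'NFSv4.1 is already disabled; nothing to change.'
    return
}

# Cumulative updates raise UBR, so it shows whether the older NFSv2/v3 fix is present.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ([int]$cv.UBR -lt $MinimumUbr) {
    Write-Warning ("Build {0}.{1} predates the CVE-2022-26937 fix; falling back to NFSv2/v3 would expose that bug. Install updates first." -f $cv.CurrentBuildNumber, $cv.UBR)
    return
}

# Clients that mount over NFSv4.1 will have to reconnect with NFSv3 after this change.
if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable NFSv4.1 and restart Server for NFS')) {
    Set-NfsServerConfiguration -EnableNFSV4 $false
    # Restart the NFS server so the new protocol setting takes effect.
    nfsadmin server stop
    nfsadmin server start
    Get-NfsServerConfiguration | Select-Object EnableNFSV2, EnableNFSV3, EnableNFSV4
}
```

Run it with `-WhatIf` first to see the planned change without applying it; once this month's update is installed, NFSv4.1 can be re-enabled with `Set-NfsServerConfiguration -EnableNFSV4 $true`.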

Here’s the full list of CVEs released by Microsoft for May 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | Critical | 8.1 | Yes | No | RCE |
| CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | Important | 6.7 | Yes | No | SFB |
| CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 7.2 | No | No | RCE |
| CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-29324 | Windows MSHTML Platform Elevation of Privilege Vulnerability | Critical | 7.5 | No | No | EoP |
| CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-29340 | AV1 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-29341 | AV1 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-29333 | Microsoft Access Denial of Service Vulnerability | Important | 3.3 | No | No | DoS |
| CVE-2023-29350 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2023-24953 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-29344 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-24954 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24950 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2023-24881 | Microsoft Teams Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-29335 | Microsoft Word Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2023-24905 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28290 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-24942 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-24939 | Server for NFS Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-29343 | SysInternals Sysmon for Windows Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-29338 | Visual Studio Code Information Disclosure Vulnerability | Important | 5 | No | No | Info |
| CVE-2023-24902 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24946 | Windows Backup Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24948 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 7.4 | No | No | EoP |
| CVE-2023-24944 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24947 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28251 | Windows Driver Revocation List Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
| CVE-2023-24899 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-24904 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-24945 | Windows iSCSI Target Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-24949 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24901 | Windows NFS Portmapper Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-24900 | Windows NTLM Security Support Provider Information Disclosure Vulnerability | Important | 5.9 | No | No | Info |
| CVE-2023-24940 | Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-24898 | Windows SMB Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-29354 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Moderate | 4.7 | No | No | SFB |
| CVE-2023-2459 * | Chromium: CVE-2023-2459 Inappropriate implementation in Prompts | Medium | N/A | No | No | RCE |
| CVE-2023-2460 * | Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions | Medium | N/A | No | No | RCE |
| CVE-2023-2462 * | Chromium: CVE-2023-2462 Inappropriate implementation in Prompts | Medium | N/A | No | No | RCE |
| CVE-2023-2463 * | Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode | Medium | N/A | No | No | RCE |
| CVE-2023-2464 * | Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture | Medium | N/A | No | No | RCE |
| CVE-2023-2465 * | Chromium: CVE-2023-2465 Inappropriate implementation in CORS | Medium | N/A | No | No | RCE |
| CVE-2023-2466 * | Chromium: CVE-2023-2466 Inappropriate implementation in Prompts | Low | N/A | No | No | RCE |
| CVE-2023-2467 * | Chromium: CVE-2023-2467 Inappropriate implementation in Prompts | Low | N/A | No | No | RCE |
| CVE-2023-2468 * | Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture | Low | N/A | No | No | RCE |

* Indicates this CVE had been released prior to today.

 

Looking at the remaining Critical-rated patches, there’s another CVSS 9.8 bug in Pragmatic General Multicast (PGM) that looks identical to the PGM bug patched last month. This could indicate a failed patch or, more likely, a wide attack surface in PGM that is just starting to be explored. There are patches for Critical-rated bugs in the LDAP and SSTP protocols. Finally, there’s an intriguing bug in MSHTML that could allow a remote attacker to escalate to administrator privileges. Microsoft doesn’t provide details here, but they do note some level of privileges are required. As written, it reads as though an authenticated user could browse to a site and gain administrative rights.

Moving on to the other code execution bugs fixed this month, there are the standard open-and-own bugs in Office products. There are a couple of fixes for the AV1 Video Extensions, which are not installed by default. These updates are available from the Windows Store, so if you’re in a disconnected environment, you’ll need to manually apply these fixes. The code execution bug in RDP is somewhat troubling, but it’s client not server, so that lessens the severity a bit. The bug in Bluetooth requires the attacker to be in close physical proximity. The final RCE patch for May fixes a bug in the NuGet package manager client. Microsoft provides no details on the attack scenario, but it’s likely a client would need to connect to a specially crafted .NET project to be exploited.

In addition to the two already mentioned, there are eight other elevation of privilege (EoP) bugs being fixed this month. Most of these require an authenticated user to run specially crafted code, resulting in code execution at the level of SYSTEM. Like the Bluetooth RCE, the EoP in Bluetooth requires close proximity. The bug in Windows Installer only allows an attacker to delete targeted files rather than escalate to SYSTEM.

There are four security feature bypass (SFB) vulnerabilities being patched this month, including a publicly known bypass of the Secure Boot feature. As is typical, Microsoft does not provide information on where this vulnerability is public; however, they do provide some additional information about configuration guidance resulting from this change. The bypass in Word would allow attackers to evade Office Protected View. The fix for Edge addresses a bug that could allow an iFrame sandbox escape, but not a full browser sandbox escape. The bug in the Driver Revocation List would allow an attacker to bypass the revocation list feature by modifying it and thus impact the integrity of that list.

The May release contains eight fixes for information disclosure bugs, including a SharePoint bug that was disclosed as a part of Pwn2Own. It was another piece of the SharePoint exploit chain mentioned above. For the most part, the remaining info disclosure bugs merely result in info leaks consisting of unspecified memory contents. There are some notable exceptions. The info disclosure in RDP Client could allow the recovery of plaintext information from TLS-protected data. The vulnerability in Teams could allow an attacker to disclose various “sensitive data,” including a user’s full trust token. Although not specified, it’s possible this token could be replayed to impersonate a user. The last info disclosure fix is for Visual Studio. This bug allows attackers to disclose NTLM hashes. Again, it’s possible these hashes could be passed to impersonate other users.

There are five fixes for denial-of-service (DoS) bugs in the release, and four of these are mostly unremarkable. The fifth, however, impacts only the hotpatch version of Windows Server 2022. It also impacts SMB over QUIC, which is a rather interesting VPN-like functionality for SMB. Apart from the DoS in Access, it’s unclear if any of these bugs blue screen the system or merely interrupt service operations. The bug in Access impacts the database connectivity but doesn’t fully deny service.

Finally, there is a spoofing bug in SharePoint receiving a patch this month. It was reported through the ZDI program by an anonymous researcher and could allow an authenticated attacker to cause the server to leak its NTLM hash. Any user on the SharePoint site has the needed permissions.

No new advisories were released this month, but there was a patch re-release of note. CVE-2022-26928 was re-released to add security updates for all affected versions of Microsoft Windows. Microsoft indicates these new updates are needed to “fully address” the bug, which sounds like the original fix from last year was incomplete. Regardless, ensure you don’t miss applying this update to your systems – again.

Looking Ahead

The next Patch Tuesday will be on June 13, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
