As we enter the first second Tuesday of the year, Microsoft has released its latest security updates and fixes. We invite you to join us as we review and discuss the particulars of these essential security patches.
Microsoft Patches for January 2023
Microsoft has released 98 new patches addressing vulnerabilities in a wide range of products, including Windows and Windows Components, Office and Office Components, 3D Builder, Windows Print Spooler Components, Microsoft Exchange Server, .NET Core and Visual Studio Code, Azure Service Fabric Container, Windows Defender, and Windows BitLocker.
Out of 98 patches, 11 are rated critical, and 87 are rated important. This large volume of patches is unusual for a January release from Microsoft, and it is momentous to see if this trend continues throughout the year 2023. Additionally, one of the newly addressed vulnerabilities is known to be public, and one is known to be actively exploited at the time of release.
Microsoft End-of-Support Product
Windows 7, Windows Server 2008, and Windows Server 2008 R2 have reached the end of their Extended support from Microsoft, which means that the company will no longer provide frequent updates or security patches for these operating systems. This signifies that users of these systems will no longer be protected against new security vulnerabilities and may be at increased risk of malware and further cyber-attacks.
Users of these systems must upgrade to a newer version of Windows or Windows Server as soon as possible to ensure persistent security and stability.
Users who cannot upgrade their systems instantly can consider limiting system access to the internet for specific trusted tasks and regularly backing up important data to a separate location.
Note that some software built for the older version of windows may have a problem running on the newer version of windows, so it’s essential to check the compatibility of the software before upgrading.
We have already implemented QIDs in production that cover EOL systems, regardless of whether they are EUS or not, and there is no need for further updates to the signatures.
Here is the list of QID that can be used:
- 105793: EOL/Obsolete Operating System: Microsoft Windows 7 Detected
- 105858: EOL/Obsolete Operating System: Microsoft Windows Server 2008 Detected
- 105859: EOL/Obsolete Operating System: Microsoft Windows Server 2008 R2 Detected
Microsoft plans to retire or end supporting more products in 2023. Once these products reach retirement or end of support, users will no longer receive any new security updates, non-security updates, free or paid assisted support options, or online technical content updates.
It is vital to note that the lack of security updates and support can leave systems and devices using these products vulnerable to security threats and potential vulnerabilities. It is crucial to promptly upgrade to the more recent version of products and/or alternative solutions to ensure ongoing security and stability.
For more information on these products and their end-of-support schedule, please visit the Microsoft lifecycle page at https://learn.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2023
Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.
The January 2023 Microsoft vulnerabilities are classified as follows:
|Elevation of Privilege Vulnerability||39||Important: 36
|Remote Code Execution Vulnerability||33||Important: 26
|Information Disclosure Vulnerability||10||Important: 10|
|Security Feature Bypass Vulnerability||4||Critical: 1
|Denial of Service Vulnerability||10||Important: 10|
|Spoofing Vulnerability||2||Important: 2|
Notable and Critical Microsoft Vulnerabilities Patched
CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
The vulnerability identified as CVE-2023-21674 is a Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. Attackers are actively exploiting this vulnerability to gain kernel-level execution and SYSTEM privileges. It allows a local attacker to escalate privileges from sandboxed execution inside Chromium. This nature’s vulnerability is frequently leveraged in tandem with malware or ransomware delivery. This vulnerability was reported to Microsoft by researchers from Avast, indicating a potential risk of such malicious activity.
CVE-2023-21743 – Microsoft SharePoint Server Security Feature Bypass Vulnerability
The recently discovered vulnerability, designated as CVE-2023-21743, affects the security features of the Microsoft SharePoint Server and has been rated as critical. An unauthenticated, remote attacker may exploit this vulnerability to launch and establish an anonymous connection to the concerned SharePoint server, thereby bypassing security criteria.
As a result, it is highly advised that system administrators take prompt action to mitigate this vulnerability and upgrade the affected SharePoint Server using the update provided.
CVE-2023-21763, CVE-2023-21764 – Microsoft Exchange Server Elevation of Privilege Vulnerability
The vulnerability designated as CVE-2023-21763 and CVE-2023-21764 in Microsoft Exchange Server has been identified as an Elevation of Privilege vulnerability. This vulnerability arises from failing to patch a previously identified issue, designated as CVE-2022-41123 properly. Due to a hard-coded file path, a local attacker may be able to load their own DLL and execute code with SYSTEM-level privileges. It is strongly recommended that users running Exchange tests deploy all necessary Exchange fixes promptly to mitigate this vulnerability.
CVE-2023-21730, CVE-2023-21561, CVE-2023-21551 – Microsoft Cryptographic Services Elevation of Privilege Vulnerability
The vulnerabilities designated as CVE-2023-21730, CVE-2023-21561, and CVE-2023-21551 in Microsoft Cryptographic Services have been recognized as Elevation of Privilege vulnerabilities. These vulnerabilities can be exploited by a locally authenticated attacker who sends specially crafted data to the local CSRSS service. This allows attackers to elevate their privileges from an AppContainer environment to SYSTEM-level access.
It is important to note that these bugs have not yet been publicly disclosed and currently do not have any known exploitation in the wild, making the likelihood of successful exploitation relatively low. However, it is still crucial to take necessary protection to ensure that the system is secured.
AppContainer is considered a secure boundary, and any process that can bypass this boundary means a change in scope. An attacker who successfully exploits these vulnerabilities would be able to execute code or access resources at a higher integrity level than the AppContainer execution environment.
To exploit this vulnerability, an attacker would require valid credentials and must be able to log on locally to a targeted system. An attacker who successfully exploits this vulnerability could gain SYSTEM-level privileges.
CVE-2023-21679, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556, CVE-2023-21543 – Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
These vulnerabilities in Windows Layer 2 Tunneling Protocol (L2TP) have been identified as Remote Code Execution vulnerabilities.
These vulnerabilities can be exploited by an unauthenticated attacker who sends a specially crafted connection request to a RAS (Remote Access Server) server. This could lead to remote code execution (RCE) on the RAS server machine. It is essential to mention that successfully exploiting these vulnerabilities requires an attacker to take additional actions to prepare the target environment and win a race condition.
While these vulnerabilities have been discovered and reported, there has been no indication that these vulnerabilities have been actively exploited.
CVE-2023-21535, CVE-2023-21548 – Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
These vulnerabilities in Windows Secure Socket Tunneling Protocol (SSTP) are identified as Remote Code Execution vulnerabilities. These vulnerabilities can be exploited by an attacker who sends a specially crafted malicious SSTP packet to an SSTP server. This could result in remote code execution on the server side.
It is essential to note that successfully exploiting these vulnerabilities requires the attacker to win a race condition. While Microsoft has listed the exploit complexity as high due to this requirement, it is vital to rely on something other than that mitigation. It is advised to apply patches. Additionally, monitoring for suspicious activity on the affected systems and implementing network segmentation can also help to limit the potential impact of an exploitation attempt.
Other Microsoft Vulnerability Highlights
For the SharePoint platform, there are two fixes for remote code execution (RCE) bugs, but both require authentication. However, these bugs can be exploited by any user with default permissions.
There are also several fixes for SQL-related vulnerabilities. One is in the ODBC driver, where an attacker can execute code to convince an authenticated user to connect to a malicious SQL server via ODBC.
There are 14 fixes for vulnerabilities found in the 3D Builder component. These vulnerabilities can be exploited by opening a maliciously crafted file, allowing an attacker to gain code execution at the same level as the logged-in user. The same is true for other bugs related to Visual Studio and Office, including two in Visio.
This month, 38 patches are released for Elevation of Privilege (EoP) vulnerabilities. Most of these bugs require an attacker to execute code on a target machine to escalate privileges, generally to the SYSTEM level.
One publicly known bug in the Workstation Service can be exploited remotely through Remote Procedure Call (RPC), allowing attackers to run restricted RPC functions on systems with less than 3.5 GB of RAM.
One of the privilege escalation bugs in the Local Security Authority (LSA) leads to executing code with the Managed Service Account (gMSA) group, an exception to the typical SYSTEM escalation.
The fix for the Azure Service Fabric addresses a vulnerability impacting Service Fabric clusters orchestrated by Docker. To be protected from this, you must manually update your Service Fabric and enable and configure the “BlockAccessToWireServer” feature flag.
The vulnerability in the Backup Service could result in either privilege escalation or data deletion, and the same is true for the bug in Windows Defender.
Three patches are being released for the Print Spooler, one of which was reported by the National Security Agency.
This month, seven different bugs were found that could result in the disclosure of unspecified memory contents. Three of these bugs were found in the Cryptographic Service and could lead to the leaking of “Windows cryptographic secrets.” Additionally, a vulnerability in BitLocker was identified that, if exploited, could allow an attacker with physical access to the device to gain access to encrypted data. A similar vulnerability was also discovered in the Boot Manager’s SFB, which requires physical access to exploit. Lastly, an issue with Smart Card Resource Management Server could allow an attacker to access data associated with FIDO keys on the affected system.
This month, several Denial-of-Service (DoS) bugs were discovered, but the information provided by Microsoft is not clear enough to determine the full extent of the vulnerabilities and if successful exploitation outcomes in the system crashing or the service shutting down. The particular concern is bugs uncovered in the Netlogon and LDAP services, as a successful DoS attack on these components could significantly impact the businesses.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions that are affected, including, but not limited to, 3D Builder, Visual Studio Code, Windows Virtual Registry Provider, Windows Local Session Manager (LSM),Windows Ancillary Function Driver for WinSock, Windows Overlay Filter,Windows Print Spooler Components, Microsoft Exchange Server, Windows Smart Card, Windows IKE Extension, Windows Remote Access Service L2TP Driver, Windows Kernel, Windows Management Instrumentation, Windows Backup Engine, Windows NTLM, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Bluetooth Driver, Microsoft Office, Windows Bind Filter Driver, Windows ODBC Driver, Windows Cryptographic Services, Microsoft Local Security Authority Server (lsasrv), Windows Credential Manager, Windows Malicious Software Removal Tool, Windows DWM Core Library, Windows Point-to-Point Tunneling Protocol, Microsoft WDAC OLE DB provider for SQL, Microsoft Graphics Component, Windows Layer 2 Tunneling Protocol, Windows LDAP – Lightweight Directory Access Protocol, Windows ALPC, Windows BitLocker, Windows Boot Manager, Windows Error Reporting, Windows Workstation Service, Windows Secure Socket Tunneling Protocol (SSTP), Windows Internet Key Exchange (IKE) Protocol, Windows Installer, Windows Task Scheduler, Windows Authentication Methods, .NET Core, Microsoft Message Queuing, Windows Event Tracing, Azure Service Fabric Container, Windows iSCSI, Windows RPC API, Windows Local Security Authority (LSA), Windows Certificates.
Downloads include Cumulative Updates, Monthly Rollups, Security Only, and Security updates.
Visit the January 2022 Security Updates page to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their network with QIDs 110424, 110425, 377884, 50124, 91969, 91970, and 91971 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.