Microsoft has released its monthly security update for March 2023. This month’s updates addressed various vulnerabilities in different products. Let’s go through this month’s Patch Tuesday details and discuss the security updates.
Microsoft Patches for March 2023
Microsoft has addressed 101 vulnerabilities in the month of March, including 22 Microsoft Edge (Chromium-based) vulnerabilities. Microsoft has also addressed two zero-day vulnerabilities known to be exploited in the wild. CISA has also added those two vulnerabilities, CVE-2023-24880 and CVE-2023-23397, to its Known Exploitable Vulnerabilities Catalog after Microsoft released this month’s Patch Tuesday update.
Out of these 101 vulnerabilities, nine are rated as critical, 70 as important, and one as moderate. This month’s Patch Tuesday edition includes updates for vulnerabilities in Microsoft Office and Components; Microsoft Dynamics, Microsoft OneDrive, Microsoft Windows Codecs Library, Client Server Runtime Subsystem (CSRSS), Internet Control Message Protocol (ICMP), Microsoft PostScript Printer Driver.
Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.
The March 2023 Microsoft vulnerabilities are classified as follows:
|Denial of Service Vulnerability
|Elevation of Privilege Vulnerability
|Information Disclosure Vulnerability
|Remote Code Execution Vulnerability
|Security Feature Bypass Vulnerability
|Microsoft Edge (Chromium-based)
Zero-day Vulnerabilities Patched in March Patch Tuesday Edition
CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability
Microsoft is aware of the active exploitation of this vulnerability that could allow an attacker to access a user’s Net-NTLMv2 hash. The hash can be leveraged to carry out an NTLM Relay attack against another service to authenticate as the user.
The vulnerability can be exploited in a low-complexity attack by specially crafted emails sent by an attacker to connect the victim to an external attacker’s control UNC location. The mail will be triggered automatically when retrieved and processed by the Outlook client. This could result in exploitation BEFORE the email is viewed in the Preview Pane.
Ukraine’s Computer Emergency Response Team (CERT-UA) discovered the flaw and notified Microsoft about it, perhaps after observing it being utilized in attacks on the company’s services. As per Microsoft, the vulnerability was exploited in targeted attacks against a number of European companies in the military, transportation, energy, and government sectors.
The threat actor APT28 is thought to be responsible for the attacks. APT28 has been connected to the Main Directorate of the General Staff of the Military Forces of the Russian Federation (GRU).
CVE-2023-23397 has been used in attacks against up to 15 companies, with the most recent incident taking place in December of last year.
CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability
Microsoft has mentioned in the advisory that this vulnerability is being exploited in the wild. To exploit this vulnerability, an attacker must craft a malicious file to bypass the Mark of the Web (MOTW) defenses.
Mark of the Web (MOTW) is a Windows feature that protects users from downloading files from unreliable sources. Windows adds a hidden tag called the mark to files obtained from the Internet. The capability and usage of files with the MOTW tag are restricted.
Other Critical Severity Vulnerabilities Patched in March Patch Tuesday Edition
CVE-2023-1017 and CVE-2023-1018 – TPM2.0 Module Library Elevation of Privilege Vulnerability
These vulnerabilities were discovered and addressed earlier this month by the upstream vendor TCG in the advisory TCGVRT0007.
TPM (Trusted Platform Module) is a hardware-based technology that helps improve PC security. A TPM chip is widely used as a secure cryptoprocessor that provides hardware security through integrated cryptographic keys.
Implementing improper length checks may lead to buffer overflow; the buffer passed to the ExecuteCommand() entry point faces this overflow condition.
CVE-2023-1017 is an out-of-bounds write vulnerability that could allow an attacker to write 2 bytes past the end of that buffer with attacker-specified values. User-mode applications can trigger this vulnerability by sending malicious commands to TPM 2.0. An attacker can cause an out-of-bounds write to the root partition on a target running Hyper-V using malicious TPM commands from a guest VM.
CVE-2023-1018 is an out-of-bound read vulnerability that may allow an attacker to read 2 bytes past the end of that buffer.
Successful exploitation of these vulnerabilities may result in local information disclosure or elevation of privileges.
CVE-2023-21708 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
Microsoft has put this vulnerability in the less likely to be exploited category. With a specially crafted RPC call to an RPC host, an attacker may exploit this vulnerability. An unauthenticated attacker may exploit this vulnerability to perform remote code execution on the server side with the same privileges as the RPC service.
CVE-2023-23392 – HTTP Protocol Stack Remote Code Execution Vulnerability
The critical severity vulnerability affects Windows 11 Systems and Windows Server 2022.
A server is vulnerable to the flaw if the following two conditions are met:
- Sever must use buffered I/O
- Binding has HTTP/3 enabled
A server that uses the HTTP Protocol Stack (HTTP.sys) to handle packets could be exploited by an unauthenticated attacker by sending a specially crafted packet to the server.
CVE-2023-23404 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Point-to-Point Tunneling Protocol enables secure data transmission from a remote client to a private enterprise server with the help of a virtual private network (VPN) across TCP/IP-based data networks.
The vulnerability requires an attacker to win a race condition to exploit this vulnerability. An unauthenticated attacker may send a specially crafted connection request to a RAS server that will lead to remote code execution on the RAS Server machine.
CVE-2023-23411 – Windows Hyper-V Denial of Service Vulnerability
An attacker can locally exploit this vulnerability in a low-complexity attack to affect the functionality of Hyper-V hosts as a Hyper-V.
Hyper-V provides hardware virtualization and allows the creation of virtual hard drives and virtual switches.
CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
The vulnerability affects the Internet Control Message Protocol (ICMP) network layer protocol. The protocol is used by multiple network devices to detect network communication issues.
To exploit this vulnerability, an attacker must send a low-level protocol error with a fragmented IP packet inside another ICMP packet in its header to the target system. An application on the target must be bound to a raw socket to execute the vulnerable code path.
CVE-2023-23416 – Windows Cryptographic Services Remote Code Execution Vulnerability
An affected system must import a malicious certificate to exploit this vulnerability successfully. An attacker may encourage an authenticated user to import a certificate on their system, upload it to a service that processes or imports certificates, or both.
Other Microsoft Vulnerability Highlights
- CVE-2023-23398 allows an attacker to trick a user into enabling content they cannot inspect. Using social engineering to convince a victim to download and open a specially constructed file from a website could result in a local attack on the victim’s computer.
- CVE-2023-23410 is an elevation of privilege vulnerability in the HTTP.sys web server implementation. The flaw allows an attacker to gain SYSTEM privileges on successful exploitation.
- CVE-2023-24861 is an elevation of privilege vulnerability in the Windows Graphic component. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker may gain SYSTEM privileges after exploiting this vulnerability.
- CVE-2023-24876 is a remote code execution vulnerability that affects the Microsoft PostScript and PCL6 Class Printer Driver.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions that are affected, including, but not limited to, Azure, Microsoft Bluetooth Driver, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Office SharePoint, Microsoft PostScript Printer Driver, Microsoft Printer Drivers, Office for Android, Remote Access Service Point-to-Point Tunneling Protocol, Service Fabric, Visual Studio, Windows Accounts Control, Windows Bluetooth Service, Windows Central Resource Manager, Windows Cryptographic Services, Windows Defender, Windows HTTP Protocol Stack, Windows HTTP.sys, Windows Internet Key Exchange (IKE) Protocol, Windows Kernel, Windows Partition Management Driver, Windows Point-to-Point Protocol over Ethernet (PPPoE), Windows Remote Procedure Call, Windows Remote Procedure Call Runtime, Windows Resilient File System (ReFS), Windows Secure Channel, Windows SmartScreen, Windows TPM, Windows Win32K.
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
With Qualys Policy Compliance’s Out-of-the-Box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited because the remediation (fix/patch) cannot be done now; these security controls are not recommended by any industry standards such as CIS, DISA-STIG.
Qualys Policy Compliance team releases these exclusive controls based on Vendor-suggested Mitigation/Workaround.
Mitigation refers to a setting, common configuration, or general best-practice existing in a default state that could reduce the severity of exploitation of a vulnerability.
A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. Source
The following Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:
CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability
This vulnerability has a CVSSv3.1 9.8/10.
Policy Compliance Control IDs (CIDs):
- 24717 Status of the ‘HTTP/3’ service
CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability
This vulnerability has a CVSSv3.1 9.8/10
Policy Compliance Control IDs (CIDs):
- 17220 Status of the ‘Active Directory Protected Users Security Group’ setting
- 14028 List of ‘Outbound Rules’ configured in Windows Firewall with Advanced Security via GPO
Visit the March 2023 Security Updates page to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their network with QIDs 110428, 110429, 110430, 378067, 378074, 91990, 91991, 91992, 91993, and 91995 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.