The March 2023 Security Update Review

March 14, 2023 | Dustin Childs

Happy Pi Day, and welcome to the third patch Tuesday of 2023 and the final patch Tuesday before Pwn2Own Vancouver. Take a break from your regularly scheduled activities and join us as we review the details of the latest security offerings from Microsoft and Adobe.

Adobe Patches for March 2023

For March, Adobe released eight patches addressing 105 CVEs in Adobe Photoshop, Experience Manager, Dimension, Commerce, Substance 3D Stager, Cloud Desktop Application, and Illustrator. A total of 77 of these bugs were reported through the ZDI program. This is the largest Adobe update in quite some time. The patch for Cold Fusion is listed as under active exploit. It fixes three bugs, including a Critical-rated code execution bug that rates a CVSS 9.8. This patch receives a deployment priority of 1 from Adobe as well.

The patch for Dimension is the largest of the bunch, with nearly 60 CVEs addressed by that patch alone. The update for Substance 3D Stager is also hefty, with 16 bugs fixed, many of which could lead to arbitrary code execution. The Experience Manager patch fixes 18 bugs, including several cross-site scripting (XSS) and open redirect issues.

The patch for Commerce includes a fix for an unauthenticated file system read. If you’re using the platform, a disclosure like this could prove costly. The updates for Photoshop and Illustrator address many open-and-own bugs that could lead to code execution at the level of the current user. The patch for Creative Cloud fixes a single, Critical-rated code execution bug.

None of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. With the exception of Cold Fusion, Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for March 2023

This month, Microsoft released 74 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Edge (Chromium-based); Microsoft Dynamics; Visual Studio; and Azure. This is in addition to four GitHub and two TPM CVEs that were previously released and are now being shipped for Microsoft products. Two of these CVEs were submitted through the ZDI program.

Of the patches released today, six are rated Critical, 67 are rated Important, and one is rated Moderate in severity. This volume seems to be the “new normal” for Microsoft releases. However, as we saw last month, remote code execution (RCE) bugs continue to dominate the release.

Two of the new CVEs are listed as under active attack at the time of release with one of those also being listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with one of the bugs under active attack:

- CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability
Although technically a spoofing bug, I would consider the result of this vulnerability to be authentication bypass. The bug allows a remote, unauthenticated attacker to access a user’s Net-NTLMv2 hash just by sending a specially crafted e-mail to an affected system. This hash could then be used in a relay attack to impersonate the user, thus effectively bypassing authentication. Before you ask about the Preview Pane, know that this bug hits before the e-mail is even viewed by the Preview Pane, so disabling that feature has no impact. No information is provided regarding how widespread these attacks may be, but definitely test and deploy this fix quickly.

- CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability
This is the other bug listed as under active attack, although this one is much less exciting. The vulnerability allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen.

- CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability
This CVSS 9.8 bug could allow a remote, unauthenticated attacker to execute code at SYSTEM level without user interaction. That combination makes this bug wormable – at least through systems that meet the target requirements. The target system needs to have HTTP/3 enabled and set to use buffered I/O. However, this is a relatively common configuration. Note that only Windows 11 and Windows Server 2022 are affected, which means this is a newer bug and not legacy code.

- CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
Will ICMP fragmentation bugs ever completely go away? I hope not, because I think they are neat. Here’s another potentially wormable bug resulting from an error message containing a fragmented IP packet in its header. It’s also a CVSS 9.8. The only caveat here is that an application on the target system must be bound to a raw socket. Not all applications do this, but the likelihood of one being available is high. There are some that block ICMP at their perimeter, but doing this has some negative side effects – especially for remote troubleshooting.

Here’s the full list of CVEs released by Microsoft for March 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability | Important | 9.1 | No | Yes | Spoofing |
| CVE-2023-24880 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate | 5.4 | Yes | Yes | SFB |
| CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-23415 | Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-21708 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-23416 | Windows Cryptographic Services Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-23411 | Windows Hyper-V Denial of Service Vulnerability | Critical | 6.5 | No | No | DoS |
| CVE-2023-23404 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-1017 * | CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2023-1018 * | CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2023-23394 | Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-23409 | Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-22490 * | GitHub: CVE-2023-22490 Local clone-based data exfiltration with non-local transports | Important | 5.5 | No | No | Info |
| CVE-2023-22743 * | GitHub: CVE-2023-22743 Git for Windows Installer Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
| CVE-2023-23618 * | GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability | Important | 8.6 | No | No | RCE |
| CVE-2023-23946 * | GitHub: CVE-2023-23946 Git path traversal vulnerability | Important | 6.2 | No | No | EoP |
| CVE-2023-23389 | Microsoft Defender Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
| CVE-2023-24892 | Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability | Important | 7.1 | No | No | Spoofing |
| CVE-2023-24919 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-24879 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-24920 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-24891 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2023-24921 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 4.1 | No | No | XSS |
| CVE-2023-24922 | Microsoft Dynamics 365 Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-23396 | Microsoft Excel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2023-23399 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23398 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.1 | No | No | SFB |
| CVE-2023-24923 | Microsoft OneDrive for Android Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-24882 | Microsoft OneDrive for Android Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-24890 | Microsoft OneDrive for iOS Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2023-24930 | Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24864 | Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-24856 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24857 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24858 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24863 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24865 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24866 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24906 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24870 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24911 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-23403 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-23406 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-23413 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24867 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24907 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24868 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24909 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24872 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24913 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24876 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-23391 | Office for Android Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2023-23405 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2023-24908 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2023-24869 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2023-23383 | Service Fabric Explorer Spoofing Vulnerability | Important | 8.2 | No | No | Spoofing |
| CVE-2023-23395 | SharePoint Open Redirect Vulnerability | Important | 3.1 | No | No | Spoofing |
| CVE-2023-23412 | Windows Accounts Picture Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23388 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-24871 | Windows Bluetooth Service Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-23393 | Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-23400 | Windows DNS Server Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-24910 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24861 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-23410 | Windows HTTP.sys Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24859 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-23420 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23421 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23422 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23423 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23401 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23402 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23417 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23385 | Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-23407 | Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2023-23414 | Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2023-23418 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-23419 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24862 | Windows Secure Channel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2023-23408 | Azure Apache Ambari Spoofing Vulnerability | Important | 4.5 | No | No | Spoofing |

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.
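A list this long is easier to act on once it is ranked the way the post reads it: actively exploited bugs first, then publicly known ones, then by severity and CVSS, with Critical network RCEs at CVSS 9.8 flagged for the kind of wormability review the post gives the HTTP/3, ICMP and RPC bugs. The following Python script is an added example, not code from the original post or from ZDI. It parses rows in the flattened "CVE Title Severity CVSS Public Exploited Type" layout in which the table is often copied around (including the `*` marker for third-party CVEs) and produces that order. The embedded rows are copied from the table above; the ranking weights and the wormability heuristic are my own assumptions, not Microsoft's or ZDI's.

```python
import re
from dataclasses import dataclass

# Rows copied from the post's table in its flattened layout:
# CVE, optional '*', title, severity, CVSS, public, exploited, type.
# A subset is enough to exercise every ranking rule; the full table
# can be pasted in the same way.
TABLE_ROWS = """\
CVE-2023-23397 Microsoft Outlook Elevation of Privilege Vulnerability Important 9.1 No Yes Spoofing
CVE-2023-24880 Windows SmartScreen Security Feature Bypass Vulnerability Moderate 5.4 Yes Yes SFB
CVE-2023-23392 HTTP Protocol Stack Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-23415 Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-23411 Windows Hyper-V Denial of Service Vulnerability Critical 6.5 No No DoS
CVE-2023-1017 * CERT/CC: TPM2.0 Module Library Elevation of Privilege Vulnerability Critical 8.8 No No EoP
CVE-2023-23410 Windows HTTP.sys Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-23395 SharePoint Open Redirect Vulnerability Important 3.1 No No Spoofing
"""

# The title is matched lazily; the fixed-vocabulary columns that follow it,
# anchored at end of line, pin down where the title stops.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})"
    r"(?P<third_party>\s\*)?\s+"
    r"(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?)\s+"
    r"(?P<public>Yes|No)\s+"
    r"(?P<exploited>Yes|No)\s+"
    r"(?P<kind>\S+)$"
)

SEVERITY_RANK = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    severity: str
    cvss: float
    public: bool
    exploited: bool
    kind: str
    third_party: bool  # True when the row carried the '*' marker

    @property
    def wormable_candidate(self) -> bool:
        # Assumed heuristic mirroring the post: a Critical RCE at CVSS 9.8
        # warrants checking whether it is reachable unauthenticated.
        return self.kind == "RCE" and self.severity == "Critical" and self.cvss >= 9.8

    @property
    def sort_key(self):
        # Assumed weights; higher tuple sorts first.
        return (self.exploited, self.public, SEVERITY_RANK[self.severity], self.cvss)


def parse_rows(text: str) -> list[Advisory]:
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        advisories.append(Advisory(
            cve=m["cve"], title=m["title"], severity=m["severity"],
            cvss=float(m["cvss"]), public=m["public"] == "Yes",
            exploited=m["exploited"] == "Yes", kind=m["kind"],
            third_party=m["third_party"] is not None,
        ))
    return advisories


def prioritize(advisories: list[Advisory]) -> list[Advisory]:
    # sorted() is stable, so rows that tie keep the table's own order.
    return sorted(advisories, key=lambda a: a.sort_key, reverse=True)


def deployment_order(text: str = TABLE_ROWS) -> list[str]:
    return [a.cve for a in prioritize(parse_rows(text))]


if __name__ == "__main__":
    for a in prioritize(parse_rows(TABLE_ROWS)):
        flags = []
        if a.exploited:
            flags.append("EXPLOITED")
        if a.public:
            flags.append("PUBLIC")
        if a.wormable_candidate:
            flags.append("review-wormability")
        print(f"{a.cve:<15} {a.severity:<9} {a.cvss:<4} {a.kind:<9} {' '.join(flags)}")
```

The regex deliberately refuses rows it cannot fully account for rather than guessing at column boundaries; a mangled paste then fails loudly instead of silently dropping a CVE from the deployment list.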

Taking a look at the remaining Critical-rated patches, there’s a CVSS 9.8 bug in RPC Runtime that has some wormable potential. However, unlike ICMP, it is a good idea to block RPC traffic (specifically TCP port 135) at the perimeter, so this bug is much less likely to be widely exploited. The Critical-rated Hyper-V bug is a denial of service that could allow a guest OS to “affect the functionality of the Hyper-V host.” It’s not clear if that means a guest OS can shut off the whole server or just disable pieces, but best to patch rather than learn the hard way. There’s a Critical-rated bug in the cryptographic services that requires a malicious certificate to be imported into an affected system. That seems like it would require some social engineering at a minimum. Finally, there’s a fix for a bug in Point-to-Point Tunneling Protocol (PPTP) that’s technically wormable between RAS servers, but I don’t see that as being very likely.

Moving on to the other code execution bugs, the first that stand out are 10 different RCEs in the PostScript and PCL6 Class Printer Driver. These all seem to require some level of authentication, but as we’ve seen with other print-related bugs in the past, they still could be used by threat actors. There are three additional RCE bugs in the RPC Runtime, but these are listed as attack complexity high, which lowers their CVSS score. There’s a bug in the DNS Server that looks frightening at first glance, but a closer look reveals it needs high privileges to exploit. The vulnerability in the Bluetooth service seems interesting. An attacker could get RCE on a connected Bluetooth component, but Microsoft notes they would need access to “the restricted network” to run the exploit. It’s not clear if that means physical proximity to the target or some other connection to an affected system. There are a couple of “open-and-own” bugs in Excel and the Windows Media Player. Finally, there are two patches for PPPoE, but a threat actor would need to be network adjacent to exploit these bugs.

In addition to the SmartScreen bug already discussed, there are two Security Feature Bypass (SFB) vulnerabilities receiving fixes this month. The first is for Excel. If an attacker is able to convince a user to click “Enable Content”, Excel would not scan for malicious data as it normally would. With that level of social engineering and user interaction, it’s almost hard to consider this a true bypass, but kudos to Microsoft for fixing it anyway. The other SFB is in OneDrive for iOS. An attacker could use this to view files stored in a locked vault, however, it does require some form of authentication to exploit.

There are a fair number of Elevation of Privilege (EoP) bugs receiving patches this month, and the majority of these require the attacker to execute their code on a target to escalate privileges – typically to SYSTEM. The privilege escalation in http.sys was submitted to the ZDI by an anonymous researcher. It’s an integer overflow that could allow an attacker to escalate to SYSTEM. The escalation bug in the graphics component was reported to the ZDI by Marcin Wiązowski. It uses a use-after-free (UAF) vulnerability to get to SYSTEM. The vulnerability in Bluetooth looks intriguing since it would allow an attacker to escape AppContainer isolation. There’s an update for Defender, but you likely received that automatically. However, if you’re running isolated systems, you will need to manually apply the fix. Speaking of offline patches, the update for OneDrive for macOS is found in the app store. If you don’t have automatic downloads for apps set up, you’ll need to get the patch from the store.

Looking at the information disclosure vulnerabilities receiving patches this month, the vast majority simply result in info leaks consisting of unspecified memory contents. There are a couple of exceptions. The bug in Microsoft Dynamics 365 could leak a verbose error message that attackers could use to create malicious payloads. The two bugs in OneDrive for Android could leak certain Android/local URIs that OneDrive can access. Again, you’ll need to get this patch from the Google Play store if you haven’t configured automatic app updates.

In addition to the Outlook spoofing bug already mentioned, five other spoofing vulns received fixes this month. The first is in the alliteratively-named Azure Apache Ambari, but Microsoft provides no further details about the bug. The bug in the Service Fabric could allow an attacker to escape the web client and execute their code on the target’s browser. However, Microsoft notes the user would need to click through a “sequence of multiple events” for exploitation. Also, note that you may need to manually update this component if you haven’t specifically enabled auto-updates. User interaction is also required for the SharePoint spoofing bug, but in this case, it’s just clicking a link. If an attacker can convince a user to follow a malicious link, the target could be redirected to a crafted site designed to look like a legitimate website. A similar bug is getting patched in the Edge (Chromium-based) browser. The final spoofing bug getting fixed this month also requires a target clicking a link – this time in Office for Android. The vulnerability allows an attacker to create a malicious link, application, or file and mask it as a non-threatening resource.

There are three additional DoS fixes released this month. There’s no additional info about the patches for Windows Secure Channel or the Internet Key Exchange (IKE) Extension. However, I would expect a successful exploit of these bugs to interfere with authentication processes. The DoS bug in Excel is different. I usually equate DoS bugs in Office apps to just killing the app when opening a crafted file. That’s not the case here. This bug would cause a resource exhaustion on the system when opening a malicious file. It’s not clear if this exhaustion would eventually clear or if a reboot would be required.

Finally, there are five cross-site scripting (XSS) bugs in Dynamics 365. There were also five XSS bugs in last month’s release, which makes this either a weird pattern or a weird coincidence.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday will be on April 11, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!