Microsoft’s Patch Tuesday security update for April 2023 contains patches for 97 CVEs, including one zero-day bug under active exploit in ransomware attacks, another that’s a reissue of a fix for a flaw from 2013 that a threat actor recently exploited in a supply chain attack on 3CX, and a wormable bug rated critical in severity.
Microsoft identified a total of seven of the bugs it fixed this month as being of critical severity, which typically means organizations need to make them a top priority from a patch implementation standpoint.
Zero-Day Used in Ransomware Attacks
Nearly half, or 45, of the vulnerabilities in the April update enable remote code execution (RCE), a significant uptick from the average of 33 RCE bugs that Microsoft has reported in each of the previous three months. Even so, the company rated nearly 90% of the CVEs in the latest batch as bugs that cyberattackers are less likely to exploit — just 9% are characterized as flaws that threat actors are more likely to exploit.
The zero-day bug, tracked as CVE-2023-28252, is an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) that affects all supported versions of Windows 10 and Windows Server. It is the second CLFS zero day in recent months — the other was CVE-2022-37969 — and it gives adversaries who already have access to the platform a way to gain highly privileged system-level privileges.
“This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system,” said Gina Geisel, a security researcher at Automox. To exploit the flaw, an attacker would need to log in to a system and then execute a malicious binary to elevate privileges.
“Automox recommends patch deployment within 24 hours since this is an actively exploited zero-day,” Geisel said in emailed comments to Dark Reading.
In a blog post issued in tandem with Microsoft’s update, Kaspersky said its researchers had observed a threat actor exploiting CVE-2023-28252 to deliver Nokoyawa ransomware on systems belonging to small and midsized organizations in North America, the Middle East, and Asia. The security vendor’s analysis shows that the exploits are similar to already-known driver exploits targeting CLFS.
“The exploit was highly obfuscated with more than 80% of its code being ‘junk’ elegantly compiled into the binary,” according to the analysis. Kaspersky researchers said they reported the bug to Microsoft after observing an adversary using it in ransomware attacks in February.
A Patch From the Past
Another patch in Microsoft’s April update that researchers are recommending organizations pay attention to is CVE-2013-3900, a 10-year-old signature validation vulnerability in the Windows WinVerifyTrust function. A threat actor — believed to be North Korea’s Lazarus Group — recently exploited the flaw in a supply-chain attack on 3CX that resulted in malware landing on systems belonging to users of the company’s video-conferencing software.
When Microsoft released the patch in 2013, the company had decided to make it an opt-in patch because of the potential for the fix to cause problems for some organizations. With the April security update, Microsoft has made the fix available for more platforms and provide more recommendations for organizations on how to address the issue.
“Definitely take the time to review all of the recommendations, including the information on the Microsoft Trusted Root Program, and take the actions needed to protect your environment,” Dustin Childs, researcher with Trend Micro’s Zero Day Initiative (ZDI) said in a blog post.
A Slew of RCE Vulnerabilities
Researchers identified two of the critical vulnerabilities in April’s batch as needing immediate action. One of them is CVE-2023-21554.
The bug affects Microsoft Message Queuing (MSMQ) technology and gives attackers a way to gain RCE by sending a specially crafted MSMQ packet to a MSMQ server. The vulnerability affects Windows 10, 11, and Server 2008-2022 systems that have the message queuing feature enabled on their systems, Automox researcher Peter Pflaster said in emailed comments. Administrators should consider applying Microsoft patch for the issue ASAP, since the company has noted that threat actors are more likely to exploit the vulnerability.
That’s just one of two critical vulnerabilities affecting the Windows Message Queuing system that Microsoft fixed this week. The other is CVE-2023-28250, a vulnerability in Windows Pragmatic Multicast that, like CVE-2023-21554, has a base score of 9.8 and is potentially wormable.
“This patch Tuesday MSFT fixed some critical flaws, of which we would recommend organizations to prioritize patching vulnerabilities those that are actively being exploited and wormable,” said Bharat Jogi, director of vulnerability and threat Research, at Qualys.
The other critical vulnerability that needs immediate fixing is CVE-2023-28231, a RCE bug in the DHCP Server service. Microsoft has assessed the bug as another issue that attackers are more likely to try and weaponize. To exploit the bug, an attacker would need prior access on a network. But once on it, the adversary could initiate remote code execution on the DHCP server, according to Kevin Breen, director of cyber threat research at Immersive Labs.
“Microsoft recommends that DHCP services are not installed on Domain Controllers, however, smaller organizations will commonly see DC and DHCP services co-located. In this instance the impact could be a lot higher,” Breen warned in emailed comments. Attackers that have control over DHCP servers could wreak considerable havoc on the network including stealing credentials for software-as-a-service (SaaS) products, or to carry out machine-in-the-middle (MITM) attacks, he noted.
