It is the second Tuesday of the month, and Microsoft has released a batch of security updates fixing a total of 97 flaws across its software, one of which has been actively exploited in ransomware attacks in the wild.
Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Notably, 45 of the flaws are remote code execution bugs, followed by 20 privilege escalation vulnerabilities. The update also follows fixes for 26 vulnerabilities in the Edge browser released over the past month.
The security flaw that is under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.
“An attacker who successfully exploits this vulnerability may gain SYSTEM privileges,” Microsoft said in an advisory, which credited researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.
CVE-2023-28252 is the fourth privilege escalation flaw in a CLFS component to have been actively abused in the past year alone, following CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS score: 7.8). At least 32 vulnerabilities have been identified in CLFS since 2018.
According to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by cybercrime groups to spread Nokoyawa ransomware against small and medium businesses in the Middle East, North America, and Asia.
“CVE-2023-28252 is an out-of-bounds write (upgrade) vulnerability that can be exploited when the system attempts to expand metadata blocks,” Larin said. “The vulnerability was triggered by basic log file manipulation.”
Given the ongoing exploitation of the flaw, CISA added the Windows zero-day to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.
Also patched are critical remote code execution flaws affecting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extensions, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ).
The MSMQ bug, tracked as CVE-2023-21554 (CVSS score: 9.8) and dubbed QueueJumper by Check Point, can lead to unauthorized code execution and server takeover when specially crafted malicious MSMQ packets are sent to an MSMQ server.
“The CVE-2023-21554 vulnerability allowed an attacker to potentially execute code remotely and without authorization by reaching TCP port 1801,” Check Point researcher Haifei Li said. “In other words, an attacker can control the process through only one packet to port 1801/tcp with an exploit, triggering the vulnerability.”
Two other weaknesses found in MSMQ, CVE-2023-21769 and CVE-2023-28302 (CVSS score: 7.5), can be exploited to cause denial-of-service (DoS) conditions such as service crashes and Windows Blue Screen of Death (BSOD) errors.
Microsoft has also updated its advisory for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions:
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019, and
- Windows Server 2022
The development comes as North Korea-linked threat actors have been observed exploiting the weakness to inject encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signatures.
Microsoft Releases Guide to BlackLotus Bootkit Attack
Along with the update, the tech giant has also issued guidance for CVE-2022-21894 (aka Baton Drop), a now-fixed Secure Boot bypass flaw that was exploited by threat actors using a nascent Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus to establish persistence on hosts.
Indicators of compromise (IoCs) include newly created and locked bootloader files on the EFI system partition (ESP), the existence of the staging directory “ESP:/system32/,” modification of the registry key “HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity,” and event logs related to Microsoft Defender Antivirus being turned off.
“UEFI bootkits are especially dangerous because they run during computer startup, prior to operating system loading, and therefore can interfere with or disable various operating system (OS) security mechanisms,” Microsoft’s Incident Response team said.
Microsoft further recommends that a compromised device be removed from the network and inspected for evidence of continued activity, reformatted or restored from a known clean backup that includes the EFI partition, its credentials rotated, and the principle of least privilege (POLP) applied.
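As an added example, not taken from the article or from Microsoft's guidance, the following PowerShell sweep checks a host for the BlackLotus indicators described above. It assumes it is run elevated, that the ESP can be mounted at the drive letter in $Esp, that "recently created" means within the last 30 days, and that Defender event IDs 5001 and 5010 are a reasonable proxy for "Defender turned off"; those choices are mine, not Microsoft's.

```powershell
# Read-only hunt for BlackLotus indicators (constructed example). Run as Administrator.
$Esp      = 'S:'     # assumed free drive letter for the EFI system partition
$Findings = @()
$Mounted  = $false

# Mount the ESP if it is not already visible (mountvol /S is the documented switch).
if (-not (Test-Path $Esp)) { mountvol $Esp /S | Out-Null; $Mounted = $true }

# 1. Staging directory the bootkit creates on the ESP.
if (Test-Path (Join-Path $Esp 'system32')) {
    $Findings += "Staging directory present: $Esp\system32"
}

# 2. Bootloader files: flag recently created ones and ones held open exclusively.
Get-ChildItem (Join-Path $Esp 'EFI') -Recurse -Filter '*.efi' -ErrorAction SilentlyContinue |
ForEach-Object {
    if (((Get-Date) - $_.CreationTime).TotalDays -lt 30) {      # 30-day window is an assumption
        $Findings += "Recently created bootloader file: $($_.FullName) ($($_.CreationTime))"
    }
    try {
        # Request a handle with no sharing; a file another process holds locked will refuse it.
        $h = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'None'); $h.Close()
    } catch [System.IO.IOException] {
        $Findings += "Locked bootloader file: $($_.FullName)"
    }
}

# 3. HVCI policy key the bootkit modifies. Enabled=0 can be legitimate; treat as corroborating.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$Hvci = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
if ($Hvci -and $Hvci.Enabled -eq 0) { $Findings += "HVCI disabled in $Key" }

# 4. Defender operational log: 5001 = real-time protection disabled, 5010 = scanning disabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5010 } `
    -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += "Defender event $($_.Id) at $($_.TimeCreated)"
}

if ($Mounted) { mountvol $Esp /D | Out-Null }   # leave the host as we found it

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No BlackLotus indicators found on this host.' }
```

A hit on any single check is a lead for the remediation steps above, not proof on its own; the HVCI and Defender checks in particular need corroboration from the ESP findings.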
Software Patches from Other Vendors
Apart from Microsoft, security updates have also been released by other vendors in recent weeks to fix several vulnerabilities, including —