Microsoft’s March Patch Tuesday
On Tuesday, March 14, Microsoft released fixes for nearly 75 security issues. Two of the vulnerabilities addressed in the updates are being actively exploited. One of the flaws is a privilege elevation vulnerability in Outlook that has reportedly been used by Russian hackers in attacks on government, military, and energy sector organizations in Europe.
In addition to the widely covered vulnerabilities, some of which are already exploited, I would like to point out CVE-2023-23415. This vulnerability is at least interesting, even if it may not be easy to exploit. A single ICMP error packet leading to remote code execution shouldn't be underestimated, and yet again proves how we are not done finding vulnerabilities in 30+ year old TCP/IP stacks.
The different exploit groups have been out on the internet discussing various ways to exploit this vulnerability. I would look at what folks over at MDSec ActiveBreach and a few others have discussed about various methods to abuse this Outlook feature.
It’s been 20 years since MSFT moved to a monthly patch cycle (aka Patch Tuesday). By now organizations should have ‘well oiled’ processes to handle these monthly patch updates. This batch includes a number of remote code execution vulnerabilities as well as two ‘zero days’ being actively used. Exercise your patch process and remediate these vulnerabilities first.
If one critical infrastructure entity is being targeted, assume others in the same business (energy) will also be targets. Moreover, CVE-2023-23397 is rather deceptive. While labeled a privilege escalation flaw, it is used to capture NTLM hashes for a pass-the-hash attack. But it only works for self-hosted Exchange. At some point reacting to flaws relating to self-hosted Exchange is going to surpass the cost of using a hosted version, if it is not there already. Don’t forget to incorporate Adobe updates as they’ve also released a bunch this week.
Read more in
Krebs on Security: Microsoft Patch Tuesday, March 2023 Edition
Dark Reading: Microsoft Zero-Day Bugs Allow Security Feature Bypass