Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.

IT teams should prioritize the patching of two zero-day vulnerabilities, one in Microsoft Outlook's authentication mechanism and another that's a Mark of the Web bypass, security experts said today. The two are part of a cache of 74 security bugs that Microsoft disclosed in its March Patch Tuesday security update.

In a blog post, researchers from Automox recommended that organizations patch both vulnerabilities within 24 hours since attackers are exploiting them in the wild. 

In addition, several of the critical flaws in the March update enable remote code execution (RCE), making them a high priority for patching as well. 

Vendors had slightly different takes on the total number of new critical vulnerabilities in Microsoft's March update — likely because of differences in what they included in the count. Trend Micro's Zero-Day Initiative (ZDI), for instance, identified six of the vulnerabilities in Microsoft's March update as critical, while Tenable and Action1 pegged the number at nine.

**Privilege Escalation Zero-Day**

One of the zero-days is a critical privilege escalation vulnerability in Microsoft Outlook tracked as CVE-2023-23397, which allows an attacker to access the victim's Net-NTLMv2 challenge-response authentication hash and then impersonate the user. 

What makes the bug dangerous is that an attacker could trigger it simply by sending a specially crafted email that Outlook retrieves and processes before the user even views it in the Preview Pane.

"This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email," said Satnam Narang, senior staff research engineer at Tenable in an emailed comment. An attacker could use the victim's Net-NLMv2 hash to conduct an attack that exploits the NTLM challenge-response mechanism and allows the adversary to authenticate as the user.

That makes the bug more of an authentication bypass vulnerability than an privilege escalation issue, added ZDI researcher Dustin Childs, in a blog post that summarized the most important flaws in Microsoft's March Patch Tuesday update. Disabling the Preview Pane option will not mitigate the threat because the bug gets triggered even before that, he wrote.

Microsoft attributed the bug's discovery to researchers from Ukraine's Computer Emergency Response Team (CERT) as well as one of its own researchers.

Organizations that cannot patch CVE-2023-23397 immediately should consider implementing Microsoft's mitigation for the flaw, which prevents the use of NTLM as an authentication mechanism, Automox said.

**Actively Exploited Security Feature Bypass Flaw**

Microsoft identified the second zero-day bug as CVE-2023-24880, a Windows SmartScreen security feature bypass issue than at attacker could use to bypass the Mark of the Web designation that Microsoft uses to identify files that a user might download from the Internet. 

The feature is designed to warn users about potentially unsafe content. CVE-2023-24880 affects all desktop systems running Windows 10 and above and systems running Windows Server 2016, 2019, and 2022.

Chris Goettl, vice president of security products at Ivanti, cautioned administrators not to be lulled into a sense of false security by Microsoft's relatively low severity rating for the flaw. 

"The CVSSv3.1 score is only 5.4, which may avoid notice by many organizations," Goettl said in a statement. On its own, the CVE may not be all that threatening, "but it was likely used in an attack chain with additional exploits," he warned.

**Other Security Bugs at High Patching Priority**

One of the RCE flaws to make a special note of is CVE-2023-23415, which exists in the Internet Control Message Protocol (ICMP) that network devices use to diagnose communications issues. 

"An attacker can remotely exploit this vulnerability through the use of a low-level protocol error containing a fragmented IP packet in its header that is sent to the target machine," Microsoft said. The vulnerability affects multiple Microsoft products, including Windows 10, Windows 11, Windows Server 2008, 2012, 2016, 2019, and 2022.

ZDI, Automox, and Action1 also all identified a RCE vulnerability with a near maximum severity of 9.8 on the CVSS scale in the HTTP Protocol Stack as another issue that organizations might want to prioritize. 

The vulnerability (CVE-2023-23392) allows an unauthenticated attacker to send a specially crafted packet to a server that uses the HTTP Protocol Stack leading to RCE. "The vulnerability affects Windows Server 2022 and Windows 11, and has a low-complexity attack vector that requires no privileges or user interaction," Action1 warned. Because of this, Microsoft has assessed the vulnerability as one that threat actors are more likely to exploit than other flaws.

Automox also recommended that organizations address CVE-2023-23416, a RCE bug in the Windows Cryptographic Services protocol, within 72 hours. That's because, among other things, it affects all versions of desktops Windows 10 and above, and all Windows server editions from Server 2012 on.

In addition to patches for new vulnerabilities, Microsoft also issued updates for four older flaws — all from 2022 — in its March patch cycle. The update expands the number of Microsoft software and applications affected by the vulnerabilities and provides a patch for them, Ivanti said. The security vendor identified the four updated patches as CVE-2022-43552, CVE-2022-23257, CVE-2022-23825, and CVE-2022-23816.

Microsoft Zero-Day Bugs Allow Security Feature Bypass

Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.

Tuesday, March 14, 2023 16:03

Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.

Two of the vulnerabilities included in March’s security update have been exploited in the wild, according to Microsoft, including one critical issue.

In all, eight of the issues disclosed this month are critical, while the remainder — outside of one — is “important.”

A moderate-severity vulnerability that’s already being exploited in the wild is CVE-2023-24880, a security feature bypass vulnerability in Windows SmartScreen, a cloud-based anti-phishing and anti-malware feature included in several Microsoft products. An attacker could exploit this vulnerability to craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. This, in theory, could allow the attacker to pass a malicious file through without it being detected.

The other zero-day included this month is CVE-2023-23397, a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash to an adversary.

To trigger this vulnerability, a user doesn’t even need to open the email or preview it, the vulnerability is triggered as soon as the email is retrieved by the targeted email server.

Three of the other critical vulnerabilities Microsoft is patching have a CVSS severity score of 9.8 out of 10: CVE-2023-21708, CVE-2023-23392 and CVE-2023-23415.

CVE-2023-21708 is a remote code execution vulnerability in Microsoft Remote Call Procedure (RCP). To exploit this vulnerability, an unauthenticated attacker could send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.

The attacker would need to have access to TCP port 135 on the remote host, so Microsoft considers this vulnerability “less likely” to be exploited, especially from an outside network perimeter. But an attacker who already have a foothold on an internal network could use this vulnerability to compromise other machines in the same domain if the target doesn’t block this port.

Another remote code execution vulnerability exists on the HTTP protocol stack on Windows 11 and Windows Server 2022. An attacker could exploit CVE-2023-23392 by sending a specially crafted packet to a targeted server that utilizes the HTTP Protocol Stack to process packets. For a server to be vulnerable, it must already have HTTP/3 enabled and use buffered I/O. HTTP/3 support for services is a new feature of Windows Server 2022. Another escalation of privilege vulnerability in the same component (CVE-2023-23410) may allow an attacker to elevate privileges to SYSTEM.

CVE-2023-23415 is the only vulnerability among the three with 9.8 CVSS scores that is “more likely” to be exploited, according to Microsoft. An attacker could exploit this vulnerability in the Internet Control Message Protocol (ICMP) to gain the ability to execute remote code with SYSTEM-level privileges.

An attacker could send fragmented ICMP error messages to a remote target and cause a read past the fragment buffer end. This could cause a BSOD if the read crosses a page boundary or give the attacker remote code execution abilities.

The other critical vulnerabilities are:

*   CVE-2023-23404, a remote code execution vulnerability in Windows point-to-point tunneling protocol
*   CVE-2023-23411, a denial-of-service vulnerability in Windows Hyper-V
*   CVE-2023-23416, a remote code execution vulnerability in Windows cryptographic services

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61464 - 61467. The Snort 3 SIDs are 300460 and 300461.

Microsoft Patch Tuesday for March 2023 — Snort rules and prominent vulnerabilities

An agency team will identify vulnerabilities being exploited by ransomware groups and alert organizations ahead of attacks, CISA says.

An anti-ransomware project launched by the Cybersecurity and Infrastructure Security Agency (CISA) will proactively track common vulnerabilities being exploited by ransomware gangs, and alert exposed organizations to the risks to help them mitigate the threat before a cyberattack occurs.

The Ransomware Vulnerability Warning Pilot (RVWP) program started out by alerting 93 organizations open to the recent Microsoft Exchange Service "ProxyNotShell" vulnerability, which was under open attack by ransomware operators in the wild, the CISA announcement explained. The intention is for the RVWP to replicate the model on a larger scale and help critical infrastructure organizations stave off future ransomware attacks.

"Ransomware attacks continue to cause untenable levels of harm to organizations across the country, including target rich, resource poor entities like many school districts and hospitals," Eric Goldstein, executive assistant director for cybersecurity at CISA, said about the program in CISA's announcement. “The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA Trials Ransomware Warning System for Critical Infrastructure Orgs

One researcher thinks trust is broken in AD. Microsoft disagrees that there's a security vulnerability. But enterprise IT environments should be aware of an authentication gap either way.

An access control gap in Microsoft's Active Directory (AD) service may allow users within Windows environments to access domains beyond those for which they are authenticated, all while IT admins are none the wiser.

AD, Microsoft's catchall identity management service for authenticating computers, printers, users, or really anything participating in an IT environment, is built into most Windows domain-type networks. Tens of thousands of organizations use the service, including 90% of Global Fortune 1000 companies, according to Frost & Sullivan.

Network administrators use AD to manage authentication across a domain, ensuring that intended users — _only_ intended users — can access the resources they're allotted — _only_ those they're allotted.

In a report published March 14, however, Charlie Clark, security researcher at Semperis, detailed how a user can escape the guardrails within AD, and access domains for which they were not explicitly granted permission.

"It massively increases the attack surface for an attacker," he explains, "and obviously, the larger the attack surface, the more likely it is that an attacker can find an exploitable bug."

**MSFT AD's "Transitive Trust" Problem**

According to the transitive property of mathematics, if a = b and b = c, then a = c.

In AD, if domain A connects to domain B, and domain B connects to domain C, domains A and C may or may not be able to access one another, depending on whether they share a "transitive trust." As stated in Microsoft's documentation, "transitivity determines whether a trust can be extended outside of the two domains with which it was formed."

Two domains belonging to two different organizations might bear an "external trust" — a form of trust that's set up manually in AD, which is nontransitive. However, herein lies the issue that Clark found: that external trust can be used by one company to access sister domains within the same group (what Microsoft calls a "forest") as the second, for which no official external trust has been established, Clark says.

"If what we thought about non-transitive trusts were true," Clark explains, an authenticated user from one domain would "only be able to target the specific domain they've got a trust with. They wouldn't be able to move around the forest to other domains."

Instead, "any account within the trusted domain will be able to authenticate against any domain within the entire forest in which the trusting domain resides," he wrote in his analysis.

A malicious user who figures out how to burrow around a forest at will can access resources, reach accounts, and find data they otherwise should not.

"It allows an attacker to have a much larger attack surface from any low-privileged account on a trusted domain," Clark reasons, because "if you manage to take over a single domain within a forest, it's very easy to take over the whole forest."

Clark first reported his findings to Microsoft on May 4, 2022. On Sept. 29, Microsoft wrote in an email that "we have determined that this submission does not meet the definition of a security vulnerability for servicing. This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering." With that, the company closed the case.

“We provide many mechanisms for limiting resource access when using external trusts in a forest trust environment," a Microsoft spokesperson explained. "For example, by applying an authentication policy to resources at any granularity to allow or deny authentication based on any security descriptor. Customers can also set a deny-by-default posture which only allows those users to authenticate to accounts where the user has the allowed-to-authenticate right. We are continuously researching ways to improve security for future releases. More information is available in our authentication policy documentation.”

**Why Trust Matters**

Clark worked as a systems administrator for over 15 years, and a pen tester for six. "Every medium to large business or infrastructure that I've worked with has had external trusts," he claims. By that logic, most of AD's clients are likely at risk right now, he alleges, if additional protections haven't been put in place.

Microsoft's recommendations aside, to protect against this form of access control abuse, Clark recommends that admins remove all external trusts. If this is not possible, then monitoring which users are accessing what is the next best thing.

The most important thing, in the end, is awareness. Otherwise, admins may fall prey to a false sense of security. They "can see that a trusted domain is a higher risk. So they may apply greater security to that domain," Clark explains, but "they might not apply the same level of security to the rest of the domains within the forest," despite the similar risk.

"I think the main thing is to make system admins aware that this is possible," Clark concludes. By knowing this, "they can harden the rest of the domain sufficiently."

Access Control Gap in Microsoft Active Directory Widens Enterprise Attack Surface

Microsoft Outlook Elevation of Privilege Vulnerability

CVE-2023-23397

Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

CVE-2023-23413

Microsoft Excel Denial of Service Vulnerability

CVE-2023-23396

CVE-2023-23398

Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability

Tag

#microsoft