The March 2023 Security Update Review
2023-3-15 01:29:47 Author: www.thezdi.com(查看原文) 阅读量:54 收藏

Happy Pi Day, and welcome to the third patch Tuesday of 2023 and the final patch Tuesday before Pwn2Own Vancouver. Take a break from your regularly scheduled activities and join us as we review the details of the latest security offerings from Microsoft and Adobe.

Adobe Patches for March 2023

For March, Adobe released eight patches addressing 105 CVEs in Adobe Photoshop, Experience Manager, Dimension, Commerce, Substance 3D Stager, Cloud Desktop Application, and Illustrator. A total of 77 of these bugs were reported through the ZDI program. This is the largest Adobe update in quite some time. The patch for Dimension is the largest of the bunch, with nearly 60 CVEs addressed by that patch alone. The update for Substance 3D Stager is also heft with 16 bugs fixed, many of which could lead to arbitrary code execution. The Experience Manager patch fixes 18 bugs including several cross-site scripting (XSS) and open redirects.

The patch for Commerce includes a fix for an unauthenticated file system read. If you’re using the platform, a disclosure like this could prove costly. The updates for Photoshop and Illustrator address many open-and-own bugs that could lead to code execution at the level of the current user. The patch for Creative Cloud fixes a single, Critical-rated code execution bug. Finally, the fix for Cold Fusion fixes three bugs, including a Critical-rate code execution bug that rates a CVSS 9.8. This patch receives a deployment priority of 1 from Adobe as well.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. With the exception of Cold Fusion, Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for March 2023

This month, Microsoft released 74 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Edge (Chromium-based); Microsoft Dynamics; Visual Studio; and Azure. This is in addition to four Github and two TPM CVEs that were previously released and are now being shipped for Microsoft products. Two of these CVEs were submitted through the ZDI program.

Of the patches released today, six are rated Critical and 67 are rated Important, and one is rated Moderate in severity. This volume seems to be the “new normal” for Microsoft releases. However, like we saw last month, remote code execution (RCE) bugs continue to dominate the release.

Two of the new CVEs are listed as under active attack at the time of release with one of those also being listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with one of the bugs under active attack:

-       CVE-2023-23397 - Microsoft Outlook Spoofing Vulnerability
Although technically a spoofing bug, I would consider the result of this vulnerability to be authentication bypass. The bug allows a remote, unauthenticated attacker to access a user’s Net-NTLMv2 hash just by sending a specially crafted e-mail to an affected system. This hash could then be used in a relay attack to impersonate the user, thus effectively bypassing authentication. Before you ask about the Preview Pane, know that this bug hits before the e-mail is even viewed by the Preview Pane, so disabling that feature has no impact. No information is provided regarding how widespread these attacks may be, but definitely test and deploy this fix quickly.

 -       CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability
This is the other bug listed as under active attack, although this one is much less exciting. The vulnerability allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen.

-       CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability
This CVSS 9.8 bug could allow a remote, unauthenticated attacker to execute code at SYSTEM level without user interaction. That combination makes this bug wormable – at least through systems that meet the target requirements. The target system needs to have HTTP/3 enabled and set to use buffered I/O. However, this is a relatively common configuration. Note that only Windows 11 and Windows Server 2022 are affected, which means this is a newer bug and not legacy code.

 -       CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
Will ICMP fragmentation bugs ever completely go away? I hope not, because I think they are neat. Here’s another potentially wormable bug resulting from an error message containing a fragmented IP packet in its header. It’s also a CVSS 9.8. The only caveat here is that an application on the target system must be bound to a raw socket. Not all applications do this, but the likelihood of one being available is high. There are some that block ICMP at their perimeter, but doing this has some negative side effects – especially for remote troubleshooting.

 Here’s the full list of CVEs released by Microsoft for March 2023:

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Taking a look at the remaining Critical-rated patches, there’s CVSS 9.8 bug in RPC Runtime that has some wormable potential. However, unlike ICMP, it is a good idea to block RPC traffic (specifically TCP port 135) at the perimeter. This bug is much less likely to be widely exploited. Rounding out the Critical-rated Hyper-V bugs is a denial of service that could allow a guest OS to “affect the functionality of the Hyper-V host.” It’s not clear if that means a guest OS can shut off the whole server or just disable pieces, but best to patch rather than learn the hard way. There’s a Critical-rated bug in the cryptographic services that requires a malicious certificate needs to be imported into an affected system. That seems like it would require some social engineering at a minimum. Finally, there’s a fix for a bug in Point-to-Point Tunneling Protocol (PPTP) that’s technically wormable between RAS servers, but I don’t see that as being very likely.

Moving on to the other code execution bugs, the first that stand out are 10 different RCEs in the PostScript and PCL6 Class Printer Driver. These all seem to require some level of authentication, but as we’ve seen with other print-related bugs in the past, they still could be used by threat actors. There are three additional RCE bugs in the RPC Runtime, but these are listed as attack complexity high, which lowers their CVSS score. There’s a bug in the DNS Server that looks frightening at first glance, but a closer look reveals it needs high privileges to exploit. The vulnerability in the Bluetooth service seems interesting. An attacker could get RCE on a connected Bluetooth component, but Microsoft notes they would need access to “the restricted network” to run the exploit. It’s not clear if that means physical proximity to the target or some other connection to an affected system. There are a couple of “open-and-own” bugs in Excel and the Windows Media Player. Finally, there are two patches for PPPoE, but a threat actor would need to be network adjacent to exploit these bugs.

In addition to the SmartScreen bug already discussed, there are two Security Feature Bypass (SFB) vulnerabilities receiving fixes this month. The first is for Excel. If an attacker is able to convince a user to click “Enable Content”, Excel would not scan for malicious data as it normally would. With that level of social engineering and user interaction, it’s almost hard to consider this a true bypass, but kudos to Microsoft for fixing it anyway. The other SFB is in OneDrive for iOS. An attacker could use this to view files stored in a locked vault, however, it does require some form of authentication to exploit.

There’s a fair amount of Elevation of Privilege (EoP) bugs receiving patches this month, and the majority of these require the attacker to execute their code on a target to escalate privileges – typically to SYSTEM. The privilege escalation in http.sys was submitted to the ZDI by an anonymous researcher. It’s an integer overflow that could allow an attacker to escalate to SYSTEM. The escalation bug in the graphics component was reported to the ZDI by Marcin Wiązowski. It uses a use-after-free (UAF) vulnerability to get to SYSTEM. The vulnerability in Bluetooth looks intriguing since it would allow an attacker to escape AppContainer isolation. There’s an update for Defender, but you likely received that automatically. However, if you’re running isolated systems, you will need to manually apply the fix. Speaking of offline patches, the update for OneDrive for macOS is found in the app store. If you don’t have automatic downloads for apps set up, you’ll need to get the patch from the store. 

Looking at the information disclosure vulnerabilities receiving patches this month, the vast majority simply result in info leaks consisting of unspecified memory contents. There are a couple of exceptions. The bug in Microsoft Dynamics 365 could leak a verbose error message that attackers could use to create malicious payloads. The two bugs in OneDrive for Android could leak certain Android/local URIs that OneDrive can access. Again, you’ll need to get this patch from the Google Play store if you haven’t configured automatic app updates.

In addition to the Outlook spoofing bug already mentioned, five other spoofing vulns received fixes this month. The first is in the alliteratively-named Azure Apache Ambari, but Microsoft provides no further details about the bug. The bug in the Service Fabric could allow an attacker to escape the web client and execute their code on the target’s browser. However, Microsoft notes the user would need to click through a “sequence of multiple events” for exploitation. Also, note that you may need to manually update this component if you haven’t specifically enabled auto-updates. User interaction is also required for the SharePoint spoofing bug, but in this case, it’s just clicking a link. If an attacker can convince a user to follow a malicious link, the target could be redirected to a crafted site designed to look like a legitimate website. A similar bug is getting patched in the Edge (Chromium-based) browser. The final spoofing bug getting fixed this month also requires a target clicking a link – this time in Office for Android. The vulnerability allows an attacker to create a malicious link, application, or file and mask it as a non-threatening resource.

There are three additional DoS fixes released this month. There’s no additional info about the patches for Windows Secure Channel or the Internet Key Exchange (IKE) Extension. However, I would expect a successful exploit of these bugs to interfere with authentication processes. The DoS bug in Excel is different. I usually equate DoS bugs in Office apps to just killing the app when opening a crafted file. That’s not the case here. This bug would cause a resource exhaustion on the system when opening a malicious file. It’s not clear if this exhaustion would eventually clear or if a reboot would be required.

Finally, there are five cross-site scripting (XSS) bugs in Dynamics 365. There were also five XSS bugs in last month’s release, which makes this either a weird pattern or a weird coincidence.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday will be on April 11, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!


文章来源: https://www.thezdi.com/blog/2023/3/14/the-march-2023-security-update-review
如有侵权请联系:admin#unsafe.sh