Patch management Archives - My TechDecisions
https://mytechdecisions.com/tag/patch-management/
The end user’s first and last stop for making technology decisions
Last updated: Tue, 13 Jun 2023 19:14:23 +0000

June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM
https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/
Tue, 13 Jun 2023 19:14:23 +0000

Microsoft has released fixes for about 70 vulnerabilities in its June 2023 Patch Tuesday release, and while none are listed as being actively exploited or publicly known, there are still a handful of critical-rated vulnerabilities that IT admins should prioritize this month.

That list of bugs that should be prioritized includes two remote code execution vulnerabilities in Microsoft Exchange Server, an elevation of privilege bug in Microsoft SharePoint, a trio of remote code execution flaws in Windows Pragmatic General Multicast, and a handful of others.

Based on input from security researchers at Zero Day Initiative (ZDI), Tenable, Immersive Labs and others, here is a look at the vulnerabilities that warrant more attention in the June 2023 Patch Tuesday release.

CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability

If this looks familiar, you aren’t alone. Microsoft has issued fixes for a number of Exchange Server remote code execution bugs in recent years, and this one is a bypass of fixes for CVE-2022-41082 and CVE-2023-21529, with the latter listed as being under active exploitation.

This vulnerability exists within the Command class, and the issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. This bug requires the attacker to have an account on the Exchange server, but successful exploitation could lead to executing code with SYSTEM privileges.

CVE-2023-28310 – Microsoft Exchange Server Remote Code Execution Vulnerability

This is the other Exchange RCE bug listed this month, and like its twin this month, is rated as important but considered more likely to be exploited. This also requires an attacker to be authenticated, so an attacker will need valid credentials.

According to researchers, both Exchange Server bugs closely mirror the vulnerabilities identified as part of the ProxyNotShell exploits. Successful exploitation could result in an attacker gaining access to an organization’s email account, or even the ability to impersonate any user.

Since attackers are adept at stealing valid credentials via phishing attacks, these should not be ignored.

CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability

According to researchers, this critical-rated vulnerability is used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft lists enabling the AMSI feature to mitigate this flaw, but organizations are still urged to deploy the update as soon as possible.

Exploitation is achieved by sending a spoofed JWT authentication token to a vulnerable server, giving the attacker the privileges of an authenticated user on the target, researchers say.

CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

This trio of vulnerabilities, all critical-rated, allows a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) server environment. This is the third month in a row that Microsoft has patched a critical-rated bug in this component.

For successful exploitation, a system must have the message queuing service enabled.

For further June 2023 Patch Tuesday analysis, consult research blogs from Zero Day Initiative, Tenable, Immersive Labs and others.

The post June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM appeared first on My TechDecisions.

Patch FortiGate SSL-VPN Devices Immediately
https://mytechdecisions.com/network-security/patch-fortigate-ssl-vpn-devices-immediately/
Tue, 13 Jun 2023 15:59:33 +0000

Cybersecurity firm Fortinet is warning organizations of a critical vulnerability in its FortiGate SSL-VPN devices, continuing a string of recent exploitations of vulnerabilities in similar devices due to their internet-facing nature and access to a victim’s network.

The vulnerability–tracked as CVE-2023-27997–is a heap-based overflow flaw that could allow a remote attacker to execute arbitrary code or commands via specially crafted requests, says the Sunnyvale, Calif.-based firewall and endpoint security firm.

According to Fortinet, its Product Security Incident Response Team, following a previous incident from January also impacting FortiOS SSL VPN with exploitation, initiated a code audit of the SSL-VPN module, leading to the identification of issues that have been remediated in the company’s patch.

The investigation found that CVE-2023-27997 “may have been exploited in a limited number of cases.”

In the company’s blog, Fortinet says the attacks mimic the activity of Volt Typhoon, a suspected China-sponsored hacking group that has been targeting critical infrastructure organizations. However, Fortinet doesn’t go as far as to link exploitation of the vulnerability to that group, but it does expect Volt Typhoon and other threat actors to leverage the bug in unpatched software and devices.

FortiGate devices were identified by the U.S. National Security Agency as being targeted by Volt Typhoon as an initial intrusion vector.

Organizations should apply the patch immediately. If they aren’t able to do so, disabling SSL-VPN is a legitimate workaround, the company says.

These devices and other SSL VPN products from Citrix, Pulse Secure and others have been popular targets in recent years, says Satnam Narang, senior staff research engineer at vulnerability management firm Tenable.

According to Narang, these flaws have not only been exploited by ransomware groups but also by nation-state aligned threat actors with a particular focus on flaws in Fortinet devices.

“SSL-VPNs are attractive targets due to their internet-facing nature, providing access to a company’s intranet,” Narang says. “They became even more popular at the beginning of the pandemic, as organizations shifted towards allowing for remote work.”

Narang adds that pre-authentication bugs like CVE-2023-27997 are especially valuable to remote attackers because they don’t need to have valid credentials.

“Despite patches being available, the inherent value of the flaw remains significant, considering the ongoing success threat actors achieve by exploiting known, unpatched vulnerabilities,” Narang says. “It’s not a question of ‘if’, but rather ‘when’ a public proof-of-concept exploit for this flaw is made public, that we can expect more widespread scanning and exploitation of vulnerable assets.”

The post Patch FortiGate SSL-VPN Devices Immediately appeared first on My TechDecisions.

Ransomware Groups Confirmed to be Exploiting MOVEit Bug
https://mytechdecisions.com/it-infrastructure/ransomware-groups-confirmed-to-be-exploiting-moveit-bug/
Mon, 05 Jun 2023 20:55:53 +0000

Cybersecurity firms are reporting widespread exploitation of the MOVEit Transfer vulnerability across a wide range of organizations large and small, with some publicly confirming that known ransomware groups are leveraging the flaw.

That includes Microsoft, which is attributing the attacks exploiting the bug, tracked as CVE-2023-34362, to a group it calls “Lace Tempest,” which is known for ransomware operations and running the Clop extortion site.

The Redmond, Wash. tech giant says the group has used similar vulnerabilities in file transfer tools to steal data and extort victims in the past.

In a series of tweets, the Microsoft Threat Intelligence Twitter account revealed several details on the attacks, saying exploitation is typically followed by deployment of a web shell with data exfiltration capabilities.

According to Progress Software, the vulnerability in MOVEit Transfer could lead to escalated privileges and potential unauthorized access to the environment. MOVEit Transfer customers are advised to take immediate action to help protect their environment. Organizations are urged to apply the patch immediately.

According to a statement from a MOVEit spokesperson, the company promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. “We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.”

Affecting all supported MOVEit Transfer versions, CVE-2023-34362 is an SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” the company says.

In the meantime, the MOVEit maker says it is continuing to work with cybersecurity experts to investigate the issue. A company spokesperson said in a statement, “We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”

Experts Weigh in On MOVEit Vulnerability

On Monday, reports of widespread exploitation came pouring in, as several security firms say their customers are under active attack.

Caitlin Condon, senior manager for security research at Rapid7, says the company has responded to alerts across a range of organizations from small businesses to enterprises with “tens of thousands of assets.”

There doesn’t appear to be any particular target vertical or organizational profile, Condon says, as victim organizations have so far included technology, insurance, manufacturing, municipal government, healthcare and financial services. The amount of data stolen varies case by case, but Rapid7 has responded to “multiple incidents where several dozen gigabytes of data was stolen,” Condon says.

In a Rapid7 blog, the company says it has observed an uptick in related cases since the bug was disclosed last week, and the company’s researchers say the vulnerability was exploited at least four days prior to Progress Software’s first advisory on May 31.

These updates confirm what Satnam Narang, senior staff research engineer at Tenable, said last week, attributing the exploitation of file transfer tools to double extortion ransomware groups like Clop.

“While we don’t know the specifics around the group behind the zero day attacks involving MOVEit, it underscores a worrisome trend of threat actors targeting file transfer solutions,” Narang said last week. “Organizations that use MOVEit software should assume compromise and engage in incident response to determine the potential impact, if any.”

MOVEit customers are advised to check for indicators of compromise and unauthorized access over at least the past 30 days.

The post Ransomware Groups Confirmed to be Exploiting MOVEit Bug appeared first on My TechDecisions.

New Grouping, Reporting Features in Windows Autopatch
https://mytechdecisions.com/it-infrastructure/grouping-reporting-features-windows-autopatch/
Tue, 02 May 2023 16:05:19 +0000

Microsoft is making several updates to Windows Autopatch to help busy admins automate the monthly Windows security patches, with new control features including a groups feature, new alerting and updated reporting.

According to Microsoft, the new Autopatch features are available in public preview. They let admins target updates at specific groups and stagger incremental rollouts with phased deployments, and they add new control features and updated status reporting that give admins data on the success or failure of Autopatch.

The Autopatch groups feature, Microsoft says, allows organizations to create discrete populations of devices within their tenant and configure as many as 15 unique deployment rings, custom cadences and content to each of up to 50 groups.

Divisions, groups or other structures of the enterprise can be replicated in Autopatch and the update settings tailored to each unit, the company says.

Microsoft says the updates allow admins to configure Autopatch with the granularity they need. For example, admins can update finance department devices across 10 rings on a scheduled cadence while keeping administrative and executive devices in the default 5 rings and updated according to deadlines.

The new release also includes new alerts and detailed recommended actions when Autopatch detects missing or modified policies. Microsoft says this feature complements the “inactive status” feature introduced last month.

In addition, Autopatch will show more information about out-of-band releases in the “Release management” blade, and the schedule for those releases will be posted to the “Release schedule” tab. Included KBs will be available under the “Release announcements” tab.

Autopatch will also feature new reporting blades where admins can get summary views of their current status, as well as a new option to filter reports by eight distinct parameters to get granular, interactive alerts. Those alerts will highlight devices with issues and provide integrated details and recommendations.

In a blog post, Microsoft cites a Forrester report that concludes Autopatch can help admins spend 50% to 95% less effort on feature updates.

The post New Grouping, Reporting Features in Windows Autopatch appeared first on My TechDecisions.

Why You Shouldn’t Ignore Apple’s iOS Rapid Security Response Update
https://mytechdecisions.com/network-security/why-you-shouldnt-ignore-apples-ios-rapid-security-response-update/
Tue, 02 May 2023 13:58:43 +0000

IT administrators overseeing deployments of Apple devices should apply the iOS Rapid Security Response update–the company’s first such security-only fix–as we wait for more details on what exactly the update is fixing.

Apple released the update Monday through its Rapid Security Response update program, urging all users of iOS devices to apply the iOS Security Response 16.4.1 (a) update.

“This Rapid Security Response provides important security fixes and is recommended for all users,” Apple says of the update.

Apple has been silent on what vulnerabilities this update fixes, but it must be important, as the Rapid Security Response program is designed to fix vulnerabilities without having to issue a full software update.

However, no new CVE has appeared on its security update page, and a notice along with the update doesn’t detail anything about the issues it is fixing.

According to Apple, these kinds of updates could provide security improvements in Safari, the WebKit framework, or other critical system libraries. They could also be used to mitigate zero-day vulnerabilities or in-the-wild bugs.

The company says Rapid Security Responses are delivered only for the latest versions of iOS, iPadOS and macOS. Devices should allow these updates to be applied automatically and should prompt users to restart their devices.

However, some users on Twitter reported on Monday getting an error message when trying to apply the updates. I tested it out myself Tuesday morning and the update was successful, but I had to apply it manually even though I had automatic updates enabled. Since this is a new deployment model, there might be some kinks Apple has to work out.

Like other software updates, users can navigate to Settings > General > Software Update to apply the Rapid Security Response. Doing so can also allow users to make sure that automatic updates for Rapid Security Response updates are turned on.

Users can opt out of Rapid Security Response updates and instead receive fixes or mitigations when they’re included in full software updates.

Admins should consult this Apple support document about how to manage Rapid Security Responses on Apple devices.

The post Why You Shouldn’t Ignore Apple’s iOS Rapid Security Response Update appeared first on My TechDecisions.

NASA’s Curiosity Software Update Makes Patch Tuesday Seem Like a Breeze
https://mytechdecisions.com/it-infrastructure/nasas-curiosity-software-update-makes-patch-tuesday-seem-like-a-breeze/
Mon, 17 Apr 2023 20:08:52 +0000

Patching and updating systems is one of the core responsibilities of an IT professional, yet that task often proves challenging depending on the number of devices and applications that need to be patched in the organization.

However, those systems are typically located on Earth. Imagine trying to patch a system on an entirely different planet.

That’s apparently what NASA just did, sending a major software update more than 150 million miles away to the Curiosity rover designed to enable the wheeled robot to drive faster and reduce wear and tear on its wheels that it has endured for over a decade.

In addition, NASA made about 180 other changes in the update, which required Curiosity to essentially be shut down between April 3 and April 7, the space agency says in a press release. This is the equivalent of upgrading a Windows 10 device to Windows 11, albeit from a different planet.

While Microsoft, Google and other tech giants spend a considerable amount of time preparing updates and rolling them out, NASA took nine years to develop and send out this update to Curiosity, with the last update going back to 2016.

Other changes include making corrections to the messages the rover sent back to Earth and simplifications to computer code that had been altered by previous patches.

Software update to help navigate Mars terrain

According to NASA, Curiosity can now do more of what it calls “thinking while driving” – performing in a more advanced way to navigate around rocks and sand traps. This is something that NASA’s newest Mars rover, Perseverance, does to help navigate the Mars terrain. Perseverance constantly snaps pictures of the terrain ahead, processing them with a dedicated computer so it can autonomously navigate during one continuous drive.

However, Curiosity isn’t equipped with a dedicated computer for that purpose, instead driving in segments and stopping to process imagery of the terrain after each segment. That results in many stops and starts over the course of a long drive.

The update will help Curiosity process images faster and spend more time on the move, according to NASA.

A new algorithm to protect Curiosity’s wheels

To reduce the wear and tear on the rover’s aluminum wheels, which have been showing signs of broken treads since 2013, NASA included in the update a new algorithm designed to improve traction and reduce wheel wear by adjusting the rover’s speed depending on the rocks it’s rolling over.

The update also includes two new mobility commands that reduce the amount of steering the rover needs to do while driving in an arc toward a specific waypoint, helping to further preserve the life of the wheels.

The software update will also help the human controllers on Earth plan the rover’s movements and will make future software updates easier to deploy, according to NASA.

IT admins pushing out a major patch or update may cross their fingers, but doing so across 150 million miles of space is a bit more nerve-wracking, says Jonathan Denison, the rover’s engineering operations team chief, in a statement.

“The idea of hitting the install button was a little scary,” Denison says. “Despite all our testing, we never know exactly what will happen until the software is up there.”

The post NASA’s Curiosity Software Update Makes Patch Tuesday Seem Like a Breeze appeared first on My TechDecisions.

What is Going on With Microsoft Exchange Server Throttling and Blocking?
https://mytechdecisions.com/it-infrastructure/microsoft-exchange-server-throttling-and-blocking/
Mon, 17 Apr 2023 17:12:24 +0000

Microsoft is hoping to address the security issue of emails sent to Exchange online from unsupported and unpatched Exchange Servers by enabling a transport-based enforcement system in Exchange Online that will throttle and then block emails from an unsupported server.

The end goal is to encourage Microsoft customers to stop using persistently vulnerable versions of Exchange, which are a favorite target of hackers, including from Hafnium, a state-sponsored hacking group out of China that has leveraged Exchange vulnerabilities in the past.

According to Microsoft, admins will also see alerts about unsupported or unpatched Exchange servers in their on-premises environment that need to be upgraded or patched. However, if a server remains out of date and unpatched, mail from that server will be throttled and eventually blocked, the company says in a Tech Community blog.

“We don’t want to delay or block legitimate email, but we do want to reduce the risk of malicious email entering Exchange Online by putting in place safeguards and standards for email entering our cloud service,” Microsoft says in the blog. “We also want to get the attention of customers who have unsupported or unpatched Exchange servers and encourage them to secure their on-premises environments.”

Alerting

In addition to the existing Exchange Server Health Check tool, Microsoft is adding a new mail flow report to the Exchange admin center in Exchange Online that gives a tenant admin details about unsupported or out-of-date Exchange servers in their environment that connect to Exchange Online to send mail.

The new report will also provide details on any throttling or blocking of messages, along with information about what happens next if the server isn’t made current.

Throttling

If a server isn’t remediated after a period of time, Exchange Online will begin to throttle messages from it, issuing a retriable SMTP 450 error to the sending server, which will cause the sending server to queue and retry the message later, resulting in delayed delivery.

The error messages will read, “450 4.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online throttled for 5 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.”

Throttling durations will increase progressively over time to encourage admins to remediate the server. However, if the server isn’t upgraded or patched within 30 days after throttling begins, emails will be blocked.

Blocking

In the blocking scenario, Exchange Online will issue a permanent SMTP 550 error to the sender, triggering a non-delivery report. In this case, a sender will need to re-send the message, the company says.

That error will read, “550 5.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online blocked for 10 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.”
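The two responses above are what an on-premises sending server will actually record, so a mail admin can watch for them before the admin center report ever lands. The following is an added example, not Microsoft's code and not part of the original article: a small Python classifier that picks the 4.7.230 (throttled) and 5.7.230 (blocked) replies out of a constructed SMTP send log, separates the retriable 450 (queued and retried) from the permanent 550 (non-delivery report), and projects the 30-day deadline from the first throttled reply to the start of blocking that Microsoft describes. The log line format and all sample lines are constructed for the example; the reply texts and the 5 and 10 mins/hr values are the ones quoted above.

```python
"""Spot Exchange Online out-of-date-server enforcement in an SMTP send log.

Added example, not code from Microsoft or My TechDecisions. It assumes a
hypothetical protocol log from the on-premises sending server in which each
line reads "<ISO timestamp> <direction> <SMTP reply>"; SAMPLE_LOG below is
constructed. The reply texts are the documented enforcement responses
(450 4.7.230 throttled, 550 5.7.230 blocked).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Enhanced status code x.7.230 marks the enforcement reply; the first digit
# of the SMTP code decides whether the sender retries (4xx) or gets an NDR (5xx).
ENFORCEMENT_RE = re.compile(
    r"^(?P<code>[45]\d\d) (?P<esc>[45]\.7\.230) .*?"
    r"connection to Exchange Online (?P<action>throttled|blocked) "
    r"for (?P<minutes>\d+) mins/hr",
    re.IGNORECASE,
)

# Microsoft: blocking starts if the server is not fixed within 30 days of throttling.
THROTTLE_TO_BLOCK_DAYS = 30

# Constructed sample log: one normal accept, two throttles, one unrelated
# transient error and, a month later, a block.
SAMPLE_LOG = """\
2023-06-05T09:12:01Z < 250 2.6.0 Queued mail for delivery
2023-06-05T09:12:44Z < 450 4.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online throttled for 5 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.
2023-06-06T14:03:10Z < 450 4.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online throttled for 10 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.
2023-06-07T08:00:00Z < 451 4.7.0 Temporary server error. Please try again later
2023-07-06T11:20:35Z < 550 5.7.230 Connecting Exchange server version is out-of-date; connection to Exchange Online blocked for 10 mins/hr. For more information see https://aka.ms/BlockUnsafeExchange.
"""


@dataclass
class EnforcementEvent:
    when: datetime
    smtp_code: int
    action: str            # "throttled" or "blocked"
    minutes_per_hour: int  # how long per hour the connection is refused
    retriable: bool        # 4xx: sender queues and retries; 5xx: NDR, resend needed


def parse_line(line: str) -> Optional[EnforcementEvent]:
    """Return an EnforcementEvent for an x.7.230 reply, else None."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3:
        return None
    stamp, _direction, reply = parts
    m = ENFORCEMENT_RE.match(reply)
    if not m:
        return None
    code = int(m.group("code"))
    return EnforcementEvent(
        when=datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
        smtp_code=code,
        action=m.group("action").lower(),
        minutes_per_hour=int(m.group("minutes")),
        retriable=400 <= code < 500,
    )


def parse_log(text: str) -> List[EnforcementEvent]:
    """Collect every enforcement reply in a multi-line log."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events: List[EnforcementEvent]) -> dict:
    """Reduce the events to the state an admin needs to act on."""
    throttled = [e for e in events if e.action == "throttled"]
    blocked = [e for e in events if e.action == "blocked"]
    state = "blocked" if blocked else "throttled" if throttled else "clean"
    first = min((e.when for e in throttled), default=None)
    return {
        "state": state,
        "throttled": len(throttled),
        "blocked": len(blocked),
        "max_throttle_minutes": max((e.minutes_per_hour for e in throttled), default=0),
        "first_throttled": first,
        # Projected start of blocking if nothing is patched or upgraded.
        "block_deadline": first + timedelta(days=THROTTLE_TO_BLOCK_DAYS) if first else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Feed it the send-side protocol log of the on-premises server (the Send connector protocol log, if protocol logging is enabled) rather than Exchange Online's own logs, because the 450/550 replies are what the sending server sees; anything in the "throttled" state with a deadline inside the next patch window is the server to fix first.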

When will this enforcement action begin?

According to Microsoft, the report will release in private preview this month, and the first affected customers will see the generally available version of the report beginning May 23. Throttling for that first wave will begin in June, and blocking will begin in July.

These steps will be taken progressively for 90 days from initial detection of the unsupported server to 100% blocking, Microsoft says.

However, admins can pause throttling and blocking for up to 90 days per year in the Exchange admin center. Doing so puts the server in report-only mode for the duration specified. Admins can use those 90 days however they want throughout the year, and don’t have to use the entire 90 days consecutively.

Begins with Exchange 2007

The throttling and blocking of old Exchange Servers will eventually apply to all versions and all email coming into Exchange Online, but Microsoft will start with Exchange 2007 servers that connect to Exchange Online over an inbound connector type of OnPremises. This is the oldest version of Exchange from which you can migrate in a hybrid configuration to Exchange Online, Microsoft says.

The company will then incrementally bring Exchange Server versions into the enforcement scope until all versions are included, regardless of how they send mail to Exchange Online.

Microsoft’s intentions

In the Tech Community blog, commenters opined about the reasons behind the move, with some speculating that Microsoft is essentially forcing organizations to migrate to the cloud or pay to continue using Exchange.

However, Chris Goettl, vice president of product management for security products at Ivanti, says this move is another that Microsoft is taking to prevent the malicious use of its solutions. Similar to how the company began blocking macros in Office documents by default, these moves are intended to close security loopholes.

According to Goettl, security researchers have essentially concluded that on-premises Exchange architectures are fundamentally overprivileged and are a security liability.

“There is clear evidence that exchange on prem is not being well maintained by the companies that are still running it,” Goettl says. “When there are thousands of Exchange servers that get exploited within a matter of days when a new exploit comes out, there’s kind of a systemic issue.”

Exchange vulnerabilities are typically among the most commonly exploited security bugs. In fact, two recent research reports from Tenable and Rezilion concluded that Exchange zero days such as ProxyShell and ProxyLogon are still among the most exploited vulnerabilities.

It can sometimes take admins several weeks to patch vulnerabilities like those, but the throttling and blocking action Microsoft is taking is aimed at old, vulnerable Exchange infrastructure.

“So they’re not saying you have to stop using on-prem Exchange and start paying for their online services,” Goettl says. “What they are saying is, if you don’t keep it up to date, they reserve the right to throttle then block you if you’re not keeping the ecosystem secure.”

The post What is Going on With Microsoft Exchange Server Throttling and Blocking? appeared first on My TechDecisions.

March 2023 Patch Tuesday: Two Actively Exploited Bugs in Outlook, SmartScreen
https://mytechdecisions.com/it-infrastructure/march-2023-patch-tuesday-two-actively-exploited-bugs-in-outlook-smartscreen/
Tue, 14 Mar 2023 19:03:42 +0000

The post March 2023 Patch Tuesday: Two Actively Exploited Bugs in Outlook, SmartScreen appeared first on My TechDecisions.
Microsoft’s March 2023 Patch Tuesday release includes fixes for 76 vulnerabilities in the company’s products, two of which are listed as being actively exploited; one of those is also listed as publicly known.

The number of bugs fixed by Microsoft this month is on par with the tech giant’s February security update, which patched 75 vulnerabilities, including three that were being actively exploited.

The number of remote code execution bugs is also similar: 25 are listed this month, compared with 35 last month.

Based on analysis from researchers at Zero Day Initiative, Tenable and other security firms, here’s a look at the more notable vulnerabilities.

CVE-2023-23397 – Microsoft Outlook Spoofing Vulnerability

This bug is getting a lot of attention from security researchers. It carries a CVSSv3 score of 9.8 and has been exploited in the wild, which makes it a top priority for IT and security admins this month. The vulnerability is exploited by sending a malicious email to a vulnerable version of Outlook. When the server processes the email, a connection to an attacker-controlled device is established to leak the Net-NTLMv2 hash of the email recipient. This allows the attacker to use the hash to authenticate as the victim recipient in an NTLM relay attack.

According to Microsoft, this can occur before the email is viewed in Preview Pane, so no interaction from the victim is needed for the attack to be successful. Disabling the Preview Pane feature will have no impact.

What makes this even more interesting is that the discovery of this vulnerability is credited to the Computer Emergency Response Team of Ukraine and Microsoft researchers. Given what is currently happening in Ukraine, this bug could be significant.

CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability

This is the other vulnerability listed as under active attack, but it doesn’t appear to be as severe as the Outlook spoofing bug. This allows attackers to create files that can bypass Mark of the Web protections, rendering features like SmartScreen and Protected View in Microsoft Office useless and allowing threat actors to spread malware via crafted documents and other files.

This is listed as under active attack and could signify how attackers are adopting new methods of delivering malware since Microsoft has taken steps to prevent Office documents from being used for that purpose.

This bug was discovered by Google’s Threat Analysis Group (TAG), which says ransomware groups are using the vulnerability to deliver the Magniber ransomware without any security warnings. According to TAG, attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error, which results in bypassing the security warning dialog normally displayed to users when an untrusted file carries a Mark-of-the-Web (MotW), the marker indicating that a file was downloaded from the internet and may be malicious.

TAG says it has observed over 100,000 downloads of the malicious MSI files since January 2023. Microsoft in December 2022 patched a similar vulnerability after threat actors were exploiting it since September 2022.

CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

This is a vulnerability in Windows operating systems that also gets a critical CVSSv3 score of 9.8. According to Tenable, the bug lies in the way the operating system handles ICMP packets when an application running on a vulnerable Windows host is bound to a raw socket. An attacker can exploit it by sending a malicious fragmented IP packet to a vulnerable target.

CVE-2023-23392 – HTTP Protocol Stack Remote Code Execution Vulnerability

Another bug getting attention this month is a CVSSv3 9.8-rated vulnerability that could allow a remote, unauthenticated attacker to execute code at the SYSTEM level without user interaction. Attackers can send a malicious packet to the target server, but the server must have HTTP/3 enabled and use buffered I/O. However, this is a common configuration for Windows 11 and Windows Server 2022.

There are six other critical-rated bugs patched this month, including vulnerabilities in Windows Cryptographic Services, Hyper-V, Windows Point-to-Point Tunneling Protocol and others.

For more information on the March 2023 Patch Tuesday release, consult Microsoft’s Security Update Guide and analysis from Tenable and Zero Day Initiative.

Older, Unpatched Vulnerabilities Are Still Wreaking Havoc
https://mytechdecisions.com/network-security/older-unptched-vulnerabilities-are-still-wreaking-havoc/
Tue, 28 Feb 2023 16:16:56 +0000

The post Older, Unpatched Vulnerabilities Are Still Wreaking Havoc appeared first on My TechDecisions.
Older vulnerabilities for which patches have already been made available by the vendor are still the primary vehicle for cyberattacks, suggesting that organizations are still behind in practicing good cyber hygiene, according to new data from Tenable.

The Columbia, M.D.-based provider of vulnerability management software finds in its 2022 Threat Landscape Report that the number one group of most frequently exploited vulnerabilities is a large pool of known vulnerabilities, including some that date back to 2017. Organizations repeatedly failed to apply the vendor’s patches for these bugs, resulting in increasing attacks throughout last year.

According to Tenable, the top exploited vulnerabilities within this group included several older high-severity flaws in Microsoft Exchange, Zoho ManageEngine products and VPN solutions from Fortinet, Citrix and Pulse Secure.

Of course, Log4Shell, the critical remote code execution bug in Java logger Log4j discovered in December 2021, was among the most frequently exploited vulnerabilities in 2022, according to Tenable. Others included Follina, a remote code execution bug in the Microsoft Support Diagnostic Tool; an Atlassian Confluence Server and Data Center vulnerability; and ProxyShell, a chain of three vulnerabilities in Microsoft Exchange Server.

In all of those cases, the vulnerabilities, mitigations and patches were highly publicized, and organizations had the ability to fix these issues immediately. In addition, four of the first five zero-day vulnerabilities exploited in the wild in 2022 were disclosed to the public on the same day the vendor released patches and mitigations, according to Tenable.

Bob Huber, chief security officer and head of research at Tenable, says in a statement that older, long-known vulnerabilities cause more destruction than new ones.

“Cyberattackers repeatedly find success exploiting these overlooked vulnerabilities to obtain access to sensitive information,” Huber says. “Numbers like these conclusively demonstrate that reactive post-event cybersecurity measures aren’t effective at mitigating risk. The only way to turn the tide is to shift to preventive security and exposure management.”

According to the report, older vulnerabilities in Fortinet FortiOS and Zoho ManageEngine were spotted in chained attacks alongside Log4Shell and various Exchange Server bugs. Tenable says it has been highlighting some of these bugs “for years,” and they are all listed in CISA’s catalog of Known Exploited Vulnerabilities.

The 2017 vulnerability listed in Tenable’s report is a memory corruption bug in Microsoft Office Equation Editor that has a CVSSv3 score of 7.8. Meanwhile, the report lists three 2018 bugs, a 2020 bug and three 2021 bugs as among the most actively exploited in 2022.

Read Tenable’s report for more information.

February 2023 Patch Tuesday: Three Exploited; Exchange, Word Bugs
https://mytechdecisions.com/it-infrastructure/february-2023-patch-tuesday/
Tue, 14 Feb 2023 19:38:47 +0000

The post February 2023 Patch Tuesday: Three Exploited; Exchange, Word Bugs appeared first on My TechDecisions.
[Editor’s note: An earlier version of this article stated there were two exploited bugs patched this month. It has been updated to reflect the additional exploited vulnerability.]

Microsoft has released patches to fix 75 security bugs in the February 2023 Patch Tuesday release, including one each in Microsoft Office, Windows Common Log File System Driver and Windows Graphics Component that are being actively exploited, as well as a handful of Exchange remote code execution vulnerabilities.

The 75 fixed vulnerabilities are far fewer than the 98 bugs Microsoft patched in its first security update release of the year in January, but there are still a handful that warrant closer inspection, testing and deployment.

According to analysis from Zero Day Initiative, Tenable, and other cybersecurity researchers, here are the February 2023 Patch Tuesday bugs IT admins should prioritize patching:

CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 and CVE-2023-21710 – Microsoft Exchange Server Remote Code Execution Vulnerabilities

There are multiple remote code execution Exchange bugs getting fixes this month. According to Tenable, CVE-2023-21710 received a CVSSv3 score of 7.2, while the other three CVEs were assigned CVSSv3 scores of 8.8. The vulnerabilities allow a remote attacker to execute arbitrary code on a vulnerable server via a network call.

According to Tenable’s analysis, CVE-2023-21529, CVE-2023-21706 and CVE-2023-21707 are similar to CVE-2022-41082, an authenticated remote code execution bug that was publicly disclosed in September 2022 as part of ProxyNotShell.

Microsoft released mitigations in September 2022 to protect vulnerable servers until a patch was released in their November 2022 Patch Tuesday. A bypass of this mitigation, called OWASSRF (CVE-2022-41080), was then released in December 2022, per Tenable.

CVE-2023-21715 – Microsoft Office Security Feature Bypass Vulnerability

This bug is a security feature bypass in Microsoft Office, and it is one of the three bugs patched this month that are being actively exploited. However, exploitation requires a local, authenticated user to download and open an attacker-created file on a vulnerable system, so this requires some social engineering.

CVE-2023-23376 – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability

This is another bug listed under active attack this month, and as with the Office bug, there is little information about this vulnerability. According to Microsoft, the bug allows an attacker to execute code as SYSTEM, which could lead to a complete system takeover. A remote code execution bug is likely being used in conjunction with this one to spread malware or ransomware. This is the third CLFS flaw patched in the last year, including one that was disclosed by the National Security Agency and CrowdStrike in April 2022. This one was discovered by Microsoft’s Threat Intelligence Center, which suggests use by a sophisticated threat actor.

CVE-2023-21716 – Microsoft Word Remote Code Execution Vulnerability

This vulnerability gets a CVSSv3 score of 9.8, so IT admins should prioritize this Microsoft Word bug. The Outlook Preview Pane is an attack vector, and an attacker could use the bug to execute code at the level of the user without user interaction. It can be exploited by an unauthenticated attacker sending an email with a rich text format (RTF) payload, which allows for command execution if opened.

The Microsoft advisory for this vulnerability links to MS08-026 and KB922849 for guidance on how to prevent Microsoft Office from opening RTF documents from unknown or untrusted sources by using the Microsoft Office File Block policy, according to Tenable.

CVE-2023-21823 – Microsoft Windows Graphics Component Elevation of Privilege Vulnerability

This EoP vulnerability in the Microsoft Windows Graphics Component gets a CVSSv3 score of 7.8 and was exploited in the wild as a zero day, according to Tenable. Exploitation of this flaw requires an attacker to log onto a vulnerable system and execute a specially crafted application. Successful exploitation would grant an attacker the ability to run processes in an elevated context.

For more information on these bugs and the entire February 2023 Patch Tuesday release, read analysis from Tenable and Zero Day Initiative.
