Microsoft has released its monthly security updates for April 2023, fixing a total of 97 vulnerabilities across various products and services. Among them, one zero-day flaw was actively exploited in the wild, and seven were rated as critical for allowing remote code execution (RCE).
CVE-2023-28252: Windows Common Log File System Driver Elevation of Privilege Vulnerability
This is the only zero-day vulnerability patched this month. It affects the Windows Common Log File System (CLFS) driver, a logging service used by kernel-mode and user-mode applications. An attacker who successfully exploits this flaw could gain SYSTEM privileges, the highest level of access on a Windows system.
Genwei Jiang of Mandiant and Quan Jin of DBAPPSecurity WeBin Lab discovered this vulnerability. It was also reported by Kaspersky, who observed it being used in Nokoyawa ransomware attacks. According to Microsoft, this vulnerability is less likely to be exploited on Windows 11 systems due to additional security measures.
This is not the first time a CLFS driver vulnerability has been exploited in the wild. In fact, this is the fourth such case in the past two years, following CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376. Therefore, we recommend applying this patch as soon as possible, especially on Windows Server systems with the MSMQ service enabled.
CVE-2023-28285, CVE-2023-28295, CVE-2023-28287, and CVE-2023-28311: Microsoft Office RCE Vulnerabilities
These four vulnerabilities are all related to Microsoft Office products, such as Word, Publisher, and SharePoint. They allow an attacker to execute arbitrary code on a target system by convincing a user to open a specially crafted document or file.
These types of vulnerabilities are often used in phishing campaigns to distribute malware or gain access to sensitive information. Therefore, we advise updating Microsoft Office applications as soon as possible and educating users about the risks of opening untrusted attachments or links.
CVE-2023-21554: Microsoft Message Queuing RCE Vulnerability
This is another critical RCE vulnerability that affects servers with Microsoft’s Message Queuing (MSMQ) service enabled. MSMQ is a messaging protocol that allows applications to communicate across networks and systems.
An attacker who exploits this vulnerability could execute arbitrary code on a target server with elevated privileges. This could lead to a complete compromise of the server or allow lateral movement within the network.
Trend Micro's Zero Day Initiative reported this vulnerability, which carries a CVSSv3 score of 9.8 (critical severity and impact). Therefore, we suggest patching any servers with MSMQ enabled as soon as possible.
Other Notable Patches
In addition to the above vulnerabilities, Microsoft also fixed several other flaws that could pose a risk to users or organizations. Some of them are:
CVE-2023-28312: Windows DNS Server RCE Vulnerability
CVE-2023-28313: Windows DNS Server RCE Vulnerability
CVE-2023-28314: Windows DNS Server RCE Vulnerability
These three vulnerabilities affect Windows DNS servers and allow attackers to execute arbitrary code by sending specially crafted DNS requests. DNS servers are essential for resolving domain names to IP addresses and facilitating network communication. Therefore, compromising them could have serious consequences for network security and availability.
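Both the MSMQ section and the DNS Server section above come down to the same defender question: which hosts actually run the affected service, and which of those still lack the update? The following PowerShell script is an added example written for this article; it is not Microsoft's code or any tooling from the original post. It assumes MSMQ listens on its standard TCP port 1801, that the MSMQ and DNS Server roles expose Windows services named MSMQ and DNS, and that you replace the placeholder KB identifier with the April 2023 update for your OS build (the article does not list KB numbers).

```powershell
# Added example (not from the original post): inventory a Windows host for the
# MSMQ and DNS Server services patched in April 2023 and rank it for patching.
# Assumptions: MSMQ listens on TCP 1801; the service names are 'MSMQ' and 'DNS';
# 'KB-PLACEHOLDER' must be replaced with the real April 2023 KB for this build.

function Get-ExposureReport {
    param(
        # Placeholder: the April 2023 cumulative update KB(s) for this OS build
        [string[]] $RequiredKBs = @('KB-PLACEHOLDER')
    )

    $report = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # MSMQ: is the service installed/running, and is anything listening on 1801?
    $msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $report.MsmqService = if ($msmq) { $msmq.Status.ToString() } else { 'NotInstalled' }
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $report.MsmqListening = [bool]$listener

    # DNS Server role: present on this host?
    $dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $report.DnsServerService = if ($dns) { $dns.Status.ToString() } else { 'NotInstalled' }

    # Patch state: which of the required KBs are absent from the installed hotfixes?
    $installed = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)
    $report.MissingKBs = @($RequiredKBs | Where-Object { $_ -notin $installed })

    # Rank: an exposed, unpatched service goes to the front of the queue.
    $exposed = $report.MsmqListening -or ($report.DnsServerService -eq 'Running')
    $report.Priority = if ($report.MissingKBs.Count -gt 0 -and $exposed) {
        'High'
    } elseif ($report.MissingKBs.Count -gt 0) {
        'Normal'
    } else {
        'Patched'
    }

    [pscustomobject]$report
}

function Add-MsmqInboundBlockRule {
    # Compensating control for a host that cannot be patched immediately:
    # block inbound MSMQ (TCP 1801) at the host firewall. Requires an elevated
    # shell; remove the rule once the update is installed.
    New-NetFirewallRule -DisplayName 'Temp: block inbound MSMQ TCP 1801' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block `
        -Profile Any
}

# Usage: run on each candidate server (or via Invoke-Command) and collect the
# objects into a patch-priority list.
Get-ExposureReport -RequiredKBs @('KB-PLACEHOLDER') | Format-List
```

Run the report across a server estate with Invoke-Command and sort on the Priority field; hosts that show MsmqListening as True or a running DNS service with a missing KB are the ones to patch first. The firewall helper is only a stopgap for hosts that must wait for a maintenance window, and it should be removed once Get-HotFix shows the update present.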
CVE-2023-28286: Windows Active Directory Security Feature Bypass Vulnerability
This vulnerability affects Windows Active Directory and allows an attacker to bypass security features such as Kerberos authentication or NTLM signing. This could enable an attacker to impersonate other users or access protected resources without authorization.
CVE-2023-28315: Windows Kernel Elevation of Privilege Vulnerability
This vulnerability affects the Windows kernel and allows attackers to elevate their privileges from low-integrity to medium-integrity levels. This could enable an attacker to perform actions that would otherwise be restricted, such as accessing files or processes belonging to other users.
Conclusion
Microsoft’s April 2023 Patch Tuesday addresses a large number of vulnerabilities across various products and services. Among them, one zero-day flaw was actively exploited in the wild, and seven were rated as critical for allowing remote code execution (RCE).
We recommend applying these patches as soon as possible, especially for systems that are exposed to the internet or have sensitive data or functionality. Additionally, we advise monitoring your network for any signs of malicious activity or exploitation attempts.