16/03/2023: The story has been updated to include Mandiant's comments on CVE-2023-23397
Microsoft fixed 74 security flaws Tuesday, two of which are actively exploited zero-day vulnerabilities. Six of the bugs are rated critical, 67 are rated important, and one is rated moderate in severity. The security roundup was part of the software giant's monthly Patch Tuesday update.
Security experts urged organizations to prioritize patching two zero-day bugs tracked as CVE-2023-23397 (CVSS score: 9.8) and CVE-2023-24880 (CVSS score: 5.1) since they are actively being exploited in the wild.
In addition, several critical remote code execution vulnerabilities dominate the release, making them a top priority for patching as well.
Two zero-days
Of the two zero-day flaws, CVE-2023-23397, which Microsoft classifies as a Microsoft Outlook elevation-of-privilege vulnerability, is the more severe. Exploiting the flaw results in an authentication bypass on targeted systems: the attacker obtains the victim's NTLM credentials without the victim doing anything.
The bug allows for “new technology LAN manager credential theft” and is triggered “when an attacker sends a message with an extended MAPI property with a UNC path to an SMB(TCP445) share on a threat actor-controlled server,” according to a Microsoft advisory.
In other words, the vulnerability can be exploited in a low-complexity attack: all the attacker needs to do is send a specially crafted email that points the victim's Outlook client at an attacker-controlled UNC path. The property is processed automatically when the Outlook client retrieves the message, so exploitation happens with no user interaction and before the email is viewed in the Preview Pane; the client connects to the attacker's SMB share and performs NTLM authentication to it. Outlook for Windows is the affected client; Microsoft 365 online services, which do not use NTLM, are not vulnerable.
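The mechanism above reduces to one question per mailbox item: does the reminder-sound property point at a host outside the organisation? The Python below is an added example of that triage logic; it is not code from the article and not Microsoft's CVE-2023-23397.ps1 mailbox-scan script. It assumes some other step has already extracted the PidLidReminderFileParameter value from each item (the Outlook property in question), and the items, internal ranges and DNS suffix are constructed for illustration. It also handles the WebDAV form of a UNC host (host@80, host@SSL@443), which the Windows Web Client falls back to when SMB on TCP 445 is blocked, so a firewall rule on 445 alone does not make such a path harmless.

```python
"""Triage of Outlook reminder-sound paths for CVE-2023-23397.

Added example, not the page's code and not Microsoft's CVE-2023-23397.ps1
script. The extended MAPI property Outlook reads is
PidLidReminderFileParameter; the scan that extracts it from each item is
assumed to exist elsewhere, and the items below are constructed samples.
"""
import ipaddress
import re

# Assumption: ranges and DNS suffixes this organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)

# \\host\share\... ; forward slashes are normalised to backslashes first.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)(?:\\|$)")


def is_internal_host(host):
    """True for RFC 1918/loopback/link-local literals, single-label names
    and allow-listed suffixes; everything else is treated as external."""
    try:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in INTERNAL_NETS)
    except ValueError:
        pass
    if "." not in host:  # single-label name resolves via the local suffix list / NetBIOS
        return True
    return host.endswith(INTERNAL_SUFFIXES)


def classify_reminder_path(value):
    """Return 'empty', 'local', 'unc-internal' or 'unc-external'.

    A host written as host@80 or host@SSL@443 is the WebDAV form used by the
    Windows Web Client when SMB is unavailable; it still authenticates
    outbound to that host, so only the host part decides the verdict.
    """
    if not value:
        return "empty"
    normalised = value.replace("/", "\\")
    m = UNC_RE.match(normalised)
    if not m:
        return "local"
    host = m.group("host").split("@", 1)[0].lower()
    return "unc-internal" if is_internal_host(host) else "unc-external"


def flagged_ids(items):
    """IDs of items whose reminder path would make Outlook authenticate to an external host."""
    return [it["id"] for it in items
            if classify_reminder_path(it.get("reminder_file")) == "unc-external"]


# Constructed sample items; 203.0.113.7 is a documentation address standing in for a public one.
SAMPLE_ITEMS = [
    {"id": "msg-1", "reminder_file": None},
    {"id": "msg-2", "reminder_file": r"C:\Windows\Media\notify.wav"},
    {"id": "msg-3", "reminder_file": r"\\fileserver01\sounds\chime.wav"},
    {"id": "msg-4", "reminder_file": r"\\203.0.113.7\share\a.wav"},
    {"id": "msg-5", "reminder_file": r"\\evil.example.net@80\dav\a.wav"},
    {"id": "msg-6", "reminder_file": r"\\10.20.30.40\share\a.wav"},
]

if __name__ == "__main__":
    print(flagged_ids(SAMPLE_ITEMS))  # ['msg-4', 'msg-5']
```

The single-label rule (no dot means internal) matches how Windows resolves such names through the DNS suffix list and NetBIOS, but a hunt should still list those items rather than silently drop them if the environment allows arbitrary name registration.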
“An attacker could exploit this vulnerability to leak a user’s Net-NTLMv2 hash and conduct an NTLM Relay Attack in order to authenticate back as the user,” said Satnam Narang, senior staff research engineer at Tenable. “Notably, this vulnerability is credited to the Computer Emergency Response Team of Ukraine (CERT-UA), which could imply that it may have been exploited in the wild against Ukrainian targets.”
Mandiant told SC Media on Thursday that it believes the vulnerability has been used for almost a year to target organizations and critical infrastructure inside and outside Ukraine, both in preparation for potential disruptive and destructive cyberattacks and to facilitate strategic intelligence collection.
Researchers anticipate a "broad, rapid adoption" of the exploit by both nation-state and financially-motivated actors.
"This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. The race has already begun," said John Hultquist, head of Mandiant Intelligence Analysis at Google Cloud.
Microsoft Incident Response and Microsoft Threat Intelligence are also credited with the discovery.
The second zero-day bug, CVE-2023-24880, is identified as a Windows SmartScreen Security Feature Bypass Vulnerability. It can allow an adversary to bypass Mark of the Web (MOTW) defenses and deploy ransomware without triggering security warnings.
Protections like SmartScreen and Protected View in Microsoft Office rely on MOTW to recognise files that came from an untrusted zone, so bypassing it lets malicious files and applications downloaded from untrusted sources run without the usual warnings.
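To make concrete what a MOTW bypass removes, the Python below is an added example (not code from the article or from Microsoft) that parses the Zone.Identifier alternate data stream Windows writes next to a downloaded file and returns the verdict SmartScreen and Protected View key off. The stream content shown is a constructed sample in the real format; the `read_motw` helper only does anything on Windows, where NTFS exposes the stream as `file:Zone.Identifier`.

```python
"""Mark of the Web (MOTW) inspection helper. Added example, not Microsoft code.

On NTFS a downloaded file carries an alternate data stream named
Zone.Identifier whose content is a small INI fragment. ZoneId 3 (Internet)
and 4 (Restricted Sites) are what SmartScreen and Office Protected View
treat as untrusted; removing the stream (e.g. Unblock-File) or never
writing it is exactly what a MOTW bypass achieves.
"""
import sys

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a Zone.Identifier stream as written by a browser download.
SAMPLE_MOTW = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://downloads.example.test/
HostUrl=https://cdn.example.test/file.zip
"""


def parse_zone_identifier(text):
    """Return the key/value pairs of the [ZoneTransfer] section, or {} if absent."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, val = line.partition("=")
            fields[key.strip()] = val.strip()
    return fields


def motw_verdict(fields):
    """'no-motw' when no ZoneId is present, 'untrusted' for zones 3/4 or a
    malformed ZoneId (treated conservatively), 'trusted' otherwise."""
    if "ZoneId" not in fields:
        return "no-motw"
    try:
        zone = int(fields["ZoneId"])
    except ValueError:
        return "untrusted"
    return "untrusted" if zone >= 3 else "trusted"


def read_motw(path):
    """Read the stream from disk on Windows/NTFS; None on other platforms,
    {} when the file carries no mark at all."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return {}


if __name__ == "__main__":
    fields = parse_zone_identifier(SAMPLE_MOTW)
    print(ZONE_NAMES.get(int(fields["ZoneId"]), "unknown"), motw_verdict(fields))
```

A file downloaded through a path that skips the stream entirely comes back as `no-motw`, which is the state the defences cannot distinguish from a locally created file; that is why a bypass of this kind lets a ransomware installer start without a prompt.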
The vulnerability is credited to Google’s Threat Analysis Group and security researcher Bill Demirkapi. Read more details about this vulnerability in Tuesday's SC Media coverage.
Both zero-days have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Other critical bugs with high patching priority
Microsoft also patched three critical remote code execution flaws, each with a CVSS score of 9.8: one in the HTTP Protocol Stack, HTTP.sys (CVE-2023-23392), one in the Internet Control Message Protocol (ICMP) implementation (CVE-2023-23415), and one in the Remote Procedure Call (RPC) Runtime (CVE-2023-21708).
It is worth mentioning that CVE-2023-23392 only affects Windows 11 and Windows Server 2022, which means "this is a newer bug and not legacy code," wrote Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, in a blog post.
The bug allows a remote, unauthenticated attacker to execute code as SYSTEM without user interaction, but only servers that have HTTP/3 enabled (not the default on Windows Server 2022) and use buffered I/O are exposed.
The next Microsoft Patch Tuesday is set for April 11, 2023.