March 2023 Patch Tuesday: 9 Critical CVEs, Including Two Actively Exploited Zero Days
March 14, 2023Falcon Spotlight Team Endpoint & Cloud Security
Microsoft has released 80 security patches for its March 2023 Patch Tuesday rollout: 9 vulnerabilities are rated Critical, 70 Important and 1 Moderate.
Two actively exploited zero-day vulnerabilities we will highlight later in this blog were reported by the vendor: an elevation of privilege within Microsoft Outlook (CVE-2023-23397) rated as Critical and a security feature bypass within Windows SmartScreen (CVE-2023-24880) rated as Moderate
March 2023 Risk Analysis
This month’s leading risk type is remote code execution (40%, down from 48% in February 2023), followed by elevation of privilege at 31% (up from nearly 16% in February) and information disclosure at 22% (up from 10% last month).
The Microsoft Windows product family received the most patches this month (56), followed by Extended Support Updates (20) and the Microsoft Office product family (10).
Actively Exploited Zero-Day Vulnerabilities
CVE-2023-23397, rated as Critical, is a vulnerability affecting Microsoft Outlook. An external attacker could send a specially crafted email that will cause a connection from the victim to an external location of the attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.
CVE-2023-24880, rated as Moderate, is a vulnerability affecting Windows SmartScreen. An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging. Microsoft explained: “When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check.”
|Critical||9.8||CVE-2023-23397||Microsoft Outlook Elevation of Privilege vulnerability|
|Moderate||5.4||CVE-2023-24880||Windows SmartScreen Security Feature Bypass vulnerability|
Figure 3. Actively exploited zero-day vulnerabilities patched in March 2023
Critical Vulnerabilities affecting Microsoft Products
Critical Vulnerability affecting Remote Procedure Call (RPC)
CVE-2023-21708, a RCE vulnerability affecting Remote Procedure Call (RPC) and rated as Critical, could result in remote code execution on the server side with the same permissions as the running RPC service itself. Microsoft deems this as “less likely exploitable.”
Critical Vulnerability in the HTTP Protocol Stack
CVE-2023-23392, a RCE vulnerability affecting the HTTP Protocol Stack in Windows 11 and Windows Server 2022, is rated as Critical. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.
Critical Vulnerability in Internet Control Message Protocol (ICMP)
CVE-2023-23415, a RCE vulnerability affecting Internet Control Message Protocol (ICMP), is rated as Critical. An attacker could send a low-level protocol error containing a fragmented IP packet inside another ICMP packet in its header to the target machine. To trigger the vulnerable code path, an application on the target must be bound to a raw socket.
Critical Vulnerabilities affecting the Trusted Platform Module (TPM) Module Library
CVE-2023-1017 and CVE-2023-1018, rated as Critical, are vulnerabilities affecting the TPM2.0 Module Library. An out-of-bounds write vulnerability allows the writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.
Critical Vulnerability in Windows Cryptographic Services
CVE-2023-23416, a RCE vulnerability affecting Windows Cryptographic Services, is rated as Critical and marked as “less likely exploitable” by Microsoft, due to the complexity of the attack vector. For successful exploitation, a malicious certificate needs to be imported on an affected system. An attacker could upload a certificate to a service that processes or imports certificates, or an attacker could convince an authenticated user to import a certificate on their system.
Critical Vulnerability in Windows Point-to-Point Tunneling Protocol
CVE-2023-23404, a RCE vulnerability affecting the P2P Tunneling Protocol, is rated as Critical. An unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS), which could lead to remote code execution (RCE) on the RAS machine. Microsoft marked it as “less likely exploitable” as it requires the attacker to win a race condition.
Critical Vulnerability in Windows Hyper-V
CVE-2023-23411, a Denial of Service vulnerability affecting Windows Hyper-V, is rated as Critical. Successful exploitation of this vulnerability could allow a Hyper-V guest to affect the functionality of the Hyper-V host. Marked as “less likely exploitable” by Microsoft.
|Critical||9.8||CVE-2023-21708||Remote Procedure Call (RPC) Remote Code Execution|
|Critical||9.8||CVE-2023-23392||HTTP Protocol Stack Remote Code Execution|
|Critical||9.8||CVE-2023-23415||Internet Control Message Protocol (ICMP) Remote Code Execution|
|Critical||8.8||CVE-2023-1017||TPM 2.0 Module Library Elevation of Privilege Vulnerability|
|Critical||8.8||CVE-2023-1018||TPM 2.0 Module Library Elevation of Privilege Vulnerability|
|Critical||8.4||CVE-2023-23416||Windows Cryptographic Services Remote Code Execution|
|Critical||8.1||CVE-2023-23404||Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability|
|Critical||6.5||CVE-2023-23411||Windows Hyper-V Denial of Service|
Figure 4. Critical vulnerabilities affecting Microsoft Products
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
- Download the CrowdStrike 2023 Global Threat Report to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
- See how Falcon Spotlight can help you discover and manage vulnerabilities and prioritize patches in your environments.
- Learn how CrowdStrike’s external attack surface module, Falcon Surface, can discover unknown, exposed and vulnerable internet-facing assets enabling security teams to stop adversaries in their tracks.
- Learn how Falcon identity protection products can stop workforce identity threats faster.
- Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
- Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent.