March 2023 Patch Tuesday: 9 Critical CVEs, Including Two Actively Exploited Zero Days

Microsoft has released 80 security patches for its March 2023 Patch Tuesday rollout: 9 vulnerabilities are rated Critical, 70 Important and 1 Moderate.

Two actively exploited zero-day vulnerabilities, which we highlight later in this blog, were reported by the vendor: an elevation of privilege in Microsoft Outlook (CVE-2023-23397), rated as Critical, and a security feature bypass in Windows SmartScreen (CVE-2023-24880), rated as Moderate.

March 2023 Risk Analysis

This month’s leading risk type is remote code execution (40%, down from 48% in February 2023), followed by elevation of privilege at 31% (up from nearly 16% in February) and information disclosure at 22% (up from 10% last month).

Figure 1. Breakdown of March 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month (56), followed by Extended Support Updates (20) and the Microsoft Office product family (10).

Figure 2. Breakdown of product families affected by March 2023 Patch Tuesday

Actively Exploited Zero-Day Vulnerabilities

CVE-2023-23397, rated as Critical, is a vulnerability affecting Microsoft Outlook for Windows. An external attacker can send a specially crafted email that causes the victim's Outlook client to open a connection to an external location under the attacker's control. That connection leaks the victim's Net-NTLMv2 response to the attacker, who can relay it to another service that accepts NTLM authentication and authenticate as the victim. No user interaction is required: the message carries an extended MAPI property (PidLidReminderFileParameter) pointing at a UNC path, and Outlook follows it automatically when the message is retrieved and processed, before the user opens or previews it. Beyond patching, Microsoft's listed mitigations are to add high-value users to the Protected Users security group (which prevents NTLM authentication) and to block outbound TCP 445 (SMB) from the network; Microsoft also published a PowerShell script that scans Exchange mailboxes for messages carrying the property.
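One way to hunt for the network side effect described above, as an added example that is not CrowdStrike's or Microsoft's code: flag the Outlook process opening an outbound SMB (TCP 445) connection to an address outside the organisation. Internal file-share traffic on 445 is normal, so only external destinations are reported. The records are shaped like Sysmon Event ID 3 (network connection) fields; the sample events and the internal address ranges are constructed assumptions to adjust per environment.

```python
"""Hunt for the network side effect of a CVE-2023-23397 trigger: the Outlook
process opening an outbound SMB (TCP 445) connection to a host outside the
organisation's address space.

Added example, not CrowdStrike's or Microsoft's code. Records are shaped like
Sysmon Event ID 3 (NetworkConnect) fields; SAMPLE_EVENTS are constructed for
illustration and INTERNAL_NETS is an assumption to adjust per environment.
"""
import ipaddress

SMB_PORT = 445

# Address space where file-share traffic on 445 is expected: RFC 1918,
# loopback and link-local. Extend with your own public ranges through the
# extra_internal parameter.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed telemetry in the shape of Sysmon Event ID 3 fields.
SAMPLE_EVENTS = [
    # Outlook talking to an internal file server: normal.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "10.20.30.40", "DestinationPort": 445, "Protocol": "tcp"},
    # Outlook reaching an external SMB server: the 23397 signature.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.77", "DestinationPort": 445, "Protocol": "tcp"},
    # Outlook over HTTPS: ordinary mail traffic, out of scope.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Protocol": "tcp"},
    # Another process doing external SMB: worth a look, but not Outlook.
    {"Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 445, "Protocol": "tcp"},
]


def is_external(ip_text, extra_internal=()):
    """True when the address lies outside every internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable field: do not alert on garbage
    nets = INTERNAL_NETS + [ipaddress.ip_network(n) for n in extra_internal]
    return not any(ip in net for net in nets)


def process_basename(image):
    """Lower-case file name from a Windows image path, independent of host OS."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_external_smb_egress(events, process_name="outlook.exe", extra_internal=()):
    """Return (process, destination_ip) pairs for outbound TCP 445 connections
    to external hosts. process_name=None widens the hunt to every process."""
    hits = []
    for ev in events:
        if str(ev.get("Protocol", "")).lower() != "tcp":
            continue
        try:
            if int(ev.get("DestinationPort", 0)) != SMB_PORT:
                continue
        except ValueError:
            continue
        proc = process_basename(str(ev.get("Image", "")))
        if process_name is not None and proc != process_name.lower():
            continue
        dest = str(ev.get("DestinationIp", ""))
        if not is_external(dest, extra_internal):
            continue
        hits.append((proc, dest))
    return hits


if __name__ == "__main__":
    for proc, dest in find_external_smb_egress(SAMPLE_EVENTS):
        print(f"ALERT: {proc} opened SMB to external host {dest}")
```

Run with process_name=None to catch the same egress from any process (Explorer resolving a UNC path behaves the same way); pass your organisation's public ranges in extra_internal so that a legitimately exposed file server is not reported.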

CVE-2023-24880, rated as Moderate, is a vulnerability affecting Windows SmartScreen. An attacker can craft a malicious file that evades Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office that rely on MOTW tagging. Microsoft explained: "When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check." A file that reaches the user without that stream, or with a ZoneId other than 3, is therefore never submitted to the reputation check, which is why MOTW bypasses are attractive for malware delivery.
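The stream Microsoft describes is a small INI-style text blob. The following added example (not CrowdStrike's or Microsoft's code) parses it, applies the ZoneId=3 rule to decide whether a reputation check would be expected, and distinguishes a file that carries no mark at all (the outcome of a MOTW bypass) from one marked for a non-Internet zone. Parsing is pure Python and runs anywhere; reading the stream itself only succeeds on Windows with NTFS. SAMPLE_STREAM is a constructed example of what a browser writes next to a download.

```python
"""Read and interpret the Zone.Identifier alternate data stream (Mark of the
Web) that Windows SmartScreen consults before running a downloaded file.

Added example, not CrowdStrike's or Microsoft's code. SAMPLE_STREAM is a
constructed example of a browser-written stream.
"""
import configparser

# URL security zone values as stored in the stream's ZoneId key.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
INTERNET_ZONE = 3

SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/downloads/\r\n"
    "HostUrl=https://example.com/downloads/tool.zip\r\n"
)


def parse_zone_identifier(stream_text):
    """Return the [ZoneTransfer] keys as a dict, or None if the stream text is
    missing, malformed or lacks that section."""
    if stream_text is None:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep ZoneId/HostUrl casing as written
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    return dict(parser.items("ZoneTransfer"))


def zone_id(stream_text):
    """Integer ZoneId, or None when the file carries no usable mark."""
    section = parse_zone_identifier(stream_text)
    if not section or "ZoneId" not in section:
        return None
    try:
        return int(section["ZoneId"].strip())
    except ValueError:
        return None


def describe_mark(stream_text):
    """Human-readable zone, distinguishing 'no mark' from 'unknown zone'."""
    zid = zone_id(stream_text)
    if zid is None:
        return "no Mark of the Web"
    return ZONE_NAMES.get(zid, f"unknown zone {zid}")


def reputation_check_expected(stream_text):
    """Mirror the rule Microsoft describes: SmartScreen does a reputation check
    only when the stream says ZoneId=3. Anything else, including no stream at
    all (what a MOTW bypass produces), skips the check."""
    return zone_id(stream_text) == INTERNET_ZONE


def read_zone_identifier(path):
    """Read a file's Zone.Identifier ADS via the NTFS 'file:stream' syntax.
    Returns None when the stream is absent or the filesystem has no ADS
    support, so callers treat both as 'no mark'."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        stream = read_zone_identifier(target)
        verdict = "expected" if reputation_check_expected(stream) else "skipped"
        print(f"{target}: {describe_mark(stream)}; reputation check {verdict}")
```

Point the script at files in a user's Downloads folder to see which ones still carry the mark; a freshly downloaded executable reporting "no Mark of the Web" is the condition this bypass class aims for and is worth a closer look at how it arrived.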

Rank      CVSS Score  CVE             Description
Critical  9.8         CVE-2023-23397  Microsoft Outlook Elevation of Privilege vulnerability
Moderate  5.4         CVE-2023-24880  Windows SmartScreen Security Feature Bypass vulnerability

Figure 3. Actively exploited zero-day vulnerabilities patched in March 2023

Critical Vulnerabilities affecting Microsoft Products

Critical Vulnerability affecting Remote Procedure Call (RPC)

CVE-2023-21708, an RCE vulnerability affecting the Remote Procedure Call (RPC) runtime, is rated as Critical. An unauthenticated attacker who sends a specially crafted RPC call to an RPC host could achieve remote code execution on the server side with the same permissions as the RPC service itself. Microsoft deems exploitation "less likely"; as a mitigation it recommends blocking TCP port 135 at the enterprise perimeter firewall, which stops the vector from the internet but not from an already compromised host inside the network.

Critical Vulnerability in the HTTP Protocol Stack

CVE-2023-23392, an RCE vulnerability affecting the HTTP Protocol Stack in Windows 11 and Windows Server 2022, is rated as Critical. An unauthenticated attacker could send a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets. Microsoft notes that the vulnerable code path requires HTTP/3 to be enabled, which is not the default on Windows Server 2022; HTTP/3 is switched on through the EnableHttp3 value under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, so servers where that value is absent or 0 are not exposed until the patch is applied.

Critical Vulnerability in Internet Control Message Protocol (ICMP)

CVE-2023-23415, an RCE vulnerability affecting Internet Control Message Protocol (ICMP), is rated as Critical. An attacker could send a low-level protocol error containing a fragmented IP packet inside the header of another ICMP packet to the target machine. The vulnerable code path is reached only when an application on the target is bound to a raw socket, so the first triage step is to inventory which hosts run software that opens raw sockets (network monitoring agents, custom ping or traceroute tools and the like); hosts without such listeners are not exposed, and filtering inbound ICMP at the perimeter reduces exposure for the rest.

Critical Vulnerabilities affecting the Trusted Platform Module (TPM) Module Library

CVE-2023-1017 and CVE-2023-1018, rated as Critical, are vulnerabilities in the TPM 2.0 reference Module Library. CVE-2023-1017 is an out-of-bounds write that lets 2 bytes of data be written past the end of a TPM 2.0 command buffer in the CryptParameterDecryption routine; CVE-2023-1018 is a matching out-of-bounds read in the same routine. An attacker able to send commands to the TPM could cause a denial of service (crashing the TPM chip or process, or rendering it unusable) or achieve arbitrary code execution in the TPM context. Because the defect lives in reference code shared by many TPM implementations, firmware updates from the TPM manufacturer may be required in addition to the Microsoft update.

Critical Vulnerability in Windows Cryptographic Services

CVE-2023-23416, an RCE vulnerability affecting Windows Cryptographic Services, is rated as Critical and marked as "less likely exploitable" by Microsoft, due to the complexity of the attack vector. For successful exploitation, a malicious certificate needs to be imported on an affected system. An attacker could upload a certificate to a service that processes or imports certificates, or could convince an authenticated user to import a certificate on their system.

Critical Vulnerability in Windows Point-to-Point Tunneling Protocol

CVE-2023-23404, an RCE vulnerability affecting the Windows Point-to-Point Tunneling Protocol (PPTP), is rated as Critical. An unauthenticated attacker could send a specially crafted connection request to a Remote Access Server (RAS), which could lead to remote code execution on the RAS machine. Microsoft marks it as "less likely exploitable" because the attacker must win a race condition. Only servers that accept PPTP connections (TCP 1723 plus GRE) are reachable by this vector; given PPTP's long-known authentication weaknesses, retiring it is a better answer than patching it.

Critical Vulnerability in Windows Hyper-V

CVE-2023-23411, a denial of service vulnerability affecting Windows Hyper-V, is rated as Critical. Successful exploitation could allow a Hyper-V guest to affect the functionality of the Hyper-V host. Microsoft marks it as "less likely exploitable". Despite its CVSS base score of 6.5, Microsoft rates it Critical, reflecting that the impact crosses the guest-to-host boundary.

Rank      CVSS Score  CVE             Description
Critical  9.8         CVE-2023-21708  Remote Procedure Call (RPC) Remote Code Execution
Critical  9.8         CVE-2023-23392  HTTP Protocol Stack Remote Code Execution
Critical  9.8         CVE-2023-23415  Internet Control Message Protocol (ICMP) Remote Code Execution
Critical  8.8         CVE-2023-1017   TPM 2.0 Module Library Elevation of Privilege Vulnerability
Critical  8.8         CVE-2023-1018   TPM 2.0 Module Library Elevation of Privilege Vulnerability
Critical  8.4         CVE-2023-23416  Windows Cryptographic Services Remote Code Execution
Critical  8.1         CVE-2023-23404  Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
Critical  6.5         CVE-2023-23411  Windows Hyper-V Denial of Service

Figure 4. Critical vulnerabilities affecting Microsoft Products

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As was the case for the ProxyNotShell vulnerabilities, it is critically important to develop a response plan for how to defend your environments when no patch is available.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
