Microsoft patches zero-days used by state-sponsored and ransomware threat actors (CVE-2023-23397, CVE-2023-24880)
It’s March 2023 Patch Tuesday, and Microsoft has delivered fixes for 76 CVE-numbered vulnerabilities, including two actively exploited in the wild (CVE-2023-23397, CVE-2023-24880) by different threat actors.
“CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required,” Microsoft explained.
“The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.”
Satnam Narang, senior staff research engineer at Tenable, notes that Outlook vulnerabilities are often triggerable by the Preview Pane functionality, but not this one. “This is because the vulnerability is triggered on the email server side, meaning exploitation would occur before a victim views the malicious email,” he told Help Net Security.
The flaw affects all supported versions of Microsoft Outlook for Windows, but not Outlook for Mac, iOS or Android, or Outlook on the web. “Online services such as Microsoft 365 do not support NTLM authentication and are not vulnerable to being attacked by these messages,” Microsoft pointed out.
The vulnerability was reported by CERT-UA (the Ukrainian CERT) and by Microsoft's Incident Response and Threat Intelligence teams.
“Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe,” the company said, and shared a script that organizations can use to check if they have been among the targets.
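The article says Microsoft published a script for checking mailboxes for the malicious messages; that script runs against Exchange. The following is an added, offline illustration of the same decision logic, not Microsoft's script and not taken from this article: it walks a set of constructed message records, pulls the reminder property, and flags any value that would make Outlook open an SMB (or WebDAV) connection to a remote host. The property name `PidLidReminderFileParameter` comes from public analysis of the bug rather than from the article, and the sample messages and addresses are made up.

```python
"""
Offline hunt for CVE-2023-23397-style reminder properties.

Outlook triggers the bug when a message carries an extended MAPI property whose
value is a UNC path; the client then authenticates (NTLM) to the host in that
path. So the detection question per message is simply: does the reminder
property point at a host other than this machine?
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Property name taken from public analysis of the bug (assumption relative to the article).
REMINDER_PROP = "PidLidReminderFileParameter"

# Hosts that do not leave the machine; "." and "?" cover \\.\ and \\?\ device/long paths.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", ".", "?"}

# \\host\share\path  -> group(1) is the host portion (may carry a WebDAV @port/@SSL suffix)
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\(.*)$")


def remote_host(value: Optional[str]) -> Optional[str]:
    """Return the remote host a reminder path would make Outlook contact, or None if local."""
    if not value:
        return None
    v = value.strip()
    host = None
    m = UNC_RE.match(v)
    if m:
        host = m.group(1)
    else:
        parsed = urlparse(v)
        if parsed.scheme.lower() in {"file", "smb"} and parsed.hostname:
            host = parsed.hostname
    if host is None:
        return None  # ordinary local path such as C:\Windows\Media\Alarm01.wav
    host = host.split("@")[0].lower()  # drop WebDAV suffixes like host@80 or host@SSL
    return None if host in LOCAL_HOSTS else host


@dataclass
class Finding:
    message_id: str
    sender: str
    host: str
    value: str


def scan(messages: Iterable[dict]) -> List[Finding]:
    """Flag every message whose reminder property points at a remote host."""
    findings = []
    for msg in messages:
        value = msg.get("extended_properties", {}).get(REMINDER_PROP)
        host = remote_host(value)
        if host:
            findings.append(Finding(msg["id"], msg.get("sender", ""), host, value))
    return findings


# Constructed sample records, not real mailbox data.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "alice@example.com", "extended_properties": {}},
    {"id": "m2", "sender": "bob@example.com",
     "extended_properties": {REMINDER_PROP: r"C:\Windows\Media\Alarm01.wav"}},
    {"id": "m3", "sender": "mallory@example.net",
     "extended_properties": {REMINDER_PROP: r"\\203.0.113.10\share\reminder.wav"}},
    {"id": "m4", "sender": "mallory@example.net",
     "extended_properties": {REMINDER_PROP: r"\\203.0.113.10@80\dav\reminder.wav"}},
    {"id": "m5", "sender": "self@example.com",
     "extended_properties": {REMINDER_PROP: r"\\localhost\c$\reminder.wav"}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        print(f"{f.message_id} from {f.sender}: reminder path points at {f.host} ({f.value})")
```

Any remote hit is worth investigating regardless of whether the host is internal, since the same property can be used to coerce authentication to internal relay targets. The `@port` handling matters because a path of the form `\\host@80\...` is resolved over WebDAV rather than SMB, so a perimeter block on outbound TCP 445 (the mitigation that follows from the article's description of the bug) stops the SMB variant but not that one.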
CVE-2023-24880 is a vulnerability that allows attackers to bypass the Windows SmartScreen feature.
“When you download a file from the internet, Windows adds the zone identifier or Mark of the Web (MOTW) as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check,” Microsoft clarifies.
This vulnerability can be exploited by crafting a malicious file that will evade the MOTW defenses, which means that protective measures like Windows SmartScreen and Microsoft Office Protected View won’t be triggered.
The in-the-wild exploitation of the vulnerability was reported to Microsoft by researchers Benoît Sevens and Vlad Stolyarov of Google's Threat Analysis Group (TAG), who spotted it being used to deliver the Magniber ransomware.
“The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet,” the team explained.
“TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe – a notable divergence from Magniber’s typical targeting, which usually focuses on South Korea and Taiwan.”
They also noted that, in September and November 2022, threat actors used a similar SmartScreen bypass vulnerability (CVE-2022-44698) to deliver the Magniber ransomware and the Qakbot infostealer, before the flaw was patched in December 2022.
The problem, they say, is that the patch was too narrow, so attackers iterated and discovered new variants.
“When patching a security issue, there is tension between a localized, reliable fix, and a potentially harder fix of the underlying root cause issue. Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug. Project Zero has written and presented extensively on this trend, and recommends several practices to ensure bugs are correctly and comprehensively fixed,” they added.
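To make the Mark-of-the-Web mechanism quoted from Microsoft above concrete, and to show the failure mode TAG describes (an error in signature handling that suppresses the warning), here is an added Python example. It is not code from Microsoft, Google or this article. It parses the `Zone.Identifier` alternate data stream, reads it from an NTFS file where one exists, and contrasts a schematic fail-open decision with a fail-closed one; the two decision functions are a sketch of the policy shape, not SmartScreen's real logic, and the sample stream text and the `SignatureError` type are constructed for the illustration.

```python
"""
Mark-of-the-Web (MOTW): parse the Zone.Identifier stream and make a trust
decision that fails closed when the signature check errors.

The stream is a small INI-style blob attached to the downloaded file as an
NTFS alternate data stream named Zone.Identifier:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.com/download/
    HostUrl=https://example.com/installer.msi
"""
import configparser
from enum import IntEnum
from typing import Callable, Optional


class Zone(IntEnum):
    LOCAL_MACHINE = 0
    LOCAL_INTRANET = 1
    TRUSTED_SITES = 2
    INTERNET = 3          # the value that makes SmartScreen run its reputation check
    RESTRICTED_SITES = 4


def parse_zone_identifier(stream_text: str) -> Optional[dict]:
    """Parse Zone.Identifier contents; None if it is absent, malformed or has no usable ZoneId."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (ZoneId, ReferrerUrl, HostUrl)
    try:
        cp.read_string(stream_text)
    except configparser.Error:
        return None
    if "ZoneTransfer" not in cp:
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone = Zone(int(sec.get("ZoneId", "")))
    except ValueError:
        return None
    return {"zone": zone, "referrer": sec.get("ReferrerUrl"), "host": sec.get("HostUrl")}


def read_motw(path: str) -> Optional[dict]:
    """On NTFS the ADS is addressable as '<path>:Zone.Identifier'; returns None where there is none."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


class SignatureError(Exception):
    """Constructed stand-in for 'the Authenticode blob could not be processed'."""


def decide_fail_open(zone: Optional[Zone], verify_signature: Callable[[], bool]) -> bool:
    """Schematic of the bypass shape: an error while checking the signature suppresses the warning."""
    if zone is None or zone < Zone.INTERNET:
        return False
    try:
        trusted = verify_signature()
    except SignatureError:
        return False      # error path swallowed -> no dialog (this is the bad shape)
    return not trusted


def decide_fail_closed(zone: Optional[Zone], verify_signature: Callable[[], bool]) -> bool:
    """Same policy, but anything that is not a positive verification result produces the warning."""
    if zone is None or zone < Zone.INTERNET:
        return False
    try:
        trusted = verify_signature()
    except SignatureError:
        return True       # cannot evaluate the signature -> treat as untrusted
    return not trusted


# Constructed sample stream, as a browser would write it for an internet download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.com/download/\r\n"
    "HostUrl=https://example.com/installer.msi\r\n"
)


def malformed_signature() -> bool:
    """Constructed verifier that blows up on a specially crafted signature."""
    raise SignatureError("unparseable Authenticode signature")


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print("zone:", info["zone"].name, "host:", info["host"])
    print("fail-open warns:  ", decide_fail_open(info["zone"], malformed_signature))
    print("fail-closed warns:", decide_fail_closed(info["zone"], malformed_signature))
```

On a Windows host the same stream can be inspected with `Get-Content -Stream Zone.Identifier <file>`, and `read_motw` above reads it through the `file:Zone.Identifier` path form that NTFS exposes; on non-NTFS filesystems it simply returns None. The point of the two decision functions is the one TAG makes: a fix that only rejects the one malformed signature seen in the wild leaves the error path fail-open, whereas treating every non-verifying outcome, errors included, as untrusted closes the whole variant class.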
Other vulnerabilities of note
Dustin Childs, with Trend Micro’s Zero Day Initiative, also singled out a wormable HTTP protocol stack RCE flaw (CVE-2023-23392) exploitable in a common Windows 11 and Windows Server 2022 configuration, and potentially wormable RCE in the Internet Control Message Protocol (CVE-2023-23415) as worthy of a quick fix.
Add to that list CVE-2023-23416, an RCE in Windows Cryptographic Services.
“For successful exploitation, a malicious certificate needs to be imported on an affected system. An attacker could upload a certificate to a service that processes or imports certificates, or an attacker could convince an authenticated user to import a certificate on their system,” the company noted.
UPDATE (March 15, 2023, 10:20 a.m. ET):
MDSec researcher Dominic Chell has a great write-up on how CVE-2023-23397 can be easily exploited.