It’s April 2023 Patch Tuesday, and Microsoft has released fixes for 97 CVE-numbered vulnerabilities, including one actively exploited zero-day (CVE-2023-28252).
CVE-2023-28252 is a vulnerability in the Windows Common Log File System (CLFS) that allows attackers to gain SYSTEM privileges on target machines.
“Over the last two years, attackers appear to have found success targeting CLFS in order to elevate privileges as part of post-compromise activity,” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security.
“CVE-2023-28252 is the second CLFS elevation of privilege zero-day exploited in the wild this year (the first one was CVE-2023-23376, patched in February) and the fourth in the last two years. It is also the second CLFS zero-day disclosed to Microsoft by researchers from Mandiant and DBAPPSecurity, though it is unclear if both of these discoveries are related to the same attacker.”
Dustin Childs, head of threat awareness at Trend Micro Inc.’s Zero Day Initiative, has posited that the February fix might have been insufficient and that attackers may have found a method to bypass that fix – though there’s not enough information available to confirm this.
“This type of exploit is typically paired with a code execution bug to spread malware or ransomware. Definitely test and deploy this patch quickly,” he added.
Other vulnerabilities of note
CVE-2023-21554 is a critical remote code execution vulnerability in the Microsoft Message Queuing service (an optional Windows component available on all Windows operating systems). It can be triggered by a specially crafted malicious MSMQ packet sent to an MSMQ server.
Dubbed QueueJumper, it’s one of three vulnerabilities found by Check Point principal vulnerability researcher Haifei Li and Wayne Low of Fortinet’s FortiGuard Lab; the other two are CVE-2023-21769 and CVE-2023-28302, which can only result in a denial-of-service condition.
“This unauthorized RCE bug (CVE-2023-21554) in the ‘forgotten’ MSMQ service may have big impact. If you’re a Windows admin, you need to check your environments ASAP (you may have unknowingly enabled the service),” Li explained.
“It’s a simple bug, unauthorized – anyone who could reach 1801/TCP will be able to trigger the bug with a single packet. So patch patch! and check your firewalls to block untrusted connections!”
Li also shared that during their research they found over 360,000 Internet-facing IPs running the MSMQ service with port 1801 open to the Internet, and that “when installing the official Microsoft Exchange Server, the setup wizard app would enable the MSMQ service in the background if the user selects the ‘Automatically install Windows Server roles and features that are required to install Exchange’ option, which is recommended by Microsoft.”
Check Point Research will release technical details about the vulnerabilities later this month so that admins have time to implement the patches or a workaround: blocking inbound connections to the 1801/TCP port from untrusted sources.
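The check Li recommends and the port-blocking workaround, as an added PowerShell example that is not part of the article or Check Point’s research. It assumes an elevated session on a Windows host; the trusted subnet list is a constructed placeholder.

```powershell
# Added example (not from the article): audit MSMQ exposure and scope 1801/TCP
# to trusted sources. $TrustedSubnets is a constructed placeholder.
$TrustedSubnets = @('10.0.0.0/8')   # replace with your real application/management ranges

# 1. Is the Message Queuing service present on this host, and is it running?
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'MSMQ service is not installed on this host.'
} else {
    Write-Output "MSMQ service status: $($svc.Status)"
}

# 2. Is anything actually listening on 1801/TCP?
$listening = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listening) { Write-Output '1801/TCP is listening on this host.' }

# 3. Confirm the firewall profiles block inbound traffic by default, so that
#    only explicit allow rules expose the port.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. Workaround from the article: restrict inbound 1801/TCP to trusted sources.
#    Rather than adding a Block rule (Block always wins over Allow in Windows
#    Firewall, which would also cut off trusted peers), narrow the RemoteAddress
#    of every existing inbound allow rule for port 1801.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 1801 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Set-NetFirewallRule -RemoteAddress $TrustedSubnets

# 5. Show the resulting scope for review.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 1801 } |
    Get-NetFirewallRule |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        "{0}: {1} {2} from {3}" -f $_.DisplayName, $_.Direction, $_.Action, ($addr -join ',')
    }
```

Internet-facing hosts should still be patched; the rule change only narrows who can reach the service.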
Microsoft has also fixed CVE-2023-28250, a critical RCE in the Pragmatic General Multicast protocol installed with the MSMQ service. “When the Windows Message Queuing service is enabled, an attacker who successfully exploited this vulnerability could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” the company noted.
Childs also made sure to point out Microsoft’s republishing of CVE-2013-3900, an old WinVerifyTrust Signature Validation vulnerability that has recently been exploited by attackers in the 3CX supply chain attack.
The fix for it is still optional and consists of setting a value in the system registry.
“An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system,” Microsoft noted, and said it does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows.
“The new stricter verification behavior, when enabled, applies primarily to portable executable (PE) binaries that are signed with the Windows Authenticode signature format. Binaries most likely to be affected are PE installer files distributed via the Internet that are customized at time of download. The most common scenario in which users could perceive an impact is during the downloading and installation of new applications. This is the case only if customers have chosen to enable the stricter verification behavior, after which users may observe warning messages when attempting to install new applications with signatures that fail validation.”
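Enabling the opt-in stricter verification behavior, as an added PowerShell example that is not from the article or from Microsoft. The article does not name the registry value; the path and value name used here are those Microsoft documents in its advisory for CVE-2013-3900, and the signature check at the end uses a constructed placeholder file path.

```powershell
# Added example (not from the article): turn on the stricter Authenticode
# padding check for CVE-2013-3900 and verify the setting. Registry path and
# value name are from Microsoft's CVE-2013-3900 advisory; run elevated.
$Paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    # Also needed for 32-bit processes on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    # The value is a REG_SZ containing "1", not a DWORD.
    New-ItemProperty -Path $p -Name 'EnableCertPaddingCheck' -Value '1' `
        -PropertyType String -Force | Out-Null
}

# Verify both locations.
foreach ($p in $Paths) {
    $v = (Get-ItemProperty -Path $p -Name 'EnableCertPaddingCheck' `
          -ErrorAction SilentlyContinue).EnableCertPaddingCheck
    Write-Output "$p : EnableCertPaddingCheck = $v"
}

# After a reboot, installers whose signature relies on unverified trailing
# data are reported as not valid. $Installer is a constructed placeholder.
$Installer = 'C:\Downloads\example-installer.exe'
if (Test-Path $Installer) {
    Get-AuthenticodeSignature -FilePath $Installer | Select-Object Status, StatusMessage
}
```

Test on a representative set of installers first, since the article notes that download-time customized PE installers are the ones most likely to fail validation once the check is on.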
UPDATE (April 12, 2023, 04:10 a.m. ET):
CVE-2023-28252 is being exploited by a sophisticated cybercrime group that attempts to deliver the Nokoyawa ransomware.
“This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries,” says Kaspersky researcher Boris Larin.