Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)

For May 2023 Patch Tuesday, Microsoft has delivered fixes for 38 CVE-numbered vulnerabilities, including a patch for a Windows bug (CVE-2023-29336) and a Secure Boot bypass flaw (CVE-2023-24932) exploited by attackers in the wild.

The two exploited bugs (CVE-2023-29336, CVE-2023-24932)

CVE-2023-29336 is a vulnerability that allows attackers to gain SYSTEM privileges.

Flagged by researchers with AV maker Avast, it seems probable that it’s being exploited to deliver malware. Microsoft has offered no details about the context of its exploitation.

“This is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero day. We anticipate details surrounding its exploitation to be made public soon by the researchers that discovered it,” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security.

“Historically, we’ve seen three separate examples where Win32k EoP vulnerabilities were exploited as zero days. In January 2022, Microsoft patched CVE-2022-21882, which was exploited in the wild and is reportedly a patch bypass for CVE-2021-1732, which was patched in February 2021 and also exploited in the wild. In October 2021, Microsoft patched another Win32k EoP, identified as CVE-2021-40449, which was linked to a remote access trojan known as MysterySnail, which was a patch bypass for CVE-2016-3309. However, it is unclear if this flaw is a patch bypass.”

CVE-2023-24932 allows attackers to bypass the Secure Boot protections. It is being leveraged by the BlackLotus bootkit to exploit CVE-2022-21894, another Secure Boot bypass flaw that has been fixed last year.

“This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled. This is used by threat actors primarily as a persistence and defense evasion mechanism,” Microsoft shared. “Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device.”

The security update addresses the vulnerability by updating the Windows Boot Manager, but is not enabled by default, the company added, because it could cause disruption and prevent a system from starting up.

“Customers will need to carefully follow manual steps to update bootable media and apply revocations before enabling this update,” Microsoft said, and laid out its phased approach to address this vulnerability, which will end in Q1 2024 when the fix will be enabled by default and will enforce bootmanager revocations on all Windows devices.

Microsoft says that apart from affecting all Windows devices with Secure Boot protections, the issue also affects Linux, and that they’ve been coordinating with representatives from major Linux distributions to make the fix available for their operating systems.

Other vulnerabilities of note

CVE-2023-29325 is a publicly known vulnerability in Windows’ Object Linking & Embedding (OLE) mechanism that could allow an attacker to achieve code execution on the target system by simply sending a maliciously crafted RTF e-mail.

“The Preview Pane is an attack vector, so a target doesn’t even need to read the crafted message. And while Outlook is the more likely exploit vector, other Office applications are also impacted,” says Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.

“This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. Although Microsoft offers some workarounds, it’s a better idea to test and deploy this update quickly.”

Admins in charge of Microsoft SharePoint servers should plug CVE-2023-24955, a RCE flaw exploited by the STAR Labs team during Pwn2Own Vancouver, he added.

Finally, CVE-2023-24941 is a critical RCE in Windows Network File System (NFS) that can be exploited by seding an unauthenticated, specially crafted call to a NFS service.

“With low attack complexity and no privileges or user interaction required, we recommend patching within 72 hours on Windows Server 2012, 2016, 2019, and 2022. If you are unable to patch, an option is applying a temporary fix from Microsoft – they also note that this fix should only be applied if you have already applied security updates from May 2022,” advised Automox’s Peter Pflaster.

“As a mitigation prior to patching, Microsoft recommends disabling NFSv4.1 and then re-enabling it once the patch is applied, although this may impact functionality,” noted Adam Barnett, Lead Software Engineer, Rapid7.

“Older versions of NFS (NFSv3 and NFSv2) are not affected by this vulnerability. Microsoft warns that assets which haven’t been patched for over a year would be vulnerable to CVE-2022-26937 which is a Critical vulnerability in NFSV2.0 and NFSV3.0. In other words: applying today’s mitigation to an asset missing the May 2022 patches would effectively cause a downgrade attack.”

UPDATE (May 10, 2023, 11:00 a.m. ET):

Akamai researchers have pointed out another vulnerability that organizations should prioritize patching: CVE-2023-29324, a security feature bypass vulnerability that they found by analyzing a March 2023 patch for CVE-2023-23397, a zero-click EoP bug in Microsoft Outlook.