Seven of the 97 bugs are rated Critical, and 90 are rated Important in severity. Interestingly, 45 shortcomings are remote code execution flaws, followed by 20 elevations of privilege vulnerabilities. The updates follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.
The security flaw under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.
CVE-2023-28252 is the fourth privilege escalation flaw in the CLFS component that has come under active abuse in the past year alone after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). At least 32 vulnerabilities have been identified in CLFS since 2018.
A cybercrime group has weaponized the vulnerability to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.
CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block. The vulnerability gets triggered by the manipulation of the base log file.”
In light of the ongoing flaw exploitation, CISA added Windows zero-day to its Known Exploited Vulnerabilities (KEV) catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.
Also patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ).
The MSMQ bug tracked as CVE-2023-21554 (CVSS score: 9.8) and dubbed QueueJumper by Check Point, could lead to unauthorized code execution and take over a server by sending a specially crafted malicious MSMQ packet to an MSMQ server.
The CVE-2023-21554 vulnerability allows attackers to execute code remotely and without authorization by reaching the TCP port 1801. In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability.
Two other flaws discovered in MSMQ, CVE-2023-21769, and CVE-2023-28302 (CVSS scores: 7.5), could be exploited to cause a denial-of-service (DoS) condition such as a service crash and Windows Blue Screen of Death (BSoD).
Microsoft has also updated its advisory for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions –
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x65-based Systems Service Pack 2
- Windows Server 2008 R2 for x64-based Systems Service 1
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019, and
- Windows Server 2022
The development comes as North Korea-linked threat actors have been observed leveraging the flaw to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.
Microsoft Issues Guidance for BlackLotus Bootkit Attacks
With the update, Microsoft also issued guidance for CVE-2022-21894 (aka Baton Drop). This now-fixed Secure Boot bypass flaw has been exploited by threat actors using a nascent Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus to establish persistence on a host.
Some indicators of compromise (IoCs) include recently created and locked bootloader files in the EFI system partition (ESP), event logs associated with the stoppage of Microsoft Defender Antivirus, presence of the staging directory ESP:/system32/, and modifications to the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity.
UEFI boot kits are particularly dangerous as they run at computer startup, before the operating system loading, and therefore can interfere with or deactivate various operating system (OS) security mechanisms.
Microsoft further recommends that compromised devices be removed from the network and examined for evidence of follow-on activity, reformat or restore the machines from a known clean backup that includes the EFI partition, maintain credential hygiene, and enforce the principle of least privilege (PoLP).
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors in the last few weeks to rectify several vulnerabilities, including —
- Apache Projects
- Aruba Networks
- Google Chrome
- Juniper Networks
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Palo Alto Networks
- Schneider Electric
- SonicWall, and