Microsoft Patch Tuesday March 2023: Outlook EoP, MOTW Bypass, Excel DoS, HTTP/3 RCE, ICMP RCE, RPC RCE

Alexander Leonov (avleonov.com), 2023-03-27 00:25:37

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

EPSS: 0.917 High (Percentile 98.8%)

Hello everyone! This episode will be about Microsoft Patch Tuesday for March 2023, including vulnerabilities that were added between February and March Patch Tuesdays.

Alternative video link (for Russia): <https://vk.com/video-149273431_456239119>

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews.

Microsoft Patch Tuesday for March 2023 was quite refreshing. 😈

$ cat comments_links.txt 
ZDI|The March 2023 Security Update Review|https://www.thezdi.com/blog/2023/3/14/the-march-2023-security-update-review
Qualys|The March 2023 Patch Tuesday Security Update Review|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2023/03/14/the-march-2023-patch-tuesday-security-update-review

$ python3 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "March" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2023
MS PT Month: March
MS PT Date: 2023-03-14
MS PT CVEs found: 80
Ext MS PT Date from: 2023-02-15
Ext MS PT Date to: 2023-03-13
Ext MS PT CVEs found: 29
ALL MS PT CVEs: 109
  • All vulnerabilities: 109
  • Urgent: 1
  • Critical: 1
  • High: 29
  • Medium: 78
  • Low: 0

Exploitation in the wild or a public exploit

Let's start with 3 vulnerabilities for which there are signs of exploitation in the wild or a public exploit.

  1. Elevation of Privilege - Microsoft Outlook (CVE-2023-23397). Although technically a spoofing bug, the result of this vulnerability could be considered to be an Authentication Bypass. The vulnerability can be exploited by sending a malicious email to a vulnerable version of Outlook. When the email is processed by the server, a connection to an attacker-controlled device can be established in order to leak the Net-NTLMv2 hash of the email recipient. The attacker can use this hash to authenticate as the victim recipient in an NTLM relay attack. Microsoft notes that this exploitation can occur before the email is viewed in the Preview Pane, meaning no interaction from the victim recipient is needed for a successful attack. The vulnerability was discovered by Microsoft Threat Intelligence, who have detected in-the-wild exploitation and published a blog post describing the issue in detail; the post also provides a Microsoft script and accompanying documentation to detect whether an asset has been compromised using CVE-2023-23397. There are currently a large number of repositories available on GitHub related to this vulnerability. Some of them contain scripts to exploit this vulnerability.
  2. Security Feature Bypass - Windows SmartScreen (CVE-2023-24880). The vulnerability allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. MOTW is a Windows feature that protects users from downloading files from unreliable sources. Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen. Exploitation in the wild is mentioned on the Vulners (cisa_kev object), AttackerKB and Microsoft websites. The exploit's existence is mentioned in the Microsoft CVSS Temporal Score (Functional Exploit).
  3. Denial of Service - Microsoft Excel (CVE-2023-23396). This vulnerability was not highlighted in any of the Patch Tuesday reports. However, a public exploit and a detailed description of this vulnerability appeared last week. For now, it's still a DoS. But it is quite possible that this vulnerability can be investigated further and become an RCE. Exploitation in the wild is NOT mentioned on the Vulners, Microsoft and AttackerKB websites.

Potentially very dangerous

Now let's look at 3 more vulnerabilities without exploits and signs of exploitation in the wild, but potentially very dangerous.

  1. Remote Code Execution - HTTP Protocol Stack (CVE-2023-23392). The critical severity vulnerability affects Windows 11 Systems and Windows Server 2022. The target system needs to have HTTP/3 enabled (it is disabled by default) and set to use buffered I/O. Exploitation can be performed by a remote, unauthenticated attacker sending a malicious packet to the target server. The code will be executed at SYSTEM level without user interaction. That combination makes this bug wormable.
  2. Remote Code Execution - ICMP (CVE-2023-23415). ICMP (Internet Control Message Protocol) is an error-reporting protocol that network devices use to generate error messages to the source IP address when network problems prevent delivery of IP packets. The vulnerability lies in the way the operating system handles ICMP packets when an application running on the vulnerable Windows host is bound to a raw socket. Exploitation is performed by sending a malicious fragmented IP packet to a vulnerable target, leading to arbitrary code execution. This is still in theory, but if everything is really so simple, then it will be a disaster. There have been a couple of GitHub links for this vulnerability. One is deleted (404 error) and the other one is blocked ("Access to this repository has been disabled by GitHub Staff due to a violation of GitHub's terms of service"). Whether those were real exploits, rickrolls or malware, I don't know. I added both links to the Vulristics exclusion list.
  3. Remote Code Execution - Remote Procedure Call Runtime (CVE-2023-21708, CVE-2023-23405, CVE-2023-24869, CVE-2023-24908). With a specially crafted RPC call to an RPC host, an attacker may exploit this vulnerability. An unauthenticated attacker may exploit this vulnerability to perform remote code execution on the server side with the same privileges as the RPC service. Microsoft recommends blocking TCP port 135 at the perimeter as a mitigation; given the perennial nature of RPC vulnerabilities, defenders will know that this has always been good advice.

Also, I would like to draw your attention to the 7 Remote Code Execution CVEs in the Microsoft PostScript and PCL6 Class Printer Driver, and to Remote Code Execution - TPM2.0 Module Library (CVE-2023-1017).

Full Vulristics report: ms_patch_tuesday_march2023
