The Bug Report – March 2023 Edition

By Trellix · April 05, 2023
This story was also written by Kasimir Schulz.

It really is bussin, though.

Why am I here?

Welcome back to the Bug Report, Ides of March edition! Last month was highlighted by glimpses into the past, with a historic attack technique and a vanquished bug returning to stab you in the back once more. As if that wasn’t bad enough, Google Pixel and Windows 11 users were subjected to an Acropalypse. If you’ve managed to survive all that, we suggest you sit back, relax, and enjoy some laughs as we reflect on the vulnerabilities that plagued our March news feeds—you’ve earned it.

  • CVE-2023-24033: Samsung Baseband
  • CVE-2023-21036: Google Pixel and Windows Snipping Tool
  • CVE-2023-23397: Microsoft Outlook
  • CVE-2023-24880: Windows SmartScreen

CVE-2023-24033: If you liked it, you shouldn’t have put a ring on it

What is it?

Baseband phone hacking was quiet for a while, but it seems like the signal is back and stronger than ever. Once a tool for those seeking liberation from carrier-locked SIM cards in iPhones around the world, the technique has now, after taking a bite from the Apple, left countless devices with no option but to turn off their Wi-Fi calling and Voice over LTE (VoLTE) for several days. This March, Google’s Project Zero reported that they found eighteen 0-day vulnerabilities in Samsung Semiconductor’s Exynos Modems. Four of these vulnerabilities allowed attackers to remotely execute code on a victim’s device simply by knowing their phone number—talk about your number being up, huh?

The vulnerabilities occurred because the baseband in the Exynos modem chipsets improperly checks the format types handled by its Session Description Protocol (SDP) module. In the case of CVE-2023-24033 and the other three critical vulnerabilities, this allowed traffic coming from the internet to the baseband to take advantage of the improper checks and achieve remote code execution.

Who cares?

While “the edge” is a term that is often thrown around in networking, most people try to avoid living on it. For all of you who agree that living on the edge (in regard to security) has all the risk with almost none of the fun, you might care about this vulnerability. Those that own a Google Pixel 6 or 7, or a Samsung or Vivo mobile are most likely to be affected by these vulnerabilities, since those devices contain the vulnerable Samsung Semiconductor chips. However, all those iPhone users who have been laughing thus far should keep reading, as the affected chips are not limited to being inside small mobile devices. If you are driving around in a large mobile device—better known as a car—that uses the Exynos Auto T5123 chipset, you are also vulnerable.

While at this time there are no reports of these vulnerabilities being exploited in the wild, Project Zero purposefully left the details of the four critical vulnerabilities hidden due to “a very rare combination of level of access these vulnerabilities provide and the speed with which we [Project Zero] believe a reliable operational exploit could be crafted.”

What can I do?

As always, the best way to protect yourself from vulnerabilities is to download the patch(es) that fix them. As their own devices were in the spotlight this time, Google was quick to make sure that the Pixel 6 and 7 were patched. By the end of March, most devices had been updated to protect against the vulnerabilities, and these patches can be downloaded through the usual software update process. For those whose devices do not have an update available yet, you should turn off Wi-Fi calling and VoLTE, which will prevent your device from being targeted by the critical vulnerabilities.

CVE-2023-21036: The Acropalypse

What is it?

It’s not often that a vulnerability comes in with a nickname that’s good enough to use as our witty subtitle as-is. Comparing a vulnerability to the apocalypse may seem extreme, but what else can you call a vulnerability that may affect a significant number of photos on the internet? While this vulnerability has existed in the Google Pixel screenshot editing functionality for five years, it is also cropping up in other places, such as the Windows 11 snipping tool. The likely prevalence of this vulnerability throughout multiple editing tools is due to the simplicity of the cause of the issue. In an effort that rivaled the valiant reverse engineers who recently participated in our CTF, David Buchanan did a root cause analysis of the vulnerability. Buchanan discovered that the API call being used to write the file was not truncating by default, resulting in cropped files having some of the original file left behind.

Who cares?

In step with this month’s theme of trusted components stabbing you in the back, this vulnerability is a good warning for all the developers in the audience. If you or a loved one is plagued by being an open-source developer for any image cropping tools, please direct your attention to the “What can I do?” section.

If you are lucky enough to not have to maintain any open-source code but have ever used the products mentioned above to crop an image, you probably still care. While the vulnerability can cause emotional damage by bringing back that ex you cropped out of your favorite photos, it can also be used to recover sensitive information that you’ve cropped out. This could range from you being slightly embarrassed (depending on your browsing history) to your credit card information being leaked.

Unlike the previous vulnerability, this one has multiple PoC scripts available on GitHub, as well as Buchanan’s blog post which fully explains the vulnerability and how to exploit it. A group of researchers also created a website that anyone can use to recover cropped out data from Pixel screenshots for those of you that want to see how much trouble you are in.

What can I do?

Despite the Acropalypse being upon us, all hope is not lost. Instead of having to delete every photo on your favorite social media, you can use one of the many Acropalypse detection and sanitization tools to clean your photos. At that point, you could reupload the photos and hope that your parents were wrong all those years ago when they said that anything posted on the internet is there forever.

For all those open-source developers that were sent to this section by concerned loved ones, rejoice, you are about to feel a weight lift off your shoulders. To solve this problem in your own codebase, you just need to get rid of all that extra baggage. While getting rid of emotional baggage might be hard, getting rid of extra bytes is as simple as truncating your files when you overwrite them.
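The non-truncating write described above, and the truncate-on-overwrite fix, as an added example that is neither Buchanan’s code nor any vendor’s: the script builds a small PNG (a constructed sample, not a real screenshot), overwrites it with a smaller “cropped” PNG both the buggy way (no O_TRUNC) and the fixed way, then walks the chunk list to count bytes left after the IEND chunk and truncates them away. All function names are mine.

```python
import os
import random
import struct
import tempfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_png(width: int, height: int, seed=None) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample). With a seed the
    pixels are pseudo-random, so the image does not compress to a few bytes."""
    n = width * height * 3
    if seed is None:
        pixels = b"\xff\x00\x00" * (width * height)
    else:
        rng = random.Random(seed)
        pixels = bytes(rng.getrandbits(8) for _ in range(n))
    row = width * 3
    raw = b"".join(b"\x00" + pixels[r * row:(r + 1) * row] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Walk the chunks and return the offset just past IEND, i.e. where a clean
    PNG file ends. Raises ValueError if the data is not a PNG or IEND is missing."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("truncated PNG: no IEND chunk")


def trailing_bytes(data: bytes) -> int:
    """Bytes after IEND; anything > 0 is leftover from an earlier version of the file."""
    return len(data) - png_end_offset(data)


def write_without_truncate(path: str, data: bytes) -> None:
    """The buggy pattern: open for writing but without O_TRUNC, so a shorter image
    overwrites only the start of the file and the old tail survives on disk."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | getattr(os, "O_BINARY", 0))
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def write_with_truncate(path: str, data: bytes) -> None:
    """The fix: 'wb' opens with O_TRUNC, so nothing from the old file remains."""
    with open(path, "wb") as f:
        f.write(data)


def sanitize(path: str) -> int:
    """Drop everything after IEND in place; returns the number of bytes removed."""
    with open(path, "rb") as f:
        data = f.read()
    extra = trailing_bytes(data)
    if extra:
        with open(path, "r+b") as f:
            f.truncate(png_end_offset(data))
    return extra


def demo(truncate_on_overwrite: bool):
    """Save a 64x64 image, 'crop' it by overwriting with a 4x4 one, and return
    (leftover bytes before sanitising, leftover bytes after)."""
    original = make_png(64, 64, seed=1234)  # the uncropped screenshot
    cropped = make_png(4, 4)                # the crop, far smaller on disk
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shot.png")
        write_with_truncate(path, original)
        writer = write_with_truncate if truncate_on_overwrite else write_without_truncate
        writer(path, cropped)
        with open(path, "rb") as f:
            before = trailing_bytes(f.read())
        sanitize(path)
        with open(path, "rb") as f:
            after = trailing_bytes(f.read())
    return before, after


if __name__ == "__main__":
    print("buggy writer (leftover before, after sanitize):", demo(False))
    print("fixed writer (leftover before, after sanitize):", demo(True))
```

The detector deliberately stops at the first IEND: a cropped file produced by the buggy writer parses as a complete, valid PNG, which is exactly why viewers never notice the problem, and only the byte count past that point reveals the leftover data.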

CVE-2023-23397: A grim Outlook

What is it?

Don’t you just hate receiving meeting invites? Well, after hearing about CVE-2023-23397, you’ll have an all-new reason to wince when you get one. Although we’ve already done a deep dive into this vulnerability, we’ll give a quick summary here to save you some time—unlike all those pesky meetings. Prior to March’s Patch Tuesday, it seems Microsoft inadvertently let hackers add their own boss music when hacking by simply setting an Outlook invite’s custom reminder sound to a UNC path pointing to an attacker-controlled server. When the victim’s Outlook client attempted to retrieve the reminder sound, it would perform NTLM authentication with the malicious server, thereby leaking the victim’s NTLMv2 hash. These hashes could then be used in an NTLM relay attack to gain access to other hosts or services, potentially leading to a full domain compromise.

Although this Outlook vulnerability is typically exploited by sending a malicious calendar invite to a victim, it can potentially be exploited using any Outlook entity that uses the .msg format and supports reminders.

Who cares?

Chances are, if you are reading this, you do. If you or anyone at your org uses Outlook, you should be on the look-Out for CVE-2023-23397. Not only is there a PoC out for this vulnerability, but it has also been allegedly getting exploited in the wild for almost a year. While we love to joke here on the Bug Report, the impact of this vulnerability is sadly no joke. Due to CVE-2023-23397 requiring no user interaction, it’s much more dangerous than most Office vulnerabilities, and even the best anti-phishing training won’t protect your systems from this one.

What can I do?

Don’t despair, though: while the Outlook may be grim, there is light on the horizon. In a stroke of luck resulting in me getting to write a really short section, and you getting to have a secure system, Microsoft has already patched the vulnerability. They have also released a detailed guide on how to patch your systems, as well as how to automatically detect whether any users have been targeted.
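The detection idea behind the summary above, as an added example that is not Microsoft’s script and not Trellix code: the reminder-sound value of a calendar item is a string (the PidLidReminderFileParameter property in the MS-OXOCAL documentation), and the tell-tale is a UNC path whose host is outside your organisation. The block below takes such values as plain strings (it does not parse .msg files), classifies each one, and lists the message ids worth investigating. The internal DNS suffix allowlist and the sample messages are constructed assumptions.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Assumed allowlist of internal DNS suffixes (hypothetical; fill from your own environment).
INTERNAL_SUFFIXES = (".corp.example",)

# A UNC path starts with two backslashes, then the host, then a share.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def unc_host(value: Optional[str]) -> Optional[str]:
    """Return the host named by a UNC path, or None if the value is not a UNC path.
    Forward slashes are normalised first, since Windows accepts them as separators."""
    if not value:
        return None
    match = UNC_RE.match(value.strip().replace("/", "\\"))
    return match.group(1) if match else None


def is_internal(host: str) -> bool:
    """True for private IP addresses and for names under an allowed internal suffix."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)


def classify(reminder_file: Optional[str]) -> str:
    """'ok' for no sound or a local file, 'internal-unc' for an allowed file server,
    'external-unc' for a UNC path to a host outside the org (the CVE-2023-23397 pattern)."""
    host = unc_host(reminder_file)
    if host is None:
        return "ok"
    return "internal-unc" if is_internal(host) else "external-unc"


def scan(messages: Iterable[Tuple[str, Optional[str]]]) -> List[str]:
    """messages: (message id, reminder-file value) pairs. Returns the ids to investigate."""
    return [mid for mid, value in messages if classify(value) == "external-unc"]


# Constructed sample data: message id and the value of its reminder-sound property.
SAMPLE_MESSAGES = [
    ("msg-001", None),
    ("msg-002", r"C:\Windows\Media\reminder.wav"),
    ("msg-003", r"\\fileserver.corp.example\sounds\chime.wav"),
    ("msg-004", r"\\external.example.net\share\chime.wav"),
    ("msg-005", "//external.example.net/share/chime.wav"),
    ("msg-006", r"\\10.0.0.5\sounds\chime.wav"),
]

if __name__ == "__main__":
    for mid, value in SAMPLE_MESSAGES:
        print(mid, classify(value))
    print("flagged:", scan(SAMPLE_MESSAGES))
```

An internal UNC path is reported separately rather than ignored: a reminder sound served from a file share is unusual enough to deserve a look even when the host is yours, and the split keeps the external hits, which are the ones that leak NTLM hashes off-network, at the top of the list.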

Trellix customers also have reason to rejoice, as they are covered for this vulnerability across numerous products, including Trellix Endpoint Detection and Response (EDR), Endpoint Security (ENS), Intrusion Prevention System (IPS), and Helix.

CVE-2023-24880: Outsmarting the SmartScreen patch for… error?!?

What is it?

I know you might think that we traveled back in time to 2022 with this vulnerability, and while that would have been better than a return to 2020, that is luckily not the case this time. CVE-2023-24880 is a workaround for Microsoft’s patch for CVE-2022-44698, which allowed malicious files to be downloaded without a security warning being displayed. Normally, when you download a file, Windows adds a zone identifier known as Mark of the Web (MOTW) to the file. When the file is run, Windows SmartScreen then checks this zone identifier to determine if the file was downloaded from the internet. If so, SmartScreen then attempts to do a reputation check.

The original exploit worked by creating an invalid Authenticode signature that caused SmartScreen to return an error that bypassed the security warning dialog displayed to users. The patch that was put in place checked to see if a valid signature was being passed, returning a dialog if an invalid one was found. In what should have been an alarming display of tenacity, malicious actors were able to forge signature files that passed the check but raised an entirely different error, resulting in the warning dialog still not being displayed.

Unrelated image of France’s Maginot Line.

Who cares?

Maybe you are an avid meme collector like our Bug Report authors, or maybe you are just a regular internet user who likes downloading files. If you are someone who downloads files and trusts in the software meant to defend you working as expected, then you should be careful and check out the next section about what you can do to wall up your SmartScreen.

Like the original vulnerability, this bypass is also being actively exploited in the wild, primarily in Magniber ransomware campaigns. Google TAG released a blog stating that they have observed over 100,000 downloads of the malicious MSI files used to spread the Magniber ransomware since January 2023.

What can I do?

If you are smart, then you should update to the latest patch that screens your computer against this vulnerability that outsmarted the old patch. Even after updating, it would still be smart to always double check files that you download from the internet if they are from untrusted sources.
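The Mark of the Web described in the “What is it?” section above is an NTFS alternate data stream named Zone.Identifier, and “double checking” a download can start with reading it. As an added example (not Microsoft code), the block parses the INI-style stream content, maps the zone id to its well-known name, and tells you whether the file even carries the mark SmartScreen keys on. The sample stream content is constructed; reading the stream itself only works on Windows/NTFS, and elsewhere the reader simply reports no mark.

```python
import configparser
from typing import Optional

# Well-known URL security zone ids used in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser writes into a downloaded file's Zone.Identifier stream.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "HostUrl=https://downloads.example.net/setup.msi\r\n"
)


def parse_zone_identifier(text: str) -> Optional[int]:
    """Parse Zone.Identifier content (INI-style) and return ZoneId, or None if
    the stream lacks the section, the key, or a numeric value."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_id(path: str) -> Optional[int]:
    """Read the NTFS alternate data stream '<file>:Zone.Identifier'. Returns None
    when the stream does not exist (no Mark of the Web) or on non-NTFS/non-Windows."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def is_untrusted_zone(zone_id: Optional[int]) -> bool:
    """Internet (3) and Restricted sites (4) are the zones Windows treats as untrusted;
    a file with no mark, or from a local/intranet zone, is not subject to the check."""
    return zone_id is not None and zone_id >= 3


def describe(path: str) -> str:
    """Human-readable verdict for a downloaded file."""
    zone_id = read_zone_id(path)
    if zone_id is None:
        return f"{path}: no Mark of the Web (SmartScreen will not consult reputation)"
    name = ZONE_NAMES.get(zone_id, f"zone {zone_id}")
    flag = "untrusted" if is_untrusted_zone(zone_id) else "trusted"
    return f"{path}: ZoneId={zone_id} ({name}), {flag}"


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(describe(p))
    print("sample stream ->", parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER))
```

A missing mark is the case worth pausing on: archives, some installers and any copy that went through a tool that does not preserve alternate data streams arrive without one, and for those files the reputation check the article describes never runs, patch or no patch.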

We also encourage you to consult our KB article on Magniber ransomware disguised as Windows MSI files, which provides IOCs and suggested countermeasures. For Trellix customers, we provide coverage for the Magniber ransomware delivery mechanism utilized in the aforementioned campaign across multiple products, including Trellix Network Security, Detection as a Service, and Email Security.

This document and the information contained herein describe computer security research for educational purposes only and the convenience of Trellix customers.