Patch Tuesday: Microsoft fixes actively exploited zero-day and seven 'critical' flaws
Researchers have observed Nokoyawa ransomware being deployed using the zero-day
It is the second Tuesday of the month, and with that comes Microsoft's latest round of security updates for various products, including Windows.
The company's April Patch Tuesday addresses a total of 97 vulnerabilities, including one zero-day bug that has been actively exploited.
Out of 97 vulnerabilities, seven are rated as "critical" flaws and prioritised for immediate attention.
In all, the April security update includes patches for 45 remote code execution (RCE) vulnerabilities, 20 elevation of privilege (EoP) vulnerabilities, 10 information disclosure bugs, nine denial of service (DoS) bugs, eight security feature bypass vulnerabilities and six spoofing bugs.
The aforementioned count of 97 vulnerabilities does not include 17 Microsoft Edge vulnerabilities that were addressed earlier in the month.
Actively exploited
Microsoft's latest Patch Tuesday update addresses a zero-day vulnerability, identified as CVE-2023-28252, that has been actively exploited in malicious attacks.
This vulnerability affects the Windows Common Log File System (CLFS) Driver and allows attackers to elevate their privileges to SYSTEM, the highest level in Windows.
CVE-2023-28252 has been assigned a CVSSv3 score of 7.8. Notably, this is a post-compromise vulnerability, which means that it can only be exploited by an attacker who has already gained access to a vulnerable target.
Microsoft has not disclosed the extent of attacks exploiting this vulnerability, but according to security researchers, there have been instances where the Nokoyawa ransomware was deployed using this security flaw.
According to Satnam Narang, Senior Staff Research Engineer at Tenable, CVE-2023-28252 marks the second time this year that a CLFS elevation of privilege zero-day bug has been exploited in the wild.
"It is also the second CLFS zero day disclosed to Microsoft by researchers from Mandiant and DBAPPSecurity (CVE-2022-37969), though it is unclear if both of these discoveries are related to the same attacker," Narang added.
"Over the last two years, attackers appear to have found success targeting CLFS in order to elevate privileges as part of post-compromise activity."
While Microsoft credits Genwei Jiang with Mandiant and Quan Jin with DBAPPSecurity WeBin Lab for discovering CVE-2023-28252, Kaspersky has also claimed to have discovered and reported the same vulnerability to Microsoft.
Kaspersky said it observed the vulnerability being exploited in attacks involving the Nokoyawa ransomware.
A critical flaw addressed this month by Microsoft is CVE-2023-21554, an RCE flaw that affects servers with Microsoft's Message Queuing (MSMQ) service enabled.
CVE-2023-21554 received a high CVSS severity rating of 9.8 out of 10 and has been categorised by Microsoft as "exploitation more likely."
To exploit CVE-2023-21554, an attacker can send a specially crafted MSMQ packet to a targeted server.
Microsoft's advisory specifies that this vulnerability can only be exploited when the Windows message queuing service is enabled. In that situation, TCP port 1801 will be listening on the host.
Microsoft fixed another critical vulnerability affecting MSMQ, tracked as CVE-2023-28250.
"While neither of these two CVEs has been exploited in the wild yet, the risk remains high - as they have a CVSSv3 base score of 9.8/10 and are potentially wormable," said Bharat Jogi, director, vulnerability and threat research at Qualys.
In addition to the critical vulnerabilities CVE-2023-21554 and CVE-2023-28250, Microsoft has also addressed two DoS vulnerabilities in MSMQ this month. These bugs are indexed as CVE-2023-21769 and CVE-2023-28302, and have been rated as "important" by Microsoft.
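A defender-side check for the exposure condition described above, i.e. whether a host has the Message Queuing service enabled and TCP port 1801 listening (an added example, not code from the article or from Microsoft; it assumes Windows PowerShell 5.1 or later and local administrator rights on the host being checked):

```powershell
# Added example (not from the article): report whether this Windows host exposes the
# MSMQ attack surface relevant to CVE-2023-21554 and CVE-2023-28250, namely the
# Message Queuing service running and a listener on TCP port 1801.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        # Port named in Microsoft's advisory for the MSMQ listener
        [int]$Port = 1801
    )

    # $null when the MSMQ role/feature is not installed at all
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Any listener bound to the MSMQ port (works on Server and client SKUs)
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue

    # Owning process of the listener, so a binder other than mqsvc stands out
    $owner = $null
    if ($listener) {
        $owner = (Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    # Exposed if the service is running or something is already listening on the port
    $exposed = ($svc -and $svc.Status -eq 'Running') -or [bool]$listener

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        MsmqInstalled     = [bool]$svc
        MsmqStatus        = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        MsmqStartType     = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        Port1801Listening = [bool]$listener
        ListenerProcess   = $owner
        Exposed           = $exposed
        # Follows the article's guidance: patch first, and turn the service off where it is not needed
        Recommendation    = if ($exposed) { 'Apply the April 2023 update; disable MSMQ if unused' } else { 'No MSMQ exposure detected' }
    }
}

# Run locally, or fan out across a fleet with:
#   Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Get-MsmqExposure}
Get-MsmqExposure | Format-List
```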
The company has patched multiple RCE vulnerabilities in Office, Word and Publisher, which can be triggered by opening a malicious document. These vulnerabilities have been identified as CVE-2023-28285, CVE-2023-28295, CVE-2023-28287 and CVE-2023-28311.
"This Patch Tuesday MSFT fixed some critical flaws, of which we would recommend organisations prioritise patching those vulnerabilities that are actively being exploited and wormable," said Jogi.
In addition to the security updates, Microsoft has also made an announcement regarding Exchange Server 2013.
The company has declared that Exchange Server 2013 has now reached its end of life, and will no longer receive any further security updates.
Microsoft advises users to upgrade from Exchange Server 2013 to a newer version as soon as possible to avoid any potential security risks.
To help customers with the decommissioning process, Microsoft has released guidance on how to upgrade to a newer version of Exchange Server.