Akamai’s Perspective on February’s Patch Tuesday 2023
It’s Patchentine o’clock, and Microsoft has taken gift-giving to the extreme, with approximately 80 patched CVEs, nine of them critical and five with a high CVSS score of 9.8. Three of the patched CVEs are also said to have been used in the wild, designating them as patched zero-days.
As we do every month, Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched.
Note: There is an issue with this month’s patch and Windows Server 2022 VMs with Secure Boot running on VMware ESXi version 7.0.x and below. They might not boot after installing KB5022842.
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an updating report and we’ll add more information to it as our research progresses — stay tuned!
In this report, we’re focusing on the following areas in which bugs were patched:
Vulnerabilities exploited in the wild
CVE-2023-21823
We will start with the remote code execution (RCE) vulnerability in the Windows Graphics component. Although the vulnerability is classified as remote code execution, the attack vector is listed as local. This probably means that it is more of an arbitrary code execution (ACE) vulnerability that requires the user to interact with a downloaded file.
Curiously, this CVE also affects Microsoft Office, including the iOS and Android versions. As such, the update isn’t only administered via Windows Update but also by the Microsoft Store, Google Play, and the App Store. If you have automatic updates disabled in any of the stores, please remember to trigger updates on your devices.
CVE-2023-21715
This is a security feature bypass vulnerability in Microsoft Publisher. Specifically, it deals with “Mark-of-the-Web” (MOTW). Normally, files downloaded from the internet are marked internally, so the operating system or programs know not to trust them and not to execute them (or macros inside them) automatically. Microsoft Publisher used to not honor MOTW and allowed macro execution in files downloaded from the web. This has been fixed with this CVE. Security researcher Haifei Li wrote a more detailed analysis on Twitter.
CVE-2023-23376
This is an elevation of privilege vulnerability in the Windows Common Log File System Driver that allows attackers to gain SYSTEM privileges. No more details are available currently.
Microsoft Protected Extensible Authentication Protocol
The Protected Extensible Authentication Protocol (PEAP) is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within a TLS session. EAP is used to authenticate devices and connections to networks, and is also used in Wi-Fi network authentication.
Windows servers can be configured with an optional role called Network Policy Server (NPS), and the NPS can be used to authenticate and allow network connection requests with EAP and PEAP. This isn’t enabled by default — the NPS role has to be manually installed and configured. From our observations, only 21% of networks had NPS servers.
Since the NPS is supposed to be central to the network, and also processes authentication requests, it might be problematic to apply segmentation policies to it. Instead, Microsoft says that a possible mitigation would be to not allow PEAP in protocol negotiations, and provides two sources on implementing that.
This month, there are six CVEs in total: three critical RCEs (with a score of 9.8) and three important CVEs (with a score of 7.5): an RCE, a DoS, and an information disclosure CVE.

| CVE number | Severity | Base score | Effect |
|---|---|---|---|
| | Critical | 9.8 | Remote code execution |
| | Critical | 9.8 | Remote code execution |
| | Critical | 9.8 | Remote code execution |
| | Important | 7.5 | Remote code execution |
| | Important | 7.5 | Denial of service |
| | Important | 7.5 | Information disclosure |
Windows iSCSI
iSCSI is a protocol used to connect to SCSI storage devices over IP networks. In Windows, machines have the iSCSI Initiator process and the Microsoft iSCSI Initiator Service. Neither runs by default; both need to be manually started and configured. From our observations, only 3% of networks have machines with Windows iSCSI running.
This month, there is one critical RCE and three DoS CVEs. While not explicitly mentioned, we assume that the CVEs refer to the Microsoft iSCSI Initiator Service. In addition, the RCE is said to only work on 32-bit machines.
Q: My machines are busy sending Valentine ecards with cute animals on them, so they can’t be patched or restarted. Can I protect them somehow in the meantime?
Luckily, the iSCSI service isn’t running by default. Therefore, it should be possible to map the machines that are running it and create segmentation policies for them. There shouldn’t be many incoming connections to the iSCSI service, so use microsegmentation to restrict access to the service from outside the machine. This should buy you some time until the machine can be freed up for patching.
To map machines with iSCSI, you can search for connections over TCP ports 860 and 3260 (the default iSCSI ports). You can also look for the service itself — Microsoft iSCSI Initiator Service.
This is an osquery query for it:

```sql
select pid from services where display_name = 'Microsoft iSCSI Initiator Service' and status = 'RUNNING';
```
Additionally, the RCE vulnerability FAQ also mentions that it is triggered by sending a DHCP request to the iSCSI service. If you have network visibility, you can check whether your iSCSI machines normally receive DHCP traffic (UDP ports 67 and 68); if they don’t (or only from a limited set of sources), you can apply segmentation to that traffic as well. This should provide additional mitigation before patching.
Microsoft SQL server
There are three RCE CVEs in Microsoft’s SQL Server this month. Two of those (with a base CVSS score of 8.8) are for the optional SQL Data Quality Services (DQS) feature. The third CVE has a CVSS score of 7.8. From our observations, 60% of networks have MSSQL servers, and 40% have DQS installed as well.
SQL servers typically hold sensitive information, so they should be segmented and have access control restrictions placed on them to prevent data theft incidents. If you don’t have such policies, this is a good opportunity to add them. Map your existing MSSQL servers (either by looking for the MSSQL service, or by looking for connections over ports 1433 and 1434). After mapping existing servers, create segmentation policies based on the existing traffic and the other segments that should have access (like IT to all, or finance to finance, etc.). This is also a good opportunity to see who’s being naughty and accessing databases they shouldn’t touch.
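The mapping step described for both iSCSI and MSSQL above, worked through on flow records, as an added example that is not Akamai’s code: it lists the hosts receiving traffic on the default iSCSI and MSSQL ports, builds a per-host allow-list from the clients actually seen, and flags DHCP traffic to iSCSI hosts from sources outside a known DHCP server inventory. The flow records and the KNOWN_DHCP_SERVERS inventory are constructed assumptions.

```python
"""Map hosts exposing this month's affected services from flow records and flag odd DHCP sources."""
from collections import defaultdict

# Default ports named in the advisory: iSCSI TCP 860/3260, MSSQL TCP 1433/1434, DHCP UDP 67/68.
SERVICE_PORTS = {
    "iscsi": {("tcp", 860), ("tcp", 3260)},
    "mssql": {("tcp", 1433), ("tcp", 1434)},
}
DHCP_PORTS = {("udp", 67), ("udp", 68)}

# Constructed sample flow records (src, dst, proto, dst_port); not captured traffic.
FLOWS = [
    ("10.0.1.10", "10.0.2.5", "tcp", 3260),  # client -> host running the iSCSI service
    ("10.0.1.11", "10.0.2.5", "tcp", 860),
    ("10.0.3.7", "10.0.2.9", "tcp", 1433),   # client -> MSSQL server
    ("10.0.3.8", "10.0.2.9", "tcp", 1434),
    ("10.0.0.1", "10.0.2.5", "udp", 68),     # known DHCP server -> iSCSI host (expected)
    ("10.0.9.99", "10.0.2.5", "udp", 68),    # unknown DHCP source -> iSCSI host (flag it)
    ("10.0.1.10", "10.0.2.7", "tcp", 443),   # unrelated traffic, ignored
]
KNOWN_DHCP_SERVERS = {"10.0.0.1"}  # assumption: your inventory of legitimate DHCP servers

def map_services(flows):
    """Return {service: {host: set(clients)}} for hosts receiving traffic on service ports."""
    found = {svc: defaultdict(set) for svc in SERVICE_PORTS}
    for src, dst, proto, port in flows:
        for svc, ports in SERVICE_PORTS.items():
            if (proto, port) in ports:
                found[svc][dst].add(src)
    return {svc: dict(hosts) for svc, hosts in found.items()}

def unexpected_dhcp_sources(flows, iscsi_hosts, known_servers):
    """Sources sending DHCP to iSCSI hosts that are not in the known DHCP server list."""
    out = defaultdict(set)
    for src, dst, proto, port in flows:
        if (proto, port) in DHCP_PORTS and dst in iscsi_hosts and src not in known_servers:
            out[dst].add(src)
    return dict(out)

def segmentation_plan(flows, known_dhcp=KNOWN_DHCP_SERVERS):
    """Per-service allow-list of observed clients, plus DHCP sources to investigate."""
    services = map_services(flows)
    plan = {svc: {h: sorted(c) for h, c in hosts.items()} for svc, hosts in services.items()}
    alerts = unexpected_dhcp_sources(flows, set(services["iscsi"]), known_dhcp)
    plan["iscsi_dhcp_alerts"] = {h: sorted(s) for h, s in alerts.items()}
    return plan
```

The allow-lists in the returned plan are the starting point for the microsegmentation rules; anything in `iscsi_dhcp_alerts` is a source worth checking before the DHCP path to that host is restricted.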
There are seven other CVEs that are related to SQL this month in OLE and ODBC. We already covered those in previous advisories, and our recommendations haven’t changed (and the CVEs seem similar as well). Read more about them in Previously covered services.
Microsoft PostScript printer driver
PostScript is a programming language that is used for page layout descriptions. There are many printers that support it (mostly the higher-end ones for office/business use, not those for home use).
The PostScript printer driver is the system component in Windows (pscript5.dll) that knows how to communicate with printers over PostScript. From our observations, approximately 30% of networks had machines with the PostScript printer driver.
Since attackers are known to use printers in breaches, please take a break from printing Valentines to patch or otherwise protect your printer servers.
| CVE number | Attack vector | Mitigation |
|---|---|---|
| | An authenticated attacker can send a crafted file to a shared printer. This results in an RCE on the sharing server. | Limit your shared printers, or perform segmentation on your printer sharing servers, to limit unauthorized access to them. Also, as the attacker must be authenticated, user access controls or checks can also alert on anomalous behavior. |
| | The attack vector is listed as local and as an ACE. This usually means that the user is opening something that came from the internet that results in code execution. In this case, perhaps it’s the printing of a maliciously crafted document. | Having controls on downloaded files or email file scanners might help mitigate the risk. Additionally, this CVE seems more suited for desktop/user machines. Those are usually easier to patch than critical servers. |
| | According to the FAQ, a user has to access a malicious printer, and the end result is heap memory being disclosed. | Since your printers should be accounted for, adding segmentation rules to prevent access to “new” printers should be feasible and mitigate that risk. |
Microsoft Word
There is one critical RCE CVE (9.8 CVSS score) in Microsoft Word that deals with RTF files. (Who doesn’t like red, thorny flowers on Valentine's Day?)
In this case, specifically crafted RTF files can trigger command execution when Word opens them. This also affects the Preview Pane and Sharepoint. Luckily, Microsoft provided two possible mitigations:
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous posts.
| Service | CVE number | Effect | Required access |
|---|---|---|---|
| | | Remote code execution | Network access with an authenticated user with Manage List permissions |
| | | Remote code execution | The victim needs to connect to a malicious SQL server via OLEDB. |
| | | Remote code execution | The victim needs to connect to a malicious SQL server via ODBC. |
| | | Remote code execution | Network; requires authentication |
| | | | Network; requires the attacker to be authenticated as an admin |
| | | Spoofing | Network access and authentication. The user would also have to click the injected link. |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change.