Akamai’s Perspective on January’s Patch Tuesday 2023
Microsoft’s Patch Tuesday for January 2023 has been released, and we at Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. It seems Microsoft entered the new year with renewed vigor: nearly twice as many CVEs were patched this month as in December. Akamai Security Intelligence Group also entered the year strongly; we disclosed two of the vulnerabilities patched this month, and a short description of each follows below.
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an updating report and we’ll add more information to it as our research progresses — stay tuned!
In addition to the security vulnerabilities disclosed by Akamai, this report focuses on the following areas in which bugs were patched:
Windows Layer 2 Tunneling Protocol
Windows Lightweight Directory Access Protocol
Microsoft Cryptographic Services
Security vulnerabilities disclosed by Akamai
The following two vulnerabilities were disclosed responsibly to Microsoft and addressed in this month's patch. We’ll provide more details on those vulnerabilities once more time has passed, to give everyone a chance to patch their systems. For now, we can give a short description.
SMB Witness service remote EoP
CVE-2023-21549, CVSS score 8.8
This is another vulnerability found through our RPC Toolkit. The SMB Service Witness Protocol is used as part of SMB clustered file servers.
LSM local EoP
CVE-2023-21771, CVSS score 7.0
This is another vulnerability in one of the LSM RPC interfaces. It can only be triggered locally, and exploitation requires winning a race condition, which is easily achieved.
As the vulnerable function does not exist on every Windows build, only the following versions are vulnerable:
Windows Server 2022
Windows 10 versions 21H2 and 22H2
Windows 11 versions 21H2 and 22H2
Windows Layer 2 Tunneling Protocol
The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support VPNs. In Windows, it is part of the Remote Access Server (RAS), similarly to SSTP and PPP (which were covered in previous months). Remote access is a Windows Server role that allows remote clients to connect to the LAN, similar to a VPN. The server role needs to be actively added.
There are five critical vulnerabilities in this service this month, all with a CVSS score of 8.1 and all allowing remote code execution.
Four of the vulnerabilities (CVE-2023-21546, CVE-2023-21679, CVE-2023-21555 and CVE-2023-21556) require the attacker to win a race condition to trigger them. The other CVE, CVE-2023-21543, doesn’t require a race condition according to the Microsoft Security Response Center (MSRC), but does require the attacker to perform additional steps prior to the exploitation.
We can’t have downtime on our VPN server. Can we do some type of mitigation other than patching?
Since L2TP is used to support VPN servers, it is practically impossible to restrict internet access to it, so there aren’t many mitigation options available outside of patching. If you know that you have no workers in certain parts of the world (for example, all your employees are in the United States), you might restrict access from those geolocations based on geo-IP, but that is difficult to do reliably as well.
Alternatively, since all the CVEs require race conditions or extra steps, it is safe to assume that their exploitation will result in a spike in network activity. Monitoring network activity might yield alerts on potential exploitation attempts.
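One way to turn the "spike in network activity" heuristic above into something a SOC can actually run, as an added example that is not Akamai's code: it counts L2TP (UDP 1701) attempts per source IP over a sliding window and flags sources that exceed a threshold. The firewall log format, the window and the threshold are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

L2TP_PORT = 1701                   # L2TP control and data traffic use UDP 1701
WINDOW = timedelta(seconds=10)     # sliding window (assumed value)
THRESHOLD = 20                     # L2TP attempts per source within WINDOW (assumed value)

def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO timestamp> <src_ip> -> <dst_ip>:<port>/<proto> <action>'."""
    ts, src, _arrow, dst, _action = line.split()
    _host, rest = dst.rsplit(":", 1)
    port, proto = rest.split("/")
    return datetime.fromisoformat(ts), src, int(port), proto.lower()

def detect_l2tp_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: (time_of_first_alert, count)} for every source whose
    L2TP attempts within any sliding window reach the threshold."""
    recent = defaultdict(deque)    # src_ip -> timestamps still inside the window
    alerts = {}
    for line in lines:
        ts, src, port, proto = parse_line(line)
        if port != L2TP_PORT or proto != "udp":
            continue               # only L2TP traffic matters for this heuristic
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop attempts that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (ts, len(q))
    return alerts

def build_sample_log():
    """Constructed sample: one source sends 25 L2TP packets in about 8 seconds,
    a normal client sends 3 spread over a minute, plus one unrelated HTTPS flow."""
    base = datetime(2023, 1, 11, 10, 0, 0)
    lines = []
    for i in range(25):            # burst: roughly three attempts per second
        t = base + timedelta(milliseconds=320 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 -> 198.51.100.2:1701/udp accept")
    for i in range(3):             # legitimate client, 20 seconds apart
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} 192.0.2.10 -> 198.51.100.2:1701/udp accept")
    lines.append(f"{base.isoformat()} 192.0.2.11 -> 198.51.100.2:443/tcp accept")
    return sorted(lines)           # ISO timestamps sort lexically, so this orders by time

if __name__ == "__main__":
    for src, (when, count) in detect_l2tp_bursts(build_sample_log()).items():
        print(f"ALERT {src}: {count} L2TP attempts within {WINDOW.seconds}s at {when}")
```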
Windows Lightweight Directory Access Protocol
The Lightweight Directory Access Protocol (LDAP) is an open protocol designed for connecting to and querying directory services and databases. Active Directory’s domain controller includes an LDAP server implementation so that existing programs and servers that rely on LDAP can use the existing AD without requiring a separate server.
This month, there are two vulnerabilities in the LDAP service, affecting unpatched domain controllers. CVE-2023-21557 is a denial-of-service (DoS) vulnerability that can be triggered prior to authentication. MSRC’s advisory also states that successfully exploiting the vulnerability could result in an information disclosure, but doesn’t specify what data is leaked. CVE-2023-21676 is a remote code execution vulnerability, though it requires prior authentication.
We can’t patch our domain controller and risk down time. Can the vulnerabilities be mitigated elsewhere?
Not really. Since the domain controller is integral to all parts of the domain, it is practically impossible to restrict access to it without compromising normal network operations. Since CVE-2023-21676 requires an authenticated user, it might help IR teams when tracing it (but will not really help with preemptive prevention).
Microsoft Cryptographic Services
The name Cryptographic Services is a bit cryptic, as there are many parts of the operating system to which it can refer. (It should refer to only one — CryptSvc, the literal Cryptographic Service — but its file wasn’t patched.) There is only one CVE that says which part of the system is affected — CVE-2023-21561 with CSRSS.
There are six CVEs this month, three for local elevation of privilege and three for local information disclosure. These vulnerabilities affect all Windows machines, whether they are servers or desktops, so patching is paramount.
| CVE Number | Effect |
|---|---|
| CVE-2023-21561 | Elevation of privilege from AppContainer to SYSTEM |
| CVE-2023-21730 | Elevation of privilege to SYSTEM |
| CVE-2023-21551 | Elevation of privilege to SYSTEM |
| CVE-2023-21559 | Disclosure of Windows cryptographic secrets |
| CVE-2023-21540 | Disclosure of Windows cryptographic secrets |
| CVE-2023-21550 | Disclosure of Windows cryptographic secrets |
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we already covered in the past. If you’re interested in our analysis of or general recommendations for those services, we encourage you to look at our previous posts.
| Service | CVE Number | Effect | Required Access |
|---|---|---|---|
| | | Authentication bypass | Network |
| | | Remote code execution | Authenticated as at least a Site Member |
| | | Remote code execution | Authenticated with page creation privilege |
| | | Remote code execution | Network |
| | | Information disclosure | Network |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change.