
Akamai’s Perspective on May’s Patch Tuesday 2023


Not too long ago in Redmond, Washington, USA … 

It is a period of cyber war. Network admins working tirelessly to apply the new Patch Tuesday

As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. 

It seems the Force is with us this month, as there are only 40 CVEs this time, many fewer than in previous months. Seven of the patched CVEs were critical (one of them found by our very own Ben Barnea), as well as two others with CVSS scores of 9.8 in PGM and NFS. Two of the patched CVEs are also said to have been used in the wild, designating them as patched zero-day vulnerabilities.

In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and we’ll provide a realistic perspective on the bugs that were fixed. You can also see a quick real-time overview on the day of the patch on our Twitter account. Be on the lookout for these insights in the days after every Patch Tuesday.

This is an updating report and we’ll add more information to it as our research progresses — stay tuned!

In this report, we’re focusing on the following areas in which bugs were patched:

Vulnerabilities exploited in the wild

Windows Win32k — CVE-2023-29336

This is a local elevation of privilege vulnerability in Win32k, the kernel component that handles the Windows subsystem (mostly GUI and window management). It was detected by security researchers from Avast and can be used to elevate privileges to SYSTEM.

Secure Boot — CVE-2023-24932

This vulnerability allows attackers to bypass Secure Boot, which is meant to ensure that only trusted software is loaded while booting the machine. It has been used by BlackLotus to load its bootkit. By itself, the patch does not mitigate the risk posed by the vulnerability.

Admins must also update all Windows backups and bootable media, as well as apply revocations and new policies. Microsoft released KB5025885 to provide guidance on how to deploy the changes.

Vulnerabilities discovered by Akamai researchers

Windows MSHTML Platform — CVE-2023-29324

The vulnerability is a bypass of the MapUrlToZone function. The function incorrectly parses a specific path, resolving it as a local path although it’s a remote one.

MapUrlToZone was used as a mitigation for the critical Outlook vulnerability that was patched in March, so this new vulnerability makes that Outlook vulnerability exploitable again.

We have published a detailed write-up for this issue.

Windows SMB — CVE-2023-24898

Servers running SMB over QUIC are vulnerable to a denial-of-service attack. The vulnerability can be exploited easily and without authentication. Since SMB over QUIC is a relatively new feature, we don't expect a large number of machines to be vulnerable.

Windows Network File System (NFS)

NFS is a network protocol originally developed by Sun Microsystems to allow remote file access over the network. An implementation of it exists in Microsoft Windows, and the NFS role can be added to a server to turn it into an NFS server. There are three vulnerabilities this month — one of them critical — that can lead to remote code execution.

Scope analysis

The NFS feature needs to be added to a Windows server and client before it can be used. It is included in the File and Storage Services server role in Windows Server. 

NFS commonly uses port 111 (Sun RPC’s EpMapper port, since early versions of NFS are implemented over Sun RPC) and port 2049. Looking at various data centers, we found that only 0.1% could potentially be NFSv4 servers, and only about half of those are running Windows.

General recommendations

Normally, we would recommend seeing if it’s possible to upgrade your NFS server to use NFS v4.1, as it is the most secure version. This time, however, the remote code execution vulnerability affects only NFS v4, so we can’t recommend an upgrade.

Instead, we recommend applying segmentation around NFS servers. Check whether you can limit (ring-fence) the NFS clients to a smaller group of servers/workstations, and also limit the outbound traffic from the NFS server. Since it is a server, there should be few reasons for it to initiate connections. Segmentation limits the impact that a successful exploitation provides.

CVE number       Effect                  Required access
CVE-2023-24941   Remote code execution   Network
CVE-2023-24901   Information disclosure  Network
CVE-2023-24939   Denial of service       Network
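As an added example of the segmentation recommended above (not part of the Akamai post), the following Windows Defender Firewall configuration ring-fences a Windows NFS server: only an approved client group may reach the NFS ports the post names (111 and 2049), management is limited to jump hosts, and the server may initiate connections only to its domain controllers and patch source. All addresses, the jump hosts, the domain controllers and the WSUS ports are constructed placeholders for this example.

```powershell
# Added example, not from the Akamai post: ring-fence a Windows NFS server with Windows Defender Firewall.
# All addresses below are constructed placeholders; replace them with your own.
$NfsClients        = @('10.20.30.0/24')            # the ring-fenced group of NFS clients
$MgmtHosts         = @('10.0.0.5')                 # jump host(s) allowed to administer the server
$DomainControllers = @('10.0.0.10', '10.0.0.11')   # needed outbound for Kerberos, LDAP and DNS
$UpdateServer      = @('10.0.0.20')                # WSUS or other patch source (assumed)
$NfsPorts          = @('111', '2049')              # Sun RPC portmapper and NFS, as listed in the post

# Create the allow rules first so the default-deny step below never cuts off management access.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "NFS in: ring-fenced clients ($proto)" -Profile Domain `
        -Direction Inbound -Protocol $proto -LocalPort $NfsPorts `
        -RemoteAddress $NfsClients -Action Allow | Out-Null
}
New-NetFirewallRule -DisplayName 'Mgmt in: RDP and WinRM from jump hosts' -Profile Domain `
    -Direction Inbound -Protocol TCP -LocalPort 3389, 5985, 5986 `
    -RemoteAddress $MgmtHosts -Action Allow | Out-Null

# Outbound: a file server has few reasons to initiate connections, so list them explicitly.
New-NetFirewallRule -DisplayName 'NFS server out: domain controllers' -Profile Domain `
    -Direction Outbound -RemoteAddress $DomainControllers -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'NFS server out: update server' -Profile Domain `
    -Direction Outbound -Protocol TCP -RemotePort 8530, 8531 `
    -RemoteAddress $UpdateServer -Action Allow | Out-Null

# Flip both directions to default deny. Built-in allow rules (core networking, DHCP) still apply;
# anything not matched by an allow rule, including NFS from outside the client group, is dropped.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -DefaultOutboundAction Block

# Verify: every enabled allow rule that opens the NFS ports must carry a remote-address restriction.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -contains '2049' -or $_.LocalPort -contains '111' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Run the verification pipeline again after any later rule change; a row showing RemoteAddress "Any" means the ring-fence has been widened.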

Windows Lightweight Directory Access Protocol (LDAP)

LDAP is an open, standardized protocol designed for connecting to and querying directory services and databases. Active Directory’s domain controller has an LDAP server implementation to allow existing programs and servers that rely on LDAP to use the existing domain controller without requiring a separate server.

This month, there is one vulnerability in the LDAP service that affects unpatched domain controllers. CVE-2023-28283 is a remote code execution vulnerability that can be abused prior to authentication.

We can’t patch our domain controller and risk downtime. Can the vulnerabilities be mitigated elsewhere?

Not really. Since the domain controller is integral to all parts of the domain, it is practically impossible to restrict access to it without compromising normal network operations. Even detecting attempts to exploit CVE-2023-28283 might be difficult, since it doesn’t require authentication. Incident response teams can be on the lookout for short-lived LDAP sessions that don’t have a reply from the server. This might indicate an exploitation attempt.
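As an added example of the detection hint above (not part of the Akamai post), the following script surfaces short-lived LDAP sessions in which the client sent a request but the domain controller never replied, grouped per source host. The input is a constructed connection-log excerpt in the shape of a Zeek conn.log (Zeek's field names, written as CSV for readability); the one-second "short-lived" threshold and the two-session minimum are assumptions for this example.

```powershell
# Added example, not from the Akamai post: flag short-lived LDAP sessions with no reply from the DC.
# Constructed sample data; real Zeek conn.log is tab-separated with extra header lines.
$ConnLog = @'
ts,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto,duration,orig_bytes,resp_bytes,conn_state
1684000001.1,10.1.1.20,50211,10.1.1.5,389,tcp,0.431,612,1450,SF
1684000002.4,10.1.1.77,50990,10.1.1.5,389,tcp,0.021,840,0,RSTR
1684000002.9,10.1.1.77,50991,10.1.1.5,389,tcp,0.018,832,0,RSTR
1684000003.2,10.1.1.77,50992,10.1.1.5,636,tcp,0.025,871,0,RSTR
1684000004.0,10.1.1.90,51000,10.1.1.5,389,tcp,0.003,0,0,S0
1684000010.0,10.1.1.30,50300,10.1.1.5,389,tcp,12.800,4021,9900,SF
'@

$LdapPorts   = 389, 636, 3268, 3269   # LDAP, LDAPS and the global catalog ports
$MaxDuration = 1.0                    # seconds; "short-lived" threshold (assumption)
$MinHits     = 2                      # sources below this count are left to the analyst (assumption)

function Find-LdapNoReplySessions {
    param([string]$Csv)
    $Csv | ConvertFrom-Csv | Where-Object {
        [int]$_.'id.resp_p' -in $LdapPorts -and
        [double]$_.duration -lt $MaxDuration -and
        [int]$_.orig_bytes -gt 0 -and     # the client did send a request...
        [int]$_.resp_bytes -eq 0          # ...but the server never answered
    }
}

# Group per source so repeated attempts from one host stand out. A bare port probe (S0, no payload)
# does not match because orig_bytes is 0, and normal binds with a server reply are excluded.
Find-LdapNoReplySessions -Csv $ConnLog |
    Group-Object 'id.orig_h' |
    Where-Object Count -ge $MinHits |
    ForEach-Object {
        [pscustomobject]@{
            Source           = $_.Name
            DomainController = $_.Group[0].'id.resp_h'
            NoReplySessions  = $_.Count
            Ports            = ($_.Group.'id.resp_p' | Sort-Object -Unique) -join ','
            FirstSeen        = [DateTimeOffset]::FromUnixTimeSeconds([long][double]$_.Group[0].ts).UtcDateTime
        }
    } | Format-Table -AutoSize
```

On the sample above only 10.1.1.77 is reported (three unanswered sessions to ports 389 and 636); in production, feed the function the conn.log rows for the window under investigation and tune the thresholds to your own LDAP baseline.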

Previously covered services

Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous posts.

Service                                     CVE number       Effect                  Required access
Windows iSCSI Target Service                CVE-2023-24945   Information disclosure  Authenticated locally
Windows Secure Socket Tunneling Protocol    CVE-2023-24903   Remote code execution   Network
Microsoft SharePoint                        CVE-2023-24955   Remote code execution   Authenticated with Site Owner permissions
Microsoft SharePoint                        CVE-2023-24950   Spoofing                Authenticated with site creation permissions; could lead to NTLM hash leak
Microsoft SharePoint                        CVE-2023-24954   Information disclosure  Authenticated
Windows Pragmatic General Multicast (PGM)   CVE-2023-24943   Remote code execution   Network
Windows Pragmatic General Multicast (PGM)   CVE-2023-24940   Denial of service       Network

This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit our Twitter account for real-time updates.