Microsoft Patch Tuesday February 2023: Win Graphics RCE, Edge RCE, Publisher SFB, CLFS EoP, Exchange RCEs, Word RCE, HoloLens1

Hello everyone! This episode will be about Microsoft Patch Tuesday for February 2023, including vulnerabilities that were added between January and February Patch Tuesdays.

Alternative video link (for Russia):

This month I decided to change the format a bit. Now I share my impression of Microsoft Patch Tuesday on the same Patch Tuesday day in my main telegram channel avleonovcom and my second russian telegram channel avleonovrus. You can also find a draft of the Vulristics report there. So please subscribe. And the full blog post/video is published with a delay. And, in fact, this is it.

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews.

$ cat comments_links.txt 
ZDI|The February 2023 Security Update Overview|
KrebsOnSecurity|Microsoft Patch Tuesday, February 2023 Edition|
Qualys|The February 2023 Patch Tuesday Security Update Review|

$ python3 --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "February" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
Creating Patch Tuesday profile...
MS PT Year: 2023
MS PT Month: February
MS PT Date: 2023-02-14
MS PT CVEs found: 78
Ext MS PT Date from: 2023-01-11
Ext MS PT Date to: 2023-02-13
Ext MS PT CVEs found: 34
  • All vulnerabilities: 112
  • Urgent: 1
  • Critical: 3
  • High: 53
  • Medium: 55
  • Low: 0

Vulnerabilities with signs of exploitation in the wild

  1. Remote Code Execution – Windows Graphics Component (CVE-2023-21823) seems the most critical. The vulnerability gives an attacker SYSTEM privileges when exploited. To exploit this, attackers use specially crafted Microsoft OneNote files (OneNote is a digital note-taking app). Malicious files can be delivered as email attachments. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB, Microsoft websites. The exploit’s existence is mentioned in Microsoft CVSS Temporal Score (Autonomous Exploit). Interestingly, ZDI classified this vulnerability as EoP and did not include it in their review. Apparently MS changed the type of vulnerability before the release.
  2. Memory Corruption – Microsoft Edge (CVE-2023-0129). Exploitation in the wild is mentioned on AttackerKB website. Vulnerabilities that are responsible for initial access with the network access vector and external unprivileged attacker model should be fixed quickly. Such vulnerabilities allow infiltrating a company without any privileges and special access (only user interaction).
  3. Security Feature Bypass – Microsoft Publisher (CVE-2023-21715). Microsoft Publisher is a desktop publishing application used for creating a wide variety of publications, from business cards and newsletters to calendars and greeting cards. Successful exploitation of CVE-2023-21715 allows an attacker to bypass Office macro defenses using a specially-crafted document and run code which would otherwise be blocked by policy. Only Publisher installations delivered as part of Microsoft 365 Apps for Enterprise are listed as affected. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB, Microsoft websites.
  4. Elevation of Privilege – Windows Common Log File System Driver (CVE-2023-23376). The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode. Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with an RCE bug to spread malware or ransomware. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB, Microsoft websites.

Other vulnerabilities without exploits and signs of exploitation in wild

  1. Remote Code Execution – Microsoft Exchange (CVE-2023-21529, CVE-2023-21706, CVE-2023-21707, CVE-2023-21710). Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. The vulnerabilities allow a remote attacker to execute arbitrary code on a vulnerable server, via a network call. CVE-2023-21529 results from an incomplete fix in Exchange from previous Patch Tuesday. While this vulnerability does require authentication, it allows any user with access to the Exchange PowerShell backend to take over an Exchange server. So far, there are no signs of these vulnerabilities being exploited in the wild.
  2. Remote Code Execution – Microsoft Word (CVE-2023-21716). Although the vulnerable component is not specified, Microsoft states that the Outlook Preview Pane is an attack vector. The vulnerability can be exploited by an unauthenticated attacker sending an email with a rich text format (RTF) payload, which when opened, allows for command execution. When paired with a privilege escalation bug, an attacker could completely compromise a target. There are no signs of this vulnerability being exploited in the wild.

A funny one

Information Disclosure – Microsoft HoloLens 1 (CVE-2019-15126). In fact, this is an old Broadcom vulnerability with a bunch of exploits. Microsoft HoloLens (1st gen) was the world’s first fully untethered holographic computer. It was released in March 2016. An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic. Broadcom no longer supports their hardware on any Windows platforms. As such there is no security update available to address this vulnerability. But there are some security recommendations.

Full Vulristics report: ms_patch_tuesday_february2023

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.