Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2023, including vulnerabilities that were added between April and May Patch Tuesdays.

Alternative video link (for Russia): https://vk.com/video-149273431_456239126

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews.

It’s been a long time since we’ve had such tiny Patch Tuesday. 57 CVEs, including CVEs appeared during the month. And only 38 without them! 😄

$ cat comments_links.txt 
ZDI|The May 2023 Security Update Review|https://www.zerodayinitiative.com/blog/2023/5/8/the-may-2023-security-update-review
Qualys|The May 2023 Patch Tuesday Security Update Review|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2023/05/09/microsoft-patch-tuesday-may-2023-security-update-review

$ python3 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "May" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2023
MS PT Month: May
MS PT Date: 2023-05-09
MS PT CVEs found: 38
Ext MS PT Date from: 2023-04-12
Ext MS PT Date to: 2023-05-08
Ext MS PT CVEs found: 19
ALL MS PT CVEs: 57

• All vulnerabilities: 57
• Urgent: 1
• Critical: 2
• High: 24
• Medium: 30
• Low: 0

Urgent

1. Memory Corruption – Microsoft Edge (CVE-2023-2033). The most critical vulnerability, but VM vendors do not highlight it. This is a vulnerability in Chrome that has been talked about for three weeks. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB websites. The existence of a publicly available exploit is mentioned on Vulners website (Exploit for Type Confusion in Google Chrome).

Critical

1. Security Feature Bypass – Secure Boot (CVE-2023-24932). Secure Boot is a crucial security feature that helps prevent malicious software from loading while the computer boots. This security standard maintains computers’ safety by ensuring that the device boots only using trusted software provided by the Original Equipment Manufacturer (OEM). An attacker with physical access or administrative permissions to a target device may exploit this vulnerability to install an affected boot policy. On successful exploitation, an attacker can bypass the Secure Boot. The KB article notes that this update and the associated mitigation steps are necessary due to the publicly disclosed bypass being used by the BlackLotus UEFI bootkit. Administrators should be aware that additional actions are required for remediation of CVE-2023-24932 beyond simply applying the patches. The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. Note that the EPSS for this vulnerability is very low, even though there is known malware, it looks like a bug in EPSS.
2. Memory Corruption – Microsoft Edge (CVE-2023-2136). Another critical vulnerability in Chrome. VM vendors do not highlight it. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB websites.

High

1. Remote Code Execution – Windows OLE (CVE-2023-29325). OLE (Object Linking and Embedding) is a mechanism to help users create and edit documents containing “objects” made by multiple applications. Sound clips, spreadsheets, and bitmaps are examples of OLE document components. The vulnerability lies in the processing of RTF documents and emails. Microsoft said that the Preview Pane feature in Microsoft Outlook and Office is a vector for exploitation. An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted document to a vulnerable system. However, the vulnerability has been given a high complexity as successful exploitation requires the attacker to win a race condition and the target to be prepared for exploitation. The exploit’s existence is mentioned in Microsoft CVSS Temporal Score (Proof-of-Concept Exploit).
2. Elevation of Privilege – Windows Win32k (CVE-2023-29336). The vulnerability exists in Win32k, a Windows Core Library, and is known to be exploited in the wild. Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB, Microsoft websites. An attacker with local access may exploit this vulnerability in a low-complexity attack without needing any privileges. An attacker could gain SYSTEM privileges on the affected system after successful exploitation. Microsoft bulletin for CVE-2023-29336 suggests that the attack is likely conducted via a specially-crafted Rich Text File (RTF). Note that the EPSS for this is very low, even with a known active attack, this looks like a bug in EPSS.
3. Remote Code Execution – Windows Network File System (CVE-2023-24941). Network File System (NFS) offers a file-sharing solution for enterprises with heterogeneous environments, including Windows and non-Windows computers. A local attacker with network access can exploit this vulnerability by making an unauthenticated, specially crafted call to a Network File System (NFS) service that triggers remote code execution. As a mitigation prior to patching, Microsoft recommends disabling NFSv4.1 and then re-enabling it once the patch is applied, although this may impact functionality.
4. Remote Code Execution – Windows Pragmatic General Multicast (PGM) (CVE-2023-24943). Pragmatic General Multicast (PGM) is a multicast computer network transport protocol appropriate for multi-receiver file transfer applications. When the Windows Message Queuing service runs in a PGM Server environment, an attacker may send a specially crafted file over the network to achieve remote code execution and trigger malicious code. Although MSQS is not installed by default, some software, including some versions of Microsoft Exchange Server, will helpfully enable it as part of their own installation routine.
5. Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2023-28283). The Lightweight Directory Access Protocol (LDAP) operates a layer above the TCP/IP stack. The directory service protocol helps connect, browse, and edit online directories. On successful exploitation, an attacker could perform remote code execution within the context of the LDAP service with the help of a specially crafted set of LDAP requests.
6. Remote Code Execution – Microsoft SharePoint (CVE-2023-24955). This bug was demonstrated by the STAR Labs team during Pwn2Own Vancouver and was part of a chain used to obtain code execution on the target server. While this specific bug requires authentication, during the contest, it was combined with an authentication bypass.

Full Vulristics report: ms_patch_tuesday_may2023