Report Name: Microsoft Patch Tuesday, April 2023
Generated: 2023-04-23 12:27:35

Product Name	Prevalence	U	C	H	M	L	Comment
Kerberos	1			1			Kerberos
Microsoft Message Queuing	0.9			3			Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95
Remote Procedure Call Runtime	0.9			1	1		Remote Procedure Call Runtime
Windows DNS Server	0.9			8	1		Windows component
Windows Kernel	0.9			1	8		Windows Kernel
Windows NTLM	0.9				1		A suite of security protocols to authenticate users' identity and protect the integrity and confidentiality of their activity
Windows Win32k	0.9			1	1		Windows kernel-mode driver
Microsoft Defender	0.8				1		Anti-malware component of Microsoft Windows
Microsoft Edge	0.8			14	11		Web browser
Microsoft PostScript and PCL6 Class Printer Driver	0.8			11	1		Microsoft standard printer driver for PostScript printers
RPC	0.8				1		Remote Procedure Call Runtime
Windows Domain Name Service	0.8			1			Windows component
Windows Advanced Local Procedure Call (ALPC)	0.8				1		Windows component
Windows Ancillary Function Driver for WinSock	0.8				1		Windows component
Windows Bluetooth Driver	0.8			1			Windows component
Windows Boot Manager	0.8				2		Windows component
Windows CNG Key Isolation Service	0.8				1		Windows component
Windows Clip Service	0.8				1		Windows component
Windows Common Log File System Driver	0.8		1		1		Windows component
Windows Enroll Engine	0.8			1			Windows component
Windows Error Reporting Service	0.8				1		Windows component
Windows Graphics Component	0.8				1		Windows component
Windows Group Policy	0.8				1		Windows component
Windows Internet Key Exchange (IKE) Protocol Extensions	0.8			1			Windows component
Windows Kernel Memory	0.8				1		Windows component
Windows Lock Screen	0.8			2			Windows component
Windows Network Address Translation (NAT)	0.8				1		Windows component
Windows Network File System	0.8				1		Windows component
Windows Network Load Balancing	0.8			1			Windows component
Windows Point-to-Point Protocol over Ethernet (PPPoE)	0.8			1			Windows component
Windows Point-to-Point Tunneling Protocol	0.8			1			Windows component
Windows Pragmatic General Multicast (PGM)	0.8			1			Windows component
Windows Registry	0.8				1		Windows component
Windows Remote Desktop Protocol	0.8				1		Windows component
Windows Remote Procedure Call Service (RPCSS)	0.8				1		Windows component
Windows Secure Channel	0.8				3		Windows component
Windows Secure Socket Tunneling Protocol (SSTP)	0.8				1		Windows component
Windows Snipping Tool	0.8				1		Windows component
.NET	0.7			1			.NET
Microsoft SharePoint	0.7				1		Microsoft SharePoint
Raw Image Extension	0.7			2			Raw Image Extension
Microsoft Office	0.6			1			Microsoft Office
Microsoft SQL	0.6			1			Microsoft SQL
Microsoft Word	0.6		1				MS Office product
Azure Machine Learning	0.5				1		Azure Machine Learning
Azure Service Connector	0.5				1		Azure Service Connector
DHCP Server Service	0.5				1		DHCP Server Service
Layer 2 Tunneling Protocol	0.5			2			Layer 2 Tunneling Protocol
Microsoft Dynamics 365 (on-premises)	0.5				2		Microsoft Dynamics 365 (on-premises)
Microsoft Dynamics 365 Customer Voice	0.5				1		Microsoft Dynamics 365 Customer Voice
Microsoft ODBC and OLE DB	0.5			2			Microsoft ODBC and OLE DB
Microsoft Publisher	0.5				2		Microsoft Publisher
Microsoft WDAC OLE DB provider for SQL Server	0.5			1			Microsoft WDAC OLE DB provider for SQL Server
Visual Studio	0.3			1	3		Integrated development environment
Visual Studio Code	0.3				1		Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0		1	40	4		Remote Code Execution
Security Feature Bypass	0.9			6	5		Security Feature Bypass
Denial of Service	0.7			2	7		Denial of Service
Memory Corruption	0.6			11	3		Memory Corruption
Elevation of Privilege	0.5		1	2	18		Elevation of Privilege
Cross Site Scripting	0.4				3		Cross Site Scripting
Information Disclosure	0.4				11		Information Disclosure
Spoofing	0.4				6		Spoofing
Tampering	0.3				1		Tampering
Unknown Vulnerability Type	0				2		Unknown Vulnerability Type

Urgent (0)

Critical (2)

1. Elevation of Privilege - Windows Common Log File System Driver (CVE-2023-28252) - Critical [665]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

qualys: CVE-2023-28252: Windows Common Log File System Driver Elevation of Privilege Vulnerability An attacker may exploit this vulnerability in a low-complexity attack. On successful exploitation, an attacker will gain SYSTEM privileges. Microsoft has mentioned in the advisory that the vulnerability is being exploited in the wild. Cybercriminals have used the vulnerability to deploy Nokoyawa Ransomware. The identity of the threat actor or APT group using Nokoyawa is yet to be disclosed. The attacks are happening in South and North America, regions across Asia, and SMBs in the Middle East. Additionally, CISA has also added this vulnerability to its Known Exploitable Vulnerabilities Catalog.

tenable: Microsoft’s April 2023 Patch Tuesday Addresses 97 CVEs (CVE-2023-28252)

tenable: CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

tenable: CVE-2023-28252 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver, a logging service used by kernel-mode and user-mode applications. It was assigned a CVSSv3 score of 7.8. This vulnerability is a post-compromise flaw, meaning an attacker could exploit it after gaining access to a vulnerable target. Successful exploitation would elevate an attacker’s privileges SYSTEM. According to Microsoft, it was exploited in the wild as a zero day. Its discovery is attributed to Genwei Jiang of Mandiant and Quan Jin with DBAPPSecurity WeBin Lab.

tenable: CVE-2023-28252 is the second CLFS Driver EoP vulnerability to be exploited in the wild in 2023, as CVE-2023-23376 was disclosed in the February 2023 Patch Tuesday. It is the fourth known CLFS EoP vulnerability to be exploited in the wild in the last two years, following CVE-2022-24521 from the April 2022 Patch Tuesday and CVE-2022-37969 from the September 2022 Patch Tuesday release. CVE-2022-37969 was also disclosed to Microsoft by Wang and Jin, though it is unclear if there is any connection between both flaws.

rapid7: Over the last 18 months or so, Rapid7 has written several times about the prevalence of driver-based attacks. This month's sole zero-day vulnerability – a driver-based elevation of privilege – will only reinforce the popularity of the vector among threat actors. Successful exploitation of CVE-2023-28252 allows an attacker to obtain SYSTEM privileges via a vulnerability in the Windows Common Log File System (CLFS) driver. Microsoft has patched more than one similar CLFS driver vulnerability over the past year, including CVE-2023-23376 in February 2023 and CVE-2022-37969 in September 2022.

rapid7: Microsoft has released patches for the zero-day vulnerability CVE-2023-28252 for all current versions of Windows. Microsoft is not aware of public disclosure, but has detected in-the-wild exploitation and is aware of functional exploit code. The assigned base CVSSv3 score of 7.8 lands this vulnerability near the top of the High severity range, which is expected since it gives complete control of an asset, but a remote attacker must first find some other method to access the target.

zdi: CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability. This is the one bug under active attack this month, and if it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago. To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware. Definitely test and deploy this patch quickly.

2. Remote Code Execution - Microsoft Word (CVE-2023-28311) - Critical [647]

Description: Microsoft Word Remote Code Execution Vulnerability

High (61)

3. Remote Code Execution - Microsoft Message Queuing (CVE-2023-21554) - High [542]

Description: Microsoft Message Queuing Remote Code Execution Vulnerability

qualys: CVE-2023-21554: Microsoft Message Queuing Remote Code Execution Vulnerability (QueueJumper) Message Queuing (MSMQ) is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages). The Windows message queuing service needs to be enabled for the system to be exploitable. This feature can be enabled using the Control Panel. To exploit this vulnerability, an attacker must send a specially crafted malicious MSMQ packet to an MSMQ server to perform remote code execution on the server side.

qualys: CVE-2023-21554: Microsoft Message Queuing Remote Code Execution Vulnerability   This vulnerability has a CVSSv3.1 9.8 / 8.5   Policy Compliance Control IDs (CIDs):   4030 Status of the ‘Windows Message Queuing Service’   14916 Status of Windows Services   14297 Status of the open network connections and listening ports (Qualys Agent only)  The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:   control.id: [4030,14916,14297,10472,10475,10474,13918,10473,16104,4026] 

qualys: CVE-2023-21554: Microsoft Message Queuing Remote Code Execution Vulnerability  This vulnerability has a CVSSv3.1 score of 9.8/10.  Exploitability Assessment: Exploitation More Likely

tenable: CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability

tenable: CVE-2023-21554 is a RCE vulnerability affecting Microsoft Message Queuing (MSMQ) with a CVSSv3 score of 9.8. An attacker could exploit this flaw by sending a specially crafted MSMQ packet to an affected MSMQ server. Microsoft’s advisory notes that exploitation of this flaw requires the Windows message queuing service to be enabled. When enabled, TCP port 1801 will be listening on the host.

rapid7: Microsoft rates seven of this month’s RCE vulnerabilities as Critical, including two related vulnerabilities with a CVSSv3 base score of 9.8. CVE-2023-28250 describes a vulnerability in Windows Pragmatic General Multicast (PGM) which allows an attacker to achieve RCE by sending a specially crafted file over the network. CVE-2023-21554 allows an attacker to achieve RCE by sending a specially crafted Microsoft Messaging Queue packet. In both cases, the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable. The Message Queueing Service is not installed by default. Even so, Microsoft considers exploitation of CVE-2023-21554 more likely.

zdi: CVE-2023-21554 – Microsoft Message Queuing Remote Code Execution Vulnerability. This is a CVSS 9.8 bug and receives Microsoft’s highest exploitability rating. It allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications. It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks. However, it’s not clear what impact this may have on operations. Your best option is to test and deploy the update.

4. Remote Code Execution - Windows Pragmatic General Multicast (PGM) (CVE-2023-28250) - High [526]

Description: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

qualys: CVE-2023-28250: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Pragmatic General Multicast (PGM) is a multicast computer network transport protocol best suited for applications like multi-receiver file transfer. The protocol provides a reliable sequence of packets to multiple recipients simultaneously. The system will be exploitable if the Windows Message Queuing service is enabled. An attacker may send a specially crafted file over the network for remote code execution.

qualys: CVE-2023-28250: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability   This vulnerability has a CVSSv3.1 9.8 / 8.5   Policy Compliance Control IDs (CIDs):   4030 Status of the ‘Windows Message Queuing Service’   14916 Status of Windows Services   14297 Status of the open network connections and listening ports (Qualys Agent only)  

qualys: CVE-2023-28250: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability  This vulnerability has a CVSSv3.1 score of 9.8/10.  Exploitability Assessment: Exploitation More Likely

tenable: CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

tenable: CVE-2023-28250 is a RCE vulnerability affecting Windows Pragmatic General Multicast (PGM). Successful exploitation requires the MSMQ service to be enabled. An attacker could exploit this flaw by sending a crafted file over the network in order to execute arbitrary code. This vulnerability has a CVSSv3 score of 9.8 and impacts supported versions of Windows including Server Core installations.

rapid7: Microsoft rates seven of this month’s RCE vulnerabilities as Critical, including two related vulnerabilities with a CVSSv3 base score of 9.8. CVE-2023-28250 describes a vulnerability in Windows Pragmatic General Multicast (PGM) which allows an attacker to achieve RCE by sending a specially crafted file over the network. CVE-2023-21554 allows an attacker to achieve RCE by sending a specially crafted Microsoft Messaging Queue packet. In both cases, the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable. The Message Queueing Service is not installed by default. Even so, Microsoft considers exploitation of CVE-2023-21554 more likely.

5. Remote Code Execution - Windows Internet Key Exchange (IKE) Protocol Extensions (CVE-2023-28238) - High [514]

Description: Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability

qualys: CVE-2023-28238: Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability   This vulnerability has a CVSSv3.1 7.5 / 6.5   Policy Compliance Control IDs (CIDs):   4026 Status of the Windows IKE and AuthIP IPsec Keying Modules service   14916 Status of Windows Services  

qualys: CVE-2023-28238: Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability  This vulnerability has a CVSSv3.1 score of 7.5/10. Exploitability Assessment: Exploitation Less Likely 

6. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2023-28232) - High [502]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

qualys: CVE-2023-28232: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Point-to-Point Tunneling Protocol enables secure data transmission from a remote client to a private enterprise server with the help of a virtual private network (VPN) across TCP/IP-based data networks. The vulnerability arises when a user connects a Windows client to a malicious server. An attacker must perform additional actions to prepare the target environment for exploitation.

7. Remote Code Execution - .NET (CVE-2023-28260) - High [495]

Description: .NET DLL Hijacking Remote Code Execution Vulnerability

8. Remote Code Execution - Remote Procedure Call Runtime (CVE-2023-21727) - High [495]

Description: Remote Procedure Call Runtime Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

9. Remote Code Execution - Microsoft ODBC and OLE DB (CVE-2023-23375) - High [485]

Description: Microsoft ODBC and OLE DB Remote Code Execution Vulnerability

10. Remote Code Execution - Microsoft ODBC and OLE DB (CVE-2023-28304) - High [485]

Description: Microsoft ODBC and OLE DB Remote Code Execution Vulnerability

11. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24884) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

12. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24885) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

13. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24886) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

14. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24887) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

15. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24924) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

16. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24925) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

17. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24926) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

18. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24927) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

19. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24928) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

20. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24929) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

21. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-28243) - High [478]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

22. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2023-28275) - High [476]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

23. Remote Code Execution - Windows DNS Server (CVE-2023-28254) - High [471]

Description: Windows DNS Server Remote Code Execution Vulnerability

24. Remote Code Execution - Windows DNS Server (CVE-2023-28255) - High [471]

Description: Windows DNS Server Remote Code Execution Vulnerability

25. Remote Code Execution - Windows DNS Server (CVE-2023-28256) - High [471]

Description: Windows DNS Server Remote Code Execution Vulnerability

26. Remote Code Execution - Windows DNS Server (CVE-2023-28278) - High [471]

Description: Windows DNS Server Remote Code Execution Vulnerability

27. Remote Code Execution - Windows DNS Server (CVE-2023-28305) - High [471]

Description: Windows DNS Server Remote Code Execution Vulnerability

28. Remote Code Execution - Windows DNS Server (CVE-2023-28306) - High [471]

Description: Windows DNS Server Remote Code Execution Vulnerability

29. Remote Code Execution - Windows DNS Server (CVE-2023-28307) - High [471]

Description: Windows DNS Server Remote Code Execution Vulnerability

30. Remote Code Execution - Windows DNS Server (CVE-2023-28308) - High [471]

Description: Windows DNS Server Remote Code Execution Vulnerability

31. Remote Code Execution - Windows Kernel (CVE-2023-28237) - High [471]

Description: Windows Kernel Remote Code Execution Vulnerability

32. Remote Code Execution - Windows Network Load Balancing (CVE-2023-28240) - High [466]

Description: Windows Network Load Balancing Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

33. Remote Code Execution - Microsoft SQL (CVE-2023-23384) - High [457]

Description: Microsoft SQL Server Remote Code Execution Vulnerability

zdi: CVE-2023-23384 – Microsoft SQL Server Remote Code Execution Vulnerability. This is a silent patch released by Microsoft in February and is just now being documented. The problem of silent patching has already been well documented, so I won’t rehash it here. The patch fixes an OOB Write bug in the SQLcmd tool that could allow a remote, unauthenticated attacker to exploit code with elevated privileges. While not listed in the CVSS, the attack complexity seems high since the attacker can only control a few bytes at a time. A server crash is much more likely. If you’re running SQL server, read the Cumulative Update table to ensure you have both the February and April updates installed.

34. Remote Code Execution - Windows Domain Name Service (CVE-2023-28223) - High [454]

Description: Windows Domain Name Service Remote Code Execution Vulnerability

35. Remote Code Execution - Windows Bluetooth Driver (CVE-2023-28227) - High [454]

Description: Windows Bluetooth Driver Remote Code Execution Vulnerability

36. Remote Code Execution - Layer 2 Tunneling Protocol (CVE-2023-28219) - High [452]

Description: Layer 2 Tunneling Protocol Remote Code Execution Vulnerability

qualys: CVE-2023-28219 & CVE-2023-28220: Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used mainly by Internet Service Providers and Virtual Private Networks (VPNs). L2TP is one of the protocols that help in ensuring security and privacy by enabling a tunnel for Layer 2 traffic over a Layer 3 network. To exploit this vulnerability, an attacker is required to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server and perform remote code execution on the RAS server machine.

37. Remote Code Execution - Layer 2 Tunneling Protocol (CVE-2023-28220) - High [452]

Description: Layer 2 Tunneling Protocol Remote Code Execution Vulnerability

qualys: CVE-2023-28219 & CVE-2023-28220: Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used mainly by Internet Service Providers and Virtual Private Networks (VPNs). L2TP is one of the protocols that help in ensuring security and privacy by enabling a tunnel for Layer 2 traffic over a Layer 3 network. To exploit this vulnerability, an attacker is required to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server and perform remote code execution on the RAS server machine.

38. Remote Code Execution - Visual Studio (CVE-2023-28296) - High [452]

Description: Visual Studio Remote Code Execution Vulnerability

39. Remote Code Execution - Windows Point-to-Point Protocol over Ethernet (PPPoE) (CVE-2023-28224) - High [442]

Description: Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability

40. Remote Code Execution - Raw Image Extension (CVE-2023-28291) - High [438]

Description: Raw Image Extension Remote Code Execution Vulnerability

qualys: CVE-2023-28291: Raw Image Extension Remote Code Execution Vulnerability An attacker must log on to the system to exploit the vulnerability. An attacker may trick a local user into opening a malicious file containing a specially crafted application to take control of the system. To open the specially crafted file, an attacker must first convince the user to click a link, usually sent via an email or instant message.

41. Remote Code Execution - Raw Image Extension (CVE-2023-28292) - High [438]

Description: Raw Image Extension Remote Code Execution Vulnerability

42. Security Feature Bypass - Microsoft Edge (CVE-2023-1814) - High [436]

Description: Chromium: CVE-2023-1814 Insufficient validation of untrusted input in Safe Browsing. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1814 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

43. Elevation of Privilege - Windows Win32k (CVE-2023-28274) - High [427]

Description: Windows Win32k Elevation of Privilege Vulnerability

44. Security Feature Bypass - Microsoft Edge (CVE-2023-1817) - High [425]

Description: Chromium: CVE-2023-1817 Insufficient policy enforcement in Intents. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1817 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

45. Security Feature Bypass - Microsoft Edge (CVE-2023-1823) - High [425]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-1823 Inappropriate implementation in FedCM. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in FedCM in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-1823 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

46. Remote Code Execution - Microsoft Office (CVE-2023-28285) - High [421]

Description: Microsoft Office Remote Code Execution Vulnerability

47. Memory Corruption - Microsoft Edge (CVE-2023-1534) - High [419]

Description: Chromium: CVE-2023-1534 Out of bounds read in ANGLE. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1534 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

48. Security Feature Bypass - Windows Enroll Engine (CVE-2023-28226) - High [413]

Description: Windows Enroll Engine Security Feature Bypass Vulnerability

49. Elevation of Privilege - Kerberos (CVE-2023-28244) - High [410]

Description: Windows Kerberos Elevation of Privilege Vulnerability

qualys: CVE-2023-28244: Windows Kerberos Elevation of Privilege Vulnerability   This vulnerability has a CVSSv3.1 8.1 / 7.1   Policy Compliance Control IDs (CIDs):   10472 Status of the ‘Turn On Virtualization Based Security’ setting   10475 Status of the ‘Turn On Virtualization Based Security (Select Platform Security Level)’ setting   10474 Status of the ‘Turn On Virtualization Based Security (Enable Virtualization Based Protection of Code Integrity)’ setting   13918 Status of ‘Turn On Virtualization Based Security: Require UEFI Memory Attributes Table’ group policy   10473 Status of the ‘Turn On Virtualization Based Security (Credential Guard Configuration)’ setting   16104 Status of the ‘Turn On Virtualization Based Security (Secure Launch Configuration)’ GPO setting  

qualys: CVE-2023-28244: Windows Kerberos Elevation of Privilege Vulnerability  This vulnerability has a CVSSv3.1 score of 8.1/10. Exploitability Assessment: Exploitation Less Likely  Note: Scripts will be available in the CAR script library.

50. Memory Corruption - Microsoft Edge (CVE-2023-1528) - High [407]

Description: Chromium: CVE-2023-1528 Use after free in Passwords. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1528 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

51. Memory Corruption - Microsoft Edge (CVE-2023-1529) - High [407]

Description: Chromium: CVE-2023-1529 Out of bounds memory access in WebHID. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1529 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

52. Memory Corruption - Microsoft Edge (CVE-2023-1530) - High [407]

Description: Chromium: CVE-2023-1530 Use after free in PDF. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1530 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

53. Memory Corruption - Microsoft Edge (CVE-2023-1531) - High [407]

Description: Chromium: CVE-2023-1531 Use after free in ANGLE. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1531 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

54. Memory Corruption - Microsoft Edge (CVE-2023-1532) - High [407]

Description: Chromium: CVE-2023-1532 Out of bounds read in GPU Video. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1532 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

55. Memory Corruption - Microsoft Edge (CVE-2023-1810) - High [407]

Description: Chromium: CVE-2023-1810 Heap buffer overflow in Visuals. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1810 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

56. Memory Corruption - Microsoft Edge (CVE-2023-1811) - High [407]

Description: Chromium: CVE-2023-1811 Use after free in Frames. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1811 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

57. Memory Corruption - Microsoft Edge (CVE-2023-1815) - High [407]

Description: Chromium: CVE-2023-1815 Use after free in Networking APIs. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1815 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

58. Memory Corruption - Microsoft Edge (CVE-2023-1818) - High [407]

Description: Chromium: CVE-2023-1818 Use after free in Vulkan. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1818 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

59. Memory Corruption - Microsoft Edge (CVE-2023-1820) - High [407]

Description: Chromium: CVE-2023-1820 Heap buffer overflow in Browser History. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1820 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

60. Denial of Service - Microsoft Message Queuing (CVE-2023-21769) - High [405]

Description: Microsoft Message Queuing Denial of Service Vulnerability

tenable: In addition to this RCE flaw, two denial of service CVEs (CVE-2023-21769 and CVE-2023-28302) rated as “important” were also patched in MSMQ this month.

61. Denial of Service - Microsoft Message Queuing (CVE-2023-28302) - High [405]

Description: Microsoft Message Queuing Denial of Service Vulnerability

tenable: In addition to this RCE flaw, two denial of service CVEs (CVE-2023-21769 and CVE-2023-28302) rated as “important” were also patched in MSMQ this month.

62. Security Feature Bypass - Windows Lock Screen (CVE-2023-28235) - High [401]

Description: Windows Lock Screen Security Feature Bypass Vulnerability

63. Security Feature Bypass - Windows Lock Screen (CVE-2023-28270) - High [401]

Description: Windows Lock Screen Security Feature Bypass Vulnerability

Medium (60)

64. Memory Corruption - Microsoft Edge (CVE-2023-1533) - Medium [395]

Description: Chromium: CVE-2023-1533 Use after free in WebProtect. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1533 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

65. Memory Corruption - Microsoft Edge (CVE-2023-1812) - Medium [395]

Description: Chromium: CVE-2023-1812 Out of bounds memory access in DOM Bindings. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1812 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

66. Remote Code Execution - DHCP Server Service (CVE-2023-28231) - Medium [392]

Description: DHCP Server Service Remote Code Execution Vulnerability

qualys: CVE-2023-28231: DHCP Server Service Remote Code Execution Vulnerability Dynamic Host Configuration Protocol (DHCP) is a network server that helps clients successfully communicate on the network. The protocol provides an Internet Protocol (IP) host with its IP address. An authenticated attacker may exploit this vulnerability by sending a specially crafted RPC call to the DHCP service. An attacker must gain access to the restricted network before performing the attack for successful exploitation.

tenable: CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability

tenable: CVE-2023-28231 is a RCE vulnerability affecting the Dynamic Host Configuration Protocol (DHCP) server service. Microsoft rates this vulnerability as “Exploitation More Likely” according to the Microsoft Exploitability Index. With a CVSSv3 score of 8.8, successful exploitation requires an attacker to be on an adjacent network prior to using a crafted RPC call to exploit the flaw.

rapid7: DHCP server vulnerability CVE-2023-28231 requires an attacker to be on the same network as the target, but offers RCE via a specially crafted RPC call. Microsoft considers that exploitation is more likely.

67. Denial of Service - Microsoft Defender (CVE-2023-24860) - Medium [389]

Description: Microsoft Defender Denial of Service Vulnerability

rapid7: The hunter becomes the hunted as Microsoft patches a Denial of Service vulnerability in Defender. The advisory for CVE-2023-24860 includes some unusual guidance: “Systems that have disabled Microsoft Defender are not in an exploitable state.” In practice this vulnerability is less likely to be exploited, and the default update cadence for Defender should mean that most assets are automatically patched in a short timeframe.

68. Denial of Service - Windows Network Address Translation (NAT) (CVE-2023-28217) - Medium [389]

Description: Windows Network Address Translation (NAT) Denial of Service Vulnerability

69. Denial of Service - Windows Secure Channel (CVE-2023-24931) - Medium [389]

Description: Windows Secure Channel Denial of Service Vulnerability

70. Denial of Service - Windows Secure Channel (CVE-2023-28233) - Medium [389]

Description: Windows Secure Channel Denial of Service Vulnerability

71. Denial of Service - Windows Secure Channel (CVE-2023-28234) - Medium [389]

Description: Windows Secure Channel Denial of Service Vulnerability

72. Denial of Service - Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2023-28241) - Medium [389]

Description: Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability

73. Security Feature Bypass - Windows Boot Manager (CVE-2023-28249) - Medium [389]

Description: Windows Boot Manager Security Feature Bypass Vulnerability

74. Security Feature Bypass - Windows Boot Manager (CVE-2023-28269) - Medium [389]

Description: Windows Boot Manager Security Feature Bypass Vulnerability

75. Elevation of Privilege - RPC (CVE-2023-28268) - Medium [377]

Description: Netlogon RPC Elevation of Privilege Vulnerability

76. Security Feature Bypass - Azure Service Connector (CVE-2023-28300) - Medium [375]

Description: Azure Service Connector Security Feature Bypass Vulnerability

rapid7: The other Azure vulnerability this month is a Azure Service Connector Security Feature Bypass. Microsoft rates Attack Complexity for CVE-2023-28300 as High, since this vulnerability is only useful when chained with other exploits to defeat other security measures. However, the Azure Service Connector only updates when the Azure Command-Line Interface is updated, and automatic updates are not enabled by default.

77. Memory Corruption - Microsoft Edge (CVE-2023-1819) - Medium [371]

Description: Chromium: CVE-2023-1819 Out of bounds read in Accessibility. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1819 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

78. Remote Code Execution - Visual Studio Code (CVE-2023-24893) - Medium [371]

Description: Visual Studio Code Remote Code Execution Vulnerability

79. Security Feature Bypass - Microsoft Edge (CVE-2023-28286) - Medium [365]

Description: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

MS PT Extended: CVE-2023-28286 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

80. Denial of Service - Windows Kernel (CVE-2023-28298) - Medium [358]

Description: Windows Kernel Denial of Service Vulnerability

81. Remote Code Execution - Microsoft Publisher (CVE-2023-28287) - Medium [357]

Description: Microsoft Publisher Remote Code Execution Vulnerability

82. Remote Code Execution - Microsoft Publisher (CVE-2023-28295) - Medium [357]

Description: Microsoft Publisher Remote Code Execution Vulnerability

83. Security Feature Bypass - Windows Group Policy (CVE-2023-28276) - Medium [353]

Description: Windows Group Policy Security Feature Bypass Vulnerability

84. Information Disclosure - Windows Network File System (CVE-2023-28247) - Medium [347]

Description: Windows Network File System Information Disclosure Vulnerability

rapid7: Windows Server administrators should take note of CVE-2023-28247. Successful exploitation allows an attacker to view contents of kernel memory remotely from the context of a user process. Microsoft lists Windows Server 2012, 2016, 2019, and 2022 as vulnerable. Although Microsoft assesses that exploitation is less likely, Windows stores many secrets in kernel memory, including cryptographic keys.

85. Information Disclosure - Windows Remote Desktop Protocol (CVE-2023-28267) - Medium [347]

Description: Remote Desktop Protocol Client Information Disclosure Vulnerability

86. Spoofing - Microsoft Edge (CVE-2023-1816) - Medium [347]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-1816 Incorrect security UI in Picture In Picture. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Incorrect security UI in Picture In Picture in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially perform navigation spoofing via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-1816 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

87. Spoofing - Microsoft Edge (CVE-2023-1822) - Medium [347]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-1822 Incorrect security UI in Navigation. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Incorrect security UI in Navigation in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-1822 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

88. Elevation of Privilege - Windows Kernel (CVE-2023-28236) - Medium [346]

Description: Windows Kernel Elevation of Privilege Vulnerability

89. Elevation of Privilege - Windows Kernel (CVE-2023-28248) - Medium [346]

Description: Windows Kernel Elevation of Privilege Vulnerability

90. Elevation of Privilege - Windows Kernel (CVE-2023-28272) - Medium [346]

Description: Windows Kernel Elevation of Privilege Vulnerability

91. Elevation of Privilege - Windows Kernel (CVE-2023-28293) - Medium [346]

Description: Windows Kernel Elevation of Privilege Vulnerability

92. Elevation of Privilege - Windows NTLM (CVE-2023-28225) - Medium [346]

Description: Windows NTLM Elevation of Privilege Vulnerability

93. Elevation of Privilege - Windows Remote Procedure Call Service (RPCSS) (CVE-2023-28297) - Medium [341]

Description: Windows Remote Procedure Call Service (RPCSS) Elevation of Privilege Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-21727 allows an attacker to perform remote code execution on the server side with the same permissions as the RPC service by sending a specially crafted RPC call to an RPC host. CVE-2023-28297 allows an attacker to gain SYSTEM privileges by running a specially crafted application. The specially crafted application may lead to remote code execution with elevated permissions. CVE-2023-28240, an attacker on the same subnet as the target system, may send a specially crafted packet to a server configured as a Network Load Balancing cluster host to exploit this vulnerability. An attacker can trigger CVE-2023-28275 by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB. An attacker can perform remote code execution on successful exploitation. CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243 vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution.

94. Elevation of Privilege - Windows Kernel (CVE-2023-28222) - Medium [334]

Description: Windows Kernel Elevation of Privilege Vulnerability

95. Elevation of Privilege - Windows Win32k (CVE-2023-24914) - Medium [334]

Description: Win32k Elevation of Privilege Vulnerability

96. Elevation of Privilege - Windows Graphics Component (CVE-2023-24912) - Medium [329]

Description: Windows Graphics Component Elevation of Privilege Vulnerability

97. Elevation of Privilege - Windows Registry (CVE-2023-28246) - Medium [329]

Description: Windows Registry Elevation of Privilege Vulnerability

98. Elevation of Privilege - Visual Studio (CVE-2023-28262) - Medium [327]

Description: Visual Studio Elevation of Privilege Vulnerability

99. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24883) - Medium [323]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

100. Information Disclosure - Windows Snipping Tool (CVE-2023-28303) - Medium [321]

Description: Windows Snipping Tool Information Disclosure Vulnerability

MS PT Extended: CVE-2023-28303 was published before April 2023 Patch Tuesday from 2023-03-15 to 2023-04-10

101. Spoofing - Visual Studio (CVE-2023-28299) - Medium [321]

Description: Visual Studio Spoofing Vulnerability

102. Elevation of Privilege - Windows Advanced Local Procedure Call (ALPC) (CVE-2023-28216) - Medium [317]

Description: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability

103. Elevation of Privilege - Windows Ancillary Function Driver for WinSock (CVE-2023-28218) - Medium [317]

Description: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

104. Elevation of Privilege - Windows CNG Key Isolation Service (CVE-2023-28229) - Medium [317]

Description: Windows CNG Key Isolation Service Elevation of Privilege Vulnerability

105. Elevation of Privilege - Windows Clip Service (CVE-2023-28273) - Medium [317]

Description: Windows Clip Service Elevation of Privilege Vulnerability

106. Elevation of Privilege - Windows Error Reporting Service (CVE-2023-28221) - Medium [317]

Description: Windows Error Reporting Service Elevation of Privilege Vulnerability

107. Information Disclosure - Windows DNS Server (CVE-2023-28277) - Medium [316]