Report Name: Microsoft Patch Tuesday, March 2023
Generated: 2023-03-26 13:52:54

Product Name	Prevalence	U	C	H	M	L	Comment
HTTP Protocol Stack	0.9			1			HTTP Protocol Stack
Remote Procedure Call Runtime	0.9			4			Remote Procedure Call Runtime
Windows DNS Server	0.9			1			Windows component
Windows Kernel	0.9				4		Windows Kernel
CSRSS	0.8				2		Client Server Runtime Subsystem, or csrss.exe , is a component of the Windows NT family of operating systems that provides the user mode side of the Win32 subsystem and is included in Windows NT 3.1 and later
ICMP	0.8			1			The Internet Control Message Protocol (ICMP) is a network layer protocol used by network devices to diagnose network communication issues
Microsoft Defender	0.8				1		Anti-malware component of Microsoft Windows
Microsoft Edge	0.8				30		Web browser
Microsoft PostScript and PCL6 Class Printer Driver	0.8			10	10		Microsoft standard printer driver for PostScript printers
TPM2.0 Module Library	0.8			1	1		TPM2.0 Module Library
Windows Accounts Picture	0.8				1		Windows component
Windows Bluetooth Driver	0.8				1		Windows component
Windows Bluetooth Service	0.8			1			Windows component
Windows BrokerInfrastructure Service	0.8				1		Windows component
Windows Cryptographic	0.8			1			Windows component
Windows Graphics Component	0.8				2		Windows component
Windows HTTP.sys	0.8				1		Windows component
Windows Internet Key Exchange (IKE) Extension	0.8			1			Windows component
Windows Media	0.8			2			Windows component
Windows Partition Management Driver	0.8				1		Windows component
Windows Point-to-Point Protocol over Ethernet (PPPoE)	0.8			2	1		Windows component
Windows Point-to-Point Tunneling Protocol	0.8			1			Windows component
Windows Resilient File System (ReFS)	0.8				2		Windows component
Windows Secure Channel	0.8				1		Windows component
Windows SmartScreen	0.8		1				Windows component
Microsoft SharePoint	0.7				1		Microsoft SharePoint
Microsoft Excel	0.6			2	1		MS Office product
Microsoft Outlook	0.6	1					MS Office product
Office	0.6				1		MS Office product
Windows Hyper-V	0.6				1		Hardware virtualization component of the client editions of Windows NT
Microsoft Dynamics 365	0.5				1		Microsoft Dynamics 365 is a product line of enterprise resource planning (ERP) and customer relationship management (CRM) intelligent business applications
Microsoft Dynamics 365 (on-premises)	0.5				5		Microsoft Dynamics 365 (on-premises)
Microsoft OneDrive	0.5				4		Microsoft OneDrive
Service Fabric Explorer	0.5				1		Service Fabric Explorer
Azure	0.4				1		Azure
GitHub	0.2			1	3		GitHub, Inc. is an Internet hosting service for software development and version control using Git

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0			26	2		Remote Code Execution
Security Feature Bypass	0.9		1		8		Security Feature Bypass
Denial of Service	0.7			2	2		Denial of Service
Memory Corruption	0.6				18		Memory Corruption
Elevation of Privilege	0.5	1			19		Elevation of Privilege
Cross Site Scripting	0.4				5		Cross Site Scripting
Information Disclosure	0.4			1	14		Information Disclosure
Spoofing	0.4				10		Spoofing

Urgent (1)

1. Elevation of Privilege - Microsoft Outlook (CVE-2023-23397) - Urgent [822]

Description: Microsoft Outlook Elevation of Privilege Vulnerability

qualys: Microsoft Patches for March 2023 Microsoft has addressed 101 vulnerabilities in the month of March, including 22 Microsoft Edge (Chromium-based) vulnerabilities. Microsoft has also addressed two zero-day vulnerabilities known to be exploited in the wild. CISA has also added those two vulnerabilities, CVE-2023-24880 and CVE-2023-23397, to its Known Exploitable Vulnerabilities Catalog after Microsoft released this month’s Patch Tuesday update. Out of the 101 vulnerabilities, nine are rated as critical, 70 as important, and one as moderate. This month’s Patch Tuesday edition includes updates for vulnerabilities in Microsoft Office and Components; Microsoft Dynamics, Microsoft OneDrive, Microsoft Windows Codecs Library, Client Server Runtime Subsystem (CSRSS), Internet Control Message Protocol (ICMP), Microsoft PostScript Printer Driver. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing. The March 2023 Microsoft vulnerabilities are classified as follows:  Vulnerability CategoryQuantitySeveritiesSpoofing Vulnerability10Important: 6Denial of Service Vulnerability4Important: 3 Critical: 1Elevation of Privilege Vulnerability21Important: 18 Critical: 3Information Disclosure Vulnerability15Important: 15Remote Code Execution Vulnerability27Important: 22 Critical: 5Security Feature Bypass Vulnerability2Important: 1Microsoft Edge (Chromium-based)22Important: 1

qualys: CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability Microsoft is aware of the active exploitation of this vulnerability that could allow an attacker to access a user’s Net-NTLMv2 hash. The hash can be leveraged to carry out an NTLM Relay attack against another service to authenticate as the user. The vulnerability can be exploited in a low-complexity attack by specially crafted emails sent by an attacker to connect the victim to an external attacker’s control UNC location. The mail will be triggered automatically when retrieved and processed by the Outlook client. This could result in exploitation BEFORE the email is viewed in the Preview Pane. As per Microsoft, the vulnerability was exploited in targeted attacks against a number of European companies in the military, transportation, energy, and government sectors.  The threat actor XXX is thought to be responsible for the attacks.   CVE-2023-23397 has been used in attacks against up to 15 companies, with the most recent incident taking place in December of last year. 

qualys: CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability   This vulnerability has a CVSSv3.1 9.8/10   Policy Compliance Control IDs (CIDs):   17220 Status of the ‘Active Directory Protected Users Security Group’ setting   14028 List of ‘Outbound Rules’ configured in Windows Firewall with Advanced Security via GPO   The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:   control.id: [17220, 14028, 24717]  The next Patch Tuesday falls on April 11th, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the This Month in Vulnerabilities and Patches webinar.

tenable: Microsoft’s March 2023 Patch Tuesday Addresses 76 CVEs (CVE-2023-23397)

tenable: Update March 16: The blog has been updated to include additional information on CVE-2023-23397, including a link to a detailed writeup on the ease of exploitation.

tenable: CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability

tenable: CVE-2023-23397 is an elevation of privilege vulnerability in Microsoft Outlook that was assigned a CVSSv3 score of 9.8 and was exploited in the wild. The vulnerability can be exploited by sending a malicious email to a vulnerable version of Outlook. When the email is processed by the server, a connection to an attacker-controlled device can be established in order to leak the Net-NTLMv2 hash of the email recipient. The attacker can use this hash to authenticate as the victim recipient in an NTLM relay attack. Microsoft notes that this exploitation can occur before the email is viewed in the Preview Pane, meaning no interaction from the victim recipient is needed for a successful attack.

tenable: Update March 16: The blog has been updated to include additional information on CVE-2023-23397, including a link to a detailed writeup on the ease of exploitation.

tenable: Update March 14: This blog has been updated to reflect the correct title for CVE-2023-23397 as well as new information from Microsoft regarding the in-the-wild exploitation of this flaw.

rapid7: CVE-2023-23397 describes a Critical Elevation of Privilege vulnerability affecting Outlook for Windows, which is concerning for several reasons. Microsoft has detected in-the-wild exploitation by a XXX threat actor targeting government, military, and critical infrastructure targets in Europe.

rapid7: The vulnerability was discovered by Microsoft Threat Intelligence, who have published a Microsoft Security Research Center blog post describing the issue in detail, and which provides a Microsoft script and accompanying documentation to detect if an asset has been compromised using CVE-2023-23397.

rapid7: Current self-hosted versions of Outlook – including Microsoft 365 Apps for Enterprise – are vulnerable to CVE-2023-23397, but Microsoft-hosted online services (e.g., Microsoft 365) are not vulnerable. Microsoft has calculated a CVSSv3 base score of 9.8.

zdi: CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability. Although technically a spoofing bug, I would consider the result of this vulnerability to be authentication bypass. The bug allows a remote, unauthenticated attacker to access a user’s Net-NTLMv2 hash just by sending a specially crafted e-mail to an affected system. This hash could then be used in a relay attack to impersonate the user, thus effectively bypassing authentication. Before you ask about the Preview Pane, know that this bug hits before the e-mail is even viewed by the Preview Pane, so disabling that feature has no impact. No information is provided regarding how widespread these attacks may be, but definitely test and deploy this fix quickly.

Critical (1)

2. Security Feature Bypass - Windows SmartScreen (CVE-2023-24880) - Critical [782]

Description: Windows SmartScreen Security Feature Bypass Vulnerability

qualys: Microsoft Patches for March 2023 Microsoft has addressed 101 vulnerabilities in the month of March, including 22 Microsoft Edge (Chromium-based) vulnerabilities. Microsoft has also addressed two zero-day vulnerabilities known to be exploited in the wild. CISA has also added those two vulnerabilities, CVE-2023-24880 and CVE-2023-23397, to its Known Exploitable Vulnerabilities Catalog after Microsoft released this month’s Patch Tuesday update. Out of the 101 vulnerabilities, nine are rated as critical, 70 as important, and one as moderate. This month’s Patch Tuesday edition includes updates for vulnerabilities in Microsoft Office and Components; Microsoft Dynamics, Microsoft OneDrive, Microsoft Windows Codecs Library, Client Server Runtime Subsystem (CSRSS), Internet Control Message Protocol (ICMP), Microsoft PostScript Printer Driver. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing. The March 2023 Microsoft vulnerabilities are classified as follows:  Vulnerability CategoryQuantitySeveritiesSpoofing Vulnerability10Important: 6Denial of Service Vulnerability4Important: 3 Critical: 1Elevation of Privilege Vulnerability21Important: 18 Critical: 3Information Disclosure Vulnerability15Important: 15Remote Code Execution Vulnerability27Important: 22 Critical: 5Security Feature Bypass Vulnerability2Important: 1Microsoft Edge (Chromium-based)22Important: 1

qualys: CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability Microsoft has mentioned in the advisory that this vulnerability is being exploited in the wild. To exploit this vulnerability, an attacker must craft a malicious file to bypass the Mark of the Web (MOTW) defenses. Mark of the Web (MOTW) is a Windows feature that protects users from downloading files from unreliable sources. Windows adds a hidden tag called the mark to files obtained from the Internet. The capability and usage of files with the MOTW tag are restricted.

tenable: CVE-2023-24880 | Windows SmartScreen Security Feature Bypass Vulnerability

tenable: CVE-2023-24880 is a Windows SmartScreen Security Feature Bypass vulnerability in Windows operating systems that was assigned a CVSSv3 score of 5.4. The vulnerability has been publicly disclosed and was exploited in the wild. To be exploited, a malicious file needs to be opened by a user on an affected version of Windows. When the email is opened, the Mark of the Web (MoTW) functionality is bypassed, meaning that security features that rely on MoTW tagging are not triggered and could allow for malicious payloads within the file to be executed on the target.

rapid7: The other zero-day vulnerability this month, CVE-2023-24880, describes a Security Feature Bypass in Windows SmartScreen, which is part of Microsoft’s slate of endpoint protection offerings. A specially crafted file could avoid receiving Mark of the Web and thus dodge the enhanced scrutiny usually applied to files downloaded from the internet.

rapid7: Although Microsoft has seen in-the-wild exploitation, and original reporter Google TAG has linked CVE-2023-24880 to delivery of Magniber malware, Microsoft has assessed it as only Moderate severity – the only one this month – and assigned it a relatively low CVSSv3 base score of 5.4; the low impact ratings and requirement for user interaction contribute to the lower scoring. This vulnerability thus has the unusual distinction of being both an exploited-in-the-wild zero-day vulnerability and also the lowest-ranked vulnerability on Microsoft's severity scale in this month's Patch Tuesday. Only more recent versions of Windows are affected: Windows 10 and 11, as well as Server 2016 onwards.

zdi: CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability. This is the other bug listed as under active attack, although this one is much less exciting. The vulnerability allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen.

High (29)

3. Denial of Service - Microsoft Excel (CVE-2023-23396) - High [579]

Description: Microsoft Excel Denial of Service Vulnerability

4. Remote Code Execution - HTTP Protocol Stack (CVE-2023-23392) - High [508]

Description: HTTP Protocol Stack Remote Code Execution Vulnerability

qualys: CVE-2023-23392 – HTTP Protocol Stack Remote Code Execution Vulnerability The critical severity vulnerability affects Windows 11 Systems and Windows Server 2022. A server is vulnerable to the flaw if the following two conditions are met: Sever must use buffered I/O Binding has HTTP/3 enabled A server that uses the HTTP Protocol Stack (HTTP.sys) to handle packets could be exploited by an unauthenticated attacker by sending a specially crafted packet to the server.

qualys: CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability   This vulnerability has a CVSSv3.1 9.8/10   Policy Compliance Control IDs (CIDs):   24717 Status of the ‘HTTP/3’ service 

tenable: CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability

tenable: CVE-2023-23392 is a RCE vulnerability in Microsoft operating systems that was given a CVSSv3 score of 9.8 and rated as "Exploitation More Likely." The vulnerability exists in the HTTP. sys component of Windows operating systems. Exploitation can be performed by a remote, unauthenticated attacker sending a malicious packet to the target server. For a server to be vulnerable, it must have HTTP/3 enabled and use buffered I/O. The Microsoft advisory notes that HTTP/3 support is a new feature for Windows Server 2022 and must be enabled with a registry key.

rapid7: A further five critical Remote Code Execution (RCE) vulnerabilities are patched this month in Windows low-level components. Three of these are assessed as Exploitation More Likely, and most of them affect a wide range of Windows versions, with the exception of CVE-2023-23392 which affects only Windows 11 and Windows Server 2022. Only assets where HTTP/3 has been enabled are potentially vulnerable – it is disabled by default – yet Microsoft still assesses this vulnerability as Exploitation More Likely, perhaps because HTTP endpoints are typically accessible.

zdi: CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability. This CVSS 9.8 bug could allow a remote, unauthenticated attacker to execute code at SYSTEM level without user interaction. That combination makes this bug wormable – at least through systems that meet the target requirements. The target system needs to have HTTP/3 enabled and set to use buffered I/O. However, this is a relatively common configuration. Note that only Windows 11 and Windows Server 2022 are affected, which means this is a newer bug and not legacy code.

5. Remote Code Execution - Remote Procedure Call Runtime (CVE-2023-21708) - High [508]

Description: Remote Procedure Call Runtime Remote Code Execution Vulnerability

qualys: CVE-2023-21708 – Remote Procedure Call Runtime Remote Code Execution Vulnerability Microsoft has put this vulnerability in the less likely to be exploited category. With a specially crafted RPC call to an RPC host, an attacker may exploit this vulnerability. An unauthenticated attacker may exploit this vulnerability to perform remote code execution on the server side with the same privileges as the RPC service.

rapid7: CVE-2023-21708 is a Remote Procedure Call (RPC) vulnerability with a base CVSSv3 of 9.8. Microsoft recommends blocking TCP port 135 at the perimeter as a mitigation; given the perennial nature of RPC vulnerabilities, defenders will know that this has always been good advice.

6. Remote Code Execution - ICMP (CVE-2023-23415) - High [489]

Description: Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

qualys: CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability The vulnerability affects the Internet Control Message Protocol (ICMP) network layer protocol. The protocol is used by multiple network devices to detect network communication issues. To exploit this vulnerability, an attacker must send a low-level protocol error with a fragmented IP packet inside another ICMP packet in its header to the target system. An application on the target must be bound to a raw socket to execute the vulnerable code path.

tenable: CVE-2023-23415 | Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

tenable: CVE-2023-23415 is a RCE vulnerability in Windows operating systems and was assigned a CVSSv3 score of 9.8. The vulnerability lies in the way the operating system handles ICMP packets when an application running on the vulnerable Windows host is bound to a raw socket. Exploitation is performed by sending a malicious fragmented IP packet to a vulnerable target, leading to arbitrary code execution. CVE-2023-23415 was given a rating of "Exploitation More Likely" using the Microsoft Exploitability Index.

rapid7: Another veteran class of vulnerability makes a return this month: CVE-2023-23415 describes an attack involving a fragmented packet inside the header of another ICMP packet. Insufficient validation of ICMP packets has been a source of vulnerabilities since the dawn of time; the original and still-infamous Ping of Death vulnerability, which affected a wide range of vendors and operating systems, was one of the first vulnerabilities ever to be assigned a CVE, way back in 1999.

zdi: CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability. Will ICMP fragmentation bugs ever completely go away? I hope not, because I think they are neat. Here’s another potentially wormable bug resulting from an error message containing a fragmented IP packet in its header. It’s also a CVSS 9.8. The only caveat here is that an application on the target system must be bound to a raw socket. Not all applications do this, but the likelihood of one being available is high. There are some that block ICMP at their perimeter, but doing this has some negative side effects – especially for remote troubleshooting.

7. Remote Code Execution - Remote Procedure Call Runtime (CVE-2023-23405) - High [481]

Description: Remote Procedure Call Runtime Remote Code Execution Vulnerability

8. Remote Code Execution - Remote Procedure Call Runtime (CVE-2023-24869) - High [481]

Description: Remote Procedure Call Runtime Remote Code Execution Vulnerability

9. Remote Code Execution - Remote Procedure Call Runtime (CVE-2023-24908) - High [481]

Description: Remote Procedure Call Runtime Remote Code Execution Vulnerability

10. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-23403) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

11. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-23406) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

12. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-23413) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

13. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24867) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

14. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24868) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

15. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24872) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

16. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24876) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-23398 allows an attacker to trick a user into enabling content they cannot inspect. Using social engineering to convince a victim to download and open a specially constructed file from a website could result in a local attack on the victim’s computer. CVE-2023-23410 is an elevation of privilege vulnerability in the HTTP.sys web server implementation. The flaw allows an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24861 is an elevation of privilege vulnerability in the Windows Graphic component. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker may gain SYSTEM privileges after exploiting this vulnerability. CVE-2023-24876 is a remote code execution vulnerability that affects the Microsoft PostScript and PCL6 Class Printer Driver.

17. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24907) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

18. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24909) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

19. Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24913) - High [475]

Description: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

20. Remote Code Execution - TPM2.0 Module Library (CVE-2023-1017) - High [475]

Description: {'ms_cve_data_all': 'CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.', 'combined_cve_data_all': ''}

qualys: CVE-2023-1017 and CVE-2023-1018 – TPM2.0 Module Library Elevation of Privilege Vulnerability These vulnerabilities were discovered and addressed earlier this month by the upstream vendor TCG in the advisory TCGVRT0007. TPM (Trusted Platform Module) is a hardware-based technology that helps improve PC security. A TPM chip is widely used as a secure cryptoprocessor that provides hardware security through integrated cryptographic keys. Implementing improper length checks may lead to buffer overflow; the buffer passed to the ExecuteCommand() entry point faces this overflow condition. CVE-2023-1017 is an out-of-bounds write vulnerability that could allow an attacker to write 2 bytes past the end of that buffer with attacker-specified values. User-mode applications can trigger this vulnerability by sending malicious commands to TPM 2.0. An attacker can cause an out-of-bounds write to the root partition on a target running Hyper-V using malicious TPM commands from a guest VM. CVE-2023-1018 is an out-of-bound read vulnerability that may allow an attacker to read 2 bytes past the end of that buffer. Successful exploitation of these vulnerabilities may result in local information disclosure or elevation of privileges.

tenable: Microsoft patched 76 CVEs in its March 2023 Patch Tuesday Release, with nine rated as critical, 66 rated as important and one rated as moderate. This CVE count includes two CVEs (CVE-2023-1017 and CVE-2023-1018) in the third party Trusted Platform Module (TPM2.0) Library.

rapid7: Microsoft has addressed two related vulnerabilities introduced via the Trusted Platform Module (TPM) 2.0 reference implementation code published by the Trusted Computing Group industry alliance. CVE-2023-1017 is an out-of-bounds write, and CVE-2023-1018 is an out-of-bounds read. Both may be triggered without elevated privileges, and may allow an attacker to access or modify highly-privileged information inside the TPM itself. Defenders managing non-Microsoft assets should note that a wide range of vendors including widely used Linux distros are also affected by this pair of vulnerabilities.

21. Remote Code Execution - Windows Bluetooth Service (CVE-2023-24871) - High [475]

Description: Windows Bluetooth Service Remote Code Execution Vulnerability

22. Remote Code Execution - Windows DNS Server (CVE-2023-23400) - High [467]

Description: Windows DNS Server Remote Code Execution Vulnerability

23. Remote Code Execution - Windows Cryptographic (CVE-2023-23416) - High [462]

Description: Windows Cryptographic Services Remote Code Execution Vulnerability

qualys: CVE-2023-23416 – Windows Cryptographic Services Remote Code Execution Vulnerability An affected system must import a malicious certificate to exploit this vulnerability successfully. An attacker may encourage an authenticated user to import a certificate on their system, upload it to a service that processes or imports certificates, or both.

tenable: CVE-2023-23416 | Windows Cryptographic Services Remote Code Execution Vulnerability

tenable: CVE-2023-23416 is a RCE vulnerability in Windows operating systems that was assigned a CVSSv3 score of 8.4. The vulnerability exists in Windows Cryptographic Services, a suite of cryptographic tools in Windows operating systems. Exploitation is performed by importing a malicious certificate onto a vulnerable target, requiring the attacker to authenticate to the target or entice an authenticated user into importing the malicious certificate. CVE-2023-23416 was given a rating of "Exploitation More Likely" using the Microsoft Exploitability Index.

24. Remote Code Execution - Windows Media (CVE-2023-23401) - High [462]

Description: Windows Media Remote Code Execution Vulnerability

25. Remote Code Execution - Windows Media (CVE-2023-23402) - High [462]

Description: Windows Media Remote Code Execution Vulnerability

26. Remote Code Execution - Windows Point-to-Point Tunneling Protocol (CVE-2023-23404) - High [462]

Description: Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability

qualys: CVE-2023-23404 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Point-to-Point Tunneling Protocol enables secure data transmission from a remote client to a private enterprise server with the help of a virtual private network (VPN) across TCP/IP-based data networks. The vulnerability requires an attacker to win a race condition to exploit this vulnerability. An unauthenticated attacker may send a specially crafted connection request to a RAS server that will lead to remote code execution on the RAS Server machine.

27. Remote Code Execution - Windows Point-to-Point Protocol over Ethernet (PPPoE) (CVE-2023-23407) - High [448]

Description: Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability

28. Remote Code Execution - Windows Point-to-Point Protocol over Ethernet (PPPoE) (CVE-2023-23414) - High [448]

Description: Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability

29. Information Disclosure - GitHub (CVE-2023-22490) - High [429]

Description: GitHub: CVE-2023-22490 mingit Information Disclosure Vulnerability

30. Remote Code Execution - Microsoft Excel (CVE-2023-23399) - High [424]

Description: Microsoft Excel Remote Code Execution Vulnerability

31. Denial of Service - Windows Internet Key Exchange (IKE) Extension (CVE-2023-24859) - High [401]

Description: Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability

Medium (78)

32. Memory Corruption - Microsoft Edge (CVE-2023-0927) - Medium [394]

Description: Chromium: CVE-2023-0927 Use after free in Web Payments API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-0927 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

33. Memory Corruption - Microsoft Edge (CVE-2023-0928) - Medium [394]

Description: Chromium: CVE-2023-0928 Use after free in SwiftShader. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-0928 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

34. Memory Corruption - Microsoft Edge (CVE-2023-0929) - Medium [394]

Description: Chromium: CVE-2023-0929 Use after free in Vulkan. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-0929 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

35. Memory Corruption - Microsoft Edge (CVE-2023-0930) - Medium [394]

Description: Chromium: CVE-2023-0930 Heap buffer overflow in Video. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-0930 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

36. Memory Corruption - Microsoft Edge (CVE-2023-0931) - Medium [394]

Description: Chromium: CVE-2023-0931 Use after free in Video. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-0931 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

37. Memory Corruption - Microsoft Edge (CVE-2023-0932) - Medium [394]

Description: Chromium: CVE-2023-0932 Use after free in WebRTC. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-0932 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

38. Memory Corruption - Microsoft Edge (CVE-2023-0933) - Medium [394]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-0933 Integer overflow in PDF. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Integer overflow in PDF in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-0933 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

39. Memory Corruption - Microsoft Edge (CVE-2023-0941) - Medium [394]

Description: Chromium: CVE-2023-0941 Use after free in Prompts. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-0941 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

40. Memory Corruption - Microsoft Edge (CVE-2023-1213) - Medium [394]

Description: Chromium: CVE-2023-1213 Use after free in Swiftshader. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1213 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

41. Memory Corruption - Microsoft Edge (CVE-2023-1214) - Medium [394]

Description: Chromium: CVE-2023-1214 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1214 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

42. Memory Corruption - Microsoft Edge (CVE-2023-1215) - Medium [394]

Description: Chromium: CVE-2023-1215 Type Confusion in CSS. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1215 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

43. Memory Corruption - Microsoft Edge (CVE-2023-1216) - Medium [394]

Description: Chromium: CVE-2023-1216 Use after free in DevTools. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1216 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

44. Memory Corruption - Microsoft Edge (CVE-2023-1218) - Medium [394]

Description: Chromium: CVE-2023-1218 Use after free in WebRTC. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1218 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

45. Memory Corruption - Microsoft Edge (CVE-2023-1219) - Medium [394]

Description: Chromium: CVE-2023-1219 Heap buffer overflow in Metrics. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1219 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

46. Memory Corruption - Microsoft Edge (CVE-2023-1220) - Medium [394]

Description: Chromium: CVE-2023-1220 Heap buffer overflow in UMA. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1220 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

47. Memory Corruption - Microsoft Edge (CVE-2023-1222) - Medium [394]

Description: Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1222 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

48. Security Feature Bypass - Microsoft Edge (CVE-2023-1221) - Medium [387]

Description: Chromium: CVE-2023-1221 Insufficient policy enforcement in Extensions API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1221 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

49. Security Feature Bypass - Microsoft Edge (CVE-2023-1223) - Medium [387]

Description: Chromium: CVE-2023-1223 Insufficient policy enforcement in Autofill. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1223 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

50. Security Feature Bypass - Microsoft Edge (CVE-2023-1224) - Medium [387]

Description: Chromium: CVE-2023-1224 Insufficient policy enforcement in Web Payments API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1224 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

51. Security Feature Bypass - Microsoft Edge (CVE-2023-1228) - Medium [387]

Description: Chromium: CVE-2023-1228 Insufficient policy enforcement in Intents. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1228 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

52. Security Feature Bypass - Microsoft Edge (CVE-2023-1229) - Medium [387]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-1229 Inappropriate implementation in Permission prompts. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Permission prompts in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-1229 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

53. Security Feature Bypass - Microsoft Edge (CVE-2023-1232) - Medium [387]

Description: Chromium: CVE-2023-1232 Insufficient policy enforcement in Resource Timing. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1232 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

54. Security Feature Bypass - Microsoft Edge (CVE-2023-1233) - Medium [387]

Description: Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1233 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

55. Elevation of Privilege - Windows Kernel (CVE-2023-23420) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability

56. Elevation of Privilege - Windows Kernel (CVE-2023-23421) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability

57. Elevation of Privilege - Windows Kernel (CVE-2023-23422) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability

58. Elevation of Privilege - Windows Kernel (CVE-2023-23423) - Medium [379]

Description: Windows Kernel Elevation of Privilege Vulnerability

59. Denial of Service - Windows Secure Channel (CVE-2023-24862) - Medium [374]

Description: Windows Secure Channel Denial of Service Vulnerability

60. Elevation of Privilege - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24864) - Medium [374]

Description: Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability

61. Elevation of Privilege - TPM2.0 Module Library (CVE-2023-1018) - Medium [374]

Description: CERT/CC: CVE-2023-1018 TPM2.0 Module Library Elevation of Privilege Vulnerability

qualys: CVE-2023-1017 and CVE-2023-1018 – TPM2.0 Module Library Elevation of Privilege Vulnerability These vulnerabilities were discovered and addressed earlier this month by the upstream vendor TCG in the advisory TCGVRT0007. TPM (Trusted Platform Module) is a hardware-based technology that helps improve PC security. A TPM chip is widely used as a secure cryptoprocessor that provides hardware security through integrated cryptographic keys. Implementing improper length checks may lead to buffer overflow; the buffer passed to the ExecuteCommand() entry point faces this overflow condition. CVE-2023-1017 is an out-of-bounds write vulnerability that could allow an attacker to write 2 bytes past the end of that buffer with attacker-specified values. User-mode applications can trigger this vulnerability by sending malicious commands to TPM 2.0. An attacker can cause an out-of-bounds write to the root partition on a target running Hyper-V using malicious TPM commands from a guest VM. CVE-2023-1018 is an out-of-bound read vulnerability that may allow an attacker to read 2 bytes past the end of that buffer. Successful exploitation of these vulnerabilities may result in local information disclosure or elevation of privileges.

tenable: Microsoft patched 76 CVEs in its March 2023 Patch Tuesday Release, with nine rated as critical, 66 rated as important and one rated as moderate. This CVE count includes two CVEs (CVE-2023-1017 and CVE-2023-1018) in the third party Trusted Platform Module (TPM2.0) Library.

rapid7: Microsoft has addressed two related vulnerabilities introduced via the Trusted Platform Module (TPM) 2.0 reference implementation code published by the Trusted Computing Group industry alliance. CVE-2023-1017 is an out-of-bounds write, and CVE-2023-1018 is an out-of-bounds read. Both may be triggered without elevated privileges, and may allow an attacker to access or modify highly-privileged information inside the TPM itself. Defenders managing non-Microsoft assets should note that a wide range of vendors including widely used Linux distros are also affected by this pair of vulnerabilities.

62. Elevation of Privilege - Windows Bluetooth Driver (CVE-2023-23388) - Medium [374]

Description: Windows Bluetooth Driver Elevation of Privilege Vulnerability

63. Security Feature Bypass - Microsoft OneDrive (CVE-2023-24890) - Medium [371]

Description: Microsoft OneDrive for iOS Security Feature Bypass Vulnerability

64. Memory Corruption - Microsoft Edge (CVE-2023-1217) - Medium [367]

Description: Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1217 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

65. Elevation of Privilege - Windows Accounts Picture (CVE-2023-23412) - Medium [360]

Description: Windows Accounts Picture Elevation of Privilege Vulnerability

66. Elevation of Privilege - Windows Graphics Component (CVE-2023-24910) - Medium [360]

Description: Windows Graphics Component Elevation of Privilege Vulnerability

67. Elevation of Privilege - Windows HTTP.sys (CVE-2023-23410) - Medium [360]

Description: Windows HTTP.sys Elevation of Privilege Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-23398 allows an attacker to trick a user into enabling content they cannot inspect. Using social engineering to convince a victim to download and open a specially constructed file from a website could result in a local attack on the victim’s computer. CVE-2023-23410 is an elevation of privilege vulnerability in the HTTP.sys web server implementation. The flaw allows an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24861 is an elevation of privilege vulnerability in the Windows Graphic component. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker may gain SYSTEM privileges after exploiting this vulnerability. CVE-2023-24876 is a remote code execution vulnerability that affects the Microsoft PostScript and PCL6 Class Printer Driver.

68. Elevation of Privilege - Windows Partition Management Driver (CVE-2023-23417) - Medium [360]

Description: Windows Partition Management Driver Elevation of Privilege Vulnerability

69. Elevation of Privilege - Windows Resilient File System (ReFS) (CVE-2023-23418) - Medium [360]

Description: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

70. Elevation of Privilege - Windows Resilient File System (ReFS) (CVE-2023-23419) - Medium [360]

Description: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

71. Memory Corruption - Microsoft Edge (CVE-2023-1235) - Medium [354]

Description: Chromium: CVE-2023-1235 Type Confusion in DevTools. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-1235 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

72. Denial of Service - Windows Hyper-V (CVE-2023-23411) - Medium [350]

Description: Windows Hyper-V Denial of Service Vulnerability

qualys: CVE-2023-23411 – Windows Hyper-V Denial of Service Vulnerability An attacker can locally exploit this vulnerability in a low-complexity attack to affect the functionality of Hyper-V hosts as a Hyper-V. Hyper-V provides hardware virtualization and allows the creation of virtual hard drives and virtual switches.

73. Remote Code Execution - GitHub (CVE-2023-23618) - Medium [348]

Description: GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability

74. Remote Code Execution - GitHub (CVE-2023-23946) - Medium [348]

Description: GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability

75. Elevation of Privilege - Windows BrokerInfrastructure Service (CVE-2023-23393) - Medium [347]

Description: Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability

76. Elevation of Privilege - Windows Graphics Component (CVE-2023-24861) - Medium [347]

Description: Windows Graphics Component Elevation of Privilege Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-23398 allows an attacker to trick a user into enabling content they cannot inspect. Using social engineering to convince a victim to download and open a specially constructed file from a website could result in a local attack on the victim’s computer. CVE-2023-23410 is an elevation of privilege vulnerability in the HTTP.sys web server implementation. The flaw allows an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24861 is an elevation of privilege vulnerability in the Windows Graphic component. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker may gain SYSTEM privileges after exploiting this vulnerability. CVE-2023-24876 is a remote code execution vulnerability that affects the Microsoft PostScript and PCL6 Class Printer Driver.

77. Elevation of Privilege - Windows Point-to-Point Protocol over Ethernet (PPPoE) (CVE-2023-23385) - Medium [347]

Description: Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability

78. Elevation of Privilege - Microsoft Defender (CVE-2023-23389) - Medium [333]

Description: Microsoft Defender Elevation of Privilege Vulnerability

79. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24856) - Medium [327]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

80. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24857) - Medium [327]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

81. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24858) - Medium [327]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

82. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24863) - Medium [327]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

83. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24865) - Medium [327]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

84. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24866) - Medium [327]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

85. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24870) - Medium [327]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

86. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24906) - Medium [327]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

87. Information Disclosure - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24911) - Medium [327]

Description: Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability

88. Spoofing - Microsoft Edge (CVE-2023-24892) - Medium [327]

Description: Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability

89. Information Disclosure - CSRSS (CVE-2023-23394) - Medium [313]

Description: Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability

90. Information Disclosure - CSRSS (CVE-2023-23409) - Medium [313]

Description: Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability

91. Elevation of Privilege - Microsoft OneDrive (CVE-2023-24930) - Medium [304]

Description: Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability

92. Spoofing - Microsoft Excel (CVE-2023-23398) - Medium [289]

Description: Microsoft Excel Spoofing Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-23398 allows an attacker to trick a user into enabling content they cannot inspect. Using social engineering to convince a victim to download and open a specially constructed file from a website could result in a local attack on the victim’s computer. CVE-2023-23410 is an elevation of privilege vulnerability in the HTTP.sys web server implementation. The flaw allows an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24861 is an elevation of privilege vulnerability in the Windows Graphic component. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker may gain SYSTEM privileges after exploiting this vulnerability. CVE-2023-24876 is a remote code execution vulnerability that affects the Microsoft PostScript and PCL6 Class Printer Driver.

93. Spoofing - Microsoft Edge (CVE-2023-1230) - Medium [286]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-1230 Inappropriate implementation in WebApp Installs. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in WebApp Installs in Google Chrome on Android prior to 111.0.5563.64 allowed an attacker who convinced a user to install a malicious WebApp to spoof the contents of the PWA installer via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-1230 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

94. Spoofing - Microsoft Edge (CVE-2023-1231) - Medium [286]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-1231 Inappropriate implementation in Autofill. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Autofill in Google Chrome on Android prior to 111.0.5563.64 allowed a remote attacker to potentially spoof the contents of the omnibox via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-1231 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

95. Spoofing - Microsoft Edge (CVE-2023-1234) - Medium [286]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-1234 Inappropriate implementation in Intents. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Intents in Google Chrome on Android prior to 111.0.5563.64 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-1234 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

96. Spoofing - Microsoft Edge (CVE-2023-1236) - Medium [286]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-1236 Inappropriate implementation in Internals. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Internals in Google Chrome prior to 111.0.5563.64 allowed a remote attacker to spoof the origin of an iframe via a crafted HTML page. (Chromium security severity: Low)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-1236 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

97. Spoofing - Service Fabric Explorer (CVE-2023-23383) - Medium [283]

Description: Service Fabric Explorer Spoofing Vulnerability

rapid7: Azure administrators who update their Service Fabric Cluster manually should note that CVE-2023-23383 describes a spoofing vulnerability in the web management client where a user clicking a suitably-crafted malicious link could unwittingly execute actions against the remote cluster. Azure estates with automatic upgrades enabled are already protected.

98. Spoofing - Office (CVE-2023-23391) - Medium [275]

Description: Office for Android Spoofing Vulnerability

99. Information Disclosure - Microsoft Dynamics 365 (CVE-2023-24922) - Medium [270]

Description: Microsoft Dynamics 365 Information Disclosure Vulnerability

100. Information Disclosure - Microsoft OneDrive (CVE-2023-24882) - Medium [256]

Description: Microsoft OneDrive for Android Information Disclosure Vulnerability

101. Information Disclosure - Microsoft OneDrive (CVE-2023-24923) - Medium [256]

Description: Microsoft OneDrive for Android Information Disclosure Vulnerability

102. Spoofing - Microsoft SharePoint (CVE-2023-23395) - Medium [254]

Description: Microsoft SharePoint Server Spoofing Vulnerability

103. Cross Site Scripting - Microsoft Dynamics 365 (on-premises) (CVE-2023-24879) - Medium [243]

Description: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

104. Cross Site Scripting - Microsoft Dynamics 365 (on-premises) (CVE-2023-24891) - Medium [243]

Description: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

105. Cross Site Scripting - Microsoft Dynamics 365 (on-premises) (CVE-2023-24919) - Medium [243]

Description: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

106. Cross Site Scripting - Microsoft Dynamics 365 (on-premises) (CVE-2023-24920) - Medium [243]

Description: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

107. Elevation of Privilege - GitHub (CVE-2023-22743) - Medium [233]

Description: GitHub: CVE-2023-22743 Git for Windows Installer Elevation of Privilege Vulnerability

108. Cross Site Scripting - Microsoft Dynamics 365 (on-premises) (CVE-2023-24921) - Medium [229]

Description: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

109. Spoofing - Azure (CVE-2023-23408) - Medium [224]

Description: Azure Apache Ambari Spoofing Vulnerability

Low (0)

Exploitation in the wild detected (2)

Elevation of Privilege (1)

• Microsoft Outlook (CVE-2023-23397)

qualys: Microsoft Patches for March 2023 Microsoft has addressed 101 vulnerabilities in the month of March, including 22 Microsoft Edge (Chromium-based) vulnerabilities. Microsoft has also addressed two zero-day vulnerabilities known to be exploited in the wild. CISA has also added those two vulnerabilities, CVE-2023-24880 and CVE-2023-23397, to its Known Exploitable Vulnerabilities Catalog after Microsoft released this month’s Patch Tuesday update. Out of the 101 vulnerabilities, nine are rated as critical, 70 as important, and one as moderate. This month’s Patch Tuesday edition includes updates for vulnerabilities in Microsoft Office and Components; Microsoft Dynamics, Microsoft OneDrive, Microsoft Windows Codecs Library, Client Server Runtime Subsystem (CSRSS), Internet Control Message Protocol (ICMP), Microsoft PostScript Printer Driver. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing. The March 2023 Microsoft vulnerabilities are classified as follows:  Vulnerability CategoryQuantitySeveritiesSpoofing Vulnerability10Important: 6Denial of Service Vulnerability4Important: 3 Critical: 1Elevation of Privilege Vulnerability21Important: 18 Critical: 3Information Disclosure Vulnerability15Important: 15Remote Code Execution Vulnerability27Important: 22 Critical: 5Security Feature Bypass Vulnerability2Important: 1Microsoft Edge (Chromium-based)22Important: 1

qualys: CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability Microsoft is aware of the active exploitation of this vulnerability that could allow an attacker to access a user’s Net-NTLMv2 hash. The hash can be leveraged to carry out an NTLM Relay attack against another service to authenticate as the user. The vulnerability can be exploited in a low-complexity attack by specially crafted emails sent by an attacker to connect the victim to an external attacker’s control UNC location. The mail will be triggered automatically when retrieved and processed by the Outlook client. This could result in exploitation BEFORE the email is viewed in the Preview Pane. As per Microsoft, the vulnerability was exploited in targeted attacks against a number of European companies in the military, transportation, energy, and government sectors.  The threat actor XXX is thought to be responsible for the attacks.   CVE-2023-23397 has been used in attacks against up to 15 companies, with the most recent incident taking place in December of last year. 

qualys: CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability   This vulnerability has a CVSSv3.1 9.8/10   Policy Compliance Control IDs (CIDs):   17220 Status of the ‘Active Directory Protected Users Security Group’ setting   14028 List of ‘Outbound Rules’ configured in Windows Firewall with Advanced Security via GPO   The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:   control.id: [17220, 14028, 24717]  The next Patch Tuesday falls on April 11th, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the This Month in Vulnerabilities and Patches webinar.

tenable: Microsoft’s March 2023 Patch Tuesday Addresses 76 CVEs (CVE-2023-23397)

tenable: Update March 16: The blog has been updated to include additional information on CVE-2023-23397, including a link to a detailed writeup on the ease of exploitation.

tenable: CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability

tenable: CVE-2023-23397 is an elevation of privilege vulnerability in Microsoft Outlook that was assigned a CVSSv3 score of 9.8 and was exploited in the wild. The vulnerability can be exploited by sending a malicious email to a vulnerable version of Outlook. When the email is processed by the server, a connection to an attacker-controlled device can be established in order to leak the Net-NTLMv2 hash of the email recipient. The attacker can use this hash to authenticate as the victim recipient in an NTLM relay attack. Microsoft notes that this exploitation can occur before the email is viewed in the Preview Pane, meaning no interaction from the victim recipient is needed for a successful attack.

tenable: Update March 16: The blog has been updated to include additional information on CVE-2023-23397, including a link to a detailed writeup on the ease of exploitation.

tenable: Update March 14: This blog has been updated to reflect the correct title for CVE-2023-23397 as well as new information from Microsoft regarding the in-the-wild exploitation of this flaw.

rapid7: CVE-2023-23397 describes a Critical Elevation of Privilege vulnerability affecting Outlook for Windows, which is concerning for several reasons. Microsoft has detected in-the-wild exploitation by a XXX threat actor targeting government, military, and critical infrastructure targets in Europe.

rapid7: The vulnerability was discovered by Microsoft Threat Intelligence, who have published a Microsoft Security Research Center blog post describing the issue in detail, and which provides a Microsoft script and accompanying documentation to detect if an asset has been compromised using CVE-2023-23397.

rapid7: Current self-hosted versions of Outlook – including Microsoft 365 Apps for Enterprise – are vulnerable to CVE-2023-23397, but Microsoft-hosted online services (e.g., Microsoft 365) are not vulnerable. Microsoft has calculated a CVSSv3 base score of 9.8.

zdi: CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability. Although technically a spoofing bug, I would consider the result of this vulnerability to be authentication bypass. The bug allows a remote, unauthenticated attacker to access a user’s Net-NTLMv2 hash just by sending a specially crafted e-mail to an affected system. This hash could then be used in a relay attack to impersonate the user, thus effectively bypassing authentication. Before you ask about the Preview Pane, know that this bug hits before the e-mail is even viewed by the Preview Pane, so disabling that feature has no impact. No information is provided regarding how widespread these attacks may be, but definitely test and deploy this fix quickly.

Security Feature Bypass (1)

• Windows SmartScreen (CVE-2023-24880)

qualys: Microsoft Patches for March 2023 Microsoft has addressed 101 vulnerabilities in the month of March, including 22 Microsoft Edge (Chromium-based) vulnerabilities. Microsoft has also addressed two zero-day vulnerabilities known to be exploited in the wild. CISA has also added those two vulnerabilities, CVE-2023-24880 and CVE-2023-23397, to its Known Exploitable Vulnerabilities Catalog after Microsoft released this month’s Patch Tuesday update. Out of the 101 vulnerabilities, nine are rated as critical, 70 as important, and one as moderate. This month’s Patch Tuesday edition includes updates for vulnerabilities in Microsoft Office and Components; Microsoft Dynamics, Microsoft OneDrive, Microsoft Windows Codecs Library, Client Server Runtime Subsystem (CSRSS), Internet Control Message Protocol (ICMP), Microsoft PostScript Printer Driver. Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing. The March 2023 Microsoft vulnerabilities are classified as follows:  Vulnerability CategoryQuantitySeveritiesSpoofing Vulnerability10Important: 6Denial of Service Vulnerability4Important: 3 Critical: 1Elevation of Privilege Vulnerability21Important: 18 Critical: 3Information Disclosure Vulnerability15Important: 15Remote Code Execution Vulnerability27Important: 22 Critical: 5Security Feature Bypass Vulnerability2Important: 1Microsoft Edge (Chromium-based)22Important: 1

qualys: CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability Microsoft has mentioned in the advisory that this vulnerability is being exploited in the wild. To exploit this vulnerability, an attacker must craft a malicious file to bypass the Mark of the Web (MOTW) defenses. Mark of the Web (MOTW) is a Windows feature that protects users from downloading files from unreliable sources. Windows adds a hidden tag called the mark to files obtained from the Internet. The capability and usage of files with the MOTW tag are restricted.

tenable: CVE-2023-24880 | Windows SmartScreen Security Feature Bypass Vulnerability

tenable: CVE-2023-24880 is a Windows SmartScreen Security Feature Bypass vulnerability in Windows operating systems that was assigned a CVSSv3 score of 5.4. The vulnerability has been publicly disclosed and was exploited in the wild. To be exploited, a malicious file needs to be opened by a user on an affected version of Windows. When the email is opened, the Mark of the Web (MoTW) functionality is bypassed, meaning that security features that rely on MoTW tagging are not triggered and could allow for malicious payloads within the file to be executed on the target.

rapid7: The other zero-day vulnerability this month, CVE-2023-24880, describes a Security Feature Bypass in Windows SmartScreen, which is part of Microsoft’s slate of endpoint protection offerings. A specially crafted file could avoid receiving Mark of the Web and thus dodge the enhanced scrutiny usually applied to files downloaded from the internet.

rapid7: Although Microsoft has seen in-the-wild exploitation, and original reporter Google TAG has linked CVE-2023-24880 to delivery of Magniber malware, Microsoft has assessed it as only Moderate severity – the only one this month – and assigned it a relatively low CVSSv3 base score of 5.4; the low impact ratings and requirement for user interaction contribute to the lower scoring. This vulnerability thus has the unusual distinction of being both an exploited-in-the-wild zero-day vulnerability and also the lowest-ranked vulnerability on Microsoft's severity scale in this month's Patch Tuesday. Only more recent versions of Windows are affected: Windows 10 and 11, as well as Server 2016 onwards.

zdi: CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability. This is the other bug listed as under active attack, although this one is much less exciting. The vulnerability allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen.

Public exploit exists, but exploitation in the wild is NOT detected (2)

Denial of Service (1)

• Microsoft Excel (CVE-2023-23396)

Information Disclosure (1)

• GitHub (CVE-2023-22490)

Other Vulnerabilities (105)

Remote Code Execution (28)

• HTTP Protocol Stack (CVE-2023-23392)

qualys: CVE-2023-23392 – HTTP Protocol Stack Remote Code Execution Vulnerability The critical severity vulnerability affects Windows 11 Systems and Windows Server 2022. A server is vulnerable to the flaw if the following two conditions are met: Sever must use buffered I/O Binding has HTTP/3 enabled A server that uses the HTTP Protocol Stack (HTTP.sys) to handle packets could be exploited by an unauthenticated attacker by sending a specially crafted packet to the server.

qualys: CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability   This vulnerability has a CVSSv3.1 9.8/10   Policy Compliance Control IDs (CIDs):   24717 Status of the ‘HTTP/3’ service 

tenable: CVE-2023-23392 | HTTP Protocol Stack Remote Code Execution Vulnerability

tenable: CVE-2023-23392 is a RCE vulnerability in Microsoft operating systems that was given a CVSSv3 score of 9.8 and rated as "Exploitation More Likely." The vulnerability exists in the HTTP. sys component of Windows operating systems. Exploitation can be performed by a remote, unauthenticated attacker sending a malicious packet to the target server. For a server to be vulnerable, it must have HTTP/3 enabled and use buffered I/O. The Microsoft advisory notes that HTTP/3 support is a new feature for Windows Server 2022 and must be enabled with a registry key.

rapid7: A further five critical Remote Code Execution (RCE) vulnerabilities are patched this month in Windows low-level components. Three of these are assessed as Exploitation More Likely, and most of them affect a wide range of Windows versions, with the exception of CVE-2023-23392 which affects only Windows 11 and Windows Server 2022. Only assets where HTTP/3 has been enabled are potentially vulnerable – it is disabled by default – yet Microsoft still assesses this vulnerability as Exploitation More Likely, perhaps because HTTP endpoints are typically accessible.

zdi: CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability. This CVSS 9.8 bug could allow a remote, unauthenticated attacker to execute code at SYSTEM level without user interaction. That combination makes this bug wormable – at least through systems that meet the target requirements. The target system needs to have HTTP/3 enabled and set to use buffered I/O. However, this is a relatively common configuration. Note that only Windows 11 and Windows Server 2022 are affected, which means this is a newer bug and not legacy code.

• Remote Procedure Call Runtime (CVE-2023-21708, CVE-2023-23405, CVE-2023-24869, CVE-2023-24908)

qualys: CVE-2023-21708 – Remote Procedure Call Runtime Remote Code Execution Vulnerability Microsoft has put this vulnerability in the less likely to be exploited category. With a specially crafted RPC call to an RPC host, an attacker may exploit this vulnerability. An unauthenticated attacker may exploit this vulnerability to perform remote code execution on the server side with the same privileges as the RPC service.

rapid7: CVE-2023-21708 is a Remote Procedure Call (RPC) vulnerability with a base CVSSv3 of 9.8. Microsoft recommends blocking TCP port 135 at the perimeter as a mitigation; given the perennial nature of RPC vulnerabilities, defenders will know that this has always been good advice.

• ICMP (CVE-2023-23415)

qualys: CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability The vulnerability affects the Internet Control Message Protocol (ICMP) network layer protocol. The protocol is used by multiple network devices to detect network communication issues. To exploit this vulnerability, an attacker must send a low-level protocol error with a fragmented IP packet inside another ICMP packet in its header to the target system. An application on the target must be bound to a raw socket to execute the vulnerable code path.

tenable: CVE-2023-23415 | Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

tenable: CVE-2023-23415 is a RCE vulnerability in Windows operating systems and was assigned a CVSSv3 score of 9.8. The vulnerability lies in the way the operating system handles ICMP packets when an application running on the vulnerable Windows host is bound to a raw socket. Exploitation is performed by sending a malicious fragmented IP packet to a vulnerable target, leading to arbitrary code execution. CVE-2023-23415 was given a rating of "Exploitation More Likely" using the Microsoft Exploitability Index.

rapid7: Another veteran class of vulnerability makes a return this month: CVE-2023-23415 describes an attack involving a fragmented packet inside the header of another ICMP packet. Insufficient validation of ICMP packets has been a source of vulnerabilities since the dawn of time; the original and still-infamous Ping of Death vulnerability, which affected a wide range of vendors and operating systems, was one of the first vulnerabilities ever to be assigned a CVE, way back in 1999.

zdi: CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability. Will ICMP fragmentation bugs ever completely go away? I hope not, because I think they are neat. Here’s another potentially wormable bug resulting from an error message containing a fragmented IP packet in its header. It’s also a CVSS 9.8. The only caveat here is that an application on the target system must be bound to a raw socket. Not all applications do this, but the likelihood of one being available is high. There are some that block ICMP at their perimeter, but doing this has some negative side effects – especially for remote troubleshooting.

• Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-23403, CVE-2023-23406, CVE-2023-23413, CVE-2023-24867, CVE-2023-24868, CVE-2023-24872, CVE-2023-24876, CVE-2023-24907, CVE-2023-24909, CVE-2023-24913)

qualys: Other Microsoft Vulnerability Highlights CVE-2023-23398 allows an attacker to trick a user into enabling content they cannot inspect. Using social engineering to convince a victim to download and open a specially constructed file from a website could result in a local attack on the victim’s computer. CVE-2023-23410 is an elevation of privilege vulnerability in the HTTP.sys web server implementation. The flaw allows an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24861 is an elevation of privilege vulnerability in the Windows Graphic component. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker may gain SYSTEM privileges after exploiting this vulnerability. CVE-2023-24876 is a remote code execution vulnerability that affects the Microsoft PostScript and PCL6 Class Printer Driver.

• TPM2.0 Module Library (CVE-2023-1017)

qualys: CVE-2023-1017 and CVE-2023-1018 – TPM2.0 Module Library Elevation of Privilege Vulnerability These vulnerabilities were discovered and addressed earlier this month by the upstream vendor TCG in the advisory TCGVRT0007. TPM (Trusted Platform Module) is a hardware-based technology that helps improve PC security. A TPM chip is widely used as a secure cryptoprocessor that provides hardware security through integrated cryptographic keys. Implementing improper length checks may lead to buffer overflow; the buffer passed to the ExecuteCommand() entry point faces this overflow condition. CVE-2023-1017 is an out-of-bounds write vulnerability that could allow an attacker to write 2 bytes past the end of that buffer with attacker-specified values. User-mode applications can trigger this vulnerability by sending malicious commands to TPM 2.0. An attacker can cause an out-of-bounds write to the root partition on a target running Hyper-V using malicious TPM commands from a guest VM. CVE-2023-1018 is an out-of-bound read vulnerability that may allow an attacker to read 2 bytes past the end of that buffer. Successful exploitation of these vulnerabilities may result in local information disclosure or elevation of privileges.

tenable: Microsoft patched 76 CVEs in its March 2023 Patch Tuesday Release, with nine rated as critical, 66 rated as important and one rated as moderate. This CVE count includes two CVEs (CVE-2023-1017 and CVE-2023-1018) in the third party Trusted Platform Module (TPM2.0) Library.

rapid7: Microsoft has addressed two related vulnerabilities introduced via the Trusted Platform Module (TPM) 2.0 reference implementation code published by the Trusted Computing Group industry alliance. CVE-2023-1017 is an out-of-bounds write, and CVE-2023-1018 is an out-of-bounds read. Both may be triggered without elevated privileges, and may allow an attacker to access or modify highly-privileged information inside the TPM itself. Defenders managing non-Microsoft assets should note that a wide range of vendors including widely used Linux distros are also affected by this pair of vulnerabilities.

• Windows Bluetooth Service (CVE-2023-24871)
• Windows DNS Server (CVE-2023-23400)
• Windows Cryptographic (CVE-2023-23416)

qualys: CVE-2023-23416 – Windows Cryptographic Services Remote Code Execution Vulnerability An affected system must import a malicious certificate to exploit this vulnerability successfully. An attacker may encourage an authenticated user to import a certificate on their system, upload it to a service that processes or imports certificates, or both.

tenable: CVE-2023-23416 | Windows Cryptographic Services Remote Code Execution Vulnerability

tenable: CVE-2023-23416 is a RCE vulnerability in Windows operating systems that was assigned a CVSSv3 score of 8.4. The vulnerability exists in Windows Cryptographic Services, a suite of cryptographic tools in Windows operating systems. Exploitation is performed by importing a malicious certificate onto a vulnerable target, requiring the attacker to authenticate to the target or entice an authenticated user into importing the malicious certificate. CVE-2023-23416 was given a rating of "Exploitation More Likely" using the Microsoft Exploitability Index.

• Windows Media (CVE-2023-23401, CVE-2023-23402)
• Windows Point-to-Point Tunneling Protocol (CVE-2023-23404)

qualys: CVE-2023-23404 – Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Point-to-Point Tunneling Protocol enables secure data transmission from a remote client to a private enterprise server with the help of a virtual private network (VPN) across TCP/IP-based data networks. The vulnerability requires an attacker to win a race condition to exploit this vulnerability. An unauthenticated attacker may send a specially crafted connection request to a RAS server that will lead to remote code execution on the RAS Server machine.

• Windows Point-to-Point Protocol over Ethernet (PPPoE) (CVE-2023-23407, CVE-2023-23414)
• Microsoft Excel (CVE-2023-23399)
• GitHub (CVE-2023-23618, CVE-2023-23946)

Denial of Service (3)

• Windows Internet Key Exchange (IKE) Extension (CVE-2023-24859)
• Windows Secure Channel (CVE-2023-24862)
• Windows Hyper-V (CVE-2023-23411)

qualys: CVE-2023-23411 – Windows Hyper-V Denial of Service Vulnerability An attacker can locally exploit this vulnerability in a low-complexity attack to affect the functionality of Hyper-V hosts as a Hyper-V. Hyper-V provides hardware virtualization and allows the creation of virtual hard drives and virtual switches.

Memory Corruption (18)

• Microsoft Edge (CVE-2023-0927, CVE-2023-0928, CVE-2023-0929, CVE-2023-0930, CVE-2023-0931, CVE-2023-0932, CVE-2023-0933, CVE-2023-0941, CVE-2023-1213, CVE-2023-1214, CVE-2023-1215, CVE-2023-1216, CVE-2023-1217, CVE-2023-1218, CVE-2023-1219, CVE-2023-1220, CVE-2023-1222, CVE-2023-1235)

MS PT Extended: CVE-2023-0931 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1222 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1216 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1214 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-0927 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-0929 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-0928 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-0932 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1218 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1213 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-0930 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1235 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1217 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-0941 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1215 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1220 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1219 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-0933 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

Security Feature Bypass (8)

• Microsoft Edge (CVE-2023-1221, CVE-2023-1223, CVE-2023-1224, CVE-2023-1228, CVE-2023-1229, CVE-2023-1232, CVE-2023-1233)

MS PT Extended: CVE-2023-1232 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1233 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1229 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1221 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1228 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1224 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1223 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

• Microsoft OneDrive (CVE-2023-24890)

Elevation of Privilege (19)

• Windows Kernel (CVE-2023-23420, CVE-2023-23421, CVE-2023-23422, CVE-2023-23423)
• Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24864)
• TPM2.0 Module Library (CVE-2023-1018)

qualys: CVE-2023-1017 and CVE-2023-1018 – TPM2.0 Module Library Elevation of Privilege Vulnerability These vulnerabilities were discovered and addressed earlier this month by the upstream vendor TCG in the advisory TCGVRT0007. TPM (Trusted Platform Module) is a hardware-based technology that helps improve PC security. A TPM chip is widely used as a secure cryptoprocessor that provides hardware security through integrated cryptographic keys. Implementing improper length checks may lead to buffer overflow; the buffer passed to the ExecuteCommand() entry point faces this overflow condition. CVE-2023-1017 is an out-of-bounds write vulnerability that could allow an attacker to write 2 bytes past the end of that buffer with attacker-specified values. User-mode applications can trigger this vulnerability by sending malicious commands to TPM 2.0. An attacker can cause an out-of-bounds write to the root partition on a target running Hyper-V using malicious TPM commands from a guest VM. CVE-2023-1018 is an out-of-bound read vulnerability that may allow an attacker to read 2 bytes past the end of that buffer. Successful exploitation of these vulnerabilities may result in local information disclosure or elevation of privileges.

tenable: Microsoft patched 76 CVEs in its March 2023 Patch Tuesday Release, with nine rated as critical, 66 rated as important and one rated as moderate. This CVE count includes two CVEs (CVE-2023-1017 and CVE-2023-1018) in the third party Trusted Platform Module (TPM2.0) Library.

rapid7: Microsoft has addressed two related vulnerabilities introduced via the Trusted Platform Module (TPM) 2.0 reference implementation code published by the Trusted Computing Group industry alliance. CVE-2023-1017 is an out-of-bounds write, and CVE-2023-1018 is an out-of-bounds read. Both may be triggered without elevated privileges, and may allow an attacker to access or modify highly-privileged information inside the TPM itself. Defenders managing non-Microsoft assets should note that a wide range of vendors including widely used Linux distros are also affected by this pair of vulnerabilities.

• Windows Bluetooth Driver (CVE-2023-23388)
• Windows Accounts Picture (CVE-2023-23412)
• Windows Graphics Component (CVE-2023-24861, CVE-2023-24910)

qualys: Other Microsoft Vulnerability Highlights CVE-2023-23398 allows an attacker to trick a user into enabling content they cannot inspect. Using social engineering to convince a victim to download and open a specially constructed file from a website could result in a local attack on the victim’s computer. CVE-2023-23410 is an elevation of privilege vulnerability in the HTTP.sys web server implementation. The flaw allows an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24861 is an elevation of privilege vulnerability in the Windows Graphic component. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker may gain SYSTEM privileges after exploiting this vulnerability. CVE-2023-24876 is a remote code execution vulnerability that affects the Microsoft PostScript and PCL6 Class Printer Driver.

• Windows HTTP.sys (CVE-2023-23410)

qualys: Other Microsoft Vulnerability Highlights CVE-2023-23398 allows an attacker to trick a user into enabling content they cannot inspect. Using social engineering to convince a victim to download and open a specially constructed file from a website could result in a local attack on the victim’s computer. CVE-2023-23410 is an elevation of privilege vulnerability in the HTTP.sys web server implementation. The flaw allows an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24861 is an elevation of privilege vulnerability in the Windows Graphic component. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker may gain SYSTEM privileges after exploiting this vulnerability. CVE-2023-24876 is a remote code execution vulnerability that affects the Microsoft PostScript and PCL6 Class Printer Driver.

• Windows Partition Management Driver (CVE-2023-23417)
• Windows Resilient File System (ReFS) (CVE-2023-23418, CVE-2023-23419)
• Windows BrokerInfrastructure Service (CVE-2023-23393)
• Windows Point-to-Point Protocol over Ethernet (PPPoE) (CVE-2023-23385)
• Microsoft Defender (CVE-2023-23389)
• Microsoft OneDrive (CVE-2023-24930)
• GitHub (CVE-2023-22743)

Information Disclosure (14)

• Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24856, CVE-2023-24857, CVE-2023-24858, CVE-2023-24863, CVE-2023-24865, CVE-2023-24866, CVE-2023-24870, CVE-2023-24906, CVE-2023-24911)
• CSRSS (CVE-2023-23394, CVE-2023-23409)
• Microsoft Dynamics 365 (CVE-2023-24922)
• Microsoft OneDrive (CVE-2023-24882, CVE-2023-24923)

Spoofing (10)

• Microsoft Edge (CVE-2023-1230, CVE-2023-1231, CVE-2023-1234, CVE-2023-1236, CVE-2023-24892)

MS PT Extended: CVE-2023-1234 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1236 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1231 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

MS PT Extended: CVE-2023-1230 was published before March 2023 Patch Tuesday from 2023-02-15 to 2023-03-13

• Microsoft Excel (CVE-2023-23398)

qualys: Other Microsoft Vulnerability Highlights CVE-2023-23398 allows an attacker to trick a user into enabling content they cannot inspect. Using social engineering to convince a victim to download and open a specially constructed file from a website could result in a local attack on the victim’s computer. CVE-2023-23410 is an elevation of privilege vulnerability in the HTTP.sys web server implementation. The flaw allows an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-24861 is an elevation of privilege vulnerability in the Windows Graphic component. Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker may gain SYSTEM privileges after exploiting this vulnerability. CVE-2023-24876 is a remote code execution vulnerability that affects the Microsoft PostScript and PCL6 Class Printer Driver.

• Service Fabric Explorer (CVE-2023-23383)

rapid7: Azure administrators who update their Service Fabric Cluster manually should note that CVE-2023-23383 describes a spoofing vulnerability in the web management client where a user clicking a suitably-crafted malicious link could unwittingly execute actions against the remote cluster. Azure estates with automatic upgrades enabled are already protected.

• Office (CVE-2023-23391)
• Microsoft SharePoint (CVE-2023-23395)
• Azure (CVE-2023-23408)

Cross Site Scripting (5)

• Microsoft Dynamics 365 (on-premises) (CVE-2023-24879, CVE-2023-24891, CVE-2023-24919, CVE-2023-24920, CVE-2023-24921)