First Patch Tuesday of the year explodes with in-the-wild exploit fix
Plus: Intel, Adobe, SAP and Android bugs
Patch Tuesday Microsoft fixed 98 security flaws in its first Patch Tuesday of 2023 including one that's already been exploited and another listed as publicly known. Of the new January vulnerabilities, 11 are rated critical because they lead to remote code execution.
The bug that's under exploit, tracked as CVE-2023-21674, is an advanced local procedure call elevation of privilege vulnerability that received an 8.8 CVSS rating.
Redmond, per usual, provides scant details about the security hole and zero details about how miscreants are abusing the vulnerability. It does note that it could allow a local attacker to escalate privileges all the way up to SYSTEM level.
"Bugs of this type are often paired with some form of code exaction to deliver malware or ransomware," according to the Zero Day Initiative's Dustin Childs. "Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here."
CVE-2023-21549, another elevation of privilege vulnerability, this one in Windows SMB Witness Service, also received an 8.8 severity score and is listed as publicly known.
"To exploit this vulnerability, an attacker could execute a specially crafted malicious script which executes an RPC call to an RPC host," according to the security alert.
This could allow the attacker to escalate privileges, and then execute RPC functions that can only be sent by privileged accounts.
So many steps
Some of the other more interesting vulnerabilities, according to security researchers, include CVE-2023-21743, a security feature bypass bug in Microsoft Sharepoint Server. Redmond deems "exploitation more likely," for this flaw, and notes that it could allow an unauthenticated attacker to make an anonymous connection.
But in addition to installing the security update for SharePoint server, admins also need to trigger another upgrade action to be protected from possible exploit. Microsoft explains how to trigger this upgrade in the alert, but, as Childs notes: "Situations like this are why people who scream 'Just patch it!' show they have never actually had to patch an enterprise in the real world."
More Exchange server bugs
A pair of spoofing vulnerabilities have been found in Microsoft Exchange servers, tracked as CVE-2023-21762 and CVE-2023-21745, with the second flagged as "exploitation more likely," are notable in that they are Exchange server bugs.
"Email servers like Exchange are high-value targets for attackers, as they can allow an attacker to gain sensitive information through reading emails, or to facilitate Business Email Compromise style attacks by sending emails that appear to be legitimate," Immersive Labs' Director of Cyber Threat Research Kev Breen told The Register.
We'd bet that Rackspace would attest to that.
ZDI researcher Piotr Bazydło found the pair, and Childs said they resulted from a failed patch of CVE-2022-41123.
"Thanks to the use of a hard-coded path, a local attacker could load their own DLL and execute code at the level of SYSTEM," he explained. "A recent report showed nearly 70,000 unpatched Exchange servers that were accessible from the internet. If you're running Exchange on-prem, please test and deploy all the Exchange fixes quickly, and hope that Microsoft fixed these bugs correctly this time."
Adobe joins the party
Adobe today released four patches to fix 29 vulnerabilities across its Acrobat and Reader, InDesign, InCopy, and Dimension software. The company said it's not aware of any exploits in the wild for any of the security issues addressed in the updates.
The Reader update address 15 critical and important vulnerabilities, which would lead to application denial-of-service, arbitrary code execution, privilege escalation and memory leak.
InDesign, meanwhile has six critical and important bugs that could allow arbitrary code execution, application denial-of-service and memory leak attacks.
Six vulnerabilities in InCopy could lead to arbitrary code execution and memory leak. And two bugs in Dimension could lead to memory leak and arbitrary code execution in the context of the current user.
SAP released 12 new and updated patches.
While SAP Security Note #3089413 ranks the lowest in terms of the new HotNews Notes with a CVSS of 9.0, "it is possibly the most critical one of SAP's January Patch Day, since it affects the majority of all SAP customers, and its mitigation is a challenge," said Thomas Fritsch, SAP security researcher at Onapsis.
"A Capture-Replay vulnerability in the architecture of trusted-trusting RFC and HTTP communication scenarios allows malicious users to obtain illegitimate access to an SAP system," he explained. "Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations. Both of the systems of a communication scenario need to be patched to mitigate the vulnerability."
- This is the end, Windows 7 and 8 friends: Microsoft drops support this week
- Rackspace blames ransomware woes on zero-day attack
- Microsoft fixes Hyper-V VM problem caused by Patch Tuesday
- Malicious Microsoft-signed Windows drivers wielded in cyberattacks
Two other new HotNews Notes received CVSS ratings of 9.9. Security note #3262810 fixes a crucial code injection vulnerability in SAP BusinessObjects Business Intelligence platform, while #3275391 patches a bug that could allow an unauthenticated attacker to execute crafted database queries in SAP Business Planning and Consolidation Microsoft to read, modify, or delete data.
Intel pushed a fix for a high-severity bug in oneAPI Toolkits that could allow escalation of privilege. The vulnerability is tracked as CVE-2022-4019.
"Improper access control in the Intel(R) oneAPI DPC++/C++ Compiler before version 2022.2.1 for some Intel(R) oneAPI Toolkits before version 2022.3.1 may allow an authenticated user to potentially enable escalation of privilege via local access," the chip giant explained.
Android's January security bulletin addresses more than 50 flaws affecting devices running Google's Android OS. None of these have been exploited in the wild.
The most serious of the bunch is a high-security vulnerability in the Framework component leading to local escalation of privilege with no additional execution privileges needed, we're told.
"Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights," the Center for Internet Security warned ®.