
April Patch Tuesday: Ransomware gangs already exploiting this Windows bug

Plus Google, SAP, Adobe and Cisco emit fixes

Microsoft patched 97 security flaws today for April's Patch Tuesday including one that has already been found and exploited by miscreants attempting to deploy Nokoyawa ransomware.

Redmond deemed seven of the now-patched vulnerabilities "critical" and the rest merely "important."

Microsoft, as usual, didn't disclose the extent of attacks against CVE-2023-28252, a privilege elevation bug in the Windows Common Log File System (CLFS) driver, but infosec folk say they've spotted attempts to deploy the Nokoyawa ransomware via this security hole.

As Microsoft warned: "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges." And according to Kaspersky, a cybercriminal crew is attempting to use this vulnerability to help itself spread ransomware among targets in the retail and wholesale, energy, manufacturing, healthcare, and software development industries, plus others. The flaw is similar to another privilege elevation bug Microsoft patched in February.

"To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix," Zero Day Initiative's Dustin Childs said.

All seven of the critical-rated bugs are remote code execution (RCE) vulnerabilities, so while Microsoft hasn't detected any in-the-wild exploits for these — yet — miscreants could use these to cause serious havoc. Particularly as Exploit Wednesday follows quickly after Patch Tuesday.

One of the critical flaws, CVE-2023-21554, is an RCE that affects servers with Microsoft's Message Queuing service enabled. It received a 9.8 out of 10 CVSS severity rating, and Redmond labels it as "exploitation more likely." While the Message Queuing service is disabled by default, Childs says it's commonly used by contact-center applications. "It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks," he explained. 
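An added example (not from the article, Microsoft, or ZDI) that turns the mitigation above into a check: a PowerShell script that reports whether a Windows host has the Message Queuing service installed and running, whether anything is listening on TCP 1801 and on which addresses, and whether a host firewall rule already restricts that port, with an optional switch that adds such a rule. The `-BlockFrom` default of the `Internet` address keyword and the rule name are my choices; substitute explicit CIDR ranges if your hosts legitimately exchange MSMQ traffic across subnets.

```powershell
# Added example: assess and optionally reduce a host's exposure of MSMQ (TCP 1801),
# the service targeted by CVE-2023-21554. Run in an elevated PowerShell session.
param(
    [switch]$AddBlockRule,               # create the inbound block rule if set
    [string[]]$BlockFrom = @('Internet') # assumed default: block non-local sources only
)

$report = [ordered]@{}

# 1. Is the MSMQ service present, and is it running?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$report.ServicePresent = [bool]$svc
$report.ServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'not installed' }

# 2. Is anything listening on the default MSMQ port, and on which local addresses?
#    0.0.0.0 or :: means every interface, including any that faces the perimeter.
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$report.Port1801Listening = [bool]$listeners
$report.ListenAddresses   = ($listeners | ForEach-Object LocalAddress | Sort-Object -Unique) -join ', '

# 3. Is there already an inbound block rule covering port 1801?
$existing = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '1801' }
$report.BlockRulePresent = [bool]$existing

[pscustomobject]$report | Format-List

# A host with the service running, listening on all addresses and no block rule is
# reachable by any network that can route to it. This host rule complements, and does
# not replace, the perimeter block the article recommends; patching remains the fix.
if ($AddBlockRule -and -not $existing) {
    New-NetFirewallRule -DisplayName 'Block inbound MSMQ TCP 1801 (CVE-2023-21554 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 `
        -RemoteAddress $BlockFrom -Action Block -Profile Any | Out-Null
    Write-Host "Added inbound block rule for TCP 1801 from: $($BlockFrom -join ', ')"
}
```

Because Windows Firewall lets explicit block rules override allow rules, the added rule takes precedence over the allow rules that the MSMQ feature installs for itself.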

Additionally, a pair of critical Layer 2 Tunneling Protocol (L2TP) RCEs, CVE-2023-28220 and CVE-2023-28219, that affect Windows Remote Access Servers (RAS) are also marked as "exploitation more likely."

"An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine," Redmond noted.

According to Immersive Labs' Director of Cyber Threat Research Kev Breen, while RAS servers aren't standard in organizations, they do typically have direct access from the internet.

"This makes it extremely enticing for attackers as they don't need to socially engineer their way into an organization," Breen told The Register. "They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices."

In other words, if you use these services, patch quickly.

And remember that Microsoft's rating system for security flaws differs from the Common Vulnerability Scoring System classifications.

Adobe addresses 56 CVEs

Adobe, meanwhile, released six bulletins for 56 CVEs in Acrobat and Reader, Adobe Digital Editions, InCopy, Substance 3D Designer, Substance 3D Stager, and Adobe Dimension. 

The Reader security bulletin fixes 16 CVEs, 14 of which are critical RCEs; successful exploitation could lead to arbitrary code execution, privilege escalation, security feature bypass and memory leaks.

One patch for Digital Edition plugs a critical code execution bug, and the bulletin for InCopy also fixes a single, critical code execution flaw. 

The alert for Substance 3D Designer patches nine critical bugs, while the update for Substance 3D Stager addresses 14 CVEs, of which 10 are critical. 

And finally, Adobe Dimension fixes 15 flaws, 14 of which could lead to arbitrary code execution, while the other could result in a memory leak.

None of the Adobe flaws are listed as publicly known or under active attack.

SAP issues 19 Security Notes

SAP's April Security Patch Day included 19 new Security Notes [PDF]. Note #3305369 received the maximum CVSS score of 10, and concerns two flaws in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector). 

The Onapsis Research Labs (ORL) spotted the pair of perfect bugs, and says they could allow an unauthenticated user to execute scripts on Diagnostics Agents connected to SAP SolutionManager. "In conjunction with insufficient input validation, attackers were able to execute malicious commands on all monitored SAP systems, highly impacting their confidentiality, integrity, and availability," researcher Thomas Fritsch said.

Google patches software nasties in Chrome, Android OS

Google made a number of Android OS and Chrome security fixes this month. This includes two critical bugs in the Android System component "that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed," according to the April Android Security Bulletin.

Additionally, no user interaction is needed to exploit these bugs.

"Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the Center for Internet Security warned in its advisory about the Android flaws.

Meanwhile, the Chrome update includes 16 security fixes, the most severe of which could allow for arbitrary code execution.

But wait, there's more... AMD has addressed the medium-severity issue CVE-2023-1018 (out-of-bounds read) and the high-severity CVE-2023-1017 (out-of-bounds write) in its TPM 2.0 Module Library. This affects second-generation Threadripper processors. Users are advised to update their BIOS to close the holes, which can be exploited to read sensitive data in the TPM or execute code in its context. Which is not great.

Cisco closes out the patch party

And finally, Cisco joined the patch party this month with 17 new and updated security alerts addressing 40 flaws.

Only one of these alerts is marked critical, and it fixes two vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) that the vendor first disclosed in July 2022. If exploited, the bugs "could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device," the networking giant noted.

Cisco released software updates that fix both flaws, and says there are no workarounds. ®
