Microsoft Flaws Include Secure Boot Bypass, System-Level Takeovers

Microsoft’s Patch Tuesday for May 2023 fixes two actively exploited vulnerabilities, including a Secure Boot bypass and system-level takeover.

Written By
Jeff Goldman
May 10, 2023

Microsoft’s Patch Tuesday for May 2023 addresses 38 vulnerabilities, the smallest Patch Tuesday in quite a while. Still, six of the flaws are critical, and two others are currently being exploited in the wild.

The six critical flaws are:

  • CVE-2023-24903, a remote code execution vulnerability in the Windows Secure Socket Tunneling Protocol (SSTP)
  • CVE-2023-24941, a remote code execution vulnerability in the Windows Network File System — we’ll go more in depth on this one
  • CVE-2023-24943, a remote code execution vulnerability in Windows Pragmatic General Multicast (PGM)
  • CVE-2023-24955, a remote code execution vulnerability in Microsoft SharePoint Server (more on this one below)
  • CVE-2023-28283, a remote code execution vulnerability in Windows Lightweight Directory Access Protocol (LDAP)
  • CVE-2023-29325, a remote code execution vulnerability in Windows OLE, also discussed below

Actively Exploited Vulnerabilities

The first of the two flaws that are being actively exploited, CVE-2023-29336, is a Win32k elevation of privilege vulnerability with a CVSS score of 7.8 – but as Ivanti vice president of security products Chris Goettl pointed out in a blog post, the security rating is less important than the fact that it’s actively being exploited. “The exploit doesn’t require user interaction and if exploited would give the attack system-level privileges,” he noted.

The second flaw being actively exploited is CVE-2023-24932, a Windows Secure Boot security feature bypass vulnerability with a CVSS score of 6.7 – again, Goettl said, it’s best to ignore the rating and focus on the confirmed exploits. “The vulnerability does require the attacker to have either physical access or administrative permissions on the target system, with which they can install an affected boot policy that’ll be able to bypass Secure Boot to further compromise the system,” he wrote.

Flaw Leveraged by BlackLotus for Evasion

Separate Microsoft guidance notes that the vulnerability addressed by CVE-2023-24932 is being used by the BlackLotus bootkit to exploit CVE-2022-21894, a Secure Boot vulnerability first patched more than a year ago. “This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled,” Microsoft noted. “This is used by threat actors primarily as a persistence and defense evasion mechanism.”

Action1 vice president of vulnerability and threat research Mike Walters noted in a blog post that additional steps are required to mitigate CVE-2023-24932, as noted in the Microsoft support article KB5025885. “Considering that this vulnerability is already being actively exploited and poses the risk of delivering malware during boot time, it is strongly advised to promptly apply the provided update and take the necessary precautions,” Walters wrote.

Another significant flaw that demands immediate attention, Walters suggested, is CVE-2023-24941, a critical remote code execution vulnerability in the Windows Network File System (NFS) with a CVSS score of 9.8. “This vulnerability pertains to NFS version 4.1, following a series of vulnerabilities in different NFS versions last year,” he wrote. “Although version 4.1 was previously fixed, it has now been found to possess another flaw.”

“With a network attack vector and low attack complexity, this vulnerability requires no privileges or user interaction to exploit,” Walters added.

SharePoint and Outlook Vulnerabilities

Silverfort senior researcher Yoav Iellin noted by email that several of the flaws being addressed impact SharePoint, including CVE-2023-24950, CVE-2023-24955, and CVE-2023-24954.

“The first two vulnerabilities require user privileges to create a SharePoint site,” Iellin explained. “Once a threat actor has obtained the credentials of a user with these privileges, they could steal the NTLM hash of the SharePoint domain user and escalate their privileges. From this stage and using the three vulnerabilities together, a threat actor could potentially achieve the SharePoint server credentials.”

And while the Windows OLE remote code execution flaw CVE-2023-29325 might seem relatively innocuous, Iellin warned that it’s worth noting for its ease of exploitation.

“With this vulnerability, the simple act of glancing at a carefully crafted malicious email in Outlook’s preview pane is enough to enable remote code execution and potentially compromise the recipient’s computer,” Iellin said. “At this stage, we believe Outlook users will be the main attack vector, although it has the potential to be used in other Office programs as well.”

eSecurity Planet contributor Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet writer since 2009. He's also written extensively about wireless and broadband infrastructure and semiconductor engineering. He started his career at MTV, but soon decided that technology writing was a more promising path.
