By security practitioners, for security practitioners

March 2023 Patch Tuesday Closes Two Zero-Days Actively Exploited By State-Sponsored Actors

Microsoft’s Patch Tuesday for March 2023 fixes more than 80 vulnerabilities, 9 of them rated Critical, including two zero-days that were already being exploited in the wild: an Outlook elevation of privilege vulnerability (CVE-2023-23397) and a Windows SmartScreen security feature bypass (CVE-2023-24880). Administrators should apply the updates as soon as possible. Where that is not immediately possible, Microsoft has published mitigations for the Outlook flaw, described below; there is no mitigation for the SmartScreen bypass other than patching.

What Is The Nature Of The Zero-Days?

CVE-2023-23397 – Outlook Elevation of Privilege Vulnerability (Critical)

From the Microsoft advisory: “External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.”

The victim does not need to open or even preview the email: the connection attempt “triggers automatically when it is retrieved and processed by the Outlook client.” The crafted message is a mail, calendar or task item whose reminder has been configured to play a sound file from a UNC path on an attacker-controlled server. When Outlook processes the reminder it tries to open that path over SMB, and the resulting NTLM negotiation hands the attacker the user’s Net-NTLMv2 response, which can be relayed to another service or cracked offline.

Only Outlook for Windows is affected. Outlook for Mac, iOS and Android, and Outlook on the web are not. Online services such as Microsoft 365 do not support NTLM authentication and are therefore not vulnerable to these messages; the risk is on the Windows desktop client, which authenticates to whatever share the reminder names.

CVE-2023-24880 – Windows SmartScreen Security Feature Bypass Vulnerability (Moderate)

From the Microsoft advisory: “An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.”

When a downloaded file is opened, Windows SmartScreen checks whether the file carries a Zone.Identifier alternate data stream (ADS), the NTFS stream that Mark of the Web (MOTW) attaches to files obtained from an untrusted source. If the stream records ZoneId=3 (the Internet zone), SmartScreen performs a reputation check before the file runs, and Office opens documents in Protected View. Both defenses depend on MOTW being applied and honored correctly; a bypass that keeps the ZoneId from being applied or evaluated lets a file sidestep them.
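The following PowerShell is an added example, not code from the original post or from Microsoft. It shows what the MOTW tag actually looks like on disk, how to read it back, and how its removal (the equivalent of a user clicking “Unblock”) leaves a file with no zone for SmartScreen to act on. The demo file and its Zone.Identifier contents are constructed here; the example.invalid URL is a placeholder.

```powershell
# Added example (not from the original post or Microsoft): inspect and set the
# Mark of the Web (MOTW) tag that SmartScreen consults. MOTW lives in an NTFS
# alternate data stream named Zone.Identifier with INI-style content.

function Get-MotwZone {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # URLMON security zone IDs as written by browsers and mail clients.
    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        # No Zone.Identifier stream: SmartScreen and Protected View treat the file as local.
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'none (no MOTW)'; ReferrerUrl = $null; HostUrl = $null }
    }

    $zoneId = $null; $referrer = $null; $hostUrl = $null
    foreach ($line in $ads) {
        if     ($line -match '^ZoneId=(\d+)')      { $zoneId   = [int]$Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.*)$') { $referrer = $Matches[1] }
        elseif ($line -match '^HostUrl=(.*)$')     { $hostUrl  = $Matches[1] }
    }
    $zoneName = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'unknown' }

    [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; Zone = $zoneName; ReferrerUrl = $referrer; HostUrl = $hostUrl }
}

# Demonstration with a constructed file. The stream content mimics what a browser
# writes when it saves a download from the Internet zone.
$demo = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $demo -Value 'harmless test content'
Set-Content -LiteralPath $demo -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://example.invalid/download/motw-demo.txt'   # placeholder origin
)

Get-MotwZone -Path $demo          # ZoneId 3 -> Internet: SmartScreen would run its reputation check
Unblock-File -LiteralPath $demo   # strips the Zone.Identifier stream, like the "Unblock" checkbox
Get-MotwZone -Path $demo          # no MOTW -> no SmartScreen check and no Protected View

# Triage use: list files in the Downloads folder that carry no MOTW at all, which is
# what a successful MOTW bypass, or extraction from a container that does not
# propagate the tag, leaves behind.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotwZone -Path $_.FullName } |
    Where-Object { $null -eq $_.ZoneId } |
    Select-Object Path, Zone
```

A file without the stream is not necessarily malicious (anything created locally looks the same), but a recently downloaded executable or Office document that lacks ZoneId=3 is exactly the condition under which SmartScreen and Protected View silently do nothing, so it is the first thing to look for when investigating a suspected bypass.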

This is the second SmartScreen bypass Microsoft has had to patch in recent months. CVE-2022-44698, fixed in December 2022, was used in the preceding months to deliver the Magniber ransomware and the Qakbot malware, both of which rely on the victim running a downloaded file without a SmartScreen warning.

Who Is Exploiting These Vulnerabilities?

It is significant that state-sponsored actors were already using these vulnerabilities in targeted attacks, some of them with apparent political motivation, before patches were available.

“Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.”

Microsoft has published documentation and a script for determining whether your organization was targeted by actors attempting to use this vulnerability: https://aka.ms/CVE-2023-23397ScriptDoc. The script audits Exchange messaging items (mail, calendar and task items) for the reminder property the exploit abuses.

Review the script’s output to determine risk. Any detected item whose reminder points to an unrecognized share should be examined to determine whether it is malicious. Items confirmed malicious should be deleted, or the offending reminder property cleared.
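As an added example, not from the original post and not Microsoft’s script, the PowerShell below performs the same check from the client side: it walks the signed-in user’s Inbox, Calendar and Tasks through the Outlook object model and flags any item whose reminder sound property names a remote path. It assumes Outlook for Windows is installed and that the script runs in the user’s own session; the property identifiers are the MAPI named properties the check relies on, and the regular expression for what counts as “remote” is this example’s own choice.

```powershell
# Added example (not from the original post or Microsoft's published script):
# client-side triage of the current user's Outlook profile for items whose reminder
# sound file points at a remote share, the trait CVE-2023-23397 exploitation relies on.
# Assumes Outlook for Windows is installed and this runs in the user's session;
# Microsoft's aka.ms script covers the Exchange side.

# MAPI named properties involved, written as DASL schema names for PropertyAccessor.
# Property set PSETID_Common is {00062008-0000-0000-C000-000000000046}.
#   0x851F = PidLidReminderFileParameter (PT_UNICODE, type suffix 001F)
#   0x851C = PidLidReminderOverride      (PT_BOOLEAN, type suffix 000B)
$ReminderFileProp     = 'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F'
$ReminderOverrideProp = 'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851C000B'

function Get-MapiProp($item, [string]$schema) {
    # PropertyAccessor.GetProperty throws when the named property is not set on the item.
    try { $item.PropertyAccessor.GetProperty($schema) } catch { $null }
}

function Get-ComProp($item, [string]$name) {
    # Not every item class has every member (tasks and appointments have no SenderEmailAddress).
    try { $item.$name } catch { $null }
}

function Test-RemoteReminderPath([string]$value) {
    # Legitimate reminder sounds are local paths (e.g. C:\Windows\Media\reminder.wav) or empty.
    # A UNC path (\\host\share\...) or a file: URL means Outlook would reach out over SMB or
    # WebDAV and authenticate, which is the credential leak described above.
    if ([string]::IsNullOrWhiteSpace($value)) { return $false }
    return [bool]($value -match '^(\\\\|file:)')   # this example's definition of "remote"
}

$outlook = New-Object -ComObject Outlook.Application
$ns      = $outlook.GetNamespace('MAPI')
# OlDefaultFolders constants: 6 = Inbox, 9 = Calendar, 13 = Tasks
$folders = [ordered]@{ Inbox = 6; Calendar = 9; Tasks = 13 }

$findings = foreach ($name in $folders.Keys) {
    $folder = $ns.GetDefaultFolder($folders[$name])
    foreach ($item in $folder.Items) {
        $file = Get-MapiProp $item $ReminderFileProp
        if (Test-RemoteReminderPath $file) {
            [pscustomobject]@{
                Folder       = $name
                Subject      = Get-ComProp $item 'Subject'
                Sender       = Get-ComProp $item 'SenderEmailAddress'
                Received     = Get-ComProp $item 'ReceivedTime'
                ReminderFile = $file
                Override     = Get-MapiProp $item $ReminderOverrideProp
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # After review, a confirmed-malicious item can be neutralised by clearing the property
    # ($item.PropertyAccessor.DeleteProperty($ReminderFileProp); $item.Save()) or deleted outright.
} else {
    'No Inbox, Calendar or Task items with a remote reminder sound path were found.'
}

[System.Runtime.InteropServices.Marshal]::ReleaseComObject($outlook) | Out-Null
```

Run it per user rather than against the whole organization; for fleet-wide coverage use Microsoft’s Exchange-side script. Iterating a large mailbox through COM is slow, and a reminder that has already fired has already leaked the hash, so any hit should be treated as a credential-compromise event for that user, not just a cleanup task.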

How Can I Protect Against These Exploits?

Apply the patches as soon as possible. If that is not possible for some reason, Microsoft has provided two mitigations for the Outlook zero-day:

  • Add users to the Protected Users security group, which prevents NTLM from being used as an authentication mechanism for those accounts. This is easier to troubleshoot than other methods of disabling NTLM; consider it for high-value accounts such as Domain Admins where possible. Note that membership also affects applications that require NTLM and imposes further restrictions (no Kerberos delegation, no RC4 or DES for Kerberos, and a short TGT lifetime). The effect reverts once the user is removed from the group. See Microsoft’s Protected Users Security Group documentation for details.
  • Block outbound TCP 445 (SMB) from your network at the perimeter firewall, on host firewalls, and in VPN client settings. This prevents NTLM authentication messages from being sent to remote file shares. Scope the rule so that internal file servers remain reachable.
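The PowerShell below is an added example, not from the original post or Microsoft’s advisory, showing how both mitigations can be applied and verified on an Active Directory-joined Windows host. It assumes the RSAT ActiveDirectory module is present and the operator has rights to edit group membership and the local firewall; the account names are placeholders, and the firewall rule’s “Internet” address keyword is a choice made here to keep internal shares working.

```powershell
# Added example (not from the original post or Microsoft's advisory): apply the two
# Outlook mitigations with PowerShell on an AD-joined host. Assumes RSAT's
# ActiveDirectory module and sufficient rights; account names below are placeholders.

# 1) Host firewall: block outbound SMB (TCP 445) to Internet addresses so a crafted
#    reminder cannot reach an attacker's SMB server. The "Internet" keyword depends on
#    Network Location Awareness classifying addresses correctly; if internal file servers
#    are misclassified, replace it with explicit address ranges. Blocking 445 to "Any"
#    would cut off every internal share, so scope the rule deliberately.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Profile Any -Enabled True | Out-Null
}
# Confirm the scope that was actually written.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Log dropped packets so that a reminder attempting to reach out shows up as a blocked
# outbound 445 connection in the firewall log (%systemroot%\system32\LogFiles\Firewall).
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True

# 2) Protected Users: members cannot authenticate with NTLM at all, so a leaked NTLM
#    negotiation is useless to the attacker. Membership also disables Kerberos delegation,
#    RC4/DES and long TGT lifetimes; add user accounts only (never service or computer
#    accounts), test first, and remove the member to revert.
$highValueAccounts = @('adm-alice', 'adm-bob')   # placeholders for privileged user accounts
Import-Module ActiveDirectory
foreach ($sam in $highValueAccounts) {
    $user = Get-ADUser -Identity $sam -ErrorAction Stop
    if ($user.ObjectClass -ne 'user') { throw "$sam is not a user account; skipping Protected Users" }
    Add-ADGroupMember -Identity 'Protected Users' -Members $user
}
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName, objectClass
```

Neither step removes the underlying bug: the Outlook client still processes the malicious reminder, it simply cannot complete the authentication that makes the attack worthwhile. Treat both as stopgaps until the March update is installed.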

Microsoft provided no mitigation for the SmartScreen bypass other than installing the update. Until it is applied, SmartScreen and Protected View cannot be relied on to warn users about a file crafted to evade MOTW.

Resources

Microsoft Outlook Elevation of Privilege Vulnerability – CVE-2023-23397
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

Windows SmartScreen Security Feature Bypass Vulnerability – CVE-2023-24880
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24880

Windows SmartScreen Security Feature Bypass Vulnerability – CVE-2022-44698
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44698

Microsoft March 2023 Patch Tuesday fixes 2 zero-days, 83 flaws
https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2023-patch-tuesday-fixes-2-zero-days-83-flaws/

Microsoft patches zero-days used by state-sponsored and ransomware threat actors (CVE-2023-23397, CVE-2023-24880)
https://www.helpnetsecurity.com/2023/03/14/cve-2023-23397-cve-2023-24880/
