Microsoft Patch Tuesday April 2023: CLFS EoP, Word RCE, MSMQ QueueJumper RCE, PCL6, DNS, DHCP

Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2023, including vulnerabilities that were added between March and April Patch Tuesdays.

Alternative video link (for Russia): <https://vk.com/video-149273431_456239123&gt;

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. And this is the first Patch Tuesday report since I added EPSS support to Vulristics.

Compared to March, Microsoft Patch Tuesday for April 2023 is kind of weak.

$ cat comments_links.txt 
ZDI|The April 2023 Security Update Review|https://www.thezdi.com/blog/2023/4/11/the-april-2023-security-update-review
Qualys|The April 2023 Patch Tuesday Security Update Review|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2023/04/11/microsoft-and-adobe-patch-tuesday-april-2023-security-update-review

$ python3 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "April" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2023
MS PT Month: April
MS PT Date: 2023-04-11
MS PT CVEs found: 97
Ext MS PT Date from: 2023-03-15
Ext MS PT Date to: 2023-04-10
Ext MS PT CVEs found: 26
ALL MS PT CVEs: 123

• All vulnerabilities: 123
• Urgent: 0
• Critical: 2
• High: 61
• Medium: 60
• Low: 0

First, let's look at two critical vulnerabilities:

1. Elevation of Privilege - Windows Common Log File System Driver (CVE-2023-28252). So far, this is the most critical. On successful exploitation, an attacker will gain SYSTEM privileges. Microsoft has mentioned in the advisory that the vulnerability is being exploited in the wild. Cybercriminals have used the vulnerability to deploy Nokoyawa Ransomware. The attacks are happening in South and North America, regions across Asia, and SMBs in the Middle East. On the other hand, EPSS is unusually low for this vulnerability and there are no rational explanations for this. Apparently this is some kind of bug in EPSS.
2. Remote Code Execution - Microsoft Word (CVE-2023-28311). This vulnerability was not highlighted in Qualys, Tenable, Rapid7 and ZDI reports. However, public exploits have appeared for it. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim's computer. EPSS is medium.

Now let's see the most interesting of the rest:

1. Remote Code Execution- Microsoft Message Queuing (CVE-2023-21554). Microsoft Message Queuing (MSMQ) is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages). The Windows message queuing service needs to be enabled for the system to be exploitable. When enabled, TCP port 1801 will be listening on the host, so blocking this at the perimeter would prevent external attacks. However, it’s not clear what impact this may have on operations. Your best option is to test and deploy the update. EPSS is quite high.
2. Remote Code Execution - Windows Pragmatic General Multicast (PGM) (CVE-2023-28250). Pragmatic General Multicast (PGM) is a multicast computer network transport protocol best suited for applications like multi-receiver file transfer. The protocol provides a reliable sequence of packets to multiple recipients simultaneously. The system will be exploitable if the Windows Message Queuing service is enabled. An attacker may send a specially crafted file over the network for remote code execution. The vulnerability is similar to the previous CVE-2023-21554 and also has a high EPSS score.
3. Lots of CVEs Remote Code Execution - Microsoft PostScript and PCL6 Class Printer Driver (CVE-2023-24884, CVE-2023-24885, CVE-2023-24886, CVE-2023-24887, CVE-2023-24924, CVE-2023-24925, CVE-2023-24926, CVE-2023-24927, CVE-2023-24928, CVE-2023-24929, CVE-2023-28243). Vulnerabilities allow an authenticated attacker to send a modified XPS file to a shared printer leading to remote code execution. EPSS is medium.
4. Lots of CVEs Remote Code Execution- Windows DNS Server (CVE-2023-28254, CVE-2023-28255, CVE-2023-28256, CVE-2023-28278, CVE-2023-28305, CVE-2023-28306, CVE-2023-28307, CVE-2023-28308). Maybe something will come of it. EPSS is medium.
5. Remote Code Execution - DHCP Server Service (CVE-2023-28231). An authenticated attacker may exploit this vulnerability by sending a specially crafted RPC call to the DHCP service. An attacker must gain access to the restricted network before performing the attack for successful exploitation. Microsoft rates this vulnerability as “Exploitation More Likely” according to the Microsoft Exploitability Index. EPSS is low.

In general, prioritization with EPSS is consistent with prioritization without EPSS. Excluding Elevation of Privilege - Windows Common Log File System Driver (CVE-2023-28252). So, oddities can be - keep this in mind.

Full Vulristics report: ms_patch_tuesday_april2023