Microsoft released patches to fix 97 vulnerabilities on April 2023 Patch Tuesday including a Windows zero-day privilege execution vulnerability in the Windows Common Log File System (CLFS) driver. Seven of the month’s vulnerabilities have been rated critical, and the remaining 90 have been rated important. 17 flaws were also patched earlier this month for Microsoft Edge and Chromium-based browsers.
The zero-day vulnerability is tracked as CVE-2023-28252 and has a low attack complexity. Exploitation of the vulnerability requires a local attack vector, but only low-level privileges to exploit with no user interaction. Successful exploitation will allow an attacker to gain SYSTEM privileges. The flaw affects all versions of Windows 10 and Windows Server 2008 and later versions. The flaw has been assigned a CVSS v3 severity score of 7.8 out of 10 due to the need to exploit the bug locally, so an attacker would require access before the flaw could be exploited. There are reports that the flaw has been exploited in ransomware attacks involving Nokoyawa ransomware.
The critical vulnerabilities affect Microsoft Message Queuing, Windows DHCP Server, Windows Layer 2 Tunneling Protocol, Windows PGM, Windows Point-to-Point Tunneling Protocol, and Windows Raw Image Extension.
The Microsoft Message Queuing (CVE-2023-21554) bug has been assigned a CVSS v3 score of 9.8 out of 10, and can be exploited by a remote, unauthenticated attacker to run code with elevated privileges on affected servers with the Message Queuing service enabled.
A critical remote code execution vulnerability has been patched in Windows Pragmatic General Multicast. The flaw is tracked as CVE-2023-28250 and has a CVSS score of 9.8 out of 10. The flaw can only be exploited if the Windows Message Queuing service is enabled and can be exploited by sending a specially crafted file over the network.
The DHCP Server Service Remote Code Execution Vulnerability, CVE-2023-28231, has a CVSS severity score of 8.8, and while the bug allows code execution, an attacker would need to gain access to a restricted network before exploiting the vulnerability. The flaw could be exploited via a specially crafted RPC call to the DHCP service.
Two critical vulnerabilities have been patched in the Windows Layer 2 Tunneling Protocol, both of which are remote code execution vulnerabilities – CVE-2023-28219 and CVE-2023-28220. Both have CVSS severity scores of 8.1. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine after winning a race condition.
The Windows Raw Image Extension vulnerability is tracked as CVE-2023-28291 and has a CVSS severity score of 8.4, and exploitation would first require an attacker to log in to the system or by convincing a logged-in user to open a malicious file. Exploitation would permit remote code execution.
The last critical flaw affected the Windows Point-to-Point Tunneling Protocol and is tracked as CVE-2023-28232 and has a CVSS severity score of 7.5. In order to exploit the flaw, an attacker would first need access to the system to prepare the environment. The vulnerability could then be triggered when a user connects a Windows client to a malicious server.
Other notable vulnerabilities, which have been rated important, include CVE-2023-28285, CVE-2023-28295, CVE-2023-28287, and CVE-2023-28311 which affect Microsoft Office, Word, and Publisher. These flaws can permit remote code execution by opening malicious documents, such as those sent in phishing campaigns.