February Microsoft Patch Tuesday Fixes Three Zero-days
Description
On February 14, 2023, Microsoft released more than 70 security patches as part of its regular Patch Tuesday. Microsoft observed that CVE-2023-21715, CVE-2023-23376, and CVE-2023-21823 were exploited in the wild.
Why is this Significant?
This is significant because three vulnerabilities (CVE-2023-21715, CVE-2023-23376, and CVE-2023-21823) were observed to have been exploited in the field. As such, the corresponding patches should be applied as soon as possible.
What is CVE-2023-21715?
CVE-2023-21715 is a security feature bypass vulnerability in Microsoft Office that allows an attacker to bypass a security feature designed to block malicious macros. Exploiting this vulnerability requires a local authenticated user, and in parallel a victim needs to be lured into downloading and opening a malicious file from the internet.
The vulnerability has a CVSS base score of 7.3 and is rated important by Microsoft.
What is CVE-2023-23376?
CVE-2023-23376 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). The vulnerability has a CVSS base score of 7.8 and is rated important by Microsoft.
The vulnerability is due to an error when the vulnerable software handles a maliciously crafted application. A remote attacker may be able to exploit this to escalate their privileges on vulnerable systems. Since the vulnerability is a local privilege escalation, an attacker needs to have access to the victims' network to exploit the vulnerability.
What is CVE-2023-21823?
CVE-2023-21823 is an elevation of privilege vulnerability in the Windows Graphics Component that allows an attacker to gain SYSTEM privileges and execute commands as such upon successful exploitation. The vulnerability has a CVSS base score of 7.8 and is rated important by Microsoft.
Reportedly Kevin Breen of Immersive Labs claimed that Microsoft OneNote was leveraged in observed attacks involving CVE-2023-21823.
Note that a patch for this vulnerability may only be available via the Microsoft Store. For details, see the Appendix for a link to "CVE-2023-21823 (Microsoft)".
What is the Status of Protection?
FortiGuard Labs released the following IPS signatures in version 22.495 for CVE-2023-23376 and CVE-2023-21823:
- MS.Windows.CVE-2023-23376.Privilege.Elevation (CVE-2023-23376)
- MS.Windows.Win32k.GDI.ExtTextOut.Privilege.Elevation (CVE-2023-21823)
The default action for both signatures is set to "pass".
As of this writing, there is not sufficient information available on CVE-2023-21715 to allow us to investigate coverage. This Threat Signal will be updated once new information becomes available.
Appendix
CVE-2023-21715 (Microsoft)
CVE-2023-23376 (Microsoft)
CVE-2023-21823 (Microsoft)
MS.Windows.CVE-2023-23376.Privilege.Elevation (Fortinet)
MS.Windows.Win32k.GDI.ExtTextOut.Privilege.Elevation (Fortinet)