February Microsoft Patch Tuesday Fixes Three Zero-days

Description

On February 14, 2023, Microsoft released more than 70 security patches as part of its regular Patch Tuesday. Microsoft observed that CVE-2023-21715, CVE-2023-23376, and CVE-2023-21823 were exploited in the wild.


Why is this Significant?

This is significant because three vulnerabilities (CVE-2023-21715, CVE-2023-23376, and CVE-2023-21823) were observed to have been exploited in the field. As such, the corresponding patches should be applied as soon as possible.


What is CVE-2023-21715?

CVE-2023-21715 is a security feature bypass vulnerability in Microsoft Office that allows an attacker to bypass a security feature designed to block malicious macros. Exploiting this vulnerability requires a local authenticated user, and, in parallel, a victim needs to be lured into downloading and opening a malicious file from the internet.


The vulnerability has a CVSS base score of 7.3 and is rated important by Microsoft.


What is CVE-2023-23376?

CVE-2023-23376 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). The vulnerability has a CVSS base score of 7.8 and is rated important by Microsoft.


The vulnerability is due to an error when the vulnerable software handles a maliciously crafted application. A remote attacker may be able to exploit this to escalate their privileges on vulnerable systems. Since the vulnerability is a local privilege escalation, an attacker needs to have access to the victims' network to exploit the vulnerability.


What is CVE-2023-21823?

CVE-2023-21823 is an elevation of privilege vulnerability in Windows Graphics Component that, upon successful exploitation, allows an attacker to gain SYSTEM privileges and execute commands with those privileges. The vulnerability has a CVSS base score of 7.8 and is rated important by Microsoft.


Reportedly Kevin Breen of Immersive Labs claimed that Microsoft OneNote was leveraged in observed attacks involving CVE-2023-21823.


Note that a patch for this vulnerability may only be available via the Microsoft Store. For details, see the Appendix for a link to "CVE-2023-21823 (Microsoft)".


What is the Status of Protection?

FortiGuard Labs released the following IPS signatures in version 22.495 for CVE-2023-23376 and CVE-2023-21823:

  • MS.Windows.CVE-2023-23376.Privilege.Elevation (CVE-2023-23376)
  • MS.Windows.Win32k.GDI.ExtTextOut.Privilege.Elevation (CVE-2023-21823)


The default action for both signatures is set to "pass".
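Because a "pass" action logs a match without blocking it, hits on these two signatures are worth reviewing in the IPS logs. The following triage script is an added example, not FortiGuard code: the signature names come from the list above, while the key=value log layout, the field names (subtype, attack, action, srcip, dstip), the action values and the sample lines are constructed assumptions.

```python
import re

# Signature names as listed in this advisory, mapped to their CVEs.
SIGNATURES = {
    "MS.Windows.CVE-2023-23376.Privilege.Elevation": "CVE-2023-23376",
    "MS.Windows.Win32k.GDI.ExtTextOut.Privilege.Elevation": "CVE-2023-21823",
}

# Assumption: these action values mean the traffic was stopped; anything
# else (for example "detected") means the match was logged but allowed.
BLOCKING_ACTIONS = {"dropped", "reset", "reset_client", "reset_server",
                    "drop_session", "clear_session"}

# Assumption: log lines are key=value pairs, values optionally double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of field name -> value."""
    return {k: (q if u == "" else u) for k, q, u in KV.findall(line)}

def unblocked_hits(lines):
    """Return (srcip, dstip, cve, action) for signature hits that were not blocked."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("subtype") != "ips":
            continue
        cve = SIGNATURES.get(fields.get("attack", ""))
        if cve and fields.get("action") not in BLOCKING_ACTIONS:
            hits.append((fields.get("srcip"), fields.get("dstip"),
                         cve, fields.get("action")))
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    'date=2023-02-15 type="utm" subtype="ips" srcip=192.0.2.10 dstip=198.51.100.5 '
    'action="detected" attack="MS.Windows.CVE-2023-23376.Privilege.Elevation"',
    'date=2023-02-15 type="utm" subtype="ips" srcip=192.0.2.11 dstip=198.51.100.5 '
    'action="dropped" attack="MS.Windows.Win32k.GDI.ExtTextOut.Privilege.Elevation"',
    'date=2023-02-15 type="utm" subtype="ips" srcip=192.0.2.12 dstip=198.51.100.7 '
    'action="detected" attack="Constructed.Unrelated.Signature"',
    'date=2023-02-15 type="utm" subtype="virus" srcip=192.0.2.13 dstip=198.51.100.8 '
    'action="blocked" virus="Constructed.Sample"',
    'date=2023-02-16 type="utm" subtype="ips" srcip=192.0.2.44 dstip=198.51.100.9 '
    'action="detected" attack="MS.Windows.Win32k.GDI.ExtTextOut.Privilege.Elevation"',
]

if __name__ == "__main__":
    for hit in unblocked_hits(SAMPLE_LOG):
        print("not blocked:", hit)
```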


As of this writing, there is not sufficient information on CVE-2023-21715 to allow us to investigate coverage. This Threat Signal will be updated once new information becomes available.