Microsoft March Patch Tuesday Release Contains Two New Zero Days and 80 Security Updates

Description

Editor's Note - 3/21: IPS signature for CVE-2023-23397 (MS.Outlook.CVE-2023-23397.Elevation.Of.Privilege) added to the "What is the Status of Coverage?" section.


Today - March 14, 2023 - Microsoft released 80 security updates for this month's Patch Tuesday release. Two of the releases address known Zero Days in Microsoft Office (CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability) and the Windows Operating System (CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability); the latter is related to the December 2022 Patch Tuesday advisory for CVE-2022-44698 (Windows SmartScreen Security Feature Bypass Vulnerability).


CVE-2023-23397 was observed being exploited in the wild by APT28/Fancy Bear, attributed to the GRU, an arm of the Russian government.


What are the details for Both Zero Days?

CVE-2023-23397 is an Elevation of Privilege (EoP) vulnerability in Microsoft Outlook. An attacker who successfully exploits it can obtain a user's Net-NTLMv2 hash, which could then be used in an NTLM relay attack against another service to authenticate as that user. External attackers can create specially crafted emails that cause the victim's client to connect to an external UNC location under the attacker's control. This connection leaks the victim's Net-NTLMv2 hash to the attacker, who can then use it to authenticate as the victim to another service.


CVE-2023-24880 is a vulnerability in Windows where an attacker can create a malicious file that evades Mark of the Web (MOTW) protections, resulting in the loss of security features that rely on MOTW tagging, such as Protected View in Microsoft Office. This vulnerability is related to CVE-2022-44698 (Windows SmartScreen Security Feature Bypass Vulnerability), which was addressed in the December 2022 Microsoft Monthly Update.


Are Both Vulnerabilities Being Exploited in the Wild?

According to Microsoft, CVE-2023-23397 (Microsoft Outlook Elevation of Privilege Vulnerability) has been exploited in the wild. This vulnerability was exploited by APT28/Fancy Bear, which is attributed to the GRU, an arm of the Russian government.

CVE-2023-24880 (Windows SmartScreen Security Feature Bypass Vulnerability) has not been reported as exploited in the wild. However, earlier reports connected the related December 2022 vulnerability, CVE-2022-44698, to exploitation by the Magniber ransomware group.


What Suggested Mitigation is Available?

For those unable to apply the patch for CVE-2023-23397, Microsoft recommends adding users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Microsoft also recommends blocking TCP 445/SMB outbound from your network using a perimeter firewall, a local firewall, and your VPN settings. This prevents NTLM authentication messages from being sent to remote file shares.
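As an added illustration (not part of this advisory or of any Fortinet product), the following Python script checks firewall traffic logs for outbound TCP 445 sessions to destinations outside the organization's internal ranges: accepted sessions show where the outbound SMB block recommended above has a gap, while denied sessions confirm the block is working. The key=value log format, the sample lines and the internal address ranges are constructed assumptions, not real product output.

```python
import ipaddress
import re

# Constructed, simplified key=value firewall traffic lines (not real FortiGate
# output); proto=6 is TCP and action is the firewall's verdict for the session.
SAMPLE_LOGS = """\
date=2023-03-14 srcip=10.20.30.40 dstip=10.20.30.5 proto=6 dstport=445 action=accept
date=2023-03-14 srcip=10.20.30.40 dstip=203.0.113.7 proto=6 dstport=445 action=accept
date=2023-03-14 srcip=10.20.30.41 dstip=198.51.100.9 proto=6 dstport=443 action=accept
date=2023-03-14 srcip=10.20.30.42 dstip=198.51.100.9 proto=6 dstport=445 action=deny
date=2023-03-14 srcip=10.20.30.44 dstip=192.0.2.10 proto=6 dstport=445 action=accept
"""

# Assumed internal ranges (RFC 1918, loopback, link-local); anything else is
# external, i.e. exactly what the outbound TCP 445 block is meant to stop.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORT = "445"
KV = re.compile(r"(\w+)=(\S+)")

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def find_external_smb(log_text):
    """Return every TCP/445 session whose destination lies outside INTERNAL_NETS."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("proto") != "6" or fields.get("dstport") != SMB_PORT:
            continue
        if is_internal(fields["dstip"]):
            continue
        hits.append({"src": fields["srcip"], "dst": fields["dstip"],
                     "allowed": fields.get("action") == "accept"})
    return hits

def summarize(log_text):
    """Count external SMB sessions the perimeter let through vs. blocked."""
    hits = find_external_smb(log_text)
    allowed = sum(1 for h in hits if h["allowed"])
    return {"allowed": allowed, "blocked": len(hits) - allowed}

if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOGS):
        print(hit["src"], "->", hit["dst"], "GAP: allowed" if hit["allowed"] else "ok: blocked")
    print(summarize(SAMPLE_LOGS))
```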


Microsoft also suggests downloading the document "Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2." It discusses Pass-the-Hash (PtH) attacks against Windows operating systems and provides detailed guidance on defending against them. This document can be found here.


For CVE-2023-24880, it is suggested to apply the available patches as soon as possible.


What are the CVSS scores?

For CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability the CVSS score is 9.8 (CRITICAL).

For CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability the CVSS score is 5.4 (MEDIUM).


What is the Status of Coverage?

Fortinet customers running the latest version of IPS definitions are protected against exploitation of CVE-2023-24880 and CVE-2023-23397 by:


MS.Windows.SmartScreen.Security.Feature.Bypass (CVE-2023-24880)

MS.Outlook.CVE-2023-23397.Elevation.Of.Privilege (CVE-2023-23397) definitions version 23.517

Outbreak Alert

CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Microsoft Outlook. It is a zero-touch exploit, meaning the security flaw requires no user interaction to be abused. All supported versions of Microsoft Outlook for Windows are affected including other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web.
