The January 2023 Security Update Review

Welcome to the first patch Tuesday of the new year. As expected, Adobe and Microsoft have released their latest fixes and updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for January 2023

For January, Adobe released four patches addressing 29 CVEs in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. A total of 22 of these bugs were submitted through the ZDI program. The update for Reader fixes 15 bugs, eight of which are rated Critical in severity. The most severe of these would allow arbitrary code execution if an affected system opened a specially crafted file. The patch for InDesign fixes six bugs, four of which are rated Critical; as with the Reader patch, opening a malicious file could result in code execution. That’s also true for InCopy, which likewise received fixes for six CVEs. The update for Dimension only addresses two CVEs, but the fix also includes an update for the SketchUp dependencies. The old SketchUp version carries a February 22 timestamp, while the version shipped today is stamped November 9.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for January 2023

This month, Microsoft released 98 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; .NET Core and Visual Studio Code; 3D Builder; Azure Service Fabric Container; Windows BitLocker; Windows Defender; Windows Print Spooler Components; and Microsoft Exchange Server. A total of 25 of these CVEs were submitted through the ZDI program.

Of the 98 new patches released today, 11 are rated Critical and 87 are rated Important in severity. This volume is the largest we’ve seen from Microsoft for a January release in quite some time. It will be interesting to see if this volume of fixes continues throughout the year.

One of the new CVEs released this month is listed as publicly known and one is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:

– CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
This is the one bug listed as under active attack this month. It allows a local attacker to escalate from sandboxed execution inside Chromium to kernel-level execution with full SYSTEM privileges. Bugs of this type are typically paired with some form of initial code execution, such as a browser exploit, to deliver malware or ransomware. Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here.

– CVE-2023-21743 – Microsoft SharePoint Server Security Feature Bypass Vulnerability
You rarely see a Critical-rated Security Feature Bypass (SFB), but this one seems to qualify. This bug could allow a remote, unauthenticated attacker to make an anonymous connection to an affected SharePoint server. Installing the update alone is not enough: to fully resolve this bug, you must also trigger a SharePoint upgrade action that is included in this update, and full details on how to do this are in the bulletin. Situations like this are why people who scream “Just patch it!” show they have never actually had to patch an enterprise in the real world.
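As an added example (mine, not code from the post or from Microsoft’s bulletin), here is what that post-patch step looks like from the SharePoint Management Shell. The cmdlets (Get-SPFarm, Get-SPServer, Get-SPContentDatabase) and the psconfig.exe command line are the standard SharePoint upgrade tooling; the assumptions are that the January MSP files are already installed on every server in the farm, that you run this as a farm administrator, and that the hive is 16 (SharePoint 2016, 2019 or Subscription Edition).

```powershell
# Added example (not from the post or the bulletin): verify that the SharePoint
# upgrade action the CVE-2023-21743 fix depends on has run, and trigger it if not.
# Assumptions: SharePoint Management Shell, farm administrator, January MSP files
# already installed on every farm server, hive "16" (2016/2019/Subscription Edition).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# Installing the MSP updates binaries but does not touch the configuration
# database. Until the upgrade step runs, the farm, individual servers and/or
# content databases stay flagged NeedsUpgrade and the SFB fix is not complete.
$serversPending = @(Get-SPServer          | Where-Object { $_.NeedsUpgrade })
$dbsPending     = @(Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade })

if (-not $farm.NeedsUpgrade -and $serversPending.Count -eq 0 -and $dbsPending.Count -eq 0) {
    Write-Host 'No pending upgrade: the CVE-2023-21743 post-patch step has been applied.'
    return
}

Write-Warning 'Upgrade still pending:'
$serversPending | ForEach-Object { Write-Warning "  server   $($_.Name)" }
$dbsPending     | ForEach-Object { Write-Warning "  database $($_.Name)" }

# Run the in-place build-to-build upgrade on THIS server. Do it on each server
# in turn, Central Administration host first. -wait keeps psconfig in the
# foreground so a failure shows up here rather than only in the upgrade log.
$psconfig = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\BIN\psconfig.exe'
if (-not (Test-Path $psconfig)) { throw "psconfig.exe not found at $psconfig (check the hive number for your version)" }

& $psconfig -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install -cmd installfeatures -cmd secureresources
if ($LASTEXITCODE -ne 0) { throw "psconfig exited with $LASTEXITCODE; see the upgrade log in the hive's LOGS directory" }

# Re-check so the run ends with evidence rather than an assumption.
[pscustomobject]@{
    FarmNeedsUpgrade = (Get-SPFarm).NeedsUpgrade
    ServersPending   = @(Get-SPServer          | Where-Object { $_.NeedsUpgrade }).Count
    DatabasesPending = @(Get-SPContentDatabase | Where-Object { $_.NeedsUpgrade }).Count
}
```

The re-check at the end is the part worth keeping in your change record: a farm where every server reports NeedsUpgrade false is the evidence that the SFB fix is actually in effect, whereas the MSP install log only proves that files were copied.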

– CVE-2023-21763/CVE-2023-21764 – Microsoft Exchange Server Elevation of Privilege Vulnerability
These bugs were found by ZDI researcher Piotr Bazydło and result from a failed patch for CVE-2022-41123. As such, they were reported under our new timelines for bugs resulting from incomplete patches. Thanks to a hard-coded path, a local attacker could plant their own DLL where Exchange loads it and execute code as SYSTEM. A recent report showed nearly 70,000 unpatched Exchange servers that were accessible from the internet. If you’re running Exchange on-prem, please test and deploy all the Exchange fixes quickly, and hope that Microsoft fixed these bugs correctly this time.

Here’s the full list of CVEs released by Microsoft for January 2023:

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2023-21674 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 8.8 | No | Yes | EoP
CVE-2023-21549 | Windows Workstation Service Elevation of Privilege Vulnerability | Important | 8.8 | Yes | No | EoP
CVE-2023-21561 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP
CVE-2023-21551 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | EoP
CVE-2023-21743 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Critical | 8.2 | No | No | SFB
CVE-2023-21730 | Windows Cryptographic Services Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2023-21543 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-21546 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-21555 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-21556 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-21679 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-21535 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-21548 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-21538 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-21780 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21781 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21782 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21784 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21786 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21791 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21793 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21783 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21785 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21787 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21788 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21789 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21790 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21792 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21531 | Azure Service Fabric Container Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-21563 | BitLocker Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB
CVE-2023-21536 | Event Tracing for Windows Information Disclosure Vulnerability | Important | 4.7 | No | No | Info
CVE-2023-21753 | Event Tracing for Windows Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-21547 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-21724 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21764 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21763 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21761 | Microsoft Exchange Server Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2023-21762 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8.0 | No | No | Spoofing
CVE-2023-21745 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8.0 | No | No | Spoofing
CVE-2023-21537 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21732 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-21734 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21735 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21741 | Microsoft Office Visio Information Disclosure Vulnerability | Important | 7.1 | No | No | Info
CVE-2023-21736 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21737 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-21738 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE
CVE-2023-21744 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-21742 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-21681 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-21725 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP
CVE-2023-21779 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-21768 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21539 | Windows Authentication Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE
CVE-2023-21752 | Windows Backup Service Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2023-21733 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-21739 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-21560 | Windows Boot Manager Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB
CVE-2023-21726 | Windows Credential Manager User Interface Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21540 | Windows Cryptographic Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-21550 | Windows Cryptographic Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-21559 | Windows Cryptographic Services Information Disclosure Vulnerability | Important | 6.2 | No | No | Info
CVE-2023-21525 | Windows Encrypting File System (EFS) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS
CVE-2023-21558 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21552 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21532 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-21542 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-21683 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-21677 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-21758 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-21527 | Windows iSCSI Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-21755 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21754 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21747 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21748 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21749 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21772 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21773 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21774 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21675 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21750 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2023-21776 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-21757 | Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-21557 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-21676 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-21524 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21771 | Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-21728 | Windows Netlogon Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-21746 | Windows NTLM Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21767 | Windows Overlay Filter Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21766 | Windows Overlay Filter Information Disclosure Vulnerability | Important | 4.7 | No | No | Info
CVE-2023-21682 | Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability | Important | 5.3 | No | No | Info
CVE-2023-21760 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2023-21765 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21678 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21759 | Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability | Important | 3.3 | No | No | SFB
CVE-2023-21541 | Windows Task Scheduler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21680 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
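A list like this is only useful once it becomes a deployment order. As an added example (mine, not code from the post), the script below parses a constructed subset of this month’s rows, typed in as pipe-separated fields, and ranks them the way the review itself reasons: in-the-wild first, then publicly known, then Critical code execution, then the rest by CVSS. The tiering policy is an assumption you should adapt to your own exposure; the row format and the function names are mine.

```powershell
# Added example (not from the post): turn a release list into a deployment order.
# The rows are a constructed subset of this month's table, typed in as
# CVE|Title|Severity|CVSS|Public|Exploited|Type. Feed the full table (or the
# Security Update Guide CSV, reshaped to these columns) through the same function.
$releaseTable = @'
CVE-2023-21674|Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability|Important|8.8|No|Yes|EoP
CVE-2023-21549|Windows Workstation Service Elevation of Privilege Vulnerability|Important|8.8|Yes|No|EoP
CVE-2023-21743|Microsoft SharePoint Server Security Feature Bypass Vulnerability|Critical|8.2|No|No|SFB
CVE-2023-21543|Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability|Critical|8.1|No|No|RCE
CVE-2023-21763|Microsoft Exchange Server Elevation of Privilege Vulnerability|Important|7.8|No|No|EoP
CVE-2023-21780|3D Builder Remote Code Execution Vulnerability|Important|7.8|No|No|RCE
CVE-2023-21538|.NET Denial of Service Vulnerability|Important|7.5|No|No|DoS
CVE-2023-21759|Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability|Important|3.3|No|No|SFB
'@

function ConvertFrom-ReleaseTable {
    param([string]$Text)
    $Text -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
        $f = $_.Split('|')
        [pscustomobject]@{
            CVE       = $f[0]
            Title     = $f[1]
            Severity  = $f[2]
            CVSS      = [double]$f[3]
            Public    = ($f[4] -eq 'Yes')
            Exploited = ($f[5] -eq 'Yes')
            Type      = $f[6]
        }
    }
}

function Get-PatchPriority {
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        # Lower tier = deploy sooner. This is a policy assumption, not Microsoft's:
        # in-the-wild beats public, public beats Critical RCE, Critical RCE beats
        # other Critical, and everything else falls back to CVSS ordering.
        $tier = if ($Row.Exploited) { 0 }
                elseif ($Row.Public) { 1 }
                elseif ($Row.Severity -eq 'Critical' -and $Row.Type -eq 'RCE') { 2 }
                elseif ($Row.Severity -eq 'Critical') { 3 }
                else { 4 }
        $Row | Add-Member -NotePropertyName Tier -NotePropertyValue $tier -PassThru
    }
}

ConvertFrom-ReleaseTable $releaseTable |
    Get-PatchPriority |
    Sort-Object Tier, @{ Expression = 'CVSS'; Descending = $true } |
    Format-Table Tier, CVE, Severity, CVSS, Type, Title -AutoSize
```

The point of keeping the policy in one small function is that the arguments about ordering (does an authenticated SharePoint RCE outrank a Critical L2TP bug on a host with no RAS role?) become a diff to that function rather than a debate over a spreadsheet.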

Looking at the remaining Critical-rated fixes, Cryptographic Services accounts for three of them: CVE-2023-21730 is an RCE, while the other two are privilege escalations rather than RCEs. There are five patches for the Layer 2 Tunneling Protocol (L2TP), which was introduced back in Windows 2000. An unauthenticated attacker could send a specially crafted connection request to a RAS server to get code execution. Microsoft lists exploit complexity as high because the exploit needs to win a race condition, but you should not rely on that as a mitigation. The same is true for the two bugs in Secure Socket Tunneling Protocol (SSTP).
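Whether the L2TP and SSTP bugs are a patch-tonight problem or a patch-this-cycle problem depends on whether the host is actually serving those protocols. As an added example (mine, not from the post), the function below checks the Routing and Remote Access and SSTP services and the listening ports on the local machine and returns a verdict. The port numbers are the standard ones for L2TP/IPsec and SSTP, not from the post; the UDP 500/4500 checks are also relevant to this month’s IKE denial-of-service fixes. It assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 or later) and PowerShell 5.1 or later for the service StartType property.

```powershell
# Added example (not from the post): is this host exposed to the L2TP/SSTP RCEs?
# Assumptions: NetTCPIP cmdlets available, PowerShell 5.1+, run as a local admin.
# Port numbers are the standard L2TP/IPsec and SSTP ones, not taken from the post.
function Get-RasExposure {
    $ras  = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $sstp = Get-Service -Name SstpSvc      -ErrorAction SilentlyContinue
    $udp  = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue)
    $tcp  = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)

    $rasRunning  = [bool]($ras  -and $ras.Status  -eq 'Running')
    $sstpRunning = [bool]($sstp -and $sstp.Status -eq 'Running')
    $udp1701 = [bool]($udp | Where-Object { $_.LocalPort -eq 1701 })
    $udp500  = [bool]($udp | Where-Object { $_.LocalPort -eq 500 })
    $udp4500 = [bool]($udp | Where-Object { $_.LocalPort -eq 4500 })
    $tcp443  = [bool]($tcp | Where-Object { $_.LocalPort -eq 443 })

    # UDP 500/4500 are owned by IKEEXT on any Windows box with IPsec enabled, so
    # by themselves they do not mean "VPN server"; they do mean the IKE DoS bugs
    # are reachable. UDP 1701 with RemoteAccess running is the L2TP server signal.
    # SSTP rides HTTP.sys on 443, which IIS may also own, so SstpSvc plus
    # RemoteAccess running is the better SSTP signal than the port alone.
    $l2tpServer = $rasRunning -and $udp1701
    $sstpServer = $rasRunning -and $sstpRunning -and $tcp443

    $verdict = if ($l2tpServer -or $sstpServer) {
        'Network-reachable RAS surface: treat the L2TP/SSTP RCEs as patch-first.'
    } elseif ($ras -and $ras.StartType -ne 'Disabled') {
        'RemoteAccess installed but not serving: patch on the normal cycle; re-run after any RRAS change.'
    } else {
        'No RAS listener: these CVEs are local-only risk here; patch with the rest of the cumulative update.'
    }

    [pscustomobject]@{
        RemoteAccessState = if ($ras)  { $ras.Status.ToString() }  else { 'not installed' }
        SstpSvcState      = if ($sstp) { $sstp.Status.ToString() } else { 'not installed' }
        L2TP_UDP1701      = $udp1701
        IKE_UDP500        = $udp500
        IKE_NATT_UDP4500  = $udp4500
        HTTPS_TCP443      = $tcp443
        L2TPServer        = $l2tpServer
        SSTPServer        = $sstpServer
        Verdict           = $verdict
    }
}

Get-RasExposure | Format-List
```

Run it on the hosts you believe are not VPN servers as well as the ones you know are: the surprise is usually a forgotten RRAS role on a box that was once a lab gateway.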

Moving to the other 26 code execution bugs fixed in this release, there are 14 fixes for the 3D Builder component reported by ZDI researcher Mat Powell. All of these require the user to open a maliciously crafted file to get code execution at the level of the logged-on user. That’s also true for the Visual Studio Code and Office-related bugs, including two of the Visio bugs, which were also reported by Mr. Powell. There’s a fix for an LDAP bug, which would normally concern me; however, in this case it’s listed as requiring authentication. There’s an RCE bug in Windows Authentication, but the description is confusing. According to Microsoft, “An attacker must already have access and the ability to run code on the target system.” Hopefully, the researchers who reported the bug will provide more information. There are two fixes for SharePoint RCE bugs that require authentication, but every user has the required permissions by default, so authentication is not much of a barrier. There are a couple of SQL-related fixes. The first is in the ODBC driver: an attacker can execute code if they can convince an authenticated user to connect to a malicious SQL server via ODBC. It’s a similar scenario for the WDAC OLE DB provider for SQL Server component.

Including those already mentioned, there are a total of 38 Elevation of Privilege (EoP) bugs receiving patches this month. The vast majority of these require the attacker to already be executing code on the target in order to escalate privileges, typically to SYSTEM. A few stand out, however. The publicly known bug in the Workstation Service could actually be hit remotely over RPC: a successful attacker could invoke RPC functions that are normally restricted to local clients. It only affects systems with less than 3.5 GB of RAM, so feel free to use this as justification to buy more RAM. There are three fixes for the Print Spooler, one of which was reported by the National Security Agency. One of the escalations in LSA leads to code execution as a group Managed Service Account (gMSA), an exception to the usual SYSTEM escalations. The bug in the Backup Service could allow either privilege escalation or data deletion, and the same goes for the vulnerability in Defender. Finally, the fix for Azure Service Fabric addresses a vulnerability that impacts Service Fabric clusters orchestrated by Docker. To be protected, you need to manually update Service Fabric and then enable and configure the “BlockAccessToWireServer” feature flag; the update alone is not sufficient.

There are fixes for 10 different information disclosure bugs this month, and six of these merely result in info leaks consisting of unspecified memory contents. The others are more interesting. To start, there are three bugs in Windows cryptographic components that result in disclosing “Windows cryptographic secrets.” One of these was reported by Canada’s Communications Security Establishment, the Canadian counterpart of the USA’s NSA, and I would think they know a thing or two about crypto. There’s also an info disclosure bug in Exchange, but Microsoft simply states that it could result in disclosing “sensitive information.”

Looking at the security feature bypasses, there are patches for three more in addition to the SharePoint bug already mentioned above. One is for BitLocker and could allow a physical attacker to gain access to encrypted data. Physical access is also a requirement for the SFB in the Boot Manager. If you’re relying on these to protect systems from theft and other physical attacks, make sure you get these patches. The bypass in Smart Card Resource Management Server could allow an attacker to gain access to data related to FIDO keys managed on an affected system.

The January release fixes 10 different Denial-of-Service (DoS) bugs. Microsoft provides no real detail about these bugs, so it isn’t clear if successful exploitation results in the service stopping or the system crashing. I would be most concerned about the bugs in the Netlogon and LDAP services as a successful DoS attack on these components would significantly impact an enterprise. 

Finally, there are two spoofing bugs in Exchange Server receiving fixes, although the descriptions imply a different impact. One notes that successful exploitation could disclose NTLM hashes, which I would describe as information disclosure. The other notes that an authenticated attacker could exploit it given a PowerShell remoting session to the server, which would probably classify as privilege escalation. Regardless, make sure you update your Exchange servers to remediate the multiple bugs being fixed this month.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2023 will be on February 14, which also happens to be a pretty romantic holiday – the first day of Pwn2Own Miami! We’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!