
Top Trending CVEs of April 2023


April was a busy month for Microsoft. Patch Tuesday introduced critical Windows fixes to address a pair of remote command execution (RCE) vulnerabilities, one of which already has exploit code in the wild. We also cover RCE vulnerabilities in Sophos Web Appliance and Apache Superset. Finally, would you believe that ProxyNotShell is still alive and kicking? Researchers love kicking this can down the road! But how bad is the latest ProxyNotShell variant? Find out and get informed with the trending CVEs for April 2023.


1. Microsoft Exchange PowerShell Remoting RCE CVE-2023-21707

We’re going to begin with a favorite target in recent months, Microsoft Exchange. If you recall from our previous posts, we’ve covered a few variants of an Exchange server-side request forgery (SSRF) vulnerability that led to RCE through insecure deserialization. Researchers determined that authenticated threat actors could leverage the Autodiscover or OWA Exchange endpoints to trigger the deserialization sink. Microsoft addressed the SSRF vulnerability, which removed the attacker’s path to the vulnerable deserialization function. However, researchers found that under certain circumstances it was still possible to reach the PowerShell remoting endpoint at /powershell.

By leveraging an attack chain similar to ProxyNotShell, it was possible to trigger the deserialization of a malicious payload. Exploitation is only possible if an attacker can reach port eighty (80), and the PowerShell entry point must use Kerberos for authentication. Kerberos authentication is only available if the vulnerable Exchange server can reach port eighty-eight (88) on the domain controller, which is only accessible on private networks (please please please don’t expose your DC to the Internet). These restrictions make mass exploitation unlikely, but the vulnerability could prove to be a useful vector for malware or penetration testers. Successful exploitation results in SYSTEM-level access on the vulnerable server, an ideal platform for lateral movement and domain takeover.

Severity   Complexity   CVSS Score
Critical   Low          8.8


Systems Impacted: 

  • Microsoft Exchange 2013, 2016, 2019


2. Microsoft Message Queuing RCE CVE-2023-21554

CVE-2023-21554 is an RCE vulnerability in the Microsoft Message Queuing (MSMQ) service, which listens on TCP port 1801. According to a quick Shodan search there are nearly 280,000 servers exposing MSMQ to the Internet, and almost certainly a great deal more operating on private networks. MSMQ is considered a legacy service and is available in all versions of Windows. Note that it is relatively easy to install MSMQ unknowingly when installing Microsoft Exchange by selecting the option “Automatically install Windows Server roles and features that are required to install Exchange Server”. The vulnerability can be triggered by a single packet sent to the vulnerable service.

This is a zero-touch, unauthenticated remote exploit, meaning no user interaction or network proximity is required to trigger the vulnerability. Microsoft has patched the vulnerability in MSMQ. Check Point indicated that a more detailed technical analysis would be released in the coming month. Patch now, before a proof-of-concept hits the public.

Severity   Complexity   CVSS Score
Critical   Low          9.8


Systems/Applications Impacted:

  • Windows Server 2012 and 2012 R2
  • Windows Server 2008 and 2008 R2
  • Windows Server 2016
  • Windows 10 
  • Windows 11
  • Windows Server 2022
  • Windows Server 2019


3. Sophos Web Appliance Pre-Auth RCE CVE-2023-1671

Sophos published an advisory detailing a pre-authentication RCE vulnerability that impacts Sophos Web Appliance versions prior to 4.3.10.4. The vulnerability, identified by an external researcher and reported to Sophos through their bug bounty program, stems from insecure processing of user-controlled data. The patch released by Sophos changed the Perl script “ftsblistpack”. The PHP script UsrBlocked.php is the source that calls the vulnerable Perl script with unsanitized end-user input. Exploitation is fairly straightforward because the variables used within the Perl script are wrapped in single quotes: an attacker can terminate the quoted string and define a Bash variable, which results in trivial RCE. Successful exploitation is trivial and can be achieved with the command line tool cURL. Although this is a trivial, critical vulnerability, it is not likely to result in mass exploitation. The Sophos appliance in question is a bit long in the tooth and scheduled for end-of-life support in July 2023. Sophos also configures the web appliance to receive updates automatically by default. Finally, the web appliance should generally not be exposed to the Internet, which limits mass exposure.
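The quoting mistake described above, shown in Python as an added illustration (this is not code from the Sophos appliance or the advisory): pack_list is a hypothetical stand-in for the Perl helper, and the input strings are constructed. The block tokenizes each command the way a POSIX shell would, so you can see why wrapping a value in single quotes does not contain a value that itself contains a quote, and what the two safe alternatives look like.

```python
"""Shell-quoting pitfall from the Sophos write-up, illustrated in Python."""
import shlex

TOOL = "pack_list"   # hypothetical stand-in for the appliance's Perl helper script


def command_unsafe(list_name):
    """Vulnerable pattern: wrap the value in single quotes and hand the string to a shell.

    A single quote inside list_name closes the quoted region, and whatever follows is
    parsed by the shell as further commands.
    """
    return f"{TOOL} '{list_name}'"


def command_quoted(list_name):
    """If a shell string is unavoidable, shlex.quote escapes embedded single quotes so
    the whole value stays one argument."""
    return f"{TOOL} {shlex.quote(list_name)}"


def argv_no_shell(list_name):
    """Preferred: an argument vector passed without a shell (subprocess.run(argv)),
    so no shell quoting rules apply at all."""
    return [TOOL, list_name]


def shell_tokens(cmd):
    """Tokenize cmd the way a POSIX shell would, with ; & | ( ) < > as separate operators."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def injects_extra_command(cmd):
    """True if the tokenized command contains a shell operator the caller never wrote."""
    return any(tok in {";", "&", "&&", "|", "||"} for tok in shell_tokens(cmd))


if __name__ == "__main__":
    hostile = "blocked-sites'; echo injected; '"   # constructed input containing a quote
    for build in (command_unsafe, command_quoted):
        cmd = build(hostile)
        print(f"{build.__name__}: {cmd!r} -> {shell_tokens(cmd)}")
    print("argv:", argv_no_shell(hostile))
```

The tokenizer is the useful part for review work: run it over any command string your code assembles from user input and confirm that the token list has exactly the arguments you intended and no operators you did not write.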

Severity   Complexity   CVSS Score
Critical   Low          9.8


Systems/Applications Impacted:

  • Sophos Web Appliance prior to 4.3.10.4


4. Microsoft DHCPv6 RCE CVE-2023-28231

Researchers have reported a heap-based buffer overflow that impacts the DHCPv6 service. DHCP, the Dynamic Host Configuration Protocol, automates the assignment of IP addresses. The heap-based buffer overflow in the DHCPv6 server is due to improper handling of DHCPv6 Relay-Forward messages. DHCPv6 supports a number of message types, including Solicit, Advertise, Request, Renew, and Reply. The structure of these messages is shared by DHCPv6 nodes designated as relays. In a DHCPv6 environment it’s possible that systems seeking a DHCPv6 address are not on the same link as the DHCPv6 server. To accommodate this network topology, servers can be configured as DHCPv6 relays that forward client requests to the primary DHCPv6 server.

When a Relay-Forward message is sent to the relay server it is processed by the function ProcessRelayForwardMessage(). When executed, the function initializes an array of 32 structures for each Relay-Forward message. Due to a lack of bounds checking, a crafted message containing more than 32 nested structures makes it possible to write to memory outside the array, resulting in a buffer overflow. Successful exploitation would grant access to the vulnerable system at the same privilege level as the DHCPv6 service, which provides a probable path to escalate to SYSTEM. This vulnerability will likely be leveraged by malware, but is only exploitable on private networks. Mass exploitation is unlikely, but PoC code has been published to GitHub, so expect attacks to mature quickly. As a tactical measure to eliminate the risk, disable IPv6. As a long-term solution, patch now.
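A bounds-checked walk of nested Relay-Forward messages, added here as an example; it is not Microsoft’s implementation and not the published PoC. It follows the RFC 8415 wire layout (Relay-Forward message type 12, a 34-byte relay header, Relay Message option code 9) and assumes the 32-entry bound the write-up describes; the builder at the bottom produces constructed test input so the check can be exercised offline. The point is the check the vulnerable function lacked: the nesting depth is counted before each layer is touched, and anything beyond the bound is rejected rather than parsed.

```python
"""Bounds-checked walk of nested DHCPv6 Relay-Forward messages (RFC 8415 layout)."""
import struct

RELAY_FORW = 12          # msg-type values from RFC 8415
RELAY_REPL = 13
OPTION_RELAY_MSG = 9     # option that carries the encapsulated message
RELAY_HEADER_LEN = 34    # msg-type(1) + hop-count(1) + link-address(16) + peer-address(16)
MAX_RELAY_DEPTH = 32     # assumed bound: the write-up describes a fixed array of 32 entries


def parse_options(block):
    """Return [(code, data), ...] for a DHCPv6 option block, rejecting truncated options."""
    opts, off = [], 0
    while off < len(block):
        if len(block) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", block, off)
        off += 4
        if off + length > len(block):
            raise ValueError("option length runs past end of message")
        opts.append((code, block[off:off + length]))
        off += length
    return opts


def relay_depth(msg, limit=MAX_RELAY_DEPTH):
    """Count relay layers; refuse before the (limit+1)th layer is ever parsed."""
    depth = 0
    while msg and msg[0] in (RELAY_FORW, RELAY_REPL):
        if len(msg) < RELAY_HEADER_LEN:
            raise ValueError("truncated relay header")
        depth += 1
        if depth > limit:
            raise ValueError(f"relay nesting exceeds {limit} layers")
        inner = [data for code, data in parse_options(msg[RELAY_HEADER_LEN:])
                 if code == OPTION_RELAY_MSG]
        if len(inner) != 1:
            raise ValueError("relay message must carry exactly one Relay Message option")
        msg = inner[0]
    return depth


def inspect_relay(msg):
    """Verdict shaped for a detection pipeline: {'ok', 'depth', 'reason'}."""
    try:
        return {"ok": True, "depth": relay_depth(msg), "reason": "within bounds"}
    except ValueError as exc:
        return {"ok": False, "depth": None, "reason": str(exc)}


# --- constructed test input (not a capture) ---------------------------------

def wrap_relay_forward(inner, hop_count):
    """Encapsulate `inner` in one Relay-Forward layer with zeroed link/peer addresses."""
    option = struct.pack("!HH", OPTION_RELAY_MSG, len(inner)) + inner
    return bytes([RELAY_FORW, hop_count]) + bytes(16) + bytes(16) + option


def nested_relay_forward(layers):
    """A Solicit (type 1, constructed transaction-id) wrapped in `layers` relay layers."""
    msg = bytes([1, 0x00, 0x00, 0x01])
    for hop in range(layers):
        msg = wrap_relay_forward(msg, hop)
    return msg


if __name__ == "__main__":
    for n in (3, 32, 33):
        print(n, inspect_relay(nested_relay_forward(n)))
```

The same walk works as a passive check in front of a relay or server: a Relay-Forward chain deeper than the bound is not something a sane topology produces, so a rejected verdict is worth an alert on its own.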

Severity   Complexity   CVSS Score
Critical   Low          8.8


Systems/Applications Impacted:

  • Windows Server 2012 and 2012 R2
  • Windows Server 2008 and 2008 R2
  • Windows Server 2016
  • Windows 10 
  • Windows 11
  • Windows Server 2022
  • Windows Server 2019


5. Apache Superset RCE CVE-2023-27524

Apache Superset is an open-source application for data exploration and data visualization. The software is not widely deployed, but researchers indicate that there are in the neighborhood of 2,000 nodes exposed to the Internet. The software has had a checkered past with regard to default configuration settings that resulted in unauthorized administrative access. Apache Superset is written in Python on the Flask web framework. A common practice in Flask applications is to use a server-side SECRET_KEY to cryptographically sign protected values, such as session cookies. However, by default Apache Superset ships with a static SECRET_KEY, which means that unless it is changed after installation, many deployments sign session cookies with the default key.

Using the “flask-unsign” toolkit it’s possible for an attacker to forge administrative session cookies using the known SECRET_KEY value and gain unauthorized admin access to vulnerable deployments. Administrators have a broad range of capabilities, which includes RCE on the Superset server. It’s possible that RCE could also be achieved on the database servers accessible via Superset depending on the privileges assigned to the Superset administrator.

A patch has been released by Apache to address the insecure default configuration, which prevents the service from starting if the default SECRET_KEY value is present. Patch now!
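The fix described above (refuse to start on the default key) and the reason it matters, as an added Python example that is not Superset’s or Flask’s own code: the default key value is a constructed placeholder, and the cookie format is a simplified HMAC-SHA256 stand-in rather than Flask’s real itsdangerous-based format. It shows a startup guard, a key-rotation helper, and that a cookie minted under the shipped key verifies on any instance still using that key and stops verifying once the key is rotated.

```python
"""Startup guard for a default/weak SECRET_KEY plus a simplified signed-cookie check."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder standing in for the key shipped in the default config.
DEFAULT_SECRET_KEY = "PLACEHOLDER_DEFAULT_SECRET_KEY_DO_NOT_USE"
KNOWN_WEAK_KEYS = {DEFAULT_SECRET_KEY, "", "secret", "changeme", "password"}
MIN_KEY_LENGTH = 32


def validate_secret_key(secret_key):
    """Return None if the key is acceptable, otherwise the reason it is rejected."""
    if secret_key in KNOWN_WEAK_KEYS:
        return "SECRET_KEY is the shipped default or a well-known weak value"
    if len(secret_key) < MIN_KEY_LENGTH:
        return f"SECRET_KEY shorter than {MIN_KEY_LENGTH} characters"
    return None


def startup_guard(secret_key):
    """Mirror the fix described above: refuse to start rather than run on the default key."""
    reason = validate_secret_key(secret_key)
    if reason:
        raise RuntimeError(f"refusing to start: {reason}")
    return True


def rotate_key():
    """Generate a key that passes the guard; put it in the config and restart the service."""
    return secrets.token_urlsafe(48)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_session(payload, secret_key):
    """Simplified stand-in for a Flask session cookie: body.signature, HMAC over the body."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_session(cookie, secret_key):
    """Return the payload if the signature is valid under secret_key, else None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected).encode(), tag.encode()):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    print("default key:", validate_secret_key(DEFAULT_SECRET_KEY))
    fresh = rotate_key()
    startup_guard(fresh)
    cookie = sign_session({"user_id": 7}, DEFAULT_SECRET_KEY)
    print("accepted under default key:", verify_session(cookie, DEFAULT_SECRET_KEY))
    print("accepted after rotation:   ", verify_session(cookie, fresh))
```

Rotating the key invalidates every existing session, which is exactly what you want after running with a shared default: any cookie that was issued, or produced by someone who knew the key, is rejected from the first request after restart.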

Severity   Complexity   CVSS Score
Critical   Low          9.8


Systems/Applications Impacted:

  • Apache Superset versions up to and including 2.0.1


To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let our Unified VRM platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what NopSec’s Unified VRM can do in action watch this on-demand product tour.
