Threat and Exposure Research
Top Trending CVEs of February 2023
- Mar 01, 2023
- Shawn Evans
In this month’s trending CVEs we have a number of patches released by Microsoft to address critical vulnerabilities identified in Exchange and Windows operating systems. ClamAV, a popular open-source antivirus engine, was found to be prone to a buffer overflow vulnerability that could result in unauthenticated remote command execution (RCE). Fortinet released a patch for a critical remote command execution vulnerability that impacted their FortiNAC products. Mature exploit code is readily available. Read on and patch later in February’s trending CVEs.
1. Microsoft Exchange CVE-2023-21529, CVE-2023-21706, and CVE-2023-21707
Microsoft’s patch Tuesday did not disappoint in February. Microsoft released patches to address three vulnerabilities in Microsoft Exchange that could result in RCE. RCE is only achievable via authenticated vectors, however elevated privileges are not required. Few details have been released regarding specific exploit paths, but if you hedge your bets on recent history (ProxyNotShell and OWASSRF) I would not be surprised to learn that these vulnerabilities are exploitable via server-side-request-forgery by an authenticated threat actor. It’s unclear what vector would be exploited, however ProxyNotShell and OWASSRF leveraged AutoDiscovery and OWA endpoints respectively. Without concrete details, this is all speculative, but the adage remains constant – patch now to avoid issues later. We’ll be sure to keep a pulse on these issues and provide an update if proof of concept code is made publicly available.
| Severity | Complexity | CVSS Score |
| High | Low | 8.8 |
Systems Impacted: Microsoft Exchange Server 2013, 2016, 2019
Read more:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21707
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21706
- https://www.nopsec.com/blog/top-trending-cves-of-december-2022/
2. Microsoft RCE and Privilege Escalation CVE-2023-21823 and CVE-2023-23376
Microsoft addressed a kismet pair of vulnerabilities on patch Tuesday that impacts Windows 2008 to 2022. These vulnerabilities are well suited to be chained together and exploitation has been documented in the wild. The privilege escalation vulnerability was identified in the Windows common log file system driver. The RCE vulnerability was identified in the Windows graphics component. These vulnerabilities are not remotely exploitable and require local access. However there is evidence that these vulnerabilities have been exploited in the wild, although public exploit code is not readily available. It is highly likely that the vulnerabilities will be chained. An attacker can leverage local access to elevate privileges to SYSTEM via CVE-2023-23376 and execute commands in the context of a privileged session via CVE-2023-21823 – resulting in total system compromise. Patch your systems now.
| Severity | Complexity | CVSS Score |
| Moderate | Low | 7.8 |
Systems/Applications Impacted:
- Windows 10 Versions 1607, 1809, 20H2, 21H2, 22H2
- Windows 11 Versions 21H2 and 22H2
- Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
Read more:
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23376
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21823
3. ClamAV Heap Buffer Overflow CVE-2023-20032
ClamAV is a popular open source antivirus engine used on a variety of platforms. The vulnerability is present in ClamAV’s HFS+ file-system parsing functions. By submitting a crafted HFS+ file to a vulnerable deployment of ClamAV it’s possible to cause a denial of service or remote command execution. HFS+ is a journaling file system developed by Apple, which is used as the primary file system on all modern systems. HFS+ typically divides partitions into 512 byte sectors, but the size can vary and is defined in the volume header. ClamAV queries the header values to determine the block size and identify the location of the catalog, which contains an index of the files and directories present in the HFS+ file system. With a crafted HFS+ file it’s possible to create a condition in which the size of a sector is larger than that of a given node within the catalog. Due to a lack of validation, when data is read from the sector into a catalog node buffer a buffer overflow is triggered, which can result in a denial of service or remote command execution. To this point no weaponized exploit code has been released, but the research available is detailed and hints that it is likely possible. This vector could be exploited by remote adversaries through payloads submitted via email, where inbound emails are scanned by ClamAV prior to being sent to the destination inbox. The potential for unauthenticated remote command execution is quite likely. It is highly recommended that if your server is running ClamAV, that you patch this now.
| Severity | Complexity | CVSS Score |
| Critical | Low | 9.8 |
Systems/Applications Impacted:
- ClamAV 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier
- Cisco Secure Endpoint for Linux, Windows, and MacOS
- Cisco Secure Endpoint Cloud
- Cisco Secure Web Appliance
Read more:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy
- https://github.com/google/security-research/security/advisories/GHSA-r6g3-3wqj-m3c8
- https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
4. Fortinet FortiNAC unauthenticated RCE CVE-2022-39952
Fortinet released a patch to address a critical RCE vulnerability that impacted their FortiNAC product. The vulnerability is attributed to an unauthorized arbitrary file write within the “keyUpload.jsp” script. The vulnerable script is accessible to unauthenticated attackers and accepts a Zip file in the “key” POST parameter. If the “key” value is present, the script parses the file and copies the contents to disk. Once the uploaded file is output to disk a bash script is called that unarchives the Zip file. The bash script in question executes a “cd /” command prior to unarchiving the key file, which means that the present working directory is the root of the filesystem. When using “unzip” it’s possible to define where a file within the archive should be output. The vulnerability is thus exploited not via path traversal, but through a crafted Zip archive that outputs the payload to specific locations on disk. In the proof of concept released by the Horizon3 research team, the crafted key file is unarchived to create a malicious cron job that, when executed, establishes a reverse shell with an attacker-defined system. It is strongly recommended that you update now.
| Severity | Complexity | CVSS Score |
| High | Low | 9.8 |
Systems/Applications Impacted:
- FortiNAC version 9.4.0
- FortiNAC version 9.2.0 through 9.2.5
- FortiNAC version 9.1.0 through 9.1.7
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all versions
- FortiNAC 8.5 all versions
- FortiNAC 8.3 all versions
Read More:
- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
- https://www.fortiguard.com/psirt/FG-IR-22-300
- https://nvd.nist.gov/vuln/detail/CVE-2022-39952
To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let our Unified VRM platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what NopSec’s Unified VRM can do in action watch this on-demand product tour.
