Top Trending CVEs of March 2023
- Mar 30, 2023
- Shawn Evans
In March 2023, security researchers identified a number of critical vulnerabilities that could be exploited by attackers to gain access to systems or data. These vulnerabilities were found in a variety of software and hardware products, including Microsoft Windows, Exchange, and a number of mobile devices, including Google’s Pixel.
The most critical trending vulnerability in March was CVE-2023-23397, a privilege escalation vulnerability that impacts Microsoft Outlook. Other critical vulnerabilities trending this March included CVE-2023-23392, a remote code execution vulnerability in the Windows HTTP protocol stack, and CVE-2023-23415, an ICMP remote code execution vulnerability. These vulnerabilities could allow attackers to remotely execute code on a victim’s system by exploiting a flaw in the Windows operating system or in its handling of the ICMP protocol. Finally, we have a hardware vulnerability that impacts any mobile device built on a subset of the Exynos modems produced by Samsung Semiconductor.
CVE-2023-23397 is a privilege escalation vulnerability in Microsoft Outlook. The vulnerability is caused by a lack of data validation in the Messaging Application Programming Interface (MAPI) property parser. An attacker can exploit this vulnerability by sending a specially crafted calendar invite message that contains a PidLidReminderFileParameter property with a Universal Naming Convention (UNC) path. The PidLidReminderFileParameter property points to a custom sound that is played when the calendar invite reminder is triggered. By sending a malicious message, an attacker can compel the victim’s system to connect to an attacker-defined SMB server, which leads to the hijacking of the victim’s NTLM credentials in the form of a NetNTLMv2 hash. The hash can be cracked offline or relayed to other systems for lateral movement. Successful exploitation under the correct conditions, for example if the victim is an admin within the domain, could result in domain compromise.
Microsoft has released a script to assist Exchange administrators in locating any message that contains the PidLidReminderFileParameter property, to help isolate any offending messages present on the server.
This is a zero-touch, unauthenticated remote exploit, meaning no user interaction or network proximity is required to trigger the vulnerability. Microsoft has patched the vulnerability in Microsoft Outlook. The patch is available for all supported versions of Microsoft Outlook. Patch now!
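As an added example (not Microsoft's script and not part of the original post), a small Python filter that applies the same test to exported message properties: it flags any message whose PidLidReminderFileParameter value is a UNC path to a network host rather than a local file, which is the shape of the malicious reminder described above. The message dicts and property values are constructed sample data.

```python
import re

# Matches UNC-style paths (\\host\share\...), the forward-slash form (//host/...)
# and the WebDAV-style \\host@80\ or \\host@SSL@443\ variants.
UNC_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/@]+)(?:@(?:SSL@)?\d+)?(?:[\\/]|$)")


def is_unc_reminder_path(value):
    """True when a PidLidReminderFileParameter value names a network host.

    Outlook would authenticate to that host when the reminder fires, so any
    such value in an inbound message is worth isolating; local file paths
    (C:\\...) do not match.
    """
    if not value:
        return False
    return UNC_RE.match(value.strip()) is not None


def find_offending_messages(messages):
    """Return ids of messages whose reminder sound property is a UNC path.

    Each message is a dict with an 'id' and a 'props' map of MAPI property
    names to values, as a mailbox export or EWS query might yield them
    (assumed layout for this example).
    """
    return [
        msg["id"]
        for msg in messages
        if is_unc_reminder_path(msg.get("props", {}).get("PidLidReminderFileParameter"))
    ]


# Constructed sample data, not real mailbox content.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "props": {"PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"}},
    {"id": "msg-2", "props": {"PidLidReminderFileParameter": r"\\203.0.113.7\sounds\alert.wav"}},
    {"id": "msg-3", "props": {"PidLidReminderFileParameter": r"\\203.0.113.7@80\sounds\alert.wav"}},
    {"id": "msg-4", "props": {}},
]

if __name__ == "__main__":
    print("messages to isolate:", find_offending_messages(SAMPLE_MESSAGES))
```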
CVE-2023-23392 is a remote code execution vulnerability in the HTTP Protocol Stack of Windows Server. The vulnerability allows an unauthenticated attacker to send a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets, and to run malicious code on that host.
The vulnerability is caused by a buffer overflow in the HTTP Protocol Stack. The attacker can exploit this vulnerability by sending a specially crafted packet to the targeted server. The packet will cause the HTTP Protocol Stack to overflow a buffer, which will allow the attacker to execute arbitrary code on the server.
This is present only on newer versions of Windows 11 and Windows Server 2022, and only if HTTP/3 is enabled and the server uses buffered I/O, which is a common configuration though not the default. If patching is not an immediate option, it is possible to disable HTTP/3 as a temporary workaround. To do so, delete the EnableHttp3 registry value:
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /f
To this point, active exploitation has not been observed in the wild, but it is likely. It should be noted that this can affect not only Microsoft HTTP servers but also AD FS and Web Application Proxy servers, which means successful exploitation will likely result in elevated privileges that facilitate domain compromise.
CVE-2023-23415 is an interesting vulnerability because the root cause was identified in an old, lower-level protocol. Technical details have yet to be released, but Microsoft has indicated that the overall attack complexity is low. This was somewhat disputed by the researcher who identified the vulnerability, who claimed that it was trivial to trigger a DoS but that RCE was significantly more difficult to achieve reliably.
The issue is rooted in the way in which fragmented IP packets wrapped in ICMP packets are processed by raw sockets. Raw sockets are atypical on the majority of systems, but are more likely to be present in enterprise environments. Any application used to monitor network traffic, such as Wireshark or security appliances, would likely be vulnerable to exploitation. Any application that requires raw sockets must also run with admin privileges, which means successful exploitation is likely to result in trivial lateral movement and domain compromise.
It’s possible to mitigate the risk of this issue by blocking inbound ICMP traffic to critical endpoints, specifically those endpoints prone to inspect network traffic.
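As an added illustration (not from the post, Microsoft or the researcher), the following Python parser flags the packet shape described above: an ICMP error message whose quoted IP header has the More Fragments bit set or a non-zero fragment offset. It can be run over captured traffic at the endpoints named above to review what is reaching raw-socket consumers. The sample packets are constructed inline, and the heuristic is an assumption about what is worth reviewing, not a signature for the bug.

```python
import struct

# ICMP message types that embed the IP header of the datagram they report on.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def parse_ipv4_header(buf):
    """Return (header_len, protocol, more_fragments, fragment_offset), or None."""
    if len(buf) < 20:
        return None
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", buf[:10])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or len(buf) < header_len:
        return None
    return header_len, proto, bool(flags_frag & 0x2000), flags_frag & 0x1FFF


def icmp_carries_fragment(packet):
    """True when an IPv4 packet is an ICMP error message wrapping a fragmented datagram."""
    outer = parse_ipv4_header(packet)
    if outer is None or outer[1] != 1:          # not ICMP
        return False
    icmp = packet[outer[0]:]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return False
    inner = parse_ipv4_header(icmp[8:])          # header of the quoted datagram
    return inner is not None and (inner[2] or inner[3] != 0)


def _ipv4_header(proto, flags_frag, payload_len):
    """Constructed minimal 20-byte IPv4 header (checksum left zero) for the samples."""
    return (struct.pack("!BBHHHBB", 0x45, 0, 20 + payload_len, 1, flags_frag, 64, proto)
            + b"\x00\x00" + bytes([192, 0, 2, 1]) + bytes([192, 0, 2, 2]))


def build_icmp_error(inner_flags_frag):
    """Constructed ICMP Destination Unreachable quoting a datagram with the given flags field."""
    quoted = _ipv4_header(17, inner_flags_frag, 8) + b"\x00" * 8
    icmp = bytes([3, 3, 0, 0, 0, 0, 0, 0]) + quoted
    return _ipv4_header(1, 0x4000, len(icmp)) + icmp


BENIGN = build_icmp_error(0x4000)   # quoted datagram has DF set, offset 0
SUSPECT = build_icmp_error(0x2000)  # quoted datagram has MF set: a fragment
```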
In a funny twist, exploits were published for this vulnerability that later turned out to be trojans. GitHub has since removed the malicious repos. Apply those patches or monitor less network traffic.
Google’s Project Zero team recently identified eighteen zero-day vulnerabilities that impacted a broad range of devices that use a specific subset of Exynos modems developed by Samsung Semiconductor. Four (4) of the most critical vulnerabilities permitted internet-to-baseband RCE. That is to say, it is possible for a remote adversary on the Internet to compromise vulnerable devices with zero user interaction. In controlled tests, the Project Zero team confirmed that an attacker required only the phone number of the victim to trigger the vulnerability. The vulnerabilities are reported as memory corruption by Samsung Semiconductor, but the specific nature of the corruption is not yet publicly known.
Public exploit code is not yet available, but it is likely that skilled adversaries will eventually develop functional payloads that can silently and remotely facilitate device compromise. This is a particularly scary vuln, due to the ease of remote exploitation and the fact that it manifests at the hardware level. It is therefore the responsibility of the vendors that utilize the vulnerable modem to release a patch, which may or may not happen.
If a patch is not available or cannot be applied, it is recommended that owners of vulnerable devices disable Wi-Fi calling and Voice-over-LTE (VoLTE) until a patch is ready.
To stay up to date on the latest trending and critical celebrity vulnerabilities, subscribe to NopSec’s newsletter. If you don’t like having to keep up with vulnerabilities like these yourself, let our Unified VRM platform do it for you. It takes into account new critical vulnerabilities as they emerge, ensuring your risks are prioritized accordingly in your unique environment. If you’d like to see what NopSec’s Unified VRM can do in action watch this on-demand product tour.