Microsoft’s monthly security update – March 2023

by time news

Details

  1. The products for which security updates have been published are:
    • Azure
    • Client Server Run-time Subsystem (CSRSS)
    • Internet Control Message Protocol (ICMP)
    • Microsoft Bluetooth Driver
    • Microsoft Dynamics
    • Microsoft Edge (Chromium-based)
    • Microsoft Graphics Component
    • Microsoft Office Excel
    • Microsoft Office Outlook
    • Microsoft Office SharePoint
    • Microsoft OneDrive
    • Microsoft PostScript Printer Driver
    • Microsoft Printer Drivers
    • Microsoft Windows Codecs Library
    • Office for Android
    • Remote Access Service Point-to-Point Tunneling Protocol
    • Role: DNS Server
    • Role: Windows Hyper-V
    • Service Fabric
    • Visual Studio
    • Windows Accounts Control
    • Windows Bluetooth Service
    • Windows Central Resource Manager
    • Windows Cryptographic Services
    • Windows Defender
    • Windows HTTP Protocol Stack
    • Windows HTTP.sys
    • Windows Internet Key Exchange (IKE) Protocol
    • Windows Kernel
    • Windows Partition Management Driver
    • Windows Point-to-Point Protocol over Ethernet (PPPoE)
    • Windows Remote Procedure Call
    • Windows Remote Procedure Call Runtime
    • Windows Resilient File System (ReFS)
    • Windows Secure Channel
    • Windows SmartScreen
    • Windows TPM
    • Windows Win32K
  2. Note that for some of the updates, the link https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar refers to further details, and some of them may require additional actions beyond installing the update itself. The link also contains information about known issues in these security updates.
  3. Details of all the updates for this month can be found at the link https://isc.sans.edu/diary/Microsoft+March+2023+Patch+Tuesday/29634.
  4. If you do not install the cumulative security update but instead choose individually which updates to apply, it is recommended to prioritize testing and installing the updates marked as Critical in the link above, those marked “More Likely” in the Exploitability column, those allowing remote code execution, or those actually being exploited by attackers (zero-day).
  5. It is recommended to prioritize examining and installing updates for the following vulnerabilities:
    1. A critical vulnerability in Outlook that is actually being exploited by attackers (zero-day) may allow an attacker to elevate privileges by leaking the user’s Net-NTLMv2 hash to a server under the attacker’s control and using it in an NTLM relay attack. The user who receives the malicious message does not need to open it for the attack to take place. It is highly recommended to review and prioritize this update as soon as possible. The company recommends making sure that traffic on port 445 (SMB) is blocked from the corporate network out to the Internet. Various reports on the net indicate that this is only a partial step (though recommended in any case), since the vulnerability can probably also be exploited through other protocols. Documentation of the vulnerability has been published, so it is expected to be exploited quickly even by attackers who are not yet doing so. The company describes a workaround of placing users in the Protected Users group, which prevents the use of NTLM; however, these users will no longer be able to authenticate to applications that support only NTLM, so it is recommended to examine this workaround carefully and prioritize it for critical users such as network administrators. The company has provided a script that lets organizations check whether an attack attempt using this vulnerability has been made against them; see https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397.
    2. A vulnerability that is actually being exploited by attackers allows bypassing a security mechanism in the SmartScreen component, evading protections that depend on the file being marked with the Mark of the Web, i.e. as a file downloaded from the Internet. Information about this vulnerability has been made public.
    3. A critical vulnerability in the HTTP Protocol Stack could, under certain conditions, allow remote code execution (RCE).
    4. 2 critical vulnerabilities in the TPM 2.0 library could allow an attacker to elevate privileges.
    5. A critical vulnerability in the ICMP protocol could under certain conditions allow remote code execution (RCE) without the need for authentication.
    6. A critical vulnerability in the RPC protocol could allow an attacker to execute remote code without authentication, with the privileges of the RPC service. There are 3 other vulnerabilities in this service that could allow remote code execution. It is highly recommended to make sure that port 135 is blocked for access from the Internet to the corporate network.
    7. Critical vulnerability in Windows Cryptographic Services could allow remote code execution.
    8. A critical vulnerability in the Windows Hyper-V service could allow a denial of service attack.
    9. Critical vulnerability in Windows Point-to-Point Tunneling Protocol service could allow remote code execution.
    10. 20 Microsoft PostScript and PCL6 Class Printer Driver vulnerabilities, some of which could allow remote code execution.
    11. 2 Vulnerabilities in Microsoft Windows Codecs Library could allow remote code execution.
    12. 2 Vulnerabilities in the Windows Point-to-Point Protocol over Ethernet (PPPoE) component could allow remote code execution.
    13. Vulnerability in Excel could allow remote code execution.
    14. A vulnerability in the Windows HTTP.sys component could allow local elevation of privilege to the System level.
    15. A vulnerability in the DNS server may allow remote code execution, but exploiting it requires the attacker or the targeted user to have specific elevated privileges.
    16. A few days ago, the security updates for Exchange servers released in February were re-released to address issues that a small number of users were experiencing.
    17. Note that support for Exchange 2013 servers ends next month. It is highly recommended to examine these servers and start the upgrade process as soon as possible.
    18. 30 Vulnerabilities in the following components/software may allow remote code execution:
      1. CVE-2023-23415 Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
      2. CVE-2022-41127 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability
      3. CVE-2023-23399 Microsoft Excel Remote Code Execution Vulnerability
      4. CVE-2023-24913 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      5. CVE-2023-24909 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      6. CVE-2023-24907 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      7. CVE-2023-24876 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      8. CVE-2023-24872 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      9. CVE-2023-24868 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      10. CVE-2023-24867 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      11. CVE-2023-23413 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      12. CVE-2023-23406 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      13. CVE-2023-23403 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
      14. CVE-2023-23402 Windows Media Remote Code Execution Vulnerability
      15. CVE-2023-23401 Windows Media Remote Code Execution Vulnerability
      16. CVE-2022-43552 Open Source Curl Remote Code Execution Vulnerability
      17. CVE-2023-23404 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
      18. CVE-2023-23400 Windows DNS Server Remote Code Execution Vulnerability
      19. CVE-2022-23257 Windows Hyper-V Remote Code Execution Vulnerability
      20. CVE-2023-23946 GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability
      21. CVE-2023-23618 GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability
      22. CVE-2023-24871 Windows Bluetooth Service Remote Code Execution Vulnerability
      23. CVE-2023-23416 Windows Cryptographic Services Remote Code Execution Vulnerability
      24. CVE-2023-23392 HTTP Protocol Stack Remote Code Execution Vulnerability
      25. CVE-2023-23414 Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability
      26. CVE-2023-23407 Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability
      27. CVE-2023-21708 Remote Procedure Call Runtime Remote Code Execution Vulnerability
      28. CVE-2023-24908 Remote Procedure Call Runtime Remote Code Execution Vulnerability
      29. CVE-2023-24869 Remote Procedure Call Runtime Remote Code Execution Vulnerability
      30. CVE-2023-23405 Remote Procedure Call Runtime Remote Code Execution Vulnerability
    19. 21 Vulnerabilities in the following components/software may allow elevation of privileges:
      1. CVE-2023-23388 Windows Bluetooth Driver Elevation of Privilege Vulnerability
      2. CVE-2023-24910 Windows Graphics Component Elevation of Privilege Vulnerability
      3. CVE-2023-23397 Microsoft Outlook Elevation of Privilege Vulnerability
      4. CVE-2023-24930 Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability
      5. CVE-2023-24864 Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability
      6. CVE-2023-22743 GitHub: CVE-2023-22743 Git for Windows Installer Elevation of Privilege Vulnerability
      7. CVE-2023-23412 Windows Accounts Picture Elevation of Privilege Vulnerability
      8. CVE-2023-23393 Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability
      9. CVE-2023-23389 Microsoft Defender Elevation of Privilege Vulnerability
      10. CVE-2023-23410 Windows HTTP.sys Elevation of Privilege Vulnerability
      11. CVE-2023-23423 Windows Kernel Elevation of Privilege Vulnerability
      12. CVE-2023-23422 Windows Kernel Elevation of Privilege Vulnerability
      13. CVE-2023-23421 Windows Kernel Elevation of Privilege Vulnerability
      14. CVE-2023-23420 Windows Kernel Elevation of Privilege Vulnerability
      15. CVE-2023-23417 Windows Partition Management Driver Elevation of Privilege Vulnerability
      16. CVE-2023-23385 Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability
      17. CVE-2023-23419 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
      18. CVE-2023-23418 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
      19. CVE-2023-1018 CERT/CC: CVE-2023-1018 TPM2.0 Module Library Elevation of Privilege Vulnerability
      20. CVE-2023-1017 CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability
      21. CVE-2023-24861 Windows Graphics Component Elevation of Privilege Vulnerability
    20. 4 Vulnerabilities in the following components/software may enable a denial of service attack:
      1. CVE-2023-23396 Microsoft Excel Denial of Service Vulnerability
      2. CVE-2023-23411 Windows Hyper-V Denial of Service Vulnerability
      3. CVE-2023-24859 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
      4. CVE-2023-24862 Windows Secure Channel Denial of Service Vulnerability
    21. 3 Vulnerabilities in the following components/software may enable bypassing of security measures:
      1. CVE-2023-24890 Microsoft OneDrive for iOS Security Feature Bypass Vulnerability
      2. CVE-2021-26414 Windows DCOM Server Security Feature Bypass
      3. CVE-2023-24880 Windows SmartScreen Security Feature Bypass Vulnerability
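
As an added example (not code from the advisory or from Microsoft), the PowerShell below turns the two network recommendations in items 5.1 and 5.6 into host-based Windows Firewall rules (outbound TCP/445 to the Internet, inbound TCP/135 from the Internet) and reports which of a given set of accounts already sit in the Protected Users group. It is meant to be run on a Windows host from an elevated session; the rule names, the public-range list and the account names are assumptions, and the Protected Users check needs the RSAT ActiveDirectory module. The advisory's recommendation concerns the corporate perimeter, so these host rules complement a perimeter block rather than replace it.

```powershell
# Added example, not from the advisory or from Microsoft. Applies and verifies
# host-based Windows Firewall block rules for the two ports the advisory names
# (outbound 445 for CVE-2023-23397, inbound 135 for the RPC issues) and checks
# Protected Users membership for named administrator accounts.
# Requires an elevated session; the AD check needs the ActiveDirectory module.

# Public IPv4 space expressed as the complement of the RFC 1918 private ranges
# (constructed list; extend it if your organization owns routable ranges).
$PublicIPv4Ranges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255'
)

function Set-PublicRangeBlockRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$DisplayName   # assumed rule name
    )
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rule) {
        $params = @{
            DisplayName   = $DisplayName
            Direction     = $Direction
            Protocol      = 'TCP'
            RemoteAddress = $PublicIPv4Ranges
            Action        = 'Block'
            Profile       = 'Any'
        }
        # Outbound: the remote side's port is the one we refuse to reach.
        # Inbound: the local port is the one we refuse to expose.
        if ($Direction -eq 'Outbound') { $params.RemotePort = $Port } else { $params.LocalPort = $Port }
        $rule = New-NetFirewallRule @params
    }
    # $true only if the rule exists, is enabled and actually blocks.
    return ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}

function Test-ProtectedUsersMembership {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    # Recursive so accounts placed in Protected Users via a nested group also count.
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    foreach ($name in $SamAccountName) {
        [pscustomobject]@{ Account = $name; InProtectedUsers = ($members -contains $name) }
    }
}

# Usage (rule names and account names are assumptions)
$smbOk = Set-PublicRangeBlockRule -Direction Outbound -Port 445 -DisplayName 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
$rpcOk = Set-PublicRangeBlockRule -Direction Inbound  -Port 135 -DisplayName 'Block inbound RPC endpoint mapper from Internet'
"Outbound 445 blocked: $smbOk; inbound 135 blocked: $rpcOk"

# Protected Users disables NTLM for its members, so review only admin-tier accounts
# here and test applications that still depend on NTLM before moving anyone.
Test-ProtectedUsersMembership -SamAccountName 'da-admin1', 'da-admin2' | Format-Table -AutoSize
```

The functions return values rather than only printing, so the same calls can be dropped into a compliance script that records which hosts still lack the rules; the Microsoft detection script linked in item 5.1 is a separate tool and is not invoked here.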

Ways of handling

  1. Private users with supported systems – it is recommended to use the operating system’s automatic update interface as soon as possible to update your systems (“Check for updates” in the settings interface).
  2. Corporate users – it is recommended to test the updates for compatibility with your systems in a test environment and then install them as soon as possible.
  3. Attached is an Excel file detailing the vulnerabilities divided into product families. Source – Microsoft’s update site.

Sharing information with the national CERT does not replace the obligation to report to any governing body, insofar as such an obligation applies to the body. The information is provided as it is (as is), its use is the responsibility of the user and it is recommended to use a professional with appropriate training for its implementation.
