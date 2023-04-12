



On Patch Tuesday, April 2023, Microsoft released fixes for 97 CVE-numbered vulnerabilities, including one actively exploited zero-day (CVE-2023-28252).

About CVE-2023-28252

CVE-2023-28252 is a vulnerability in Windows Common Log File System (CLFS) that allows an attacker to gain SYSTEM privileges on a target machine.

Satnam Narang, Senior Staff Research Engineer at Tenable, told Help Net Security:

“CVE-2023-28252 is the second CLFS zero-day privilege escalation attack this year (the first was CVE-2023-23376, which was patched in February), and 4 in the last two years. It’s also the second CLFS zero-day disclosed to Microsoft by researchers at Mandiant and DBAPPSecurity, but it’s unclear if these findings are related to the same actor.”

Dustin Childs, head of threat awareness for Trend Micro Inc.’s Zero Day Initiative, said the February fix wasn’t enough and attackers may have found ways to circumvent it: “I’m just guessing, but I don’t have enough information to confirm this.”

“This type of exploit is usually combined with code execution bugs to spread malware and ransomware. Please test and deploy this patch immediately,” he added.

Other Notable Vulnerabilities

CVE-2023-21554 is a critical remote code execution vulnerability in the Microsoft Message Queuing Service, an optional Windows component available on all Windows operating systems. This can be triggered by a specially crafted malicious MSMQ packet being sent to the MSMQ server.

The vulnerability, named QueueJumper, is one of three discovered by Haifei Li, lead vulnerability researcher at Check Point, and Wayne Low of Fortinet’s FortiGuard Lab. The other two, CVE-2023-21769 and CVE-2023-28302, only result in a denial-of-service condition.

“This unauthorized RCE bug (CVE-2023-21554) in the ‘forgotten’ MSMQ service could have a high impact. If you are a Windows administrator, you should check your environment as soon as possible (you may have enabled services unknowingly),” explains Li.

“This is a simple bug and it’s not allowed. Anyone who can reach 1801/TCP can trigger the bug with one packet. So patch, patch! Check your firewalls for untrusted connections; please block them!”

Li also shared that during his research, he found over 360,000 internet-facing IPs running the MSMQ service with port 1801 open to the internet. Also, “when installing the official Microsoft Exchange Server, after the user selects the option ‘Automatically install Windows Server roles and features that are required to install Exchange’, the setup wizard app will enable the MSMQ service in the background.”

Check Point’s researchers will release technical details about the vulnerability later this month, giving administrators time to implement the patch or the workaround: block incoming connections to port 1801/TCP from untrusted sources.
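The check Li recommends and the workaround above, as an added PowerShell example that is not from the article or from Check Point: it reports whether the MSMQ feature is installed, whether the service is listening on 1801/TCP, and then scopes inbound 1801/TCP to trusted sources. It assumes an elevated session on a supported Windows host, and the `$TrustedSources` subnet is a constructed placeholder.

```powershell
# Added example (not from the article): audit a host for MSMQ exposure relevant to
# CVE-2023-21554 and restrict 1801/TCP to trusted sources. Run elevated.
$TrustedSources = @('10.0.0.0/8')   # ASSUMPTION: replace with your real management/app subnets

# 1. Is the MSMQ server feature installed? Server and client editions use different cmdlets.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $installed = (Get-WindowsFeature -Name MSMQ-Server).Installed
} else {
    $installed = (Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Server).State -eq 'Enabled'
}
Write-Host "MSMQ-Server feature installed: $installed"

# 2. Is the service running, and is anything listening on 1801/TCP?
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($svc) { Write-Host "MSMQ service status: $($svc.Status)" }
$listen = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listen) { Write-Host "1801/TCP listening on: $(($listen.LocalAddress | Sort-Object -Unique) -join ', ')" }

# 3. Show when the host was last patched (the article names no KB, so check the newest hotfix).
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
Write-Host "Most recent hotfix: $($lastFix.HotFixID) installed $($lastFix.InstalledOn)"

# 4. Workaround: the MSMQ installer adds broad inbound allow rules for 1801/TCP.
#    Disable any inbound allow rule for that port, then add one scoped to trusted sources.
#    This only protects the host if each profile's default inbound action is Block.
if ($installed -and $listen) {
    Get-NetFirewallPortFilter |
        Where-Object { @($_.LocalPort) -contains '1801' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'MSMQ 1801/TCP from trusted sources only' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 `
        -RemoteAddress $TrustedSources -Action Allow -Profile Any | Out-Null
    Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction |
        ForEach-Object { Write-Host "Profile $($_.Name): default inbound $($_.DefaultInboundAction)" }
}
```

A profile whose default inbound action is Allow leaves 1801/TCP reachable regardless of the scoped rule, so the last lines print the value for each profile rather than assuming it.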

Microsoft also fixed CVE-2023-28250, a critical RCE in the Pragmatic General Multicast (PGM) protocol, which is installed with the MSMQ service. “If the Windows Message Queuing Service is enabled, an attacker who successfully exploited this vulnerability could send a specially crafted file over the network to cause remote code execution and attempt to trigger malicious code,” the company said.

Childs also pointed out that Microsoft has republished CVE-2013-3900, an old WinVerifyTrust signature verification vulnerability recently exploited by attackers in the 3CX supply chain attack.

This fix is still optional and involves setting a key in the system registry.

“An anonymous attacker could exploit the vulnerability by modifying an existing signed executable to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating its signature. An attacker who successfully exploited this vulnerability could take complete control of the affected system.

“Enabling the new stricter verification behavior primarily applies to Portable Executable (PE) binaries signed with the Windows Authenticode signature format. The binaries most likely to be affected are PE installer files distributed over the Internet. The most common scenario where users are impacted is during the download and installation of new applications: if customers choose to enable the stricter validation behavior, they may get a warning message when trying to install a new application with a signature that fails verification.”

Update (April 12, 2023 4:10 AM ET):

CVE-2023-28252 is being exploited by sophisticated cybercriminal groups trying to distribute the Nokoyawa ransomware.

“This group is notable for using a number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we have identified five different exploits used in attacks against retail and wholesale, energy, manufacturing, healthcare, software development, and other industries,” said Boris Larin, a Kaspersky Lab researcher.

