Microsoft patched 97 security flaws today for April’s Patch Tuesday including one that has already been found and exploited by miscreants attempting to deploy Nokoyawa ransomware.
Redmond deemed seven of the now-patched vulnerabilities “critical” and the rest “important.”
And while Microsoft, per usual, didn’t disclose how widespread attacks against CVE-2023-28252, a privilege elevation bug in the Windows Common Log File System (CLFS) driver, may be, infosec folk say they’ve spotted attempts to deploy the Nokoyawa ransomware via this security hole.
As Microsoft warned: “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” And according to Kaspersky, a cybercriminal crew is attempting to use this vulnerability to help itself spread ransomware among targets in retail and wholesale, energy, manufacturing, healthcare, software development and others. The flaw is similar to another privilege elevation bug Microsoft patched in February.
“To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix,” Zero Day Initiative’s Dustin Childs said.
All seven of the critical-rated bugs are remote code execution (RCE) vulnerabilities, so while Microsoft hasn’t detected any in-the-wild exploits for these — yet — miscreants could use these to cause serious havoc. Particularly as Exploit Wednesday follows quickly after patch Tuesday.
One, in particular, CVE-2023-21554, is an RCE that affects servers with Microsoft’s Message Queuing service enabled. It received a 9.8 out of 10 CVSS severity rating, and Redmond labels it as “exploitation more likely.” While the service is disabled by default, Childs says it’s commonly used by contact-center applications. “It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks,” he explained.
“An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine,” Redmond noted.
According to Immersive Labs’ Director Cyber Threat Research Kev Breen, while RAS servers aren’t standard in organizations, they do typically have direct access from the internet.
“This makes it extremely enticing for attackers as they don’t need to socially engineer their way into an organization,” Breen told The Register. “They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices.”
In other words, if you use these services, patch quickly.
Adobe addresses 56 CVEs
Adobe, meanwhile, released six bulletins for 56 CVEs in Acrobat and Reader, Adobe Digital Editions, InCopy, Substance 3D Designer, Substance 3D Stager, and Adobe Dimension.
The Reader security bulletin fixes 16 CVEs, 14 are critical RCEs, and successful exploitation could lead to arbitrary code execution, privilege escalation, security feature bypass and memory leak.
And finally Adobe Dimension fixes 15 flaws, of which 14 could lead to arbitrary code execution with the other could result in memory leak.
None of the Adobe flaws are listed as publicly known or under active attack.
SAP issues 19 Security Notes
SAP’s April Security Patch Day included 19 new Security Notes [PDF]. This includes note #3305369, which received the maximum CVSS score of 10, and fixes two flaws in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector).
The Onapsis Research Labs (ORL) spotted these two, and says they could allow an unauthenticated user to execute scripts on Diagnostics Agents connected to SAP SolutionManager. “In conjunction with insufficient input validation, attackers were able to execute malicious commands on all monitored SAP systems, highly impacting their confidentiality, integrity, and availability,” researcher Thomas Fritsch said.
Google patches software nasties in Chrome, Android OS
Google made a number of Android OS and Chrome security fixes this month. This includes two critical bugs in the Android System component “that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed,” according to the April Android Security Bulletin.
Additionally, no user interaction is needed to exploit this bug.
“Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Center for Internet Security warned in its advisory about the Android flaws.
Meanwhile, the Chrome update includes 16 security fixes, the most severe of which could allow for arbitrary code execution.
But wait, there’s more… AMD has addressed the medium issue CVE-2023-1018 (out-of-bounds read) and the high severity CVE-2023-1017 (out-of-bounds write) in its TPM 2.0 Module Library. This affects second-generation Threadripper processors. Users are advised to update their BIOS to close the holes, which can be exploited to read sensitive data in the TPM or execute code in its context. Which is not great.
Cisco closes out the patch party
And finally, Cisco joined the patch party this month with 17 new and updated security alerts addressing 40 flaws.
Only one of these alerts is marked critical, and it fixes two vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) that the vendor first disclosed in July 2022. If exploited, the bugs “could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device,” the networking giant noted.
Cisco released software updates that fix both flaws, and says there are no workarounds. ®