By Satnam Narang, Sr. Staff Research Engineer, Tenable
“The February 2023 Patch Tuesday release includes fixes for 75 CVEs — nine rated critical, and 66 rated important. We omitted one CVE from our count as it was disclosed by MITRE.
“Microsoft patched CVE-2023-23376, an elevation of privilege flaw in the Common Log File System (CLFS) Driver. Its discovery is credited to researchers at Microsoft’s Threat Intelligence Center (MSTIC) and Microsoft’s Security Response Center (MSRC), though details about the in-the-wild exploitation have not yet been shared. Interestingly, Microsoft patched two similar flaws in the CLFS Driver in 2022. CVE-2022-37969 was patched as part of the April 2022 Patch Tuesday release and is credited to researchers at the NSA and CrowdStrike, while CVE-2022-37969 was patched as part of the September 2022 Patch Tuesday and is credited to several research outfits.
“CVE-2023-21823 is an additional elevation of privilege bug, this time in the Microsoft Windows Graphics Component that was exploited in the wild. Being able to elevate privileges once on a target system is important for attackers seeking to do more damage. These flaws are useful in various contexts, whether an attacker launches an attack exploiting known vulnerabilities or through spear-phishing and malware payloads, which is why we often see elevation of privilege flaws routinely appear in Patch Tuesday releases as being exploited in the wild. Researchers at Mandiant were credited for discovering this flaw.
“CVE-2023-21715 is a security feature bypass in Microsoft Office. This vulnerability was also exploited in the wild. A local, authenticated attacker could exploit this vulnerability by utilizing social engineering techniques to convince a potential victim to execute a specially crafted file on their system, which would result in the bypass of Microsoft Office security features that would normally block macros from being executed. Its discovery is credited to Hidetake Jo, a researcher at Microsoft.
“Microsoft also patched three Microsoft Exchange Server vulnerabilities (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) which are rated Exploitation More Likely. Over the last few years, Microsoft Exchange Servers around the world have been pummeled by multiple vulnerabilities, from ProxyLogon to ProxyShell, to more recently ProxyNotShell, OWASSRF and TabShell. These flaws have become valuable assets to state-sponsored threat actors in Iran, Russia and the People’s Republic of China to Ransomware groups and their affiliates as part of devastating ransomware attacks. We strongly suggest organizations that rely on Microsoft Exchange Server to ensure they’ve applied the latest Cumulative Updates for Exchange Server.”