Microsoft fixes a zero-day, and two curious bugs that take the Secure out of Secure Boot – Naked Security

It’s Patch Tuesday Week (if you’ll allow us our daily pleonasm), and Microsoft’s updates include fixes for numerous security holes that the company has dubbed Critical, along with a zero-day fix, although the 0-day only gets a rating of Important.

The 0-day probably got away with not being Critical because it’s not an outright remote code execution (RCE) hole, meaning that it can’t be exploited by someone who hasn’t already hacked into your computer.

That one is CVE-2023-28252, an elevation of privilege (EoP) bug in the Windows Common Log File System Driver.

The problem with Windows EoP bugs, especially in drivers that are installed by default on every Windows computer, is that they almost always allow attackers with few or no significant access privileges to promote themselves directly to the SYSTEM account, giving them as-good-as total control over your computer.

Programs running as SYSTEM can typically: load and unload kernel drivers; install, stop and start system services; read and write most files on the computer; change existing access privileges; run or kill off other programs; spy on other programs; mess with secure parts of the registry; and much more.

Ironically, the Common Log File System (CLFS) is designed to accept and manage official logging requests on behalf of any service or app on the computer, in order to ensure order, precision, consistency and security in official system-level record keeping.

Two high-scoring Critical holes

Two Critical bugs in particular grabbed our interest.

The first one is CVE-2023-21554, an RCE hole in the Microsoft Message Queue system, or MSMQ, a component that’s supposed to provide a failsafe way for programs to communicate reliably, regardless of what sort of network connections exist between them.

The MSMQ service isn’t turned on by default, but in high-reliability back-end systems where regular TCP or UDP network messages aren’t considered robust enough, you might have MSMQ enabled.

(Microsoft’s own examples of applications that might benefit from MSMQ include financial processing services on e-commerce platforms, and airport baggage handling systems.)

Unfortunately, even though this bug isn’t in the wild, it received a rating of Critical and a CVSS “danger score” of 9.8/10.

Microsoft’s two-sentence bug description says simply:

To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side.

Based on the high CVSS score and what Microsoft didn’t say in the above description, we’re assuming that attackers exploiting this hole wouldn’t need to be logged on, or to have gone through any authentication process first.

DHCP danger

The second Critical bug that caught our eye is CVE-2023-28231, an RCE hole in the Microsoft DHCP Server Service.

DHCP is short for dynamic host configuration protocol, and it’s used in almost all Windows networks to hand out network addresses (IP numbers) to computers that connect to the network.

This helps prevent two users from accidentally trying to use the same IP number (which would cause their network packets to clash with each other), as well as keeping track of which devices are connected at any time.

Usually, remote code execution bugs in DHCP servers are ultra-dangerous, even though DHCP servers generally only operate on the local network, and not across the internet.

That’s because DHCP is designed to exchange network packets, as part of its “configuration dance”, not merely before you’ve entered a password or before you’ve supplied a username, but as the very first step of getting your computer online at the network level.

In other words, DHCP servers have to be robust enough to accept and respond to packets from unknown and untrusted devices, just to get your network to the point that it can start deciding how much trust to put in them.

Fortunately, however, this particular bug gets a slightly lower score than the aforementioned MSMQ bug (its CVSS danger level is 8.8/10) because it’s in part of the DHCP service that’s only accessible from your computer after you’ve logged on.

In Microsoft’s words:

An authenticated attacker could leverage a specially crafted RPC call to the DHCP service to exploit this vulnerability.

Successful exploitation of this vulnerability requires that an attacker will need to first gain access to the restricted network before running an attack.

When Secure Boot is just Boot

The last two bugs that intrigued us were CVE-2023-28249 and CVE-2023-28269, both listed under the headline Windows Boot Manager Security Feature Bypass Vulnerability.

According to Microsoft:

An attacker who successfully exploited [these vulnerabilities] could bypass Secure Boot to run unauthorized code. To be successful the attacker would need either physical access or administrator privileges.

Ironically, the main purpose of the much-vaunted Secure Boot system is that it’s supposed to help you keep your computer on a strict and unwavering path from the time you turn it on to the point that Windows takes control.

Indeed, Secure Boot is meant to stop attackers who steal your computer from injecting any booby-trapped code that could modify or subvert the initial startup process itself, a trick that’s known in the jargon as a bootkit.

Examples include secretly logging the keystrokes you type in when entering your BitLocker disk encryption unlock code (without which booting Windows is impossible), or sneakily feeding modified disk sectors into the bootloader code that reads in the Windows kernel so it starts up insecurely.

This sort of treachery is sometimes called an “evil cleaner” attack, based on the scenario that anyone with legitimate access to your hotel room while you’re out, such as a traitorous cleaner, might be able to inject a bootkit unobtrusively, for example by starting up your laptop briefly from a USB drive and letting an automated script do the dirty work…

…and then use a similarly quick and hands-off trick the next day to retrieve stolen data such as keystrokes, and remove any evidence that the bootkit was ever there.

In other words, Secure Boot is meant to keep a properly-encrypted laptop safe from being subverted – even, or perhaps especially, by a cybercriminal who has physical access to it.

So if we had a Windows computer for day-to-day use, we’d be patching these bugs as if they were Critical, even though Microsoft’s own rating is only Important.

What to do?

  • Patch now. With one zero-day already being exploited by criminals, two high-CVSS-score Critical bugs that could lead to remote malware implantation, and two bugs that could remove the Secure from Secure Boot, why delay? Just do it today!
  • Read the SophosLabs report that looks at this month’s patches more broadly. With 97 CVEs patched altogether in Windows itself, Visual Studio Code, SQL Server, SharePoint and many other components, there are lots more bugs that sysadmins need to know about.
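As an added example (not from the article, and not Microsoft’s tooling), here is a read-only PowerShell inventory of the components named above, so you can see which of this month’s fixes actually apply to a given host. It assumes an elevated session; the DHCP Server check is only meaningful on Windows Server, Confirm-SecureBootUEFI only works on UEFI firmware, and the CVE-to-component mapping is taken from the article rather than verified against the host.

```powershell
# Added example, not from the Naked Security article. Read-only exposure inventory
# for the April 2023 Patch Tuesday components discussed above. Run elevated.
function Get-PatchExposure {
    $result = [ordered]@{}

    # CVE-2023-28252: the CLFS driver (clfs.sys) ships with every Windows install,
    # so this is expected to be present; it is listed to show the EoP surface exists.
    $clfs = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'CLFS'" -ErrorAction SilentlyContinue
    $result['CLFS driver present']  = ($null -ne $clfs)
    $result['CLFS driver running']  = ($null -ne $clfs -and $clfs.State -eq 'Running')

    # CVE-2023-21554: MSMQ is an optional component and is NOT installed by default.
    # Its presence is the thing that makes the 9.8 RCE relevant to this host.
    $msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $result['MSMQ service installed'] = ($null -ne $msmq)
    $result['MSMQ service running']   = ($null -ne $msmq -and $msmq.Status -eq 'Running')

    # CVE-2023-28231: DHCP Server role (service name DHCPServer, Windows Server only).
    $dhcp = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
    $result['DHCP Server role present'] = ($null -ne $dhcp)

    # CVE-2023-28249 / CVE-2023-28269: Secure Boot bypass. Confirm-SecureBootUEFI
    # returns $true/$false on UEFI systems and throws on legacy BIOS.
    try   { $result['Secure Boot enabled'] = Confirm-SecureBootUEFI }
    catch { $result['Secure Boot enabled'] = 'n/a (legacy BIOS or unsupported platform)' }

    # Most recently installed hotfix, to compare against the April 2023 release.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $result['Latest hotfix'] = if ($latest) {
        "$($latest.HotFixID) ($($latest.InstalledOn.ToShortDateString()))"
    } else { 'none found' }

    return [pscustomobject]$result
}

Get-PatchExposure | Format-List
```

Hosts where MSMQ or DHCP Server are present get the two Critical RCE fixes as a priority; every host gets the CLFS and Secure Boot fixes regardless.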
