On 11 April 2023, Microsoft published its April 2023 Security Update, patching multiple high- to critical-severity vulnerabilities, one of which was being actively exploited in ransomware campaigns before a patch was available.
Windows

| Impacted Products |
| --- |
| Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 |
| Windows 10, Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 20H2, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 21H2, Windows 11 Version 22H2 |
(CVSS 7.2): An actively exploited Elevation of Privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver that could allow a threat actor to obtain SYSTEM-level privileges after successful exploitation. This vulnerability was exploited as a zero-day and was leveraged in Nokoyawa ransomware intrusions.
(CVSS 8.5): A Remote Code Execution (RCE) vulnerability in the Windows Message Queuing (MSMQ) service. A threat actor can exploit this vulnerability by sending a specially crafted MSMQ packet to an MSMQ server, resulting in RCE.
Note: The MSMQ service must be enabled for a system to be vulnerable. This can be checked by looking for a running service named "Message Queuing" and for TCP port 1801 listening on the host.
(CVSS 7.1): A Layer 2 Tunneling Protocol (L2TP) RCE vulnerability impacting Windows systems with Remote Access Service (RAS). This vulnerability can be exploited by sending a specially crafted connection request to a vulnerable RAS server, resulting in RCE on the RAS server.
Note: Successful exploitation of this vulnerability requires a threat actor to win a race condition.
(CVSS 7.1): A Layer 2 Tunneling Protocol (L2TP) RCE vulnerability impacting Windows devices with Remote Access Service (RAS). This vulnerability can be exploited by sending a specially crafted connection request to a vulnerable RAS server, resulting in RCE on the RAS server.
Note: Successful exploitation of this vulnerability requires a threat actor to win a race condition.
(CVSS 7.7): A DHCP Server service RCE vulnerability impacting Windows servers. An authenticated threat actor could exploit this vulnerability to achieve RCE by sending a specially crafted RPC call to the DHCP service.
- Only impacts Windows Server products.
Note: A threat actor must first gain access to the restricted network before exploiting this vulnerability.
(CVSS 6.5): A Windows Point-to-Point Tunneling Protocol (PPTP) RCE vulnerability impacting Windows systems. It could be triggered after a targeted user connects a Windows client to a malicious server, resulting in RCE in the victim's environment.
Note: A threat actor must perform additional, currently unknown, actions before successful exploitation.
(CVSS 8.5): A Windows Pragmatic General Multicast (PGM) RCE vulnerability impacting Windows devices. When the Windows Message Queuing service is enabled, a remote threat actor who successfully exploited this vulnerability could send a specially crafted file to perform RCE on the targeted system and attempt to trigger malicious code.
Note: For a system to be vulnerable, the MSMQ service must first be enabled. This can be checked by looking for a running service named "Message Queuing" and for TCP port 1801 listening on the host.
Recommendations

Recommendation #1: Apply Security Updates to Impacted Products

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.
Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.
| Product | Vulnerability | Update |
| --- | --- | --- |
| Windows Server 2012 R2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | Monthly Rollup, Security Only |
| Windows Server 2012 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | Monthly Rollup, Security Only |
| Windows Server 2008 R2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | Monthly Rollup, Security Only |
| Windows Server 2008 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | Monthly Rollup, Security Only |
| Windows Server 2016 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | |
| Windows 10 Version 1607 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | |
| Windows 10 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | |
| Windows 10 Version 22H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | |
| Windows 11 Version 22H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | |
| Windows 10 Version 21H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | |
| Windows 11 Version 21H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | |
| Windows 10 Version 20H2 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | |
| Windows Server 2022 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | |
| Windows Server 2019 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250, CVE-2023-28231 | |
| Windows 10 Version 1809 | CVE-2023-28252, CVE-2023-21554, CVE-2023-28219, CVE-2023-28220, CVE-2023-28232, CVE-2023-28250 | |

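A quick way to confirm on a given host that Recommendation #1 has actually taken effect is to compare the OS build and update revision with the installed hotfix list. The script below is an added example written for this bulletin, not Arctic Wolf's or Microsoft's tooling. The KB numbers for the April 2023 updates are not listed on this page, so they are not hard-coded; the `-ExpectedKB` parameter is an assumed placeholder you fill in from the Microsoft Update Catalog for your product. Run it in an elevated PowerShell session.

```powershell
<#
  Added example: report whether this host has installed any update on or after the
  11 April 2023 release, and show the build/UBR so it can be compared against the
  product's April 2023 release notes. Not part of the original bulletin.
#>
[CmdletBinding()]
param(
    # Release date of the April 2023 Security Update (from the bulletin).
    [datetime]$PatchTuesday = '2023-04-11',
    # Placeholder: KB article IDs looked up for this product, e.g. 'KB<placeholder>'.
    # The bulletin does not list KB numbers, so this is empty by default.
    [string[]]$ExpectedKB = @()
)

# 1. Identify the product, feature release and build revision (UBR).
#    Note: on Windows 11, ProductName still reads "Windows 10 ..."; trust DisplayVersion/build.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Output ("{0} {1} build {2}.{3}" -f $ver.ProductName, $ver.DisplayVersion, $ver.CurrentBuild, $ver.UBR)

# 2. Heuristic check: any update installed since Patch Tuesday?
#    Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be blank on some hosts,
#    so treat a "no" here as "verify manually", not as proof the host is unpatched.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn

if ($recent) {
    Write-Output "Updates installed on or after $($PatchTuesday.ToString('yyyy-MM-dd')):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize | Out-String | Write-Output
} else {
    Write-Warning "No hotfix with an install date on or after $($PatchTuesday.ToString('yyyy-MM-dd')) was found."
}

# 3. Exact check, when the expected KB IDs for this product are known.
if ($ExpectedKB.Count -gt 0) {
    $missing = foreach ($kb in $ExpectedKB) {
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) { $kb }
    }
    if ($missing) {
        Write-Warning ("Expected update(s) not installed: {0}" -f ($missing -join ', '))
    } else {
        Write-Output "All expected updates are installed."
    }
}
```

The date filter is deliberately only a first pass: the authoritative signal is the build.UBR pair, which the April 2023 release notes for each product state explicitly. Feed that into your fleet inventory rather than relying on the hotfix date alone.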
Recommendation #2: Disable MSMQ if Not Required

To be vulnerable to CVE-2023-21554 and CVE-2023-28250, a system must have the Windows Message Queuing (MSMQ) service enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.
Note: You can check by looking for a running service named "Message Queuing" and for TCP port 1801 listening on the system.
If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources.
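The MSMQ exposure check that the notes above describe (a running "Message Queuing" service and a listener on TCP 1801), together with the two mitigations in Recommendation #2, can be scripted. The following is an added example written for this bulletin, not Arctic Wolf's or Microsoft's code. It assumes the MSMQ service short name `MSMQ` (display name "Message Queuing"), and the firewall rule name is an assumption. Run in an elevated PowerShell session; with no switches it only reports.

```powershell
<#
  Added example: check MSMQ exposure for CVE-2023-21554 / CVE-2023-28250 and
  optionally apply the mitigations from Recommendation #2. Not part of the bulletin.
#>
[CmdletBinding()]
param(
    # Mitigation A: stop the Message Queuing service and set it to Disabled.
    [switch]$DisableMsmq,
    # Mitigation B: add a host-firewall rule blocking inbound TCP 1801.
    [switch]$BlockPort1801,
    # Scope of the block rule: 'Any', 'Internet', 'LocalSubnet', or IPs/CIDRs
    # of the sources you want blocked. Windows Firewall evaluates Block rules before
    # Allow rules, so permitted sources must be excluded here rather than allow-listed.
    [string[]]$BlockFromRemoteAddress = @('Any')
)

$serviceName = 'MSMQ'   # display name "Message Queuing" (assumed short name)
$msmqPort    = 1801

# 1. Is the Message Queuing service installed, and what state is it in?
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'Message Queuing service not installed: host is not exposed to the MSMQ CVEs.'
} else {
    Write-Output ('Message Queuing service present: Status={0} StartType={1}' -f $svc.Status, $svc.StartType)
}

# 2. Is anything listening on TCP 1801, and which process owns it?
$listener = Get-NetTCPConnection -LocalPort $msmqPort -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
if ($listener) {
    $owner = (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Output "TCP $msmqPort is LISTENING (owning process: $owner)."
} else {
    Write-Output "TCP $msmqPort is not listening."
}

# 3. Mitigation A: disable the service when MSMQ is not needed (preferred).
if ($DisableMsmq -and $svc) {
    Stop-Service -Name $serviceName -Force
    Set-Service  -Name $serviceName -StartupType Disabled
    Write-Output 'Message Queuing stopped and set to Disabled.'
}

# 4. Mitigation B: block inbound TCP 1801 at the host firewall when the service must stay.
if ($BlockPort1801) {
    $ruleName = 'Block inbound MSMQ TCP 1801 (CVE-2023-21554/CVE-2023-28250)'   # assumed name
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Output "Firewall rule '$ruleName' already exists."
    } else {
        $rule = @{
            DisplayName   = $ruleName
            Direction     = 'Inbound'
            Protocol      = 'TCP'
            LocalPort     = $msmqPort
            RemoteAddress = $BlockFromRemoteAddress
            Action        = 'Block'
            Profile       = 'Any'
            Enabled       = 'True'
        }
        New-NetFirewallRule @rule | Out-Null
        Write-Output ("Firewall rule '{0}' created (blocking from: {1})." -f $ruleName, ($BlockFromRemoteAddress -join ', '))
    }
}
```

Two points worth keeping in mind. Disabling the service removes the exposure entirely, while a port block only limits who can reach it, so prefer `-DisableMsmq` where MSMQ is genuinely unused. And because a Block rule wins over any Allow rule in Windows Firewall, "block from suspicious sources" has to be expressed as the scope of the block rule (`-BlockFromRemoteAddress`), not as a block-all rule paired with allow exceptions, which would cut off legitimate MSMQ clients too.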
