Microsoft patches include two bugs already exploited

Two bugs under active exploitation are included in today’s Microsoft Patch Tuesday collection of 76 fixes.

There’s a touch of nostalgia to be found in the bugs: CVE-2023-23415 looks like a “ping of death”.

It’s an ICMP remote code execution (RCE) bug with a CVSS score of 9.8, and would be exploited by sending a fragment inside another ICMP packet to the target.

Successful exploitation needs an application on the target to be bound to a raw TCP/IP socket.

A Microsoft Outlook privilege escalation, CVE-2023-23397, is rated critical with a CVSS score of 9.1 and Microsoft said it has been exploited in the wild.

It’s a spoofing attack which Microsoft describes this way: “An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.”

The vulnerability is exploited by getting the Outlook client to process a malicious email, and can lead to exploitation before the attack message is viewed in the Preview Pane.

CVE-2023-23392 is an RCE vulnerability in the Windows Server HTTP protocol stack.

Microsoft provides only scant detail about the vulnerability, but does note that it first appeared in Windows Server 2022, because it requires the HTTP/3 protocol to be enabled with the server using buffered I/O. 

CVE-2023-21708 also carries a 9.8 CVSS rating.

“An unauthenticated attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service," Microsoft said.

Microsoft also recommends blocking TCP port 135 at the perimeter to mitigate the vulnerability.

A vulnerability in Windows Cryptographic Services, CVE-2023-23416, is rated critical but can only be exploited if the attacker gets a user to import a malicious certificate to their machine.

The second bug listed as under exploitation only carries a CVSS score of 5.4: CVE-2023-24880 is a Mark of the Web bug that would let an attacker bypass Windows SmartScreen.

The full list of security updates is here.