A day after the February Patch Tuesday, security researchers indicated that two of the three Microsoft CVEs that made the Cybersecurity Infrastructure and Security Agency's Known Exploited Vulnerabilities (KEV) catalog are vulnerabilities that would let attackers escalate privileges to the SYSTEM level.
The two CVEs that could let attackers reach the SYSTEM level are CVE-2023-23376 and CVE-2023-21823. The former was an elevation of privilege vulnerability in the Windows Common Log File System Driver, and the latter was a vulnerability in the Windows Graphics Component. The other Microsoft CVE that made the KEV catalog was a security feature bypass in Microsoft Publisher CVE-2023-21715
Ryan Cribelar, a vulnerability research engineer at Nucleus Security, explained that by gaining SYSTEM access, an attacker can pair the vulnerability with a code execution and move laterally throughout a network.
“So in Phase 1 they would take over the machine and in Phase 2 they could move laterally,” Cribelar said. “If a ransomware campaign actor were to put together this exploit with another bug that allows them to move across the machine, that’s where a ransomware campaign could succeed at its highest level.”
Casey Ellis, founder and CTO at Bugcrowd, added that CVE-2023-23376 certainly looks like the worst vulnerability of the lot given the ubiquity of the vulnerable components, its low complexity to exploit, and the fact that it’s likely to lead to SYSTEM-level privilege, the highest available on a Windows machine.
“The vulnerability is a local privilege escalation bug, which means it requires an attacker to have some form of existing access to the system they are wanting to attack,” Ellis said. “However, there are a very wide variety of far more common exploits and methods available to achieve this.”
Chris Goettl, vice president of product management at Ivanti, added that CVE-2023-21823 was rated as "Important" and affects Windows 10 and Server 2008 and later Windows editions. It also affects Microsoft Office for iOS, Android and Universal. “Windows customers are urged to update to the latest OS version,” said Goettl. “For the app updates Microsoft included additional notes regarding how to update through the Microsoft Store or Play Store.”
Goettl also pointed out that security pros should focus on the four CVEs (none of which were exploited in the wild) that affect Microsoft Exchange, pointing out that there have been two significant attacks on Exchange in the past two years and he anticipated another such attack in the first six months of 2023.