Overview
On May 10, NSFOCUS CERT observed that Microsoft had released its May security update, which fixes 38 security issues in Win32k, Windows OLE, Microsoft SharePoint Server, Windows Pragmatic General Multicast (PGM) and other widely used products, including high-risk vulnerability types such as privilege escalation and remote code execution.
Of the vulnerabilities fixed in this month's update, 6 are rated Critical and 32 Important, and 3 are zero-day vulnerabilities:
- Win32k Privilege Escalation Vulnerability (CVE-2023-29336)
- Secure Boot Security Feature Bypass Vulnerability (CVE-2023-24932)
- Windows OLE Remote Code Execution Vulnerability (CVE-2023-29325)
Please apply the patches as soon as possible. See the appendix for the complete list of vulnerabilities.
Reference link: https://msrc.microsoft.com/update-guide/releaseNote/2023-May
Key Vulnerabilities
Based on product popularity and vulnerability severity, we have identified the vulnerabilities in this update with the greatest impact. Affected users are advised to pay close attention to them:
Win32k Privilege Escalation Vulnerability (CVE-2023-29336):
Because Win32k does not properly enforce security restrictions, a local attacker with low privileges can exploit this vulnerability to bypass those restrictions and gain SYSTEM privileges on the target system without user interaction. The vulnerability has been detected being exploited in the wild, with a CVSS score of 7.8.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29336
Secure Boot Security Feature Bypass Vulnerability (CVE-2023-24932):
This vulnerability is exploited by the BlackLotus UEFI bootkit, malware that is implanted and loaded during the earliest stage of the boot sequence. An attacker with physical access or administrative privileges on the target device can install an affected boot policy, and an attacker who successfully exploits this vulnerability can bypass Secure Boot. The vulnerability has been detected being exploited in the wild, with a CVSS score of 6.7.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932
Windows OLE Remote Code Execution Vulnerability (CVE-2023-29325):
Windows OLE contains a remote code execution vulnerability. An attacker can craft a malicious email; if a user on an affected system is induced to open or preview that email in an affected version of Outlook, an unauthenticated attacker can exploit the vulnerability to execute arbitrary code on the target system. Microsoft also notes that the Preview Pane is an attack vector. The CVSS score is 8.1.
Official announcement link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29325
Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVE-2023-24903):
Windows Secure Socket Tunneling Protocol (SSTP) contains a remote code execution vulnerability. Because of insufficient security restrictions in SSTP, an unauthenticated remote attacker can send malicious packets to an SSTP server in certain configurations, ultimately achieving arbitrary code execution on the target server. The CVSS score is 8.1.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24903
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (CVE-2023-24943):
Windows Pragmatic General Multicast (PGM) contains a remote code execution vulnerability. When the Windows Message Queuing service is running in a PGM environment, an unauthenticated attacker can send a specially crafted file over the network to achieve remote code execution. The CVSS score is 9.8.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24943
Windows Network File System Remote Code Execution Vulnerability (CVE-2023-24941):
The Windows Network File System contains a remote code execution vulnerability. An unauthenticated remote attacker can exploit it through a specially crafted call to achieve remote code execution without user interaction. The CVSS score is 9.8.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24941
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2023-28283):
Windows Lightweight Directory Access Protocol (LDAP) contains a remote code execution vulnerability that an unauthenticated remote attacker can trigger with a crafted LDAP call, ultimately executing arbitrary code in the context of the LDAP service. The CVSS score is 8.1.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28283
Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2023-24955):
Microsoft SharePoint Server contains a remote code execution vulnerability. An authenticated attacker can create a site containing crafted code; successful exploitation leads to remote code execution on the target server. The CVSS score is 7.2.
Official announcement link:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24955
Scope of Impact
The following lists the affected product versions for the key vulnerabilities above. For the full scope of each vulnerability, refer to the official announcement link.
Vulnerability number | Affected product version |
CVE-2023-29336 | Windows Server 2012 R2 (Server Core installation); Windows Server 2012 R2; Windows Server 2012 (Server Core installation); Windows Server 2012; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation); Windows Server 2008 for x64-based Systems Service Pack 2; Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation); Windows Server 2008 for 32-bit Systems Service Pack 2; Windows Server 2016 (Server Core installation); Windows Server 2016; Windows 10 Version 1607 for x64-based Systems; Windows 10 Version 1607 for 32-bit Systems; Windows 10 for x64-based Systems; Windows 10 for 32-bit Systems |
CVE-2023-24932, CVE-2023-29325, CVE-2023-24903, CVE-2023-24943, CVE-2023-28283 | Windows Server 2012 R2 (Server Core installation); Windows Server 2012 R2; Windows Server 2012 (Server Core installation); Windows Server 2012; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation); Windows Server 2008 for x64-based Systems Service Pack 2; Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation); Windows Server 2008 for 32-bit Systems Service Pack 2; Windows Server 2016 (Server Core installation); Windows Server 2016; Windows 10 Version 1607 for x64-based Systems; Windows 10 Version 1607 for 32-bit Systems; Windows 10 for x64-based Systems; Windows 10 for 32-bit Systems; Windows 10 Version 22H2 for 32-bit Systems; Windows 10 Version 22H2 for ARM64-based Systems; Windows 10 Version 22H2 for x64-based Systems; Windows 11 Version 22H2 for x64-based Systems; Windows 11 Version 22H2 for ARM64-based Systems; Windows 10 Version 21H2 for x64-based Systems; Windows 10 Version 21H2 for ARM64-based Systems; Windows 10 Version 21H2 for 32-bit Systems; Windows 11 Version 21H2 for ARM64-based Systems; Windows 11 Version 21H2 for x64-based Systems; Windows 10 Version 20H2 for ARM64-based Systems; Windows 10 Version 20H2 for 32-bit Systems; Windows 10 Version 20H2 for x64-based Systems; Windows Server 2022 (Server Core installation); Windows Server 2022; Windows Server 2019 (Server Core installation); Windows Server 2019; Windows 10 Version 1809 for ARM64-based Systems; Windows 10 Version 1809 for x64-based Systems; Windows 10 Version 1809 for 32-bit Systems |
CVE-2023-24941 | Windows Server 2012 R2 (Server Core installation); Windows Server 2012 R2; Windows Server 2012 (Server Core installation); Windows Server 2012; Windows Server 2016 (Server Core installation); Windows Server 2016; Windows Server 2022 (Server Core installation); Windows Server 2022; Windows Server 2019 (Server Core installation); Windows Server 2019 |
CVE-2023-24955 | Microsoft SharePoint Server Subscription Edition; Microsoft SharePoint Server 2019; Microsoft SharePoint Enterprise Server 2016 |
Mitigation
Microsoft has released security patches that fix the above vulnerabilities for supported product versions. Affected users are strongly advised to install the patches as soon as possible. Official download link: https://msrc.microsoft.com/update-guide/releaseNote/2023-May
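As an added, defender-side example that is not part of the NSFOCUS advisory, the PowerShell below reports whether the components behind the network-reachable critical RCEs above (Message Queuing with PGM, Server for NFS, AD DS LDAP, RRAS/SSTP) are present on a host and lists updates installed since the May 2023 release; the service and driver names it queries are assumptions of this example, not values taken from the advisory.

```powershell
# Added exposure check (not part of the NSFOCUS advisory). Reports which of the
# components the critical RCEs above depend on are present on this host, and
# lists updates installed since the May 2023 release. Run from an elevated shell.
# Service and driver names below are assumptions made for this example.

function Get-ServiceState {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not installed' }
    return $svc.Status.ToString()
}

# Map each critical CVE to the component whose presence makes a host exposed.
$checks = @(
    @{ CVE = 'CVE-2023-24943'; Component = 'Message Queuing (MSMQ)';            Service = 'MSMQ' },
    @{ CVE = 'CVE-2023-24941'; Component = 'Server for NFS';                    Service = 'NfsService' },
    @{ CVE = 'CVE-2023-28283'; Component = 'AD DS (LDAP service)';              Service = 'NTDS' },
    @{ CVE = 'CVE-2023-24903'; Component = 'Routing and Remote Access (SSTP)';  Service = 'RemoteAccess' }
)

$report = @(foreach ($c in $checks) {
    [pscustomobject]@{
        CVE       = $c.CVE
        Component = $c.Component
        Service   = $c.Service
        State     = Get-ServiceState -Name $c.Service
    }
})

# The PGM transport itself is a kernel driver (assumed service name RMCAST);
# MSMQ is only exposed to CVE-2023-24943 when multicast support is loaded too.
$pgm = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
$report += [pscustomobject]@{
    CVE       = 'CVE-2023-24943'
    Component = 'Reliable Multicast (PGM) driver'
    Service   = 'RMCAST'
    State     = if ($pgm) { $pgm.State } else { 'not installed' }
}

$report | Format-Table -AutoSize

# Quick patch indicator: updates installed since the start of May 2023. Confirm
# the exact KB for this build against the Microsoft release note linked above.
Get-HotFix |
    Where-Object { $_.InstalledOn -ge [datetime]'2023-05-01' } |
    Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```

A host where every row reads "not installed" is still affected by the Win32k, OLE and Secure Boot issues, so the patch check applies regardless of the service report.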
Appendix: Vulnerability List
Impact product | CVE number | Vulnerability Title | Severity |
Microsoft Office SharePoint | CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
Windows LDAP – Lightweight Directory Access Protocol | CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical |
Windows Network File System | CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | Critical |
Windows OLE | CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | Critical |
Windows PGM | CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical |
Windows Secure Socket Tunneling Protocol (SSTP) | CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical |
Microsoft Bluetooth Driver | CVE-2023-24947 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important |
Microsoft Bluetooth Driver | CVE-2023-24948 | Windows Bluetooth Driver Privilege Escalation Vulnerability | Important |
Microsoft Bluetooth Driver | CVE-2023-24944 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important |
Microsoft Graphics Component | CVE-2023-24899 | Windows Graphics Component Privilege Escalation Vulnerability | Important |
Microsoft Office | CVE-2023-29344 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office Access | CVE-2023-29333 | Microsoft Access Denial of Service Vulnerability | Important |
Microsoft Office Excel | CVE-2023-24953 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2023-24954 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important |
Microsoft Office SharePoint | CVE-2023-24950 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
Microsoft Office Word | CVE-2023-29335 | Microsoft Word Security Feature Bypass Vulnerability | Important |
Microsoft Teams | CVE-2023-24881 | Microsoft Teams Information Disclosure Vulnerability | Important |
Microsoft Windows Codecs Library | CVE-2023-29340 | AV1 Video Extension Remote Code Execution Vulnerability | Important |
Microsoft Windows Codecs Library | CVE-2023-29341 | AV1 Video Extension Remote Code Execution Vulnerability | Important |
Remote Desktop Client | CVE-2023-24905 | Remote Desktop Client Remote Code Execution Vulnerability | Important |
Sysinternals | CVE-2023-29343 | Sysinternals Sysmon for Windows Privilege Escalation Vulnerability | Important |
Visual Studio Code | CVE-2023-29338 | Visual Studio Code Information Disclosure Vulnerability | Important |
Windows Backup Engine | CVE-2023-24946 | Windows Backup Service Privilege Escalation Vulnerability | Important |
Windows Installer | CVE-2023-24904 | Windows Installer Privilege Escalation Vulnerability | Important |
Windows iSCSI Target Service | CVE-2023-24945 | Windows iSCSI Target Service Information Disclosure Vulnerability | Important |
Windows Kernel | CVE-2023-24949 | Windows Kernel Privilege Escalation Vulnerability | Important |
Windows MSHTML Platform | CVE-2023-29324 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important |
Windows NFS Portmapper | CVE-2023-24901 | Windows NFS Port Mapper Information Disclosure Vulnerability | Important |
Windows NFS Portmapper | CVE-2023-24939 | Server for NFS Denial of Service Vulnerability | Important |
Windows NTLM | CVE-2023-24900 | Windows NTLM Security Support Provider Information Disclosure Vulnerability | Important |
Windows PGM | CVE-2023-24940 | Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability | Important |
Windows RDP Client | CVE-2023-28290 | Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability | Important |
Windows Remote Procedure Call Runtime | CVE-2023-24942 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
Windows Secure Boot | CVE-2023-28251 | Windows Driver Revocation List Security Feature Bypass Vulnerability | Important |
Windows Secure Boot | CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | Important |
Windows SMB | CVE-2023-24898 | Windows SMB Denial of Service Vulnerability | Important |
Windows Win32K | CVE-2023-29336 | Win32k Privilege Escalation Vulnerability | Important |
Windows Win32K | CVE-2023-24902 | Win32k Privilege Escalation Vulnerability | Important |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.