Microsoft’s May security update for multiple high-risk product vulnerabilities

May 11, 2023 | NSFOCUS

Overview

On May 10, NSFOCUS CERT detected that Microsoft had released its May security update, which fixes 38 security issues in widely used products including Win32k, Windows OLE, Microsoft SharePoint Server and Windows Pragmatic General Multicast (PGM), and covers high-risk vulnerability types such as privilege escalation and remote code execution.

Of the vulnerabilities fixed in this month's update, 6 are rated Critical and 32 Important, including 3 0-day vulnerabilities:

  • Win32k Privilege Escalation Vulnerability (CVE-2023-29336)
  • Secure Boot Security Feature Bypass Vulnerability (CVE-2023-24932)
  • Windows OLE Remote Code Execution Vulnerability (CVE-2023-29325)

Please install the patches as soon as possible for protection. Refer to the appendix for a complete list of vulnerabilities.

Reference link: https://msrc.microsoft.com/update-guide/releaseNote/2023-May

Key Vulnerabilities

Based on product popularity and vulnerability importance, we have identified vulnerabilities with significant impact in this update. Relevant users are advised to pay close attention to them:

Win32k privilege escalation vulnerability (CVE-2023-29336):

Because Win32k does not implement the correct security restrictions, a local attacker with low privileges can exploit this vulnerability to bypass those restrictions and elevate to SYSTEM privileges on the target system without user interaction. The vulnerability has been detected being exploited in the wild and has a CVSS score of 7.8.

Official announcement link:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29336

Secure Boot Security Feature Bypass Vulnerability (CVE-2023-24932):

This vulnerability is associated with the BlackLotus UEFI bootkit, whose malicious software is loaded during the initial stage of the boot sequence. Attackers with physical access to, or administrative privileges on, the target device can install an affected boot policy, and successful exploitation bypasses Secure Boot. The vulnerability has been detected being exploited in the wild and has a CVSS score of 6.7.

Official announcement link:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932

Windows OLE Remote Code Execution Vulnerability (CVE-2023-29325):

Windows OLE contains a remote code execution vulnerability that attackers can exploit with a specially crafted email. After inducing a user to open or preview the crafted email in affected Outlook software on an affected system, an unauthenticated attacker can execute arbitrary code on the target system. Microsoft also notes that the Preview Pane is an attack vector. The CVSS score is 8.1.

Official announcement link:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29325

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVE-2023-24903):

There is a remote code execution vulnerability in the Windows Secure Socket Tunneling Protocol (SSTP). Due to the security limitations of SSTP, unauthenticated remote attackers can send malicious data packets to an SSTP server in specific configurations, ultimately leading to arbitrary code execution on the target server. The CVSS score is 8.1.

Official announcement link:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24903

Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (CVE-2023-24943):

There is a remote code execution vulnerability in Windows Pragmatic General Multicast (PGM). When the Windows Message Queuing service runs in a PGM environment, an unauthenticated attacker can send a crafted file over the network and ultimately achieve remote code execution. The CVSS score is 9.8.

Official announcement link:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24943

Windows Network File System remote code execution vulnerability (CVE-2023-24941):

There is a remote code execution vulnerability in the Windows Network File System. Unauthenticated remote attackers can exploit it through a specially crafted call and achieve remote code execution without user interaction. The CVSS score is 9.8.

Official announcement link:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24941

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2023-28283):

There is a remote code execution vulnerability in Windows Lightweight Directory Access Protocol (LDAP), which can be triggered by unauthorized remote attackers through crafted LDAP calls, ultimately leading to the execution of arbitrary code in the context of the LDAP service. The CVSS score is 8.1.

Official announcement link:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28283

Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2023-24955):

There is a remote code execution vulnerability in Microsoft SharePoint Server, which allows authenticated attackers to create a site using crafted code. Successful exploitation of the vulnerability can lead to remote code execution on the target server. The CVSS score is 7.2.

Official announcement link:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24955

Scope of Impact

The following lists the affected product versions for the key vulnerabilities. For the other products affected by vulnerabilities in this update, please refer to the official announcement link.

Vulnerability number: Affected product versions

CVE-2023-29336:

  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 for 32-bit Systems

CVE-2023-24932, CVE-2023-29325, CVE-2023-24903, CVE-2023-24943, CVE-2023-28283:

  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 for 32-bit Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 11 version 21H2 for ARM64-based Systems
  • Windows 11 version 21H2 for x64-based Systems
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems

CVE-2023-24941:

  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019

CVE-2023-24955:

  • Microsoft SharePoint Server Subscription Edition
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016

Mitigation

At present, Microsoft has officially released security patches to fix the above vulnerabilities for supported product versions. It is strongly recommended that affected users install the patch as soon as possible for protection. The official download link is: https://msrc.microsoft.com/update-guide/releaseNote/2023-May

Appendix: Vulnerability List

Affected product | CVE number | Vulnerability title | Severity
Microsoft Office SharePoint | CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical
Windows LDAP – Lightweight Directory Access Protocol | CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Critical
Windows Network File System | CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | Critical
Windows OLE | CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | Critical
Windows PGM | CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical
Windows Secure Socket Tunneling Protocol (SSTP) | CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical
Microsoft Bluetooth Driver | CVE-2023-24947 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important
Microsoft Bluetooth Driver | CVE-2023-24948 | Windows Bluetooth Driver Privilege Escalation Vulnerability | Important
Microsoft Bluetooth Driver | CVE-2023-24944 | Windows Bluetooth Driver Information Disclosure Vulnerability | Important
Microsoft Graphics Component | CVE-2023-24899 | Windows Graphics Component Privilege Escalation Vulnerability | Important
Microsoft Office | CVE-2023-29344 | Microsoft Office Remote Code Execution Vulnerability | Important
Microsoft Office Access | CVE-2023-29333 | Microsoft Access Denial of Service Vulnerability | Important
Microsoft Office Excel | CVE-2023-24953 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2023-24954 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important
Microsoft Office SharePoint | CVE-2023-24950 | Microsoft SharePoint Server Spoofing Vulnerability | Important
Microsoft Office Word | CVE-2023-29335 | Microsoft Word Security Feature Bypass Vulnerability | Important
Microsoft Teams | CVE-2023-24881 | Microsoft Teams Information Disclosure Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2023-29340 | AV1 Video Extension Remote Code Execution Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2023-29341 | AV1 Video Extension Remote Code Execution Vulnerability | Important
Remote Desktop Client | CVE-2023-24905 | Remote Desktop Client Remote Code Execution Vulnerability | Important
SysInternals | CVE-2023-29343 | SysInternals Sysmon for Windows Privilege Escalation Vulnerability | Important
Visual Studio Code | CVE-2023-29338 | Visual Studio Code Information Disclosure Vulnerability | Important
Windows Backup Engine | CVE-2023-24946 | Windows Backup Service Privilege Escalation Vulnerability | Important
Windows Installer | CVE-2023-24904 | Windows Installer Privilege Escalation Vulnerability | Important
Windows iSCSI Target Service | CVE-2023-24945 | Windows iSCSI Target Service Information Disclosure Vulnerability | Important
Windows Kernel | CVE-2023-24949 | Windows Kernel Privilege Escalation Vulnerability | Important
Windows MSHTML Platform | CVE-2023-29324 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important
Windows NFS Portmapper | CVE-2023-24901 | Windows NFS Portmapper Information Disclosure Vulnerability | Important
Windows NFS Portmapper | CVE-2023-24939 | Server for NFS Denial of Service Vulnerability | Important
Windows NTLM | CVE-2023-24900 | Windows NTLM Security Support Provider Information Disclosure Vulnerability | Important
Windows PGM | CVE-2023-24940 | Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability | Important
Windows RDP Client | CVE-2023-28290 | Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability | Important
Windows Remote Procedure Call Runtime | CVE-2023-24942 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important
Windows Secure Boot | CVE-2023-28251 | Windows Driver Revocation List Security Feature Bypass Vulnerability | Important
Windows Secure Boot | CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | Important
Windows SMB | CVE-2023-24898 | Windows SMB Denial of Service Vulnerability | Important
Windows Win32K | CVE-2023-29336 | Win32k Privilege Escalation Vulnerability | Important
Windows Win32K | CVE-2023-24902 | Win32k Privilege Escalation Vulnerability | Important

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
