Last updated at Tue, 03 Sep 2024 19:59:59 GMT

Microsoft is offering fixes for 101 security issues for March 2023 Patch Tuesday, including two zero-day vulnerabilities; the most interesting of the two zero-day vulnerabilities is a flaw in Outlook which allows an attacker to authenticate against arbitrary remote resources as another user.

CVE-2023-23397 describes a Critical Elevation of Privilege vulnerability affecting Outlook for Windows, which is concerning for several reasons. Microsoft has detected in-the-wild exploitation by a Russia-based threat actor targeting government, military, and critical infrastructure targets in Europe.

An attacker could use a specially-crafted email to cause Outlook to send NTLM authentication messages to an attacker-controlled SMB share, and can then use that information to authenticate against other services offering NTLM authentication. Given the network attack vector, the ubiquity of SMB shares, and the lack of user interaction required, an attacker with a suitable existing foothold on a network may well consider this vulnerability a prime candidate for lateral movement.

The vulnerability was discovered by Microsoft Threat Intelligence, who have published a Microsoft Security Research Center blog post describing the issue in detail, and which provides a Microsoft script and accompanying documentation to detect if an asset has been compromised using CVE-2023-23397.

Current self-hosted versions of Outlook – including Microsoft 365 Apps for Enterprise – are vulnerable to CVE-2023-23397, but Microsoft-hosted online services (e.g., Microsoft 365) are not vulnerable. Microsoft has calculated a CVSSv3 base score of 9.8.

The other zero-day vulnerability this month, CVE-2023-24880, describes a Security Feature Bypass in Windows SmartScreen, which is part of Microsoft’s slate of endpoint protection offerings. A specially crafted file could avoid receiving Mark of the Web and thus dodge the enhanced scrutiny usually applied to files downloaded from the internet.

Although Microsoft has seen in-the-wild exploitation, and original reporter Google TAG has linked CVE-2023-24880 to delivery of Magniber malware, Microsoft has assessed it as only Moderate severity – the only one this month – and assigned it a relatively low CVSSv3 base score of 5.4; the low impact ratings and requirement for user interaction contribute to the lower scoring. This vulnerability thus has the unusual distinction of being both an exploited-in-the-wild zero-day vulnerability and also the lowest-ranked vulnerability on Microsoft's severity scale in this month's Patch Tuesday. Only more recent versions of Windows are affected: Windows 10 and 11, as well as Server 2016 onwards.

A further five critical Remote Code Execution (RCE) vulnerabilities are patched this month in Windows low-level components. Three of these are assessed as Exploitation More Likely, and most of them affect a wide range of Windows versions, with the exception of CVE-2023-23392 which affects only Windows 11 and Windows Server 2022. Only assets where HTTP/3 has been enabled are potentially vulnerable – it is disabled by default – yet Microsoft still assesses this vulnerability as Exploitation More Likely, perhaps because HTTP endpoints are typically accessible.

CVE-2023-21708 is a Remote Procedure Call (RPC) vulnerability with a base CVSSv3 of 9.8. Microsoft recommends blocking TCP port 135 at the perimeter as a mitigation; given the perennial nature of RPC vulnerabilities, defenders will know that this has always been good advice.

Another veteran class of vulnerability makes a return this month: CVE-2023-23415 describes an attack involving a fragmented packet inside the header of another ICMP packet. Insufficient validation of ICMP packets has been a source of vulnerabilities since the dawn of time; the original and still-infamous Ping of Death vulnerability, which affected a wide range of vendors and operating systems, was one of the first vulnerabilities ever to be assigned a CVE, way back in 1999.

Rounding out the remaining Critical RCE vulnerabilities this month are a malicious certificate attack leading to Arbitrary Code Execution (ACE), and an attack against Windows Remote Access Server (RAS) which happily requires the attacker to win a race condition and is thus harder to exploit.

Microsoft has addressed two related vulnerabilities introduced via the Trusted Platform Module (TPM) 2.0 reference implementation code published by the Trusted Computing Group industry alliance. CVE-2023-1017 is an out-of-bounds write, and CVE-2023-1018 is an out-of-bounds read. Both may be triggered without elevated privileges, and may allow an attacker to access or modify highly-privileged information inside the TPM itself. Defenders managing non-Microsoft assets should note that a wide range of vendors including widely used Linux distros are also affected by this pair of vulnerabilities.

Admins who still remember the aptly-named PrintNightmare vulnerability from the summer of 2021 may well raise a wary eyebrow at this month’s batch of 18 fixes for the Microsoft PostScript and PCL6 Class Printer Driver, but there’s no sign that any of these are cause for the same level of concern, not least because there has been no known public disclosure prior to Microsoft releasing patches.

Azure administrators who update their Service Fabric Cluster manually should note that CVE-2023-23383 describes a spoofing vulnerability in the web management client where a user clicking a suitably-crafted malicious link could unwittingly execute actions against the remote cluster. Azure estates with automatic upgrades enabled are already protected.

Summary charts

A bar chart showing vulnerability count by severity for Microsoft Patch Tuesday March 2023. Most are rated Important, with some Critical, a single Moderate and none ranked Low at all.
Lots of Important vulnerabilities

A bar chart showing vulnerability count by impact for Microsoft Patch Tuesday March 2023. Many are categorized as either Remote Code Execution or Elevation of Privilege, with some Information Disclosure and Spoofing and a few other options.
Remote Code Execution and Elevation of Privilege vulnerabilities remain a key focus

A bar chart showing vulnerability count by component for Microsoft Patch Tuesday March 2023. Microsoft Edge and the Microsoft PostScript Printer Driver are the most frequent components.
As always, vulnerability count is not necessarily a proxy for risk or exposure
A heatmap showing vulnerability count by component and impact for Microsoft Path Tuesday March 2023. Printer drivers, Microsoft Dynamics, and the Windows Kernel stand out from the pack.
Printer drivers and Microsoft Dynamics received a significant number of fixes

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24890 Microsoft OneDrive for iOS Security Feature Bypass Vulnerability No No 6.5

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23383 Service Fabric Explorer Spoofing Vulnerability No No 8.2
CVE-2023-23408 Azure Apache Ambari Spoofing Vulnerability No No 4.5

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24892 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability No No 7.1
CVE-2023-1236 Chromium: CVE-2023-1236 Inappropriate implementation in Internals No No N/A
CVE-2023-1235 Chromium: CVE-2023-1235 Type Confusion in DevTools No No N/A
CVE-2023-1234 Chromium: CVE-2023-1234 Inappropriate implementation in Intents No No N/A
CVE-2023-1233 Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing No No N/A
CVE-2023-1232 Chromium: CVE-2023-1232 Insufficient policy enforcement in Resource Timing No No N/A
CVE-2023-1231 Chromium: CVE-2023-1231 Inappropriate implementation in Autofill No No N/A
CVE-2023-1230 Chromium: CVE-2023-1230 Inappropriate implementation in WebApp Installs No No N/A
CVE-2023-1229 Chromium: CVE-2023-1229 Inappropriate implementation in Permission prompts No No N/A
CVE-2023-1228 Chromium: CVE-2023-1228 Insufficient policy enforcement in Intents No No N/A
CVE-2023-1224 Chromium: CVE-2023-1224 Insufficient policy enforcement in Web Payments API No No N/A
CVE-2023-1223 Chromium: CVE-2023-1223 Insufficient policy enforcement in Autofill No No N/A
CVE-2023-1222 Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API No No N/A
CVE-2023-1221 Chromium: CVE-2023-1221 Insufficient policy enforcement in Extensions API No No N/A
CVE-2023-1220 Chromium: CVE-2023-1220 Heap buffer overflow in UMA No No N/A
CVE-2023-1219 Chromium: CVE-2023-1219 Heap buffer overflow in Metrics No No N/A
CVE-2023-1218 Chromium: CVE-2023-1218 Use after free in WebRTC No No N/A
CVE-2023-1217 Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting No No N/A
CVE-2023-1216 Chromium: CVE-2023-1216 Use after free in DevTools No No N/A
CVE-2023-1215 Chromium: CVE-2023-1215 Type Confusion in CSS No No N/A
CVE-2023-1214 Chromium: CVE-2023-1214 Type Confusion in V8 No No N/A
CVE-2023-1213 Chromium: CVE-2023-1213 Use after free in Swiftshader No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23946 GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability No No N/A
CVE-2023-23618 GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability No No N/A
CVE-2023-22743 GitHub: CVE-2023-22743 Git for Windows Installer Elevation of Privilege Vulnerability No No N/A
CVE-2023-22490 GitHub: CVE-2023-22490 mingit Information Disclosure Vulnerability No No N/A

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21708 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 9.8
CVE-2023-23415 Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability No No 9.8
CVE-2023-23405 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1
CVE-2023-24908 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1
CVE-2023-24869 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1
CVE-2023-23401 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2023-23402 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2023-23420 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23421 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23422 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23423 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23410 Windows HTTP.sys Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23407 Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability No No 7.1
CVE-2023-23414 Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability No No 7.1
CVE-2023-23385 Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability No No 7
CVE-2023-24861 Windows Graphics Component Elevation of Privilege Vulnerability No No 7
CVE-2023-24862 Windows Secure Channel Denial of Service Vulnerability No No 5.5
CVE-2023-23394 Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability No No 5.5
CVE-2023-23409 Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability No No 5.5

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24922 Microsoft Dynamics 365 Information Disclosure Vulnerability No No 6.5
CVE-2023-24919 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-24879 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-24920 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-24891 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-24921 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 4.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23397 Microsoft Outlook Elevation of Privilege Vulnerability Yes No 9.8
CVE-2023-24930 Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23399 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-23398 Microsoft Excel Spoofing Vulnerability No No 7.1
CVE-2023-23396 Microsoft Excel Denial of Service Vulnerability No No 6.5
CVE-2023-23391 Office for Android Spoofing Vulnerability No No 5.5
CVE-2023-24923 Microsoft OneDrive for Android Information Disclosure Vulnerability No No 5.5
CVE-2023-24882 Microsoft OneDrive for Android Information Disclosure Vulnerability No No 5.5
CVE-2023-23395 Microsoft SharePoint Server Spoofing Vulnerability No No 3.1

Microsoft Office ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24910 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23389 Microsoft Defender Elevation of Privilege Vulnerability No No 6.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23392 HTTP Protocol Stack Remote Code Execution Vulnerability No No 9.8
CVE-2023-24871 Windows Bluetooth Service Remote Code Execution Vulnerability No No 8.8
CVE-2023-23388 Windows Bluetooth Driver Elevation of Privilege Vulnerability No No 8.8
CVE-2023-23403 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-23406 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-23413 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24867 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24907 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24868 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24909 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24872 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24913 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24876 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24864 Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability No No 8.8
CVE-2023-1018 CERT/CC: CVE-2023-1018 TPM2.0 Module Library Elevation of Privilege Vulnerability No No 8.8
CVE-2023-1017 CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability No No 8.8
CVE-2023-23416 Windows Cryptographic Services Remote Code Execution Vulnerability No No 8.4
CVE-2023-23404 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-23418 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23419 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23417 Windows Partition Management Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23412 Windows Accounts Picture Elevation of Privilege Vulnerability No No 7.8
CVE-2023-24859 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5
CVE-2023-23400 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2023-23393 Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability No No 7
CVE-2023-23411 Windows Hyper-V Denial of Service Vulnerability No No 6.5
CVE-2023-24856 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24857 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24858 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24863 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24865 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24866 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24906 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24870 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24911 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24880 Windows SmartScreen Security Feature Bypass Vulnerability Yes Yes 5.4

Note that Microsoft has not provided CVSSv3 scores for vulnerabilities in Chromium, which is an open-source software consumed by Microsoft Edge. Chrome, rather than Microsoft, is the assigning CNA for Chromium vulnerabilities. Microsoft documents this class of vulnerability in the Security Upgrade Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.