April Patch Tuesday: Ransomware gangs are already exploiting this Windows bug

Microsoft fixed 97 security vulnerabilities today for April’s Patch Tuesday, including one that has already been discovered and exploited by criminals attempting to deploy Nokoyawa ransomware.

Redmond rated seven of the now patched vulnerabilities as “critical” and the others as simply “significant”.

Microsoft, as usual, did not disclose the extent of the attacks against CVE-2023-28252, an elevation-of-privilege bug in the Windows Common Log File System (CLFS) driver, but infosec researchers say they have spotted attempts to deploy Nokoyawa ransomware through this security hole.

As Microsoft warned: “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” And according to Kaspersky, a team of cybercriminals is trying to use this vulnerability to help spread ransomware among targets in retail and wholesale, energy, manufacturing, healthcare and software development, among other industries. The flaw is similar to another privilege escalation bug patched by Microsoft in February.

“To me, this implies that the original patch was insufficient and that the attackers found a method to circumvent this patch,” said Dustin Childs of Zero Day Initiative.

All seven bugs rated critical are Remote Code Execution (RCE) vulnerabilities. So, while Microsoft has yet to detect any exploits in the wild for these, malefactors could use them to cause serious havoc. Especially since Exploit Wednesday quickly follows Patch Tuesday.

One of the critical flaws, CVE-2023-21554, is an RCE that affects servers that have Microsoft’s Message Queuing service enabled. It received a CVSS severity rating of 9.8 out of 10, and Redmond calls it a “most likely exploitation.” While the Message Queuing service is disabled by default, Childs says it’s commonly used by contact center apps. “It listens on TCP port 1801 by default, so blocking it at the perimeter would prevent external attacks,” he explained.

In addition, a pair of critical Layer 2 Tunneling Protocol RCEs, CVE-2023-28220 and CVE-2023-28219, which affect Windows Remote Access (RAS) servers, are also marked as “most likely exploitation”.

“An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine,” Redmond noted.

According to Immersive Labs Director of Cyber Threat Research Kev Breen, although RAS servers are not standard in organizations, those that do exist are usually directly reachable from the internet.

“That makes it extremely attractive to attackers because they don’t have to socially navigate their way through an organization,” Breen told The Register. “They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices.”

In other words, if you use these services, fix them quickly.
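Before relying on a perimeter block, it helps to know whether a given Windows host actually runs Message Queuing or RAS and what is talking to them. The script below is an added example, not something from the article or from Microsoft; it assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later (where the NetTCPIP and NetSecurity modules exist) and reports, without changing anything, the MSMQ and RemoteAccess service state, any listener on TCP 1801, its current peers, and any host-firewall rule already scoped to that port.

```powershell
# Added example (not from the article): inventory MSMQ and RAS exposure on one Windows host.
# Assumptions: elevated session; NetTCPIP and NetSecurity modules available (Win 8.1 / 2012 R2+).

# 1. Is the Message Queuing service present, and is it running?
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($null -eq $msmq) {
    Write-Output "MSMQ service not installed on this host"
} else {
    Write-Output ("MSMQ service: {0} (start type {1})" -f $msmq.Status, $msmq.StartType)
}

# 2. Is anything listening on TCP 1801 (MSMQ's default port), and which process owns it?
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing listening on TCP 1801"
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ("Listening on {0}:1801, PID {1} ({2})" -f $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
}

# 3. Who is currently connected to 1801? Unexpected external peers are worth a closer look.
Get-NetTCPConnection -LocalPort 1801 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize

# 4. Does any host-firewall rule already reference TCP 1801?
#    (This complements, rather than replaces, blocking the port at the perimeter.)
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '1801' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Format-Table -AutoSize

# 5. Same question for Routing and Remote Access, the service behind the L2TP RAS bugs above.
$ras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($null -eq $ras) {
    Write-Output "RemoteAccess (RAS) service not installed on this host"
} else {
    Write-Output ("RemoteAccess service: {0} (start type {1})" -f $ras.Status, $ras.StartType)
}
```

Run it across the fleet (for example via a remoting session) to build the list of hosts that need the MSMQ and RAS patches applied first.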

And remember that Microsoft’s rating system for security vulnerabilities differs from the Common Vulnerability Scoring System classifications.

Adobe fixes 56 CVEs

Adobe, meanwhile, issued six bulletins for 56 CVEs in Acrobat and Reader, Adobe Digital Editions, InCopy, Substance 3D Designer, Substance 3D Stager, and Adobe Dimension.

The Acrobat and Reader security bulletin fixes 16 CVEs, 14 of which are critical RCEs; successful exploitation could lead to arbitrary code execution, elevation of privilege, security feature bypass, and memory leaks.

A patch for Digital Editions fixes a critical code execution bug, and the bulletin for InCopy also fixes a single critical code execution flaw.

The alert for Substance 3D Designer fixes nine critical bugs, while the update for Substance 3D Stager fixes 14 CVEs, 10 of which are critical.

And finally, the Adobe Dimension update fixes 15 flaws, 14 of which could lead to the execution of arbitrary code, while the other could lead to a memory leak.

None of Adobe’s flaws are listed as publicly known or under active attack.

SAP publishes 19 security notes

SAP’s April Security Patch Day included 19 new security notes [PDF]. Note #3305369 received the maximum CVSS score of 10 and relates to two flaws in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector).

Onapsis Research Labs (ORL) spotted the pair of bugs and says they could allow an unauthenticated user to run scripts on diagnostic agents connected to SAP Solution Manager. “In conjunction with insufficient input validation, the attackers were able to execute malicious commands on all monitored SAP systems, which has a significant impact on their confidentiality, integrity and availability,” said researcher Thomas Fritsch.

Google fixes flaws in Chrome, Android OS

Google made a number of security patches for Android OS and Chrome this month. This includes two critical bugs in the Android System component “that could lead to remote code execution (proximal/adjacent) without additional execution privileges needed,” according to the April Android Security Bulletin.

Additionally, no user interaction is required to exploit these bugs.

“Depending on the privileges associated with the user, an attacker could then install programs; view, modify, or delete data; or create new accounts with full user rights,” the Center for Internet Security warned in its advisory on the Android vulnerabilities.

Meanwhile, the Chrome update includes 16 security patches, the most serious of which could allow arbitrary code execution.

But wait, there’s more… AMD has addressed medium issue CVE-2023-1018 (read out of bounds) and high severity issue CVE-2023-1017 (write out of bounds) in its TPM 2.0 module library. This affects second generation Threadripper processors. Users are advised to update their BIOS to close the holes, which can be exploited to read sensitive data in the TPM or execute code in its context. Which isn’t great.

Cisco closes the patch party

And finally, Cisco joined the patch party this month with 17 new and updated security alerts addressing 40 flaws.

Only one of these alerts is marked as critical and addresses two vulnerabilities in the API and web management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) that the vendor first disclosed in July 2022. If exploited, the bugs “could allow a remote attacker to overwrite arbitrary files or perform null-byte poisoning attacks on an affected device,” the networking giant noted.

Cisco has released software updates that correct both defects and says there is no workaround. ®

