Patch Tuesday is back! I have been doing this series for some time, and my themes are getting thin, to say the least. With that in mind, did you know March is named after a god of war? So I am declaring war on security holes ... or something. I’m already tired of this theme, so here are some updates about what’s getting patched this month.
Total exploits patched: 81
Critical patches: 9
Already known or exploited: 2
Apparently, the war is not going well: 81 is a very reasonable number of patches for a month, but there are several 9.8 risks this month that are a very large concern. Here are the lowlights for you to peruse at your leisure.
Some highlights (or lowlights)
CVE-2023-23397: We are covering a lot of 9.8 CVSS threats this month, but this one earned top billing as it has already been actively exploited. This exploit is an elevation of privilege for Outlook. Normally, when you see Outlook ranking this high, you assume it’s because it can be executed in the preview pane. It’s worse than that, however; this executes BEFORE the preview pane even loads. But you do have a few mitigating options: You can add the users to the Protected Users Security Group to prevent NTLM as an authentication, or you can prevent port TCP 445/SMB from going outbound (whether on your perimeter firewall or the local firewall).
CVE-2023-23415: This is a 9.8 on the CVSS that requires no authentication, no user interaction, and can be attacked remotely. It exploits a vulnerability in ICMP. The attacker could send a fragmented packet, allowing them to run code against that system. One slight mitigating factor: it must attack an application tied to a raw socket (a socket that allows access to the underlying transport provider). You may want to dig up this information before you decide how hard to panic right now.
CVE-2023-21708: This is another 9.8 CVSS that also requires no user interaction, no permissions, and has a remote attack vector. That's an ongoing theme of these lowlights. This one attacks the RPC protocol. It allows the attacker to execute code at the same permissions as the RPC service. The best mitigation listed is to block TCP 135 on your perimeter firewall, which you've hopefully already done, but pop on by your network admin’s desk and double-check before you feel all safe and secure.
CVE-2023-23392: This critical exploit is the third 9.8 on the CVSS score. It is a remote code execution attacking the HTTP protocol stack. This one requires no authentication or user interaction, and the attacker can do it remotely. Those are all the indicators of a zero-day/wormable exploit. However, it has a mitigating factor that keeps it from being a full zero-day: It requires both HTTP/3 and use buffered I/O. HTTP/3 is not on by default and requires a registry change to implement. If you are using these, then fly like the wind to patch!
Now that I’m here, I can see that war was a terrible choice — so I’m changing themes mid-blog. So make sure you patch your labs first or else you might need to roll back your servers. (Get it? Because daylight saving time! I’ll be honest; I have no idea if that horrible joke even lands outside of the United States as the entire concept of daylight saving is … very silly.)
As you can see from this blog, I go off the rails when I lack structure. But do you know what is structured? Automating out your Patch Tuesday stress. If you’re looking to do that, I would recommend looking at the best damn products on the market: PDQ Deploy and PDQ Inventory. Now get out of here before I go into a third theme. Nobody wants me waxing poetic about the vernal equinox or Pi Day.
Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet while drinking most Thursdays on the PDQ webcast.