February’s Patch Tuesday Brings 3 Zero-Days and More Woes for Exchange Server Admins

17 Feb, 2021
36 Comments

February’s Patch Tuesday Brings 3 Zero-Days and More Woes for Exchange Server Admins

February’s Patch Tuesday is undoubtedly headlined by three zero-days and several important vulnerabilities in Microsoft Exchange Server that allow remote code execution for authenticated attackers. Nothing has been exploited yet, but it’s a fairly safe bet that will be.

Apart from the Exchange Server vulnerabilities, February sees 76 vulnerabilities fixed by Microsoft, 7 of which are critical and 3 actively exploited zero-days, which you’ll want to patch within 24 hours of release, ideally. One of the zero-days is CVE-2023-23376, an important vulnerability in Windows Common Log File System driver that affects most versions of Windows 10 and 11, as well as Server 2008-2022. The vulnerability allows attackers to elevate to SYSTEM privileges on unpatched endpoints.

There’s also a critical, CVSSv3.1 9.8/10 vulnerability in Microsoft’s Protected Extensible Authentication Protocol (PEAP) that allows remote code execution without privileges or user interaction. Only organizations that have clients with NPS running and have a network policy that allows PEAP are vulnerable. Since this vulnerability is very likely to be targeted and is relatively simple for attackers to exploit, we recommend patching or ensuring that PEAP is not configured as an allowed EAP type in your network policy.

Organizations using Microsoft 365 Applications for Enterprise should also fix CVE-2023-21715 within 24 hours. This vulnerability is an actively exploited zero-day that allows attackers to craft a file to bypass Office security features and potentially execute malicious code on end-user devices if they can coerce users to download and open files on vulnerable devices via social engineering.

Microsoft Patch Tuesday Vulnerabilities: A Brief History

CVE-2023-23376 - Windows Common Log File System Driver Elevation of Privilege Vulnerability - IMPORTANT

Another elevation of privilege to rock to the boat is the Windows Common Log File System (WCLF) Driver Elevation of Privilege affecting versions of Windows 10, Windows 11 as well as Windows Server 2008, 2012, 2016, 2019, and 2022. Identified by the Microsoft Threat Intelligence Center, this vulnerability leverages existing system access to exploit a device actively and is a result of how the CLFS driver interacts with objects in memory on a system. To exploit this vulnerability successfully, a bad actor would need to log in and then execute a maliciously crafted binary to elevate the privilege level. An attacker who successfully exploits this vulnerability could then gain system privileges.

With both low attack complexity and no user interaction required, it is imperative to patch with the official fix from Microsoft as soon as possible. - Gina Geisel

CVE-2023-21529 - Microsoft Exchange Server Remote Code Execution Vulnerability - IMPORTANT

CVE-2023-21689 Remote code execution (RCE) is an attack where the attacker can access the device and execute malicious code. The impact of Remote code execution can make the attacker gain complete control over the compromised machine. This vulnerability impacts Microsoft Exchange servers (2013, 2016, and 2019).

While the attacker must authenticate to leverage the vulnerability and remotely execute malicious code, the privileges required for the attacker are low, making this vulnerability more likely to be exploited. Automox recommends patching this vulnerability within 72 hours to minimize exposure to unnecessary cyber risks. -Preetham Gurram

CVE-2023-21689 - Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability - CRITICAL

Remote code execution (RCE) is an attack where the attacker can access the device and execute malicious code. The impact of Remote code execution can make the attacker gain complete control over the compromised machine.

CVE-2023-21689 is a critical vulnerability that affects all versions of Windows desktops (Windows 10 and above) and server editions (Server 2008 R2 and above). This vulnerability allows the attacker to target the server accounts to trigger malicious code through a network call.

Additionally, this vulnerability impacts customers who have Microsoft Protected Extensible Authentication Protocol (PEAP) as an allowed Extensible Authentication Protocol (EAP) type in the Network Policy Server (NPS). Automox recommends patching this vulnerability within 72 hours to minimize exposure to unnecessary cyber risks. - Preetham Gurram

CVE-2023-21715 - Microsoft Office Security Feature Bypass Vulnerability - IMPORTANT

CVE-2023-21715 is an important and actively exploited vulnerability that allows for bypass of Microsoft Office security features. Attackers could leverage social engineering to coerce an authenticated end user to download and open a specially crafted file that enables a local attack on the device. 82% of breaches involved a human element such as social engineering, according to Verizon’s 2022 Data Breach Investigation Report (DBIR), which is why Automox recommends patching this zero-day within 24 hours of the patch release. Organizations running either 32 and/or 64-bit Microsoft 365 Apps for Enterprise are vulnerable to attack and should be patched. - Peter Pflaster