VULNERA Pulse

Ruckus Wireless — Multiple Products

CVE-2023-25717 / Added: May 12, 2023

CRITICAL CVSS 9.80

Ruckus Wireless Access Point (AP) software contains an unspecified vulnerability in the web services component. If the web services component is enabled on the AP, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability impacts Ruckus ZoneDirector, SmartZone, and Solo APs.

Headlines

• May 12, 2023 - CISA warns of critical Ruckus bug used to infect Wi-Fi access points
• May 11, 2023 - Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack
• May 9, 2023 - Critical Ruckus RCE flaw exploited by new DDoS botnet malware
• May 9, 2023 - New Botnet Campaign Exploits Ruckus Wireless Flaw
• May 9, 2023 - Fortinet warns of a spike of the activity linked to AndoryuBot DDoS botnet
• May 9, 2023 - AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability

Back to top ↑

Apache — Tomcat

CVE-2016-8735 / Added: May 12, 2023

CRITICAL CVSS 9.80

Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.

Back to top ↑

Oracle — Java SE and JRockit

CVE-2016-3427 / Added: May 12, 2023

CRITICAL CVSS 9.00

Oracle Java SE and JRockit contains an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Management Extensions (JMX). This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.

Back to top ↑

Red Hat — Polkit

CVE-2021-3560 / Added: May 12, 2023

HIGH CVSS 7.80

Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation.

Back to top ↑

Linux — Kernel

CVE-2010-3904 / Added: May 12, 2023

HIGH CVSS 7.20

Linux Kernel contains an improper input validation vulnerability in the Reliable Datagram Sockets (RDS) protocol implementation that allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.

Back to top ↑

Linux — Kernel

CVE-2014-0196 / Added: May 12, 2023

MEDIUM CVSS 6.90

Linux Kernel contains a race condition vulnerability within the n_tty_write function that allows local users to cause a denial-of-service or gain privileges via read and write operations with long strings.

Back to top ↑

Jenkins — Jenkins User Interface (UI)

CVE-2015-5317 / Added: May 12, 2023

MEDIUM CVSS 5.00

Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages.

Back to top ↑

Microsoft — Win32k

CVE-2023-29336 / Added: May 9, 2023

HIGH CVSS 7.80

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation up to SYSTEM privileges.

Headlines

• May 12, 2023 - CISA warns of critical Ruckus bug used to infect Wi-Fi access points
• May 11, 2023 - May's Patch Tuesday update includes 3 zero-day flaws; fix them ASAP
• May 11, 2023 - Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
• May 10, 2023 - Microsoft reveals small but vital security upgrade - so patch your devices now
• May 10, 2023 - Microsoft Patches Three Zero-Day Bugs This Month
• May 10, 2023 - Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug
• May 10, 2023 - Microsoft Patch Tuesday for May 2023 fixed 2 actively exploited zero-day flaws
• May 10, 2023 - Microsoft Patch Tuesday, May 2023 Edition –
• May 10, 2023 - Microsoft's patches include Outlook preview pane vulnerability
• May 9, 2023 - Microsoft warns of two bugs under active exploit
• May 9, 2023 - Microsoft Patches Two Zero-Day Vulnerabilities
• May 9, 2023 - Critical Patches Issued for Microsoft Products, May 9, 2023
• May 9, 2023 - May’s Patch Tuesday haul touches a six-pack of product families
• May 9, 2023 - Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days
• May 9, 2023 - Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)
• May 9, 2023 - Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws
• May 9, 2023 - Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

Back to top ↑

CVE-2023-27350

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: April 20, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.

Vendor Impacted: Papercut

Products Impacted: Mf/ng, Papercut Ng, Papercut Mf

Quotes

• In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet
• According to FBI observed information, malicious actors exploited CVE-2023-27350 beginning in mid-April 2023 and continuing through the present
• FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity
• The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet
• After public POCs were published for CVE-2023-27350, Mint Sandstorm & Mango Sandstorm quickly adapted the exploit in their operations to achieve initial access. This activity shows Mint Sandstorm’s continued ability to rapidly incorporate POC exploits into their operations
• This activity shows Mint Sandstorm's continued ability to rapidly incorporate [proof-of-concept] exploits into their operations
• More actors are exploiting unpatched CVE-2023-27350 in print management software Papercut since we last reported on Lace Tempest. Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350
• The PaperCut exploitation activity by Mint Sandstorm appears opportunistic, affecting organizations across sectors and geographies
• This report shows that detections that focus on one code execution method, or that focus on a small subset of techniques used by one threat actor, are doomed to be useless in the next round of attacks

Headlines

• May 12, 2023 - FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks
• May 12, 2023 - PaperCut Software Flaw Sparks Ransomware Attacks, CISA Warns
• May 12, 2023 - CISA, FBI: Ransomware Gang Exploited PaperCut Flaw Against Education Facilities
• May 12, 2023 - Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability
• May 11, 2023 - Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
• May 11, 2023 - CISA and FBI Release Joint Advisory in Response to Active Exploitation of PaperCut Vulnerability | CISA
• May 9, 2023 - Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability
• May 9, 2023 - Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability
• May 9, 2023 - Iran-linked APT groups started exploiting Papercut flaw
• May 8, 2023 - Microsoft: Iranian hacking groups join Papercut attack spree
• May 6, 2023 - New PaperCut RCE exploit created that bypasses existing detections

CVE-2023-23397

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: March 14, 2023

Microsoft Outlook Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Office, Outlook, 365 Apps

Quotes

• All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable
• An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server. This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction
• An attacker can craft a malicious URL that would evade zone checks, resulting in a limited loss of integrity and availability of the victim machine
• A limited loss of integrity and availability of the victim machine
• Our research indicates that the new vulnerability re-enables the exploitation of a critical vulnerability that was seen in the wild and used by APT operators
• The new vulnerability [CVE-2023-29324] re-enables the exploitation of a critical vulnerability [CVE-2023-23397] that was seen in the wild and used by APT operators
• An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server

Headlines

• May 12, 2023 - Microsoft fixes serious Outlook security flaw, so patch now
• May 11, 2023 - Microsoft patches bypass for recently fixed Outlook zero-click bug
• May 11, 2023 - Microsoft Makes Second Attempt to Patch Recent Outlook Zero-Day
• May 11, 2023 - A zero-click vulnerability in Windows allows stealing NTLM credentials
• May 10, 2023 - Microsoft Fixes Failed Patch for Exploited Outlook Vulnerability
• May 10, 2023 - Microsoft fixes bypass for critical Outlook zero-click flaw patch
• May 10, 2023 - Easily bypassed patch makes zero-click Outlook flaw exploitable again (CVE-2023-29324)
• May 10, 2023 - Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft

CVE-2023-24941

CRITICAL CVSS 9.80

Remote Code Execution

Published: May 9, 2023

Windows Network File System Remote Code Execution Vulnerability

Quotes

• Local Privilege escalation vulnerabilities are a key part of attackers’ objectives
• When Windows Message Queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code
• This type of privilege escalation is usually combined with a code execution bug to spread malware
• The May 9, 2023 security update provides configuration options to manually enable protections for the Secure Boot bypass but these protections are not enabled automatically. Before you enable these protections, you must verify your devices and all bootable media are updated and ready for this security hardening change
• This is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero day. We anticipate details surrounding its exploitation to be made public soon by the researchers that discovered it
• An attacker to take additional actions prior to exploitation to prepare the target environment

Headlines

• May 10, 2023 - Microsoft Patch Tuesday, May 2023 Edition –
• May 10, 2023 - Microsoft's patches include Outlook preview pane vulnerability
• May 9, 2023 - Microsoft Patches Two Zero-Day Vulnerabilities
• May 9, 2023 - May’s Patch Tuesday haul touches a six-pack of product families
• May 9, 2023 - Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days
• May 9, 2023 - Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)
• May 9, 2023 - Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

CVE-2023-32243

CRITICAL CVSS 9.80

Actively Exploited

Published: May 12, 2023

Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.

Quotes

• This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site
• It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and login on their account
• It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account
• [By exploiting the flaw] It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and login on their account

Headlines

• May 12, 2023 - Essential Addons Plugin Flaw Exposes One Million WordPress Websites
• May 12, 2023 - One of the most popular WordPress plugins has a serious security flaw
• May 12, 2023 - 1 Million WordPress Sites Impacted by Exploited Plugin Vulnerability
• May 12, 2023 - Severe Security Flaw Exposes Over a Million WordPress Sites to Hijack
• May 12, 2023 - A flaw in the Essential ‘Addons for Elementor’ WordPress plugin poses 1M sites at risk of hacking
• May 11, 2023 - WordPress Elementor plugin bug let attackers hijack accounts on 1M sites

CVE-2023-25717

CRITICAL CVSS 9.80

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Feb. 13, 2023

Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

Vendors Impacted: Ruckus Wireless, Ruckuswireless

Products Impacted: Q710, R730, E510, R720, Zd1000, H500, T301s, T504, R760, H550, M510-Jp, R320, R700, H350, Q910, T710s, R500, T811-Cm, Sz300-Federal, Zd1200, T310s, R310, Ruckus Wireless Admin, T350c, Multiple Products, Zd1100, T350d, R550, R710, T710, T750, R300, Sz-144, R350, Sz300, T310c, T750se, R650, Sz100, M510, T300, H320, T310d, Q410, Smartzone, R750, T350se, Zd3000, R850, R510, T310n, T301n, T811-Cm\(Non-Spf\), P300, R600, Sz-144-Federal, R560, R610, Smartzone Ap, T610, Zd5000, H510

Quotes

• It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies
• [AndoryuBot] contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies
• Once a target device is compromised, AndoryuBot quickly spreads and begins communicating with its C2 server via the SOCKS protocol. In a very short time, it is updated with additional DDoS methods and awaits attack commands

Headlines

• May 12, 2023 - CISA warns of critical Ruckus bug used to infect Wi-Fi access points
• May 11, 2023 - Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack
• May 9, 2023 - Critical Ruckus RCE flaw exploited by new DDoS botnet malware
• May 9, 2023 - New Botnet Campaign Exploits Ruckus Wireless Flaw
• May 9, 2023 - Fortinet warns of a spike of the activity linked to AndoryuBot DDoS botnet
• May 9, 2023 - AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability

CVE-2023-29325

HIGH CVSS 8.10

Remote Code Execution

Published: May 9, 2023

Windows OLE Remote Code Execution Vulnerability

Quotes

• Attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled
• It has a local attack vector, meaning the attacker needs access to the targeted system. The attack complexity is low, requiring minimal privileges and no user interaction
• This number is expected to rise in the coming months
• Local Privilege escalation vulnerabilities are a key part of attackers’ objectives
• When Windows Message Queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code
• This type of privilege escalation is usually combined with a code execution bug to spread malware
• The May 9, 2023 security update provides configuration options to manually enable protections for the Secure Boot bypass but these protections are not enabled automatically. Before you enable these protections, you must verify your devices and all bootable media are updated and ready for this security hardening change
• This is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero day. We anticipate details surrounding its exploitation to be made public soon by the researchers that discovered it
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• An attacker to take additional actions prior to exploitation to prepare the target environment

Headlines

• May 11, 2023 - May's Patch Tuesday update includes 3 zero-day flaws; fix them ASAP
• May 10, 2023 - Microsoft Patches Three Zero-Day Bugs This Month
• May 10, 2023 - Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug
• May 10, 2023 - Microsoft Patch Tuesday, May 2023 Edition –
• May 10, 2023 - Microsoft's patches include Outlook preview pane vulnerability
• May 9, 2023 - Microsoft warns of two bugs under active exploit
• May 9, 2023 - Microsoft Patches Two Zero-Day Vulnerabilities
• May 9, 2023 - Critical Patches Issued for Microsoft Products, May 9, 2023
• May 9, 2023 - May’s Patch Tuesday haul touches a six-pack of product families
• May 9, 2023 - Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days
• May 9, 2023 - Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)
• May 9, 2023 - Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws
• May 9, 2023 - Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

CVE-2023-29336

HIGH CVSS 7.80

CISA Known Exploited

Published: May 9, 2023

Win32k Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Product Impacted: Win32k

Quotes

• Attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• It has a local attack vector, meaning the attacker needs access to the targeted system. The attack complexity is low, requiring minimal privileges and no user interaction
• This number is expected to rise in the coming months
• Local Privilege escalation vulnerabilities are a key part of attackers’ objectives
• When Windows Message Queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code
• This type of privilege escalation is usually combined with a code execution bug to spread malware
• The May 9, 2023 security update provides configuration options to manually enable protections for the Secure Boot bypass but these protections are not enabled automatically. Before you enable these protections, you must verify your devices and all bootable media are updated and ready for this security hardening change
• This is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero day. We anticipate details surrounding its exploitation to be made public soon by the researchers that discovered it
• An attacker to take additional actions prior to exploitation to prepare the target environment

Headlines

• May 12, 2023 - CISA warns of critical Ruckus bug used to infect Wi-Fi access points
• May 11, 2023 - May's Patch Tuesday update includes 3 zero-day flaws; fix them ASAP
• May 11, 2023 - Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
• May 10, 2023 - Microsoft reveals small but vital security upgrade - so patch your devices now
• May 10, 2023 - Microsoft Patches Three Zero-Day Bugs This Month
• May 10, 2023 - Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug
• May 10, 2023 - Microsoft Patch Tuesday for May 2023 fixed 2 actively exploited zero-day flaws
• May 10, 2023 - Microsoft Patch Tuesday, May 2023 Edition –
• May 10, 2023 - Microsoft's patches include Outlook preview pane vulnerability
• May 9, 2023 - Microsoft warns of two bugs under active exploit
• May 9, 2023 - Microsoft Patches Two Zero-Day Vulnerabilities
• May 9, 2023 - Critical Patches Issued for Microsoft Products, May 9, 2023
• May 9, 2023 - May’s Patch Tuesday haul touches a six-pack of product families
• May 9, 2023 - Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days
• May 9, 2023 - Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)
• May 9, 2023 - Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws
• May 9, 2023 - Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

CVE-2023-24932

MEDIUM CVSS 6.70

Actively Exploited

Published: May 9, 2023

Secure Boot Security Feature Bypass Vulnerability

Quotes

• The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up
• Attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled
• Why don’t MSI immediately revoke the stolen keys, stop using them, and then push out new firmware signed with new keys
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• It has a local attack vector, meaning the attacker needs access to the targeted system. The attack complexity is low, requiring minimal privileges and no user interaction
• This number is expected to rise in the coming months
• Local Privilege escalation vulnerabilities are a key part of attackers’ objectives
• When Windows Message Queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code
• This type of privilege escalation is usually combined with a code execution bug to spread malware
• The May 9, 2023 security update provides configuration options to manually enable protections for the Secure Boot bypass but these protections are not enabled automatically. Before you enable these protections, you must verify your devices and all bootable media are updated and ready for this security hardening change
• This is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero day. We anticipate details surrounding its exploitation to be made public soon by the researchers that discovered it
• To protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but disabled by default and will not provide protections
• Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894

Headlines

• May 12, 2023 - Microsoft is working on a mega security patch for some of its most crucial issues
• May 11, 2023 - May's Patch Tuesday update includes 3 zero-day flaws; fix them ASAP
• May 11, 2023 - Threat Source newsletter (May 11, 2023) — So much for that ransomware decline
• May 10, 2023 - Bootkit zero-day fix – is this Microsoft’s most cautious patch ever?
• May 10, 2023 - Microsoft reveals small but vital security upgrade - so patch your devices now
• May 10, 2023 - Microsoft Patches Three Zero-Day Bugs This Month
• May 10, 2023 - Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug
• May 10, 2023 - Microsoft Patch Tuesday for May 2023 fixed 2 actively exploited zero-day flaws
• May 10, 2023 - Microsoft Patch Tuesday, May 2023 Edition –
• May 10, 2023 - Microsoft's patches include Outlook preview pane vulnerability
• May 9, 2023 - Microsoft warns of two bugs under active exploit
• May 9, 2023 - Microsoft Patches Two Zero-Day Vulnerabilities
• May 9, 2023 - Critical Patches Issued for Microsoft Products, May 9, 2023
• May 9, 2023 - May’s Patch Tuesday haul touches a six-pack of product families
• May 9, 2023 - Microsoft Patch Tuesday: 40 Vulnerabilities, 2 Zero-Days
• May 9, 2023 - Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)
• May 9, 2023 - Microsoft issues optional fix for Secure Boot zero-day used by malware
• May 9, 2023 - Microsoft fixes Secure Boot zero-day used by BlackLotus UEFI malware
• May 9, 2023 - Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws

CVE-2023-29324

MEDIUM CVSS 6.50

Risk Context N/A

Published: May 9, 2023

Windows MSHTML Platform Security Feature Bypass Vulnerability

Quotes

• All Windows versions are affected by the vulnerability. As a result, all Outlook client versions on Windows are exploitable
• Attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled
• An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server. This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction
• An attacker can craft a malicious URL that would evade zone checks, resulting in a limited loss of integrity and availability of the victim machine
• A limited loss of integrity and availability of the victim machine
• Our research indicates that the new vulnerability re-enables the exploitation of a critical vulnerability that was seen in the wild and used by APT operators
• The new vulnerability [CVE-2023-29324] re-enables the exploitation of a critical vulnerability [CVE-2023-23397] that was seen in the wild and used by APT operators
• An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server
• An attacker to take additional actions prior to exploitation to prepare the target environment

Headlines

• May 12, 2023 - Microsoft fixes serious Outlook security flaw, so patch now
• May 11, 2023 - Microsoft patches bypass for recently fixed Outlook zero-click bug
• May 11, 2023 - May's Patch Tuesday update includes 3 zero-day flaws; fix them ASAP
• May 11, 2023 - Microsoft Makes Second Attempt to Patch Recent Outlook Zero-Day
• May 11, 2023 - A zero-click vulnerability in Windows allows stealing NTLM credentials
• May 10, 2023 - Microsoft Fixes Failed Patch for Exploited Outlook Vulnerability
• May 10, 2023 - Microsoft fixes bypass for critical Outlook zero-click flaw patch
• May 10, 2023 - Easily bypassed patch makes zero-click Outlook flaw exploitable again (CVE-2023-29324)
• May 10, 2023 - Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft
• May 9, 2023 - Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

CVE-2022-21894

MEDIUM CVSS 4.40

Actively Exploited Remote Code Execution Public Exploits Available

Published: Jan. 11, 2022

Secure Boot Security Feature Bypass Vulnerability.

Vendor Impacted: Microsoft

Products Impacted: Windows Server, Windows 8.1, Windows 11, Windows Server 2012, Windows 10, Windows Server 2016, Windows Server 2019

Quotes

• The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up
• This number is expected to rise in the coming months
• This is the fifth month in a row that an elevation of privilege vulnerability was exploited in the wild as a zero day. We anticipate details surrounding its exploitation to be made public soon by the researchers that discovered it
• Microsoft is releasing CVE-2023-24932, and associated configuration guidance, to address a Secure Boot bypass vulnerability used by the BlackLotus bootkit to exploit CVE-2022-21894
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges

Headlines

• May 12, 2023 - Microsoft is working on a mega security patch for some of its most crucial issues
• May 10, 2023 - Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug
• May 9, 2023 - Microsoft fixes two actively exploited bugs, one used by BlackLotus bootkit (CVE-2023-29336, CVE-2023-24932)
• May 9, 2023 - Microsoft issues optional fix for Secure Boot zero-day used by malware
• May 9, 2023 - Microsoft fixes Secure Boot zero-day used by BlackLotus UEFI malware
• May 9, 2023 - Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws