Vulnerabilities are one of the ways to bypass an organization’s defenses. Of late, we have seen a rising trend of new and unpatched vulnerabilities being exploited by threat actors to gain access to sensitive data. In this blog, we would like to talk about some of the key 2023 vulnerabilities that were exploited in the wild.
- CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability.
- CVE-2023-7024 – Google Chromium WebRTC Heap Buffer Overflow Vulnerability.
- CVE-2023-23397 – Microsoft Outlook Elevation of Privilege Vulnerability.
- CVE-2023-34362 – Progress MOVEit Transfer SQL Injection Vulnerability.
- CVE-2023-38831 – RARLAB WinRAR Code Execution Vulnerability.
- CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability.
- CVE-2023-23376 – Windows Common Log File System Driver Elevation of Privilege Vulnerability.
- CVE-2023-32434 – Apple Multiple Products Integer Overflow Vulnerability.
- CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability.
- CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability.
Now let’s dive into these.
CVE-2023-28252
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Common Log File System (CLFS) is a general-purpose logging subsystem in Windows that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs. The CLFS driver is also responsible for providing support for transaction logs in Windows.
This out-of-bounds memory read/write vulnerability was exploited by the Nokoyawa ransomware group, a well-known ransomware family active since February 2022. They targeted Microsoft Windows servers of small and medium-sized companies in North America, the Middle East and ASEAN countries. The patch for CVE-2023-28252 was released in April 2023 as part of the April Patch Tuesday [1].
An exploit for this vulnerability is publicly available [IOC-1].
CVSS score: 7.8
Affected Version(s):
- Windows 10, 11
- Windows Server 2008, 2016, 2019, 2022
CVE-2023-7024
Google Chromium WebRTC Heap Buffer Overflow Vulnerability
Google’s Chromium WebRTC is a free, open-source project that allows web browsers and mobile applications to establish real-time peer-to-peer connections for audio and video communication. Using WebRTC data channels through JavaScript APIs, communication happens directly inside web pages and applications without requiring additional plug-ins.
To exploit it, an attacker would need to craft an HTML page which, when clicked, would trigger the vulnerability, allowing attackers to exploit heap corruption, escape the sandbox and run malicious code remotely [2].
The vulnerability has been reported to be weaponised by the NSO Group, an Israeli cyber-intelligence firm notorious for its proprietary spyware Pegasus, which sells such exploits primarily to nation-state governments.
CVSS score: 8.8
Affected Version(s): Chromium < 120.0.6099.129
CVE-2023-23397
Microsoft Outlook Elevation of Privilege Vulnerability
Outlook has been exploited a lot in the past, and more vulnerabilities keep getting discovered. This year, threat actors exploited CVE-2023-23397 using a Messaging Application Programming Interface (MAPI) property to trigger a Net-NTLMv2 hash leak to servers under their control.
Exploitation begins when an attacker sets PidLidReminderFileParameter in a malicious calendar invite, in the .msg format supported by Outlook, to a Universal Naming Convention (UNC) path pointing to an attacker-controlled server (SMB over TCP 445). If Outlook is running in the background, the invite triggers the bug without any user interaction via the PlayReminderSound API; while connecting to the attacker’s remote SMB server, the client sends a negotiation message containing the user’s Net-NTLMv2 hash. An attacker can use this hash to attempt to recover the user’s password or relay it for NTLMv2 authentication against other systems [3].
The initial reports of exploitation were limited to Russia-based threat actors targeting Ukrainian infrastructure since the conflict between the two countries began. These threat actors soon started targeting other governments and the military and energy sectors as well, with the latest exploitation seen in December 2023. As Outlook is used globally by governments, organizations and industries, the risk of an increasing number of attacks persists, since this vulnerability affects all versions of Outlook available for Windows.
A list of known IP addresses associated with this vulnerability is available here [IOC-2].
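As an added example (not from the original post, and not Microsoft’s own investigation script), the following Python triage helper applies the check implied above to exported PidLidReminderFileParameter values: it classifies each reminder-sound path and lists the items whose path would make Outlook reach a host outside the organization. The sample values are constructed, and INTERNAL_SUFFIXES is an assumed placeholder for your own domains.

```python
import ipaddress
import re

# Constructed sample: PidLidReminderFileParameter values as an analyst might
# export them from calendar items (None = property not set).
SAMPLE_ITEMS = {
    "invite-1.msg": r"C:\Windows\Media\Alarm01.wav",
    "invite-2.msg": r"\\fileserver.corp.example\sounds\chime.wav",
    "invite-3.msg": r"\\10.0.0.5\sounds\chime.wav",
    "invite-4.msg": r"\\sounds.example.net\share\reminder.wav",
    "invite-5.msg": r"\\sounds.example.net@80\share\reminder.wav",  # WebDAV-style UNC
    "invite-6.msg": None,
}

# Assumed placeholder: DNS suffixes that belong to your own environment.
INTERNAL_SUFFIXES = (".corp.example",)

# Matches \\host\..., \\host@80\... or \\host@SSL\...; group 1 is the host.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:SSL|\d+))?\\")

def unc_host(value):
    """Return the lower-cased host of a UNC path, or None for local/absent paths."""
    if not value:
        return None
    m = UNC_RE.match(value)
    return m.group(1).lower() if m else None

def is_internal_host(host):
    """Private IP literals and hosts under INTERNAL_SUFFIXES count as internal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)

def classify_reminder_path(value):
    """Return 'none', 'local', 'unc-internal' or 'unc-external'."""
    host = unc_host(value)
    if host is None:
        return "local" if value else "none"
    return "unc-internal" if is_internal_host(host) else "unc-external"

def triage(items):
    """Names of items whose reminder sound would make Outlook contact an external host."""
    return sorted(n for n, v in items.items() if classify_reminder_path(v) == "unc-external")

if __name__ == "__main__":
    for name in triage(SAMPLE_ITEMS):
        print(f"{name}: reminder sound points off-network -> {SAMPLE_ITEMS[name]}")
```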
CVSS score: 9.8
Affected Version(s):
- Microsoft Outlook 2013, 2016.
- Microsoft Office 2019, LTSC 2021.
- Microsoft 365 Apps.
CVE-2023-34362
Progress MOVEit Transfer SQL Injection Vulnerability
MOVEit Transfer is a commercial managed file transfer solution that enables secure transfer of files between organizations and their customers using SFTP, SCP and HTTP-based uploads. In May 2023, Progress released a security advisory stating the presence of a critical SQL injection vulnerability in the MOVEit Transfer and Cloud web application, which could lead to unauthorized administrative access, remote code execution and data exfiltration [4].
Exploitation is possible due to a bug in the MOVEitISAPI.dll file. This DLL incorrectly extracts the HTTP headers sent through a POST request, leading to the generation of a Cross-Site Request Forgery (CSRF) token. This CSRF token is then used to create a session and trigger a SQL injection at guestaccess.aspx. Session_vars headers (inside the POST request) containing the injected value are treated as a list of email addresses, and the MOVEit application splits the list on commas before passing it to the SQL engine. An attacker can then create a JSON Web Token that helps obtain a sysadmin API access token, and use it to abuse a deserialization call, thereby achieving remote code execution on the target machine [IOC-3].
Microsoft [11] and Mandiant [12] both attributed the use of this vulnerability as a zero-day to the CLOP ransomware gang. Mandiant, a subsidiary of Google, tracked some of the activities and came to the conclusion that “a lot of opportunistic attacks can be done against a wide range of industries based in India, Canada, Germany, Italy, etc.”
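To make the comma-splitting step concrete, here is an added Python example (not MOVEit’s code; a simplified stand-in using an in-memory SQLite table) that places the vulnerable pattern, pasting each split address into the SQL text, beside the parameterized form, so the same header value can be seen to rewrite one query and stay plain data in the other.

```python
import sqlite3

# Constructed in-memory stand-in for the application's user table.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "user"),
        (2, "bob@example.com", "user"),
        (3, "admin@example.com", "sysadmin"),
    ])
    return con

def split_recipients(header_value):
    """The behaviour described above: the header is a comma-delimited list of addresses."""
    return [e.strip() for e in header_value.split(",") if e.strip()]

def lookup_unsafe(con, header_value):
    """Vulnerable pattern (a simplifying assumption, not MOVEit's actual code): each split
    item is quoted and pasted into the SQL text, so quotes in the header rewrite the query."""
    quoted = ", ".join("'" + e + "'" for e in split_recipients(header_value))
    return [r[0] for r in con.execute(
        f"SELECT email FROM users WHERE email IN ({quoted})")]

def lookup_safe(con, header_value):
    """Hardened form: one bound parameter per address; the driver keeps values as data."""
    emails = split_recipients(header_value)
    placeholders = ", ".join("?" for _ in emails)
    return [r[0] for r in con.execute(
        f"SELECT email FROM users WHERE email IN ({placeholders})", emails)]

# A header a legitimate client would send, and one carrying a quote-breaking value.
BENIGN_HEADER = "alice@example.com, bob@example.com"
INJECTED_HEADER = "x') OR role='sysadmin' OR ('y'='"

if __name__ == "__main__":
    con = make_db()
    print("benign  ", lookup_unsafe(con, BENIGN_HEADER), lookup_safe(con, BENIGN_HEADER))
    print("injected", lookup_unsafe(con, INJECTED_HEADER), lookup_safe(con, INJECTED_HEADER))
```

With the injected header the unsafe query returns the sysadmin row that was never asked for, while the parameterized query returns nothing because the whole string is compared as one email address.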
CVSS score: 9.8
Affected Version(s): MOVEit Versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1)
CVE-2023-38831
RARLAB WinRAR Code Execution Vulnerability
WinRAR is one of the most widely used compression utilities in the world today. In August 2023, WinRAR fixed a vulnerability reported to have been exploited in the wild since April 2023. Threat actors crafted RAR archives that serve as carriers for various malware families. In one such real-life attack scenario against traders, as soon as the maliciously crafted RAR is extracted and a seemingly benign file in it is opened, the malware is triggered and allows threat actors to withdraw money from broker accounts [5].
Consider the following RAR archive structure:
Fig. 1: Archive structure
When a user double-clicks the benign “poc.jpg_” (the underscore represents a space character) from WinRAR’s user interface, the malicious payload (“poc.jpg_.cmd”) is executed instead.
WinRAR creates a temporary directory and iterates through all the files and directories that exist in the SFX (self-extracting) archive. However, due to the way the matching is done, if a directory is found with the same name, both the selected file and the files inside the matched directory are extracted to the root of a random temporary directory. Windows doesn’t allow files with trailing spaces, so while writing the file contents WinRAR normalizes the path to remove appended spaces.
The non-normalized path, i.e. “%TEMP%\{random_directory}\poc.jpg_” with the trailing space selected by the user, is passed to the ShellExecuteExW() function. This function fails to identify the file extension using “shell32!PathFindExtension”, so ShellExecute calls “shell32!ApplyDefaultExts” to look for files with a default extension such as .cmd, .exe, .bat, etc., and executes the first match.
Note: Space in any position in the file extension is sufficient to trigger the bug.
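An added Python example (not from the original post) that checks an archive listing for the structure described above: a file whose extension contains a space, a same-named directory, and inside it an executable named after the decoy with one of the default extensions. The listing is constructed to mirror Fig. 1; a real scan would feed it the names and directory flags an archive library reports.

```python
import posixpath

# Constructed listing modelled on the archive structure above: (path, is_dir) pairs
# as an archive library would report them, with forward slashes; note the trailing spaces.
SAMPLE_ENTRIES = [
    ("poc.jpg ", False),
    ("poc.jpg /", True),
    ("poc.jpg /poc.jpg .cmd", False),
    ("readme.txt", False),
    ("photos/", True),
    ("photos/holiday.jpg", False),
]

# Default extensions ShellExecute may try when it finds none (as listed in the text).
DEFAULT_EXEC_EXTS = {".cmd", ".bat", ".exe"}

def has_space_in_extension(path):
    """True if the entry's extension contains a space anywhere, including a trailing one."""
    base = posixpath.basename(path.rstrip("/"))
    return " " in posixpath.splitext(base)[1]

def find_decoy_pairs(entries):
    """Return (decoy_file, [payloads]) for every file whose extension carries a space,
    that is shadowed by a same-named directory, and whose directory holds an executable
    named decoy + default extension (the pattern WinRAR < 6.23 turns into code execution)."""
    dirs = {p.rstrip("/") for p, is_dir in entries if is_dir}
    files = [p for p, is_dir in entries if not is_dir]
    findings = []
    for decoy in files:
        if decoy not in dirs or not has_space_in_extension(decoy):
            continue
        decoy_base = posixpath.basename(decoy)
        payloads = []
        for candidate in files:
            if posixpath.dirname(candidate) != decoy:
                continue
            name = posixpath.basename(candidate)
            if name.startswith(decoy_base) and name[len(decoy_base):].lower() in DEFAULT_EXEC_EXTS:
                payloads.append(candidate)
        if payloads:
            findings.append((decoy, payloads))
    return findings

if __name__ == "__main__":
    for decoy, payloads in find_decoy_pairs(SAMPLE_ENTRIES):
        print(f"decoy {decoy!r} is shadowed by a directory containing {payloads}")
```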
The WinRAR vulnerability was reported to be heavily used by threat actors attributed to the Russian Armed Forces against Ukraine, e.g., FROZENBARENTS impersonating a Ukrainian drone training school to deliver the Rhadamanthys infostealer, a FROZENLAKE spear-phishing campaign targeting Ukrainian government organizations hosted on API endpoint testing services, and FROZENLAKE using IRONJAW with a reverse SSH shell. Recently, there were reports of Chinese government-backed groups attacking Papua New Guinea with ISLANDDREAMS delivering BOXRAT in a campaign.
Exploit samples for this vulnerability are available in the public domain [IOC-4].
CVSS score: 7.8
Affected Version(s): WinRAR < 6.23
CVE-2023-21674
Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
An advanced local procedure call (ALPC) is an interprocess communication facility for high-speed message exchange in Windows systems.
To exploit this sandbox escape vulnerability, an attacker would need access to a machine’s browser, either by tricking the user into opening a malicious link or by gaining physical access to the machine. The attacker can then try to escape the browser’s sandbox by corrupting kernel memory, which leads to SYSTEM privileges on vulnerable systems, allowing them to install software, modify data and perform other malicious activities [6].
CVSS score: 8.8
Affected Version(s):
- Windows 8.1, 10, 11.
- Windows Server 2008, 2012, 2016, 2019, 2022.
- Windows RT
CVE-2023-23376
Windows Common Log File System Driver Elevation of Privilege Vulnerability
The CLFS driver has multiple CVEs to its name. We already mentioned one earlier, and this is another that rises to the top. In this case, improper handling of objects in memory allows an attacker to execute arbitrary code in kernel mode.
Using this vulnerability, an attacker could take control of the affected system and execute code with elevated privileges. This allows the attacker to perform malicious activities on the victim’s machine, compromising the confidentiality, integrity and availability of the system and its data [7].
CVSS score: 7.8
Affected Version(s):
- Windows 10, 11.
- Windows Server 2008, 2012, 2016, 2019, 2022.
CVE-2023-32434
Apple Multiple Products Integer Overflow Vulnerability
A critical vulnerability has been uncovered in the iOS, iPadOS and macOS kernel components. It results from the processing of unspecified input and is an integer overflow: the product performs a calculation assuming that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. Due to this issue, an app may be able to execute arbitrary code with kernel privileges [8].
Apple is aware of a report that this issue may have been actively exploited across multiple Apple products.
CVSS score: 7.8
Affected Version(s):
- Apple Safari, macOS Ventura, macOS Big Sur, macOS Monterey, iOS and iPadOS
- iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPhone 8 and later, iPad Pro (all models), iPad Air 2, iPad Air (3rd generation) and later, iPad (5th generation) and later, iPad mini (4th generation), iPad mini (5th generation) and later, iPod touch (7th generation)
CVE-2023-41763
Skype for Business Elevation of Privilege Vulnerability
Skype for Business is an enterprise software application for instant messaging and video telephony developed by Microsoft and offered as part of Office.
When an attacker crafts a malicious link with an ‘HTTP request’ embedded in it and persuades a victim on an enterprise network to open it, this could reveal internal IP addresses and/or port numbers. These can then be used to launch further attacks [9].
CVSS score: 5.3
Affected Version(s): Skype for Business Server 2015 CU13, Skype for Business Server 2019 CU7
CVE-2023-36033
Windows DWM Core Library Elevation of Privilege Vulnerability
According to Wikipedia [13]:
“The Desktop Window Manager is a compositing window manager, meaning that each program has a buffer that it writes data to; DWM then composites each program’s buffer into a final image. It enables the use of hardware acceleration to render the graphical user interface of Windows.”
The vulnerability is present in the dwmcore.dll library of the Desktop Window Manager. The method CKeyframeAnimation::SampleStartingValue is used to trigger the bug. After dereferencing a data pointer through the Microsoft::WRL::ComPtr<CPatjData>::operator= call, the attacker is able to leak a heap address and execute shellcode to gain SYSTEM access, confirming the presence of a privilege escalation vulnerability [10].
A PoC for this vulnerability is available in the public domain [IOC-5].
CVSS score: 7.8
Affected Version(s):
- Windows 10, 11.
- Windows Server 2019, 2022.
We recommend that all our users keep their OS and applications up to date by installing the latest patches, and use a trusted product such as K7 Total Security to protect against malicious attacks. K7 products have vulnerability scanners that can identify and flag vulnerable components installed on your machine.
IoCs
IOC-1 : CVE-2023-28252
9aa5ede2ea03c876775407f0098c013dfd3c503cc4ebb1ee7306284def339699
IOC-2 : CVE-2023-23397
101.255.119[.]42213.32.252[.]221168.205.200[.]55185.132.17[.]16069.162.253[.]21113.160.234[.]229181.209.99[.]20482.196.113[.]10285.195.206[.]761.14.68[.]33 |
IOC-3 : CVE-2023-34362
5b566de1aa4b2f79f579cdac6283b33e98fdc8c1cfa6211a787f8156848d67ff
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
4359aead416b1b2df8ad9e53c497806403a2253b7e13c03317fc08ad3b0b95bf
7c39499dd3b0b283b242f7b7996205a9b3cf8bd5c943ef6766992204d46ec5f1
Full detailed lists mentioned here.
Paths:
D:\MOVEitDMZ\wwwroot\human2.aspx
E:\MOVEitTransfer\wwwroot\human2.aspx
C:\Windows\Temp\erymbsqv\erymbsqv.dll
IOC-4 : CVE-2023-38831
7d8ba10944b62812ed349a57712a6f753b88a34ad2220943fe56743546e516e6
IOC-5 : CVE-2023-36033
3a3feea7ededb728efce89a6d74a823d700e2fe9994bc8791e132bf548473e93
References
[1] vulnerability/cve-2023-28252
[2] stable-channel-update-for-desktop_20.html
[3] guidance-for-investigating-attacks-using-cve-2023-23397/
[4] cve-2023-34362-moveit-transfer-exploitation-analysis/
[5] labs.k7computing.com/index.php/when-rar-roared/
[7] vulnerability/cve-2023-23376
[8] support.apple.com/en-gb/ht201222
[10] cve-2023-36033.html
[11] msftSecIntel/status/1665537730946670595