Dear Valued Clients,
We have received an update from our server technicians indicating that ACCUHyperV-New York server requires the installation of Critical Windows updates. This maintenance schedule will involve approximately 30 to 60 minutes of downtime.
This maintenance will affect your VPS if your VPS name starts with CYNYE01, CYNYE02, CYNYS01 and CYNYS02.
Purpose of Work:
March's Patch Tuesday has arrived, and the bugs are just as ready for spring as the rest of us! There were 74 Windows patches released during this month's cycle, compared to 71 in March 2022 and 89 in 2021, which shows an average workload on the patching team for this time of year... but it's quality over quantity this month.
Two of the reported vulnerabilities are under active exploitation, with one of the two also publicly disclosed. Both of those under active exploitation impact end-user applications; one is an Outlook vulnerability that essentially allows a remote attacker to steal your login information just by sending you an email that you don't even have to open. We'll lead with that in the highlights.
Preliminary reports from early adopters indicate no apparent widespread issues, and the test environment has shown no major trouble, post-update. Most known issues from previous patch cycles appear to be resolved, per https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016 and the other subpages accessible through the sidebar at that page. A few situational issues linger, but nothing that should impact a standard configuration.
With all that established, here are the vulnerability highlights:
First up, we have a vulnerability that Microsoft is characterizing as 'elevation of privilege', affecting all supported versions of Microsoft Outlook ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 ). This is the first vulnerability on our list that is currently 'in the wild'. If you noticed the skeptical tone, it's because this is a bit more complicated: my reading of the vulnerability is that an attacker leveraging it is able to send a malicious email to any affected Outlook client, and then, without any interaction from the user whatsoever, steal their NTLM hash.
This opens the user up to both man-in-the-middle spoofing attacks and accelerated offline brute-force attacks via cracking their password hash on an attacker-controlled system. It's severe enough as a vulnerability that Microsoft has given it a 9.8 CVSS base score, and if your environment allows NTLM authentication, it's probably time to read up on the hardening and impact auditing literature.
Second on the list is a security feature bypass affecting Windows 2016 / Windows 10 and up, respectively ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880 ). This one is both detected as actively exploited and publicly disclosed, meaning the scope of exploits leveraging it will only grow. It primarily impacts the Windows SmartScreen / Mark of the Web features that stop your operating system from running executables from potentially untrustworthy sources (such as a browser or email client), which is a relatively important piece of the whole of Windows end-user security. That said, it's not quite as alarming as the previous vulnerability, so it gets a base CVSS score of 5.4.
Third up, we have a remote code execution vulnerability leveraging the 'raw socket' feature of the Windows networking stack, and impacting all supported versions of Windows ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415 ). This is a remote-vectored, low complexity, zero-authentication attack that somehow leverages... ICMP, to deliver its payload. While this is technically wormable, the good news is that the scope is limited to hosts that have running applications bound to a raw socket ( https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-ip-raw-sockets-2 ), such as a packet sniffer. That said, the uncertainty of just how many applications out there could be using one means this more or less deserves its base CVSS of 9.8 in my view, especially if it turns out there are fewer constraints on the vulnerability than there currently seem to be.
Fourth in line, we have another RCE vulnerability leveraging the HTTP stack on Windows 11 21H2 / Windows Server 2022 and up, respectively ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23392 ). This seems to only affect servers with a specific configuration, with a webserver binding having HTTP/3 enabled and the server using buffered I/O. This is not a totally uncommon configuration, but it does sound like it's at least non-default. That said, this is another wormable vulnerability, so it's got the same 9.8 CVSS as the previous one.
Fifth, we have yet ANOTHER wormable RCE vulnerability, this one leveraging the Remote Procedure Call Runtime, and impacting all supported versions of Windows ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21708 ). Microsoft's suggested mitigation for this one is essentially "block port 135"... so this one seems like the five-alarm fire in the making that the others could have been, since the scope is wider. That said, it is (luckily) neither detected as actively exploited nor publicly disclosed, so everyone has some time to roll this one out instead of dealing with a zero-day event.
Sixth, we have an arbitrary code execution vulnerability leveraging the Windows Cryptographic Services, and impacting Windows 10 / Windows Server 2012 and up, respectively ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21708 ). This one is not wormable, for a change this month. To sum this one up, if an attacker is able to get you or a process to import a malicious certificate on your host, they can execute code as SYSTEM. Some possible vectors include malicious scripts run by users, or even compromised websites. It does not have to be imported to any particular certificate store.
Number 7, we have a vulnerability Microsoft has characterized as 'elevation of privilege', which leverages an unnamed third-party driver in conjunction with Hyper-V, and impacts Server 2016 / Windows 10 and up, respectively ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1017 ). I say 'characterized', because it seems to be something of a sandbox escape as well, allowing Hyper-V guests to write to the root partition of the hypervisor (and potentially degrade performance / cause system instability, or even upload malicious code as a scheduled task, if they wish).
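As an added, defender-side example (not part of this notice or of Microsoft's guidance), the following PowerShell script does a read-only audit of a Windows host for three of the mitigations discussed above: whether HTTP/3 is enabled in HTTP.sys (CVE-2023-23392 exposure), whether an enabled host firewall rule blocks inbound TCP 135 (the CVE-2023-21708 interim mitigation), and whether outgoing NTLM is restricted (which limits what a hash stolen via CVE-2023-23397 is worth). The registry paths and cmdlets are real; the PASS/REVIEW thresholds and the function names are my own choices.

```powershell
# Added example, not part of the maintenance notice. Read-only audit of three
# host-level mitigations tied to the highlights above. Registry paths, values
# and cmdlets are real; the PASS/REVIEW thresholds are assumptions.
#Requires -RunAsAdministrator

function Get-MarchMitigationStatus {
    $findings = @()

    # CVE-2023-23392: HTTP.sys only speaks HTTP/3 when the EnableHttp3 DWORD
    # under HTTP\Parameters is 1 (absent means off on Server 2022).
    $httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $http3 = (Get-ItemProperty -Path $httpKey -Name EnableHttp3 -ErrorAction SilentlyContinue).EnableHttp3
    $findings += [pscustomobject]@{
        Check  = 'HTTP/3 enabled in HTTP.sys (CVE-2023-23392)'
        Value  = if ($null -eq $http3) { 'not set (off)' } else { $http3 }
        Status = if ($http3 -eq 1) { 'REVIEW' } else { 'PASS' }
    }

    # CVE-2023-21708: the interim advice is to block TCP 135 at the perimeter;
    # here we only report whether an enabled host rule blocks that exact port.
    $rpcBlock = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '135')
        }
    $findings += [pscustomobject]@{
        Check  = 'Host firewall blocks inbound TCP 135 (CVE-2023-21708)'
        Value  = if ($rpcBlock) { $rpcBlock.DisplayName -join ', ' } else { 'no rule' }
        Status = if ($rpcBlock) { 'PASS' } else { 'REVIEW' }
    }

    # CVE-2023-23397 impact: a leaked hash is only useful if this host will
    # send NTLM outbound. RestrictSendingNTLMTraffic: 0 allow, 1 audit, 2 deny
    # (the "Network security: Restrict NTLM: Outgoing NTLM traffic" policy).
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $findings += [pscustomobject]@{
        Check  = 'Outgoing NTLM restricted (CVE-2023-23397 impact)'
        Value  = if ($null -eq $ntlm) { 'not set (allow all)' } else { $ntlm }
        Status = if ($ntlm -eq 2) { 'PASS' } else { 'REVIEW' }
    }

    return $findings
}

Get-MarchMitigationStatus | Format-Table -AutoSize
```

A REVIEW result is a prompt to check the setting against your own baseline, not proof of exposure; for example HTTP/3 may be intentionally on for a public web server, which then simply makes installing the March update that much more urgent.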
As usual, there's more where that came from. The rest of the updates this month are all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.
Maintenance Date / Time:
CVNY01 : March 24, 2023 - Friday - 11:30 PM MST
CVNY02 : March 25, 2023 - Saturday - 12:00 AM MST
Maintenance Impact & ETA of Outage:
During the update process, your VPS will be inaccessible.
We thank you for your co-operation.