Microsoft Zero-Days Allow Defender Bypass, Privilege Escalation



Microsoft released fixes for a total of 63 bugs in its November 2023 update, including three that threat actors are actively exploiting already and two that were disclosed previously but have not been exploited yet.
From a raw numbers standpoint, Microsoft’s November update is considerably smaller than the one in October, which contained fixes for a hefty 112 CVEs. This month’s update also included fewer critical vulnerabilities — three — compared with recent months. Microsoft has assessed all but four of the remaining CVEs in its November updates as being of either moderate or important severity.
As always, the manner in which organizations prioritize their patching of the latest set of bugs will depend on a variety of factors. These include the prevalence of the vulnerabilities in their specific environments, the affected assets, accessibility of those assets, ease of exploitability, and other considerations.
But as with every Microsoft monthly update, there are several bugs in the latest batch that security experts agreed merit greater attention than others. The three actively exploited zero-day bugs fit that category.
One of them is CVE-2023-36036, a privilege escalation vulnerability in Microsoft’s Windows Cloud Files Mini Filter Driver that gives attackers a way to acquire system-level privileges. Microsoft has assessed the vulnerability as being a moderate — or important — severity threat but has provided relatively few other details about the issue. Satnam Narang, senior staff research engineer at Tenable, identified the bug as something that is likely going to be of interest to threat actors from a post-compromise activity standpoint. An attacker requires local access to an affected system to exploit the bug. The exploitation involves little complexity, user interaction, or special privileges.
Windows Cloud Files Mini Filter Driver is a component that is essential to the functioning of cloud-stored files on Windows systems, says Saeed Abbasi, manager of vulnerability and threat research at Qualys. “The widespread presence of this driver in almost all Windows versions amplifies the risk, providing a broad attack surface. It is currently under active attack and poses a significant risk, especially when paired with a code execution bug,” Abbasi says.
Another zero-day bug in Microsoft’s November update is CVE-2023-36033, a privilege escalation vulnerability in the Windows DWM Core Library component. This vulnerability also enables access to system-level privileges on affected systems and is relatively easy to exploit. “This vulnerability can be exploited locally, with low complexity and without needing high-level privileges or user interaction,” Mike Walters, president and co-founder of Action1, wrote in a blog post. The bug is something that would be useful to an attacker who has already obtained initial access to a system, Walters noted.
“Currently, this vulnerability is under active attack, indicating a real-world application by malicious actors,” Abbasi says. “Although the comprehensive scope of these cyberattacks is yet to be fully ascertained, historical patterns indicate that they often commence with minor incidents and progressively escalate in scale.”
The third zero-day bug, CVE-2023-36025, is a security bypass flaw which gives attackers a way to bypass Windows Defender SmartScreen checks warning about malicious websites and risky or unrecognized files and apps.
This is the third Windows SmartScreen zero-day vulnerability exploited in the wild in 2023 and the fourth in the last two years, according to Tenable’s Narang.
A remote attacker can exploit the vulnerability over the network with little complexity and no user interaction, Walters wrote in the blog post. With a CVSS score of 8.8 out of a maximum 10, CVE-2023-36025 is something organizations need to pay attention to, Walters added. “Given its high CVSS rating and the fact that it is being actively exploited, this makes CVE-2023-36025 one of the vulnerabilities that should be prioritized for patching.”
Two bugs — CVE-2023-36038, a denial-of-service vulnerability affecting ASP.NET Core, and CVE-2023-36413, a security feature bypass flaw in Microsoft Office — were publicly disclosed before November’s Patch Tuesday but remain unexploited.
The three vulnerabilities in the November update that Microsoft assessed as being of critical severity are: CVE-2023-36397, a remote code execution (RCE) in Windows Pragmatic General Multicast protocol for transporting multicast data; CVE-2023-36400, an elevation of privilege bug in the Windows HMAC Key Derivation feature; and CVE-2023-36052, an information disclosure flaw in an Azure component.
Of the three critical bugs, CVE-2023-36052 is probably the issue that organizations need to prioritize, says John Gallagher, vice president of Viakoo Labs at Viakoo. The bug allows an attacker to use common command line interface commands to gain access to plaintext credentials: usernames and passwords. “These credentials are likely usable in other environments than Azure DevOps or GitHub, and therefore create an urgent security risk,” Gallagher says.
In a SANS Internet Storm Center blog post, Johannes Ullrich, the dean of research for SANS Technology Institute, pointed to the issue in the Pragmatic General Multicast as an issue to watch. “CVE-2023-36397, a remote code execution vulnerability in the Windows Pragmatic General Multicast (PGM) protocol, is noteworthy as we had patches for this in prior months,” Ullrich wrote. “But exploitation should be difficult. It will require local network access and is not typically enabled.”
Jason Kitka, CISO of Automox, also pointed to one medium severity elevation of privilege vulnerability (CVE-2023-36422) as a bug that security teams shouldn’t ignore. Though Microsoft has classified the bug as an “Important” issue, the threat it presents is critical because an attacker can gain system privileges by exploiting the vulnerability, Kitka wrote in a blog post. “The most effective mitigation strategy against such a threat is applying the available patches promptly and ensuring they are up-to-date,” he wrote.
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.