April Patch Tuesday: Ransomware gangs already exploiting this Windows bug


Microsoft patched 97 security flaws for April's Patch Tuesday, including one that has already been found and exploited by miscreants attempting to deploy Nokoyawa ransomware.

Redmond deemed seven of the now-patched vulnerabilities "critical" and the rest merely "important."

Microsoft, as usual, didn't disclose the extent of attacks against CVE-2023-28252, a privilege elevation bug in the Windows Common Log File System (CLFS) driver, though infosec folks say they've spotted attempts to deploy the Nokoyawa ransomware via this security hole.

As Microsoft warned: "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges." And according to Kaspersky, a cybercriminal gang is attempting to use this vulnerability to help itself spread ransomware among targets in the retail and wholesale, energy, manufacturing, healthcare, and software development industries, plus others. The flaw is similar to another privilege elevation bug Microsoft patched in February.

"To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix," Zero Day Initiative's Dustin Childs said.

All seven of the critical-rated bugs are remote code execution (RCE) vulnerabilities, so while Microsoft hasn't detected any in-the-wild exploits for these — yet — miscreants could use them to cause serious havoc. Particularly as Exploit Wednesday follows quickly after Patch Tuesday.

One of the critical flaws, CVE-2023-21554, is an RCE that affects servers with Microsoft's Message Queuing service enabled. It received a 9.8 out of 10 CVSS severity rating, and Redmond labels it as "exploitation more likely." While the Message Queuing service is disabled by default, Childs says it's commonly used by contact-center applications. "It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks," he explained.
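The following PowerShell script is an added example, not code from the article or from Microsoft: it audits a Windows host for the exposure Childs describes (the Message Queuing service and its default TCP port 1801) and can add a host-firewall block for that port. The article's recommendation is to block 1801 at the network perimeter; the host rule here is assumed as an additional layer. The `MSMQ` service name and the `NetTCPIP`/`NetSecurity` cmdlets are built into supported Windows versions, but that they suffice for your environment is an assumption.

```powershell
# Added example (not from the article): audit a Windows host for Message Queuing
# exposure relevant to CVE-2023-21554 and optionally block inbound TCP 1801.
# Assumptions: run in an elevated PowerShell 5.1+ session on Windows; the
# service is registered as "MSMQ"; a host-firewall block is acceptable here.
# Caveat: the block rule stops legitimate MSMQ traffic too, so only apply it
# where the service is not needed, or prefer the perimeter block the article
# recommends and use this script for the audit portion only.

param(
    [switch]$Block    # create the inbound block rule; without it the script only reports
)

$Port = 1801          # MSMQ default TCP port, as stated in the article
$RuleName = "Block inbound MSMQ TCP $Port (CVE-2023-21554 mitigation)"

# 1. Is the Message Queuing service installed, and is it running?
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($null -eq $msmq) {
    Write-Host "MSMQ service is not installed on this host."
} else {
    Write-Host ("MSMQ service present: Status={0}, StartType={1}" -f $msmq.Status, $msmq.StartType)
}

# 2. Is anything actually listening on TCP 1801? Report the owning process so an
#    operator can tell MSMQ from some other application squatting on the port.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("Listening on {0}:{1}  PID {2} ({3})" -f `
            $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Host "No listener on TCP $Port."
}

# 3. Is an enabled inbound block rule for the port already in place?
$existing = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$Port" }
if ($existing) {
    Write-Host ("Inbound block rule(s) already cover TCP {0}: {1}" -f $Port, ($existing.DisplayName -join '; '))
} else {
    Write-Host "No inbound block rule for TCP $Port found."
}

# 4. Optionally add the host-firewall block. Idempotent: skips if our rule exists.
if ($Block) {
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$RuleName' already exists; nothing to do."
    } else {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort $Port `
            -Action Block -Profile Any | Out-Null
        Write-Host "Created inbound block rule for TCP $Port."
    }
}
```

Run it without `-Block` first to see whether the service and listener are present; on hosts where a contact-center application legitimately relies on MSMQ, keep the service, apply the vendor patch, and rely on the perimeter block instead of the host rule.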


Additionally, a pair of critical Layer 2 Tunneling Protocol RCEs, CVE-2023-28220 and CVE-2023-28219, that affect Windows Remote Access Servers (RAS) are also marked as "exploitation more likely."

"An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine," Redmond noted.

According to Immersive Labs' Director of Cyber Threat Research Kev Breen, while RAS servers aren't standard in organizations, they do typically have direct access from the internet.

"This makes it highly enticing for attackers as they don't need to socially engineer their way into an organization," Breen told The Register. "They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices."

In other words, if you use these services, patch quickly.

And remember that Microsoft's rating system for security flaws differs from the Common Vulnerability Scoring System classifications.

Adobe addresses 56 CVEs

Adobe, meanwhile, released six bulletins for 56 CVEs in Acrobat and Reader, Adobe Digital Editions, InCopy, Substance 3D Designer, Substance 3D Stager, and Adobe Dimension.

The Reader security bulletin fixes 16 CVEs, 14 of which are critical RCEs, and successful exploitation could lead to arbitrary code execution, privilege escalation, security feature bypass and memory leak.

One patch for Digital Editions plugs a critical code execution bug, and the bulletin for InCopy also fixes a single, critical code execution flaw.

The alert for Substance 3D Designer patches nine critical bugs, while the update for Substance 3D Stager addresses 14 CVEs, of which 10 are critical.

And lastly, Adobe Dimension fixes 15 flaws, of which 14 could lead to arbitrary code execution while the other could result in a memory leak.

None of the Adobe flaws are listed as publicly known or under active attack.

SAP issues 19 Security Notes

SAP's April Security Patch Day included 19 new Security Notes [PDF]. Note #3305369 received the maximum CVSS score of 10, and concerns two flaws in SAP Diagnostics Agent (OSCommand Bridge and EventLogServiceCollector).

The Onapsis Research Labs (ORL) spotted the pair of bugs, and says they could allow an unauthenticated user to execute scripts on Diagnostics Agents connected to SAP SolutionManager. "In conjunction with insufficient input validation, attackers were able to execute malicious commands on all monitored SAP systems, highly impacting their confidentiality, integrity, and availability," researcher Thomas Fritsch said.

Google patches software nasties in Chrome, Android OS

Google made a number of Android OS and Chrome security fixes this month. This includes two critical bugs in the Android System component "that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed," according to the April Android Security Bulletin.

Additionally, no user interaction is needed to exploit this bug.

"Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the Center for Internet Security warned in its advisory about the Android flaws.

Meanwhile, the Chrome update includes 16 security fixes, the most severe of which could allow for arbitrary code execution.

But wait, there's more... AMD has addressed the moderate issue CVE-2023-1018 (out-of-bounds read) and the high severity CVE-2023-1017 (out-of-bounds write) in its TPM 2.0 Module Library. This affects second-generation Threadripper processors. Users are advised to update their BIOS to close the holes, which can be exploited to read sensitive data in the TPM or execute code in its context. Which is not great.

Cisco closes out the patch party

And finally, Cisco joined the patch parade this month with 17 new and updated security alerts addressing 40 flaws.

Only one of these alerts is marked critical, and it fixes two vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) that the vendor first disclosed in July 2022. If exploited, the bugs "could allow a remote attacker to overwrite arbitrary files or conduct null byte poisoning attacks on an affected device," the networking giant noted.

Cisco released software updates that fix both flaws, and says there are no workarounds. ®