
Patch Tuesday April 2023: Microsoft Local Administrator Password Solution and M365 Apps Manual Updates

April showers bring May flowers, and Patch Tuesdays bring new vulnerabilities that need to be weeded out of our gardens. Microsoft is giving sysadmins plenty to add to their spring cleaning chores with a selection of remote code execution vulnerabilities for Microsoft Office and Microsoft 365 Apps (CVE-2023-28285, CVE-2023-28295, CVE-2023-28287, and CVE-2023-28311). Even though these vulnerabilities aren’t under active exploitation yet, they should still be a priority because of their large deployment base. Adding a little challenge here, sysadmins should review how they apply updates, as they may be missing out on Microsoft’s Click-to-Run functionality to keep M365 Apps properly updated.

Microsoft Vulnerabilities

Of the 103 vulnerabilities receiving fixes this month, five are updates to previous fixes. CVE-2022-43552, CVE-2022-26923, CVE-2013-3900, CVE-2022-34716, and CVE-2022-38023 all received updates with CVE-2022-38023 needing some additional attention from sysadmins and domain admins concerning Netlogon protocol changes. There is also a new zero-day vulnerability: CVE-2023-28252. This is under active exploitation, but it should be easy to deal with as it is addressed in Monthly Rollup, Security Updates or CUs.


Microsoft 365 Vulnerability Fixes and Click-to-Run

Microsoft Office and M365 apps also received fixes for multiple vulnerabilities (CVE-2023-28285, CVE-2023-28295, CVE-2023-28287, and CVE-2023-28311), but depending on how you apply updates and patches, the fixes may not be included in your regular patching routine. Make sure you review your patching tools and processes to ensure M365 Apps have a defined update process in place. We have an automation item available in the Automation Cookbook for N‑sight and N‑central partners to use to update and check Microsoft 365 versions; it leverages Microsoft’s Click-to-Run executable included in all installs of M365 apps:
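As an added illustration of the same idea (this is not the Automation Cookbook item itself), the script below reads the installed Microsoft 365 Apps build and channel from the Click-to-Run registry configuration, compares it against a minimum build you supply, and triggers a silent Click-to-Run update if the install is behind. It assumes a Click-to-Run install of Microsoft 365 Apps, an elevated session, and that you replace the placeholder minimum build with the patched build for your channel from Microsoft’s update history page.

```powershell
# Added example, not N-able's Automation Cookbook item: report the installed
# Microsoft 365 Apps build and channel, then ask Click-to-Run to update if needed.
# Assumes a Click-to-Run install and an elevated PowerShell session.

$c2rKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$c2rClient = Join-Path $env:CommonProgramFiles 'microsoft shared\ClickToRun\OfficeC2RClient.exe'

if (-not (Test-Path $c2rKey)) {
    # No Click-to-Run configuration: Office is absent or an older MSI install that
    # is serviced through Windows Update/WSUS rather than Click-to-Run.
    Write-Warning 'No Click-to-Run configuration found on this device.'
    return
}

$cfg = Get-ItemProperty -Path $c2rKey
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    VersionToReport = $cfg.VersionToReport   # installed build, e.g. 16.0.xxxxx.xxxxx
    UpdateChannel   = $cfg.UpdateChannel     # CDN URL identifying the servicing channel
    UpdatesEnabled  = $cfg.UpdatesEnabled    # 'True' unless updates were disabled by policy
    Platform        = $cfg.Platform          # x86 or x64
} | Format-List

# PLACEHOLDER: set this to the patched build for your channel (see Microsoft's
# "Update history for Microsoft 365 Apps" page); 16.0.0.0 will never trigger an update.
$minimumBuild = [version]'16.0.0.0'

if ($cfg.UpdatesEnabled -eq 'False') {
    Write-Warning 'Click-to-Run updates are disabled by policy; the update call below will be ignored.'
}

if ([version]$cfg.VersionToReport -lt $minimumBuild) {
    if (Test-Path $c2rClient) {
        # Silent update; without forceappshutdown the new build is applied once Office apps close.
        Start-Process -FilePath $c2rClient -ArgumentList '/update', 'user', 'displaylevel=false', 'forceappshutdown=false'
        Write-Output "Update requested: $($cfg.VersionToReport) is below $minimumBuild"
    } else {
        Write-Warning "OfficeC2RClient.exe not found at $c2rClient"
    }
} else {
    Write-Output "No update needed: $($cfg.VersionToReport) meets $minimumBuild"
}
```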

Also, as a reminder, March’s Microsoft Patch Tuesday made updates to how DCOM servers handle authentication. If you deferred last month’s updates until this month and you’re seeing any network communication problems with legacy applications, it could be tied to KB5004442 now forcing DCOM servers to use more robust authentication, with no option to revert to less secure options.

Microsoft adds new Windows LAPS

A new integrated version of LAPS (Local Administrator Password Solution) was also part of this month’s Microsoft Patch Tuesday release. LAPS allows you to secure the local administrator accounts on Windows domain-joined and Azure AD-joined devices. This is a valuable tool for any MSP that needs to secure local administrator accounts with rotating passwords managed by AD. If you’re reading this and you don’t know how your organization and clients secure local administrator accounts, then you have some additional reading to do on LAPS. You can find out how it can significantly improve the resiliency of environments against the use of compromised credentials and session replays for lateral movement within an environment by reading the blog Microsoft has written to help understand LAPS.
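One practical check that follows from the paragraph above, added here as an example and not taken from the post or from Microsoft: audit which domain computers in an OU are actually covered by Windows LAPS, using only the password expiration attribute so no passwords are read. It assumes the ActiveDirectory module, that Update-LapsADSchema has already been run (so the msLAPS-PasswordExpirationTime attribute exists), and that the OU path is replaced with your own.

```powershell
# Added example, not from the post: list computers whose local administrator
# password is not managed by Windows LAPS, or whose LAPS password has expired.
# Reads only msLAPS-PasswordExpirationTime; it never touches the password attributes.
# Assumes the ActiveDirectory module and that Update-LapsADSchema has been run.

Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=local'   # PLACEHOLDER: your OU
$now = Get-Date

$results = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase `
    -Properties 'msLAPS-PasswordExpirationTime', 'lastLogonTimestamp' |
    ForEach-Object {
        # Windows LAPS attribute (not the legacy ms-Mcs-AdmPwdExpirationTime); it is a
        # FILETIME value, and its absence means LAPS has never written a password here.
        $expRaw = $_.'msLAPS-PasswordExpirationTime'
        $expiry = if ($expRaw) { [DateTime]::FromFileTimeUtc([int64]$expRaw).ToLocalTime() } else { $null }
        $lastLogon = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTimeUtc([int64]$_.lastLogonTimestamp).ToLocalTime()
        } else { $null }

        $state = 'OK'
        if (-not $expiry) { $state = 'NotManaged' } elseif ($expiry -lt $now) { $state = 'Expired' }

        [pscustomobject]@{
            ComputerName = $_.Name
            State        = $state
            LapsExpiry   = $expiry
            LastLogon    = $lastLogon
        }
    }

# NotManaged: the LAPS policy is not applied or has not been processed yet.
# Expired: the computer has not rotated on schedule, typically because it was offline.
$results | Where-Object State -ne 'OK' | Sort-Object State, ComputerName | Format-Table -AutoSize

# Overall coverage for the OU, useful as a recurring health metric.
$results | Group-Object State | Select-Object Name, Count
```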


Microsoft Patch Tuesday Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is partly a matter of following established best practices and partly gut instinct. Critical severity, Exploitation More Likely and Exploitation Detected vulnerabilities should, as always, rank fairly high on the priority list. If you only patch based on severity, you are leaving a lot of unnecessary risk exposure lying around.

Table Key: Severity: C = Critical, I = Important, M = Moderate; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

| CVE | Description | Severity | Status |
|---|---|---|---|
| CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | I | ED |
| CVE-2013-3900 | WinVerifyTrust Signature Validation Vulnerability | I | ED |
| CVE-2023-28291 | Raw Image Extension Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-28232 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-28274 | Windows Win32k Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-28266 | Windows Common Log File System Driver Information Disclosure Vulnerability | I | EML |
| CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability | C | EML |
| CVE-2023-28227 | Windows Bluetooth Driver Remote Code Execution Vulnerability | I | EML |
| CVE-2023-28220 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | C | EML |
| CVE-2023-28219 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | C | EML |
| CVE-2023-28218 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-24912 | Windows Graphics Component Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability | C | EML |
| CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability | I | EML |
| CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability | C | EML |
| CVE-2022-43552 | Open Source Curl Remote Code Execution Vulnerability | I | N/A |

Summary

As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Day, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.

If you’re looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews, check out this section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
