Microsoft's monthly Patch Tuesday carries seven critical vulnerabilities and one zero-day already being exploited.
The bug already exploited, CVE-2023-28252, is an escalation of privilege in the Windows common log file system driver, and has a CVSS score of 7.4, according to Microsoft’s advisory.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added this bug to its Known Exploited Vulnerability Catalog.
Microsoft credits discovery of the bug to Genwei Jiang of Mandiant and Quan Jin of DBAPPSecurity WeBin Lab.
Elsewhere, CVE-2023-21554 is a critical (CVSS 9.8) remote code execution (RCE) bug in Microsoft message queuing.
Microsoft said an attacker could send “a specially crafted malicious MSMQ packet to a MSMQ server” to execute code on the server.
It was discovered by Wayne Low of Fortinet's FortiGuard Lab and Haifei Li of Check Point Research.
CVE-2023-28231 is a critical RCE in Microsoft’s DHCP server service. It can only be exploited by an authenticated attacker, who could send a crafted RPC call to the service. The bug is credited to YanZiShuang@BigCJTeam.
Microsoft’s Layer 2 Tunneling Protocol has two critical RCEs, CVE-2023-28219 and CVE-2023-28220.
Both vulnerabilities are exploited by sending “a specially crafted connection request to a RAS server”, which grants RCE if the attacker wins the resulting race condition. They are attributed to Yuki Chen of Cyber KunLun.
CVE-2023-28291, an arbitrary code execution bug in Microsoft’s raw image extension, requires the attacker to be logged into a system and to convince the victim to open a malicious file. Successful exploitation gives the attacker RCE capabilities.
In addition, CVE-2023-28250 is an RCE in Windows pragmatic general multicast.
This vulnerability requires the Windows message queuing service to be enabled. If it is, an attacker can send a crafted file to achieve RCE and trigger malicious code on the target system.
Admins can check if message queuing is running and TCP port 1801 is listening, and if so, the bug can be mitigated by disabling the service.
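
The check described above can be scripted. The following PowerShell is an added example, not code from Microsoft or from this article; the function name `Test-MsmqExposure` is hypothetical, and it assumes the message queuing service uses its default service name, `MSMQ`, and that `Get-NetTCPConnection` is available on the host.

```powershell
# Added example: audit the local host for the message queuing exposure.
# Assumption: the service is registered under its default name, MSMQ.
function Test-MsmqExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Optional mitigation: stop the service and set its start type to Disabled.
        [switch]$Disable
    )

    # $svc is $null when the Message Queuing feature is not installed.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSMQ'"

    # Every listener bound to TCP 1801; an empty array when nothing is listening.
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)

    $result = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServiceInstalled  = [bool]$svc
        ServiceState      = if ($svc) { $svc.State } else { 'NotInstalled' }
        StartMode         = if ($svc) { $svc.StartMode } else { $null }
        Port1801Listening = $listeners.Count -gt 0
        ListenAddresses   = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
        OwningProcessIds  = ($listeners.OwningProcess | Sort-Object -Unique) -join ','
    }

    # Apply the mitigation only when asked to; -WhatIf previews it without changes.
    if ($Disable -and $svc -and $PSCmdlet.ShouldProcess('MSMQ', 'Stop and disable service')) {
        Stop-Service -Name MSMQ -Force
        Set-Service -Name MSMQ -StartupType Disabled
    }

    $result
}

# Report only; run "Test-MsmqExposure -Disable -WhatIf" to preview the mitigation.
Test-MsmqExposure | Format-List
```

Disabling the service stops any application that depends on message queuing, so run the report first and confirm nothing on the host needs it.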