IT and security teams should prioritize CVE-2023-21674, an important and actively exploited zero-day vulnerability in Windows Advanced Local Procedure Call (ALPC) that allows for elevation to full system privileges when exploited. SharePoint Server admins will also want to quickly fix a critical security feature bypass that allows an unauthenticated attacker to connect to vulnerable SharePoint servers anonymously. Though there’s no evidence of exploitation yet, Microsoft notes this vulnerability is likely to be targeted.
Administrators should also remediate CVE-2023-21552 and CVE-2023-21532 quickly; both are rated important and marked as more likely to be exploited. Both allow elevation to SYSTEM privileges due to a weakness in Windows GDI. Most versions of Windows 10, 11, and Server 2008-2022 are vulnerable, so we expect nearly all organizations using Windows to be impacted.
There’s also an important and publicly disclosed elevation of privilege vulnerability in the Windows Workstation Service. Though CVE-2023-21549 is publicly disclosed, it’s less likely to be exploited as only Windows installations with less than 3.5 GB of RAM or versions older than Windows 10 version 1703 are vulnerable.
And finally, if you still use Windows 7 Pro or Enterprise (along with 8.1), Extended Security Updates (ESU) end today. We’d strongly recommend decommissioning these operating systems if you haven’t already as they’ll no longer see critical and important vulnerabilities patched by Microsoft moving forward.
2023 has kicked off with another Windows Advanced Local Procedure Call (ALPC) elevation of privilege vulnerability from Microsoft, CVE-2023-21674. The attack vector is local, attack complexity and required privileges are both low, and no user interaction is needed for exploitation. The vulnerability exists because Windows improperly handles calls to ALPC, which lets an attacker escalate from sandboxed execution inside Chromium to kernel execution and full system privileges.
To exploit this vulnerability, an attacker would first have to log on to the system, run a specially crafted application, and then take control of the affected system. A successful attacker could then run arbitrary code in the security context of the local system and install programs enabling them to view, change, or delete data, or, in the worst case, create new accounts with full user rights.
Microsoft has released an official fix for the zero-day for Windows 11, Windows 10, and Windows 8.1, as well as Windows Server 2022, 2019, 2016, and 2012 R2.
CVE-2023-21743 is a critical vulnerability affecting Microsoft SharePoint Server. An attacker can bypass the SharePoint protection that blocks HTTP requests based on IP range. A successful exploit lets the attacker confirm the presence or absence of an HTTP endpoint within the blocked IP range. The vulnerability requires the attacker to have read access to the target SharePoint site.
CVE-2023-21549 is an important elevation of privilege vulnerability (CVSSv3.1 8.8/10) in the Windows Workstation Service. It affects most versions of Windows 7, 8.1, 10, 11 and Server 2012-2022. The vulnerability has been publicly disclosed, though it is less likely to be exploited.
Windows installations with less than 3.5 GB of memory or versions older than Windows 10 1703 are vulnerable to attack.
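The two exposure criteria above (less than 3.5 GB of RAM, or a build older than Windows 10 version 1703) can be checked per host. The following PowerShell function is an added example, not code from the original post or from Microsoft: it reads the local machine's physical memory and OS build and reports whether either criterion applies. The function name `Test-Cve202321549Exposure` is my own, and the assumption that Windows 10 version 1703 corresponds to OS build 15063 is mine, not a value stated on the page.

```powershell
# Added example (not from the original post): classify the local host against the
# stated exposure criteria for CVE-2023-21549 (Windows Workstation Service EoP):
# less than 3.5 GB of RAM, or an OS older than Windows 10 version 1703.
# Assumption: Windows 10 version 1703 corresponds to OS build 15063.

function Test-Cve202321549Exposure {
    [CmdletBinding()]
    param(
        # Thresholds come from the advisory text; overridable for lab testing.
        [double]$MinimumRamGB  = 3.5,
        [int]$FirstSafeBuild   = 15063
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # TotalPhysicalMemory is in bytes; BuildNumber is a string in CIM.
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2)
    $build = [int]$os.BuildNumber

    $lowMemory = $ramGB -lt $MinimumRamGB
    $oldBuild  = $build -lt $FirstSafeBuild

    # Either criterion alone places the host in the vulnerable population
    # described in the advisory; this does not test whether the patch is installed.
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSCaption     = $os.Caption
        OSBuild       = $build
        TotalRamGB    = $ramGB
        LowMemory     = $lowMemory
        PreBuild15063 = $oldBuild
        MeetsCriteria = ($lowMemory -or $oldBuild)
    }
}

Test-Cve202321549Exposure | Format-List
```

Because the build check flags anything older than build 15063, Windows 7, 8.1 and Server 2012 R2 hosts are reported as meeting the criteria as well, which matches the affected-version list above. The output describes exposure only; confirm separately that the January update has actually been installed on each host the function flags.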
Elevation of privilege, also referred to as privilege escalation, is a class of vulnerability that lets an adversary gain unauthorized access by raising their own access and execution permissions on the system. This vulnerability does not allow remote code execution; the attacker must already have device access and user permissions to execute code on the target system.
The vulnerability affects the Graphics Device Interface (GDI), the original graphics interface for the Windows operating system. Applying the patch mitigates the vulnerability.