<div dir="ltr"><div><div>The below was released by our GRIT. Don't know if it adds anything, but if you get one thing out of it to reduce risk then it was worth it.</div><div><br></div><div><br></div><div>GuidePoint Research and Intelligence Team (GRIT) released a threat bulletin on this week's patches so including it here.</div><div><font face="arial, sans-serif"><br></font></div><div><b>Summary</b><br>On March 14th, 2023, Microsoft published security updates for 83 vulnerabilities, including nine identified as “Critical” severity. Two vulnerabilities, one “Critical” and one “Moderate” severity, have been observed under active exploitation in the wild. CVE-2023-23397, the Critical severity zero-day vulnerability, enables a Threat Actor to elevate privileges by exploiting vulnerable Microsoft Outlook instances. The Moderate severity zero-day vulnerability, CVE-2023-24880, enables a bypass of the Windows SmartScreen security feature on vulnerable Windows devices. Based on GRIT’s review of the vulnerability documentation, the following five vulnerabilities are of particular interest, based on exploitability and available information. 
However, administrators should review and patch all systems based on Microsoft’s recommendation.<p style="color:rgb(4,30,66);font-family:"IBM Plex Sans",sans-serif;margin:0in;font-size:12pt"><span style="font-family:arial,sans-serif;font-size:small;color:rgb(47,84,150)">Notable CVE Breakdown</span><br></p><table border="1" cellpadding="0" cellspacing="0" width="654" style="color:rgb(4,30,66);border-collapse:collapse;border:none"><tbody><tr><td valign="top" width="12.844036697247706%" style="width:62.75pt;border-top:1pt solid rgb(68,114,196);border-bottom:1pt solid rgb(68,114,196);border-left:1pt solid rgb(68,114,196);border-right:none;background:rgb(68,114,196);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">CVE</font></span></strong></p></td><td valign="top" width="11.926605504587156%" style="width:58.5pt;border-top:1pt solid rgb(68,114,196);border-left:none;border-bottom:1pt solid rgb(68,114,196);border-right:none;background:rgb(68,114,196);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">Severity</font></span></strong></p></td><td valign="top" width="9.174311926605505%" style="width:45pt;border-top:1pt solid rgb(68,114,196);border-left:none;border-bottom:1pt solid rgb(68,114,196);border-right:none;background:rgb(68,114,196);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">CVSS</font></span></strong></p></td><td valign="top" width="11.009174311926605%" style="width:0.75in;border-top:1pt solid rgb(68,114,196);border-left:none;border-bottom:1pt solid rgb(68,114,196);border-right:none;background:rgb(68,114,196);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">Attack</font></span></strong></p><p 
style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">Vector</font></span></strong></p></td><td valign="top" width="13.761467889908257%" style="width:67.5pt;border-top:1pt solid rgb(68,114,196);border-left:none;border-bottom:1pt solid rgb(68,114,196);border-right:none;background:rgb(68,114,196);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">Attack</font></span></strong></p><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">Complexity</font></span></strong></p></td><td valign="top" width="12.691131498470948%" style="width:62.3pt;border-top:1pt solid rgb(68,114,196);border-left:none;border-bottom:1pt solid rgb(68,114,196);border-right:none;background:rgb(68,114,196);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">Privileges</font></span></strong></p><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">Required</font></span></strong></p></td><td valign="top" width="12.996941896024465%" style="width:63.75pt;border-top:1pt solid rgb(68,114,196);border-left:none;border-bottom:1pt solid rgb(68,114,196);border-right:none;background:rgb(68,114,196);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">User</font></span></strong></p><p style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">Interaction</font></span></strong></p></td><td valign="top" width="15.596330275229358%" style="width:76.45pt;border-top:1pt solid rgb(68,114,196);border-right:1pt solid rgb(68,114,196);border-bottom:1pt solid rgb(68,114,196);border-left:none;background:rgb(68,114,196);padding:0in 5.4pt;vertical-align:top"><p 
style="margin:0in;text-align:center"><strong><span style="color:white"><font face="arial, sans-serif">Exploitability</font></span></strong></p></td></tr><tr><td valign="top" width="12.844036697247706%" style="width:62.75pt;border-right:1pt solid rgb(142,170,219);border-bottom:1pt solid rgb(142,170,219);border-left:1pt solid rgb(142,170,219);border-top:none;background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:black"><a href="http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=30099507&l=f383676f-d339-4a3b-9791-33246f613ae4&r=49ca4258-1e70-4fb1-bbb2-b226bd9ab088" target="_blank"><span style="font-weight:normal"><font face="arial, sans-serif">CVE-2023-23392</font></span></a></span></strong></p></td><td valign="top" width="11.926605504587156%" style="width:58.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">Critical</font></span></p></td><td valign="top" width="9.174311926605505%" style="width:45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">9.8</font></span></p></td><td valign="top" width="11.009174311926605%" style="width:0.75in;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">Network</font></span></p></td><td valign="top" width="13.761467889908257%" 
style="width:67.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">Low</font></span></p></td><td valign="top" width="12.691131498470948%" style="width:62.3pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">None</font></span></p></td><td valign="top" width="12.996941896024465%" style="width:63.75pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">None</font></span></p></td><td valign="top" width="15.596330275229358%" style="width:76.45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">More Likely</font></span></p></td></tr><tr><td valign="top" width="12.844036697247706%" style="width:62.75pt;border-right:1pt solid rgb(142,170,219);border-bottom:1pt solid rgb(142,170,219);border-left:1pt solid rgb(142,170,219);border-top:none;padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><a href="http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=30099507&l=68a797a1-f9d1-47b4-acbf-d7f727615817&r=49ca4258-1e70-4fb1-bbb2-b226bd9ab088" target="_blank"><span style="font-weight:normal"><font face="arial, 
sans-serif">CVE-2023-23397</font></span></a></strong></p></td><td valign="top" width="11.926605504587156%" style="width:58.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">Critical</font></p></td><td valign="top" width="9.174311926605505%" style="width:45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">9.8</font></p></td><td valign="top" width="11.009174311926605%" style="width:0.75in;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">Network</font></p></td><td valign="top" width="13.761467889908257%" style="width:67.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">Low</font></p></td><td valign="top" width="12.691131498470948%" style="width:62.3pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">None</font></p></td><td valign="top" width="12.996941896024465%" style="width:63.75pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">None</font></p></td><td valign="top" width="15.596330275229358%" 
style="width:76.45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">Exploited</font></p></td></tr><tr><td valign="top" width="12.844036697247706%" style="width:62.75pt;border-right:1pt solid rgb(142,170,219);border-bottom:1pt solid rgb(142,170,219);border-left:1pt solid rgb(142,170,219);border-top:none;background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:black"><a href="http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=30099507&l=3bce9b41-3b76-4347-8bc5-3fa14d52931a&r=49ca4258-1e70-4fb1-bbb2-b226bd9ab088" target="_blank"><span style="font-weight:normal"><font face="arial, sans-serif">CVE-2023-23415</font></span></a></span></strong></p></td><td valign="top" width="11.926605504587156%" style="width:58.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">Critical</font></span></p></td><td valign="top" width="9.174311926605505%" style="width:45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">9.8</font></span></p></td><td valign="top" width="11.009174311926605%" style="width:0.75in;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, 
sans-serif">Network</font></span></p></td><td valign="top" width="13.761467889908257%" style="width:67.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">Low</font></span></p></td><td valign="top" width="12.691131498470948%" style="width:62.3pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">None</font></span></p></td><td valign="top" width="12.996941896024465%" style="width:63.75pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">None</font></span></p></td><td valign="top" width="15.596330275229358%" style="width:76.45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">More Likely</font></span></p></td></tr><tr><td valign="top" width="12.844036697247706%" style="width:62.75pt;border-right:1pt solid rgb(142,170,219);border-bottom:1pt solid rgb(142,170,219);border-left:1pt solid rgb(142,170,219);border-top:none;padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><a href="http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=30099507&l=6608632a-8fad-4b01-bf05-c31b2487febb&r=49ca4258-1e70-4fb1-bbb2-b226bd9ab088" 
target="_blank"><span style="font-weight:normal"><font face="arial, sans-serif">CVE-2023-23416</font></span></a></strong></p></td><td valign="top" width="11.926605504587156%" style="width:58.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">Critical</font></p></td><td valign="top" width="9.174311926605505%" style="width:45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">8.4</font></p></td><td valign="top" width="11.009174311926605%" style="width:0.75in;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">Local</font></p></td><td valign="top" width="13.761467889908257%" style="width:67.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">Low</font></p></td><td valign="top" width="12.691131498470948%" style="width:62.3pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">None</font></p></td><td valign="top" width="12.996941896024465%" style="width:63.75pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">None</font></p></td><td valign="top" 
width="15.596330275229358%" style="width:76.45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><font face="arial, sans-serif">More Likely</font></p></td></tr><tr><td valign="top" width="12.844036697247706%" style="width:62.75pt;border-right:1pt solid rgb(142,170,219);border-bottom:1pt solid rgb(142,170,219);border-left:1pt solid rgb(142,170,219);border-top:none;background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><strong><span style="color:black"><a href="http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=30099507&l=8239dbaa-8149-4a97-a1e0-2805a68f6de1&r=49ca4258-1e70-4fb1-bbb2-b226bd9ab088" target="_blank"><span style="font-weight:normal"><font face="arial, sans-serif">CVE-2023-24880</font></span></a></span></strong></p></td><td valign="top" width="11.926605504587156%" style="width:58.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">Moderate</font></span></p></td><td valign="top" width="9.174311926605505%" style="width:45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">5.4</font></span></p></td><td valign="top" width="11.009174311926605%" style="width:0.75in;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font 
face="arial, sans-serif">Network</font></span></p></td><td valign="top" width="13.761467889908257%" style="width:67.5pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">Low</font></span></p></td><td valign="top" width="12.691131498470948%" style="width:62.3pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">None</font></span></p></td><td valign="top" width="12.996941896024465%" style="width:63.75pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">Required</font></span></p></td><td valign="top" width="15.596330275229358%" style="width:76.45pt;border-top:none;border-left:none;border-bottom:1pt solid rgb(142,170,219);border-right:1pt solid rgb(142,170,219);background:rgb(217,226,243);padding:0in 5.4pt;vertical-align:top"><p style="margin:0in;text-align:center"><span style="color:black"><font face="arial, sans-serif">Exploited</font></span></p></td></tr></tbody></table><p style="color:rgb(4,30,66);margin:0in"><font face="arial, sans-serif">See <a href="http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=30099507&l=41605bd6-28f7-44ed-a1d8-30dc337f3a9c&r=49ca4258-1e70-4fb1-bbb2-b226bd9ab088" target="_blank">Microsoft’s Exploitability Index </a> for additional information about how Microsoft assesses the exploitability of each vulnerability.</font></p><div><br></div><b>HTTP Protocol Stack - 
Remote Code Execution (CVE-2023-23392)</b><br>CVE-2023-23392 is a “Critical” (CVSS: 9.8) vulnerability in Microsoft’s HTTP Protocol stack for Windows 11 and Windows Server 2022. The vulnerability requires that the binding has HTTP/3 enabled on a host using buffered input/output. As HTTP/3 is disabled by default, and support for this service only exists in Windows Server 2022 and Windows 11, the prevalence of this vulnerability is likely to be low. However, based on the low attack complexity, lack of privileges required, and lack of user interaction needed to exploit this vulnerability, Microsoft considers exploitation “More Likely.” Exploitation of this vulnerability could also be chained with CVE-2023-23410 to elevate privileges to SYSTEM on a vulnerable host, providing a successful attacker access to system files and the ability to attempt to further victimize the internal network.<br><br>Recommendations<br>Where patching Windows 11 and Windows Server 2022 machines is not an option, consider disabling HTTP/3 support by removing the registry keys referenced in this Microsoft Networking Blog post.<br><br><b>Microsoft Outlook - Elevation of Privilege (CVE-2023-23397)</b></div><div>CVE-2023-23397 is a “Critical” (CVSS: 9.8) elevation of privilege vulnerability affecting Outlook, Microsoft Office, and Microsoft 365 Apps on Windows hosts. This vulnerability was observed under active exploitation, including by Russia-based threat actors targeting critical infrastructure in Europe, according to the Microsoft Threat Intelligence team. This vulnerability is triggered when an attacker sends a specially crafted message which, if opened using an out of date version of Outlook, triggers a “Reminder” dialog box and an outgoing NTLM authentication to an attacker-controlled server. 
Using details gained from this forced authentication attempt, it is trivial for a potential threat actor to authenticate as the user who opened the email against any system which accepts NTLM authentication. As this vulnerability impacts Outlook apps installed locally, Microsoft 365 online services, including Outlook Web App (OWA), are not impacted. This vulnerability is particularly concerning due to the ease of exploitation and potential impact, with plenty of users one email away from potential compromise. Since several proofs of concept for this vulnerability are already available, GRIT assesses that it is only a matter of time before threat actors begin using it in widespread and targeted phishing campaigns.<br><br>Recommendations<br>Microsoft strongly recommends patching this vulnerability immediately, as exploitation has already been observed. In addition to patching, administrators should add Domain Admins or other important users to the Protected Users Security Group to prevent NTLM authentication. Additionally, perimeter firewalls, VPNs, and local firewalls should be set to block SMB traffic from exiting the network. This prevents any users from sending the NTLM authentication messages used by threat actors to elevate privileges to other services. Microsoft has released a PowerShell script that defenders can use to audit their Exchange environments (on-premises or Exchange Online) for emails which attempt to exploit this vulnerability.<br><br><b>Windows ICMP – Remote Code Execution (CVE-2023-23415)</b><br>CVE-2023-23415 is a “Critical” (CVSS: 9.8) remote code execution vulnerability impacting the Internet Control Message Protocol (ICMP) on Windows Server 2008+ and Windows 10+. Exploitation of this vulnerability involves sending a specially crafted ICMP message to a target machine with an application bound to a raw socket. 
Exploitation of this vulnerability is considered “More Likely.”<br><br>Recommendations<br>While this vulnerability is considered “More Likely” by Microsoft, exploitation is limited to applications bound to a raw socket. Since Windows XP with Service Pack 2, the ability to send traffic over raw sockets has been restricted. Administrators should patch all vulnerable systems and review their environment for any applications designed to use raw sockets. Maintaining an inventory of applications and services utilizing these non-standard configurations can mitigate future security risks.<br><br><b>Windows Cryptographic Services – Remote Code Execution (CVE-2023-23416)</b><br>CVE-2023-23416 is a “Critical” (CVSS: 8.4) remote code execution vulnerability impacting the Windows Cryptographic Services in Windows Server 2012+ and Windows 10+. Exploitation requires that a target system import a malicious certificate. This could be conducted through social engineering, Search Engine Optimization (SEO), or by uploading the certificate to a service that imports certificates for the target organization. Exploitation of this vulnerability is considered “More Likely.”<br><br>Recommendations<br>Administrators should patch immediately, as attackers are prone to conduct social engineering campaigns and abuse SEO to gain access to target networks regularly. Users should also be briefed on the risks of accepting and importing certificates from unknown entities without consulting with IT staff.<br><br><b>Windows SmartScreen – Security Feature Bypass (CVE-2023-24880)</b><br>CVE-2023-24880 is a “Moderate” (CVSS: 5.4) security feature bypass vulnerability impacting Windows Server 2016+ and Windows 10+ systems. This vulnerability was observed under active exploitation, which allows attackers to bypass the Windows Mark of the Web (MotW) warnings by crafting a malicious file and making the file available to a user on a vulnerable system. 
This MotW is used to enforce Protected View in Office applications.<br><br>Recommendations<br>In addition to patching vulnerable systems, users should be reminded to exercise caution while interacting with files found on the web or shared by unknown senders, as they may be part of social engineering efforts to target the users’ systems.</div></div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b>Tom Casey,</b> <span style="color:rgb(105,105,105);white-space:nowrap">Account Executive</span><br><strong>GuidePoint Security LLC</strong></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 17, 2023 at 2:45 PM Weeks, Thomas "Tweeks" <<a href="mailto:t.weeks@vt.edu">t.weeks@vt.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-3928118135050916280">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Anyone been hit by the new MS Outlook super critical vulnerability/exploit? - <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__cve.mitre.org_cgi-2Dbin_cvename.cgi-3Fname-3D2023-2D23397&d=DwMFAw&c=cehHn3YFTvbeqmBOizlVwndgdnPducYBouAyYX7fXYg&r=Kf5RBswNMWU0qgnhv-jum_IwioCzbHpyt-zOC4z_r4yBHb_cYw_XdWTbgZTnSI1i&m=A56ju51q9M-pgvaZiyw3O-ZDPJcYgeFgPRv7w8Pxl9wk4tUwGP3T3YegABnd_mVT&s=qWlJ8ivi7pWB6yGID3HgtcKtyWK9p1xKtZDs8TNM20M&e=" title="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-23397" id="m_-3928118135050916280LPlnk850888" target="_blank">CVE-2023-23397 [cve.mitre.org]</a><br>
Info - <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__securityboulevard.com_2023_03_detecting-2Dcve-2D2023-2D23397-2Dhow-2Dto-2Didentify-2Dexploitation-2Dof-2Dthe-2Dlatest-2Dmicrosoft-2Doutlook-2Dvulnerability_&d=DwMFAw&c=cehHn3YFTvbeqmBOizlVwndgdnPducYBouAyYX7fXYg&r=Kf5RBswNMWU0qgnhv-jum_IwioCzbHpyt-zOC4z_r4yBHb_cYw_XdWTbgZTnSI1i&m=A56ju51q9M-pgvaZiyw3O-ZDPJcYgeFgPRv7w8Pxl9wk4tUwGP3T3YegABnd_mVT&s=YvfDs-1uo2MqjT1M2zeSZbaNxzJVTtt6kCxRu7tiums&e=" id="m_-3928118135050916280LPNoLPOWALinkPreview" target="_blank">https://securityboulevard.com/2023/03/detecting-cve-2023-23397-how-to-identify-exploitation-of-the-latest-microsoft-outlook-vulnerability/ [securityboulevard.com]</a>
<div></div>
<br>
What's it looked like for your org?<br>
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt">One not-often discussed workaround is that of setting up your Windows clients to block outbound port 445 traffic (scoped for only their LAN) using the Windows Advanced Firewall.
<br>
Here's an example of looking outbound ports: </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_watch-3Fv-3DfdqMWN2LPzc&d=DwMFAw&c=cehHn3YFTvbeqmBOizlVwndgdnPducYBouAyYX7fXYg&r=Kf5RBswNMWU0qgnhv-jum_IwioCzbHpyt-zOC4z_r4yBHb_cYw_XdWTbgZTnSI1i&m=A56ju51q9M-pgvaZiyw3O-ZDPJcYgeFgPRv7w8Pxl9wk4tUwGP3T3YegABnd_mVT&s=shVZw9cM1NqE4DEkalzH26KRD6Javv7o6dSa5_KjTZ8&e=" rel="noopener noreferrer" style="font-size:14px;font-family:"Noto Sans",Arial,sans-serif" target="_blank">https://www.youtube.com/watch?v=fdqMWN2LPzc [youtube.com]</a><span style="font-family:"Noto Sans",Arial,sans-serif;font-size:14px;color:rgb(28,28,28);background-color:rgb(255,255,255);display:inline"> </span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span style="font-family:"Noto Sans",Arial,sans-serif;font-size:14px;color:rgb(28,28,28);background-color:rgb(255,255,255);display:inline">(allow outbound 445, but use the "Scope" function to only allow your LAN outbound network range access, blocking everything else).</span></div>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
That will stop the exploit from completing.<br>
<br>
What are you all seeing in the wild?<br>
(I only use Exchange via OWA via Linux, so I'm good ;)<br>
<br>
</div>
<div id="m_-3928118135050916280Signature">
<div>
<div name="divtagdefaultwrapper">
<span style="font-family:Consolas,Courier,monospace">-- </span></div>
<div name="divtagdefaultwrapper">
<b><span style="font-family:Consolas,Courier,monospace">T.Weeks</span><br>
</b></div>
<div name="divtagdefaultwrapper">
<b><span style="font-family:Consolas,Courier,monospace">Thomas "Tweeks" Weeks</span><br>
</b></div>
<div name="divtagdefaultwrapper">
<b><span style="font-family:Consolas,Courier,monospace;color:black">Director, Technology Futures and Community Advocacy</span></b></div>
<div name="divtagdefaultwrapper" style="margin:0px"><b><span style="color:black"><font face="Consolas, Courier, monospace"></font></span><span style="font-family:Consolas,Courier,monospace;color:black">Division of Information Technology,</span><font color="#000000" style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:inherit;font-style:inherit;font-variant-ligatures:inherit;font-variant-caps:inherit"><span style="font-family:Consolas,Courier,monospace"> Virginia
Tech</span><br>
</font></b></div>
<div name="divtagdefaultwrapper" style="margin:0px"><b><font color="#000000" style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:inherit;font-style:inherit;font-variant-ligatures:inherit;font-variant-caps:inherit"></font><span style="font-family:Consolas,Courier,monospace"><b style="font-size:14px;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="margin:0px;color:black"><font face="Consolas, Courier, monospace">Cyber
Range Engineer, <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__www.virginiacyberrange.org_&d=DwMFAw&c=cehHn3YFTvbeqmBOizlVwndgdnPducYBouAyYX7fXYg&r=Kf5RBswNMWU0qgnhv-jum_IwioCzbHpyt-zOC4z_r4yBHb_cYw_XdWTbgZTnSI1i&m=A56ju51q9M-pgvaZiyw3O-ZDPJcYgeFgPRv7w8Pxl9wk4tUwGP3T3YegABnd_mVT&s=dYrY8E9HpVc9Dk7sH6A91FsNNQpv7tymyOwIsbY1mHc&e=" style="margin:0px" target="_blank">VirginiaCyberRange.org [virginiacyberrange.org]</a> <br>
</font></span></b></span></b></div>
<div name="divtagdefaultwrapper" style="margin:0px"><b><span style="font-family:Calibri,Arial,Helvetica,sans-serif"><br>
</span></b></div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Security-Discuss mailing list<br>
Security-Discuss@lists.rbtc.tech<br>
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.rbtc.tech_mailman_listinfo_security-2Ddiscuss&d=DwIGaQ&c=cehHn3YFTvbeqmBOizlVwndgdnPducYBouAyYX7fXYg&r=Kf5RBswNMWU0qgnhv-jum_IwioCzbHpyt-zOC4z_r4yBHb_cYw_XdWTbgZTnSI1i&m=A56ju51q9M-pgvaZiyw3O-ZDPJcYgeFgPRv7w8Pxl9wk4tUwGP3T3YegABnd_mVT&s=pWp0kz-11EBE-yV1msMqolIcoq0qU8FDx5M8xFRuCYI&e=" rel="noreferrer" target="_blank">http://lists.rbtc.tech/mailman/listinfo/security-discuss [lists.rbtc.tech]</a> <br>
</div></blockquote></div>
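<div>
The scoped outbound-445 rule described in the quoted message, as an added example that is not part of the original thread or of any Microsoft guidance text. It uses the Windows Defender Firewall PowerShell cmdlets to block outbound TCP 445 to every address outside the RFC 1918 private ranges. Windows evaluates explicit Block rules ahead of Allow rules, so "allow LAN, block everything else" is expressed as one Block rule whose remote scope is the complement of the LAN ranges rather than as an Allow rule plus a catch-all Block (the catch-all would win and break LAN file sharing). The rule name, description and the assumption that the LAN lives entirely in RFC 1918 space are mine; adjust the ranges to the site's real addressing and run in an elevated PowerShell session.
</div>

```powershell
# Added example, not from the thread: block outbound SMB (TCP 445) from a
# Windows client to anything that is not on the local private network.
# Mitigation context: CVE-2023-23397 relies on the client reaching an
# attacker-controlled SMB share; denying non-LAN 445 stops that connection.

$ruleName = 'Block outbound SMB 445 to non-LAN'   # hypothetical rule name

# Assumption: the LAN uses RFC 1918 space only (10/8, 172.16/12, 192.168/16).
# These four ranges are the unicast IPv4 space *outside* those blocks.
$nonLanRanges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# Idempotent: create the rule only if it does not already exist.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Description 'Mitigation for CVE-2023-23397: deny SMB to non-LAN hosts' `
        -Direction Outbound `
        -Action Block `
        -Enabled True `
        -Profile Any `
        -Protocol TCP `
        -RemotePort 445 `
        -RemoteAddress $nonLanRanges | Out-Null
    Write-Host "Created firewall rule '$ruleName'."
} else {
    Write-Host "Firewall rule '$ruleName' already exists; nothing changed."
}

# Verification: print the rule's remote-address scope so the ranges can be
# eyeballed before rolling the rule out by GPO or Intune.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

<div>
Two things to keep in mind when deploying this. First, the rule only protects hosts it is installed on; roaming laptops off the corporate network are exactly the ones most exposed, so the local firewall rule is worth more than a perimeter block alone, and Microsoft's own CVE-2023-23397 guidance lists blocking outbound TCP 445 as a mitigation alongside patching. Second, if the site has SMB servers outside RFC 1918 space (a cloud file service, a partner DMZ), those addresses must be carved out of the ranges above or the rule will silently break them.
</div>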