Friday, June 30, 2023

Micropatches Released For DHCP Server Service Remote Code Execution (CVE-2023-28231)

April 2023 Windows Updates brought a fix for CVE-2023-28231, a remote code execution vulnerability in DHCP Server service. The vulnerability was reported to Microsoft by security researcher YanZiShuang.

Subsequently, Numen Cyber published a POC and DarkRelay Security Labs published their analysis, both of which allowed us to reproduce the issue and create a micropatch for Windows computers that haven't received an official fix from Microsoft.

The vulnerability only affects Windows servers with DHCP Server installed, and resides in the way DHCP Server processes relay-forwarded messages, whereby a message claiming to have been forwarded by more than 32 intermediate DHCP servers breaks the code's assumptions and causes memory corruption.
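The page describes the bug only at this level, so as an added illustration (not 0patch's or Microsoft's code) here is a defensive parser for DHCPv6 Relay-forward nesting, assuming the relay encapsulation of RFC 8415 (message type 12, OPTION_RELAY_MSG 9, HOP_COUNT_LIMIT 32, which matches the 32-relay assumption the post mentions). It counts the real nesting depth instead of trusting the attacker-controlled hop-count byte, so a message wrapped more than 32 times is rejected before any per-relay state is stored; the `wrap_relay` helper is a constructed test fixture.

```python
import struct

MSG_RELAY_FORW = 12       # DHCPv6 Relay-forward message type (RFC 8415)
OPTION_RELAY_MSG = 9      # option that carries the encapsulated inner message
HOP_COUNT_LIMIT = 32      # RFC 8415 limit; the page says >32 relays broke the server
RELAY_HDR_LEN = 34        # msg-type(1) + hop-count(1) + link-address(16) + peer-address(16)


def relay_depth(msg: bytes, depth: int = 0) -> int:
    """Walk nested Relay-forward headers and return how many relay layers wrap the
    client message. Raises ValueError on malformed input or nesting past the limit."""
    if not msg:
        raise ValueError("empty message")
    if msg[0] != MSG_RELAY_FORW:
        return depth                      # reached the client's own message
    if depth >= HOP_COUNT_LIMIT:          # 33rd header: do not trust a fixed 32-slot table
        raise ValueError(f"relay nesting exceeds HOP_COUNT_LIMIT ({HOP_COUNT_LIMIT})")
    if len(msg) < RELAY_HDR_LEN:
        raise ValueError("truncated Relay-forward header")
    hop_count = msg[1]                    # attacker-controlled; validated but not relied on
    if hop_count >= HOP_COUNT_LIMIT:
        raise ValueError(f"hop-count {hop_count} exceeds HOP_COUNT_LIMIT")
    pos, inner = RELAY_HDR_LEN, None
    while pos + 4 <= len(msg):            # options: code(2) length(2) data
        code, length = struct.unpack_from("!HH", msg, pos)
        pos += 4
        if pos + length > len(msg):
            raise ValueError("option length overruns message")
        if code == OPTION_RELAY_MSG:
            inner = msg[pos:pos + length]
        pos += length
    if inner is None:
        raise ValueError("Relay-forward without OPTION_RELAY_MSG")
    return relay_depth(inner, depth + 1)


def check_message(msg: bytes):
    """Return (accepted, detail), as a server front-end or IDS rule would report it."""
    try:
        return True, f"relay depth {relay_depth(msg)}"
    except ValueError as exc:
        return False, str(exc)


def wrap_relay(inner: bytes, hop_count: int) -> bytes:
    """Constructed test fixture: wrap `inner` in one Relay-forward header with zero
    link/peer addresses. Real relays fill in the addresses; the parser ignores them."""
    header = bytes([MSG_RELAY_FORW, hop_count]) + bytes(32)
    return header + struct.pack("!HH", OPTION_RELAY_MSG, len(inner)) + inner
```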

While still-supported Windows servers have already received an official vendor fix for this vulnerability, Windows Server 2008 R2 isn't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatch for this vulnerability, which is available through the 0patch service.

Our patch is logically identical to Microsoft's.


Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows Server 2008 R2


This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center.

We'd like to thank Numen Cyber for sharing their POC, and DarkRelay Security Labs for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Micropatches Released For Windows Task Scheduler Elevation of Privilege (CVE-2023-21541)

January 2023 Windows Updates brought a fix for CVE-2023-21541, a local privilege elevation in Task Scheduler. The vulnerability was reported to Microsoft by Ben Lincoln of Bishop Fox.

In April, Ben published a detailed analysis of this issue, which allowed us to reproduce the issue and create a micropatch for Windows computers that haven't received an official fix from Microsoft.

The vulnerability is easy to understand: if a scheduled task contains an environment variable in its executable path, expansion of this variable may result in double quotes around the path being lost, which could then lead to the "unquoted path" vulnerability.

On the other hand, the issue is not so easy to exploit, assuming that the local attacker does not have administrative privileges (why would they need a local privilege elevation vulnerability if they did?). The first condition is that a scheduled task must already exist on the system whose path to the executable contains an environment variable, and the second condition is that the attacker is able to create a malicious executable called program.exe in the root of C: drive. The latter is, by default, only allowed for administrators and system, so the computer would have to be in some custom configuration.
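The two conditions above can be checked on exported task definitions. The following audit script is an added example (not Bishop Fox's or 0patch's code) that parses Task Scheduler XML, assumes a constructed environment mapping instead of reading the host's, and flags any Exec action whose Command uses an environment variable and expands to a path containing spaces; because the reported bug is that quotes can be lost during expansion, a quoted command is treated as if it were unquoted. `search_candidates` lists the locations CreateProcess would try for such a path, which is what makes C:\program.exe the first hit.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ENV_VAR = re.compile(r"%([^%]+)%")

# Constructed environment for offline demonstration; on a host use os.environ.
DEMO_ENV = {"ProgramFiles": "C:\\Program Files", "SystemRoot": "C:\\Windows"}

# Constructed task definition (XML declaration omitted; schtasks exports UTF-16).
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"%ProgramFiles%\\Example Vendor\\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
    <Exec>
      <Command>%SystemRoot%\\System32\\cleanmgr.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def expand(command: str, env: dict) -> str:
    """Expand %VAR% references like ExpandEnvironmentStrings; unknown names stay as-is."""
    return ENV_VAR.sub(lambda m: env.get(m.group(1), m.group(0)), command)


def search_candidates(path: str) -> list:
    """Files CreateProcess tries, in order, for an unquoted path with spaces:
    each space-delimited prefix with .exe appended, then the full path."""
    parts = path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [path]


def audit_task_xml(xml_text: str, env: dict) -> list:
    """Return one finding per Exec action that meets the page's first condition:
    an env var in the command that, once expanded, yields a path with spaces."""
    findings = []
    for cmd in ET.fromstring(xml_text).iterfind(".//t:Actions/t:Exec/t:Command", NS):
        raw = (cmd.text or "").strip()
        if not ENV_VAR.search(raw):
            continue
        unquoted = expand(raw, env).strip('"')   # quotes may be lost on unpatched systems
        if " " in unquoted:
            findings.append({"command": raw, "expanded": unquoted,
                             "tried_first": search_candidates(unquoted)[0]})
    return findings
```

On a live system the XML comes from `schtasks /Query /TN <task name> /XML`; a finding is only exploitable if a non-administrator can write to the directory holding one of the earlier candidates, so check those ACLs next.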

Nevertheless, we decided to patch this, since at least a couple of our users may have both these conditions fulfilled. While still-supported Windows systems have already received the official vendor fix for this vulnerability, there are Windows systems out there that aren't receiving security fixes from Microsoft anymore. In order to protect these systems, we have created our own micropatches for this vulnerability, which are available through the 0patch service.

Our patch is functionally similar to Microsoft's, but in our case applying the patch doesn't require a restart of the Task Scheduler service (while Microsoft's does).


Micropatch Availability

The micropatch was written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 10 v2004
  2. Windows 10 v1909
  3. Windows 10 v1809
  4. Windows 10 v1803

Windows 7 and Server 2008 R2 are not affected by this issue.

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). 

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center.

We'd like to thank Ben Lincoln of Bishop Fox for sharing their analysis, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.

Wednesday, June 21, 2023

New 0patch Central, New Security Features

Dear 0patch friends,

We're happy to share with you that four new highly asked-for features have been added to 0patch Central:


Multi-factor Authentication

You can now protect your 0patch account with multi-factor authentication (MFA). Use any authenticator app to configure MFA in your user profile and store recovery codes in a safe place in case you lose access to the app. This feature is available in Free, Pro, and Enterprise accounts.

Authentication Options

Select which authentication methods can be used for logging in to 0patch Central; choose between "Email and Password" and "Single sign-on", and specify whether multi-factor authentication ("MFA") is required for all users in the account. Find this feature under Account -> Security in Enterprise accounts.

Password Policy

Set the password policy for users in your account; users will be forced to change their password upon next login if needed. Find this feature under Account -> Security in Enterprise accounts.

IP Address Restrictions

Specify a set of IP addresses or subnets from which your 0patch Central account can be accessed. This setting does not affect 0patch Agents - they can always sync from anywhere. Find this feature under Account -> Security in Enterprise accounts.



Upcoming Security-Adoption of Windows Server 2012

In the spirit of supporting legacy Windows versions and Microsoft products, we're happy to announce an upcoming adoption of Windows Server 2012, which goes out of official support in October 2023. If you're using Windows Server 2012 and would like to keep doing so securely, contact us at sales@0patch.com.

Are your friends or peers operating Windows systems? Do them a favor and tell them about 0patch.


Thank you!

Your 0patch Team


Tuesday, June 13, 2023

0patch Security-Adopts Windows 10 v20H2 to Keep it Running Securely

Last month brought the last security updates for Windows 10 version 20H2. What if your organization is still using it and doesn't want to - or can't - upgrade it yet?

Don't worry, we have previously security-adopted Windows 10 v1803 and v1809, Windows 10 v2004 and v1909, and Windows 10 v21H1.

Now we're security-adopting version 20H2.

If you're running Windows 10 v20H2 in your organization, all you need to do is install 0patch Agent on these computers and register it to an account with PRO or Enterprise subscription, and you'll start receiving critical security patches as soon as we issue them.

These micropatches will be included in 0patch PRO and Enterprise licenses along with all other micropatches we're issuing - which means that users protecting their Windows 10 v20H2 with 0patch will also receive our micropatches for "0day" vulnerabilities in various products.

In order to have our micropatches applied, Windows 10 v20H2 will have to have May 2023 Windows Updates (the last official updates for this version) installed.

We welcome all interested organizations to contact sales@0patch.com for information about pricing, deployment, or setting up a trial.

P.S.: We're getting close to Windows Server 2012 end of official support by Microsoft in October 2023. You guessed it, we're going to security-adopt this server as well, in case you're already getting nervous about that. This is a good time for you to start a free 0patch trial, so send an email to sales@0patch.com.

To learn more about 0patch, please visit our Help Center.

Monday, June 5, 2023

Micropatches Released For Remote Code Execution in Windows OLE (CVE-2023-29325)

May 2023 Windows Updates brought a fix for CVE-2023-29325, a remote code execution vulnerability in Microsoft OLE (Object Linking and Embedding). The vulnerability was reported to Microsoft by Will Dormann with Vul Labs.

Will found that two of the many COM objects installed on every Windows system by default merely have to be referenced by their respective CLSIDs in a rich text email for Outlook to experience an access violation exception.

There is almost no public information on what these two COM objects were intended to do on a Windows system, but since Microsoft's fix was to block them, they probably aren't essential to any important operation. While Microsoft appears to have blocked these offensive/vulnerable COM objects via COM activation filter, they provided no remedy for unsupported Windows versions such as Windows 7 or older Windows 10. Furthermore, still-supported Office versions were also patched to prevent usage of these two COM objects, but older versions like 2010 or 2013 weren't.

For our users of older Office versions on older Windows systems we therefore had to create a patch of our own.

Our patch does effectively the same as Microsoft's does on still-supported Office versions: if a COM object is referenced with one of the "offending" CLSIDs, object activation is prevented and instead of instantiating such object, Office just writes out the CLSID and the associated DLL name.

Let's see our micropatch in action. With 0patch disabled, opening a POC email immediately crashes Outlook. With 0patch enabled, Outlook displays an email with CLSID printed out in the body, but doesn't crash.

Micropatch Availability

Our micropatch was written for the following security-adopted versions of Office with all available updates installed:

  1. Office 2010
  2. Office 2013

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that). No restart was needed, and Office got patched without relaunching even if it was running at the time.

Vulnerabilities like this one get discovered on a regular basis, and attackers know about them. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center.

We'd like to thank Will Dormann for sharing vulnerability details, which allowed us to create a micropatch and protect our users against this attack. We also encourage all security researchers to privately share their analyses with us for micropatching.