[CDP-development] TLP:GREEN - (UPDATED Vulnerability Alert Notification) - Multiple Microsoft Known Exploited Vulnerabilities
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Wed Nov 22 10:00:11 PST 2023
Good morning,
The previous alert has been updated. Updated information has been added in red.
The SOC Services team is reporting on the following vulnerabilities: CVE-2023-36033: Microsoft Windows Desktop Window Manager (DWM) Core Library Privilege Escalation Vulnerability, CVE-2023-36025: Microsoft Windows SmartScreen Security Feature Bypass Vulnerability, and CVE-2023-36036: Microsoft Windows Cloud Files Mini Filter Driver Privilege Escalation Vulnerability. Due to their high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:
History: On November 14, 2023, CISA added three Microsoft vulnerabilities (CVE-2023-36033, CVE-2023-36025, and CVE-2023-36036) to the Known Exploited Vulnerabilities Catalog. All three were fixed in the November 2023 Patch Tuesday release.
Microsoft has provided the following security advisories:
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36036
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36033
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36025
Intelligence: As of November 14, 2023, the vulnerabilities have been confirmed as being exploited in the wild. As of November 22, 2023, the APT Group TA544 has been confirmed as abusing the CVE-2023-36025 vulnerability.
Workarounds: There are no workarounds at this time.
How it works:
CVE-2023-36036: Microsoft has not released information as to how the vulnerability has been exploited.
CVE-2023-36033: Microsoft has not released information as to how the vulnerability has been exploited.
CVE-2023-36025: Microsoft has provided the following statement: "The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker." TA544 has been observed exploiting CVE-2023-36025 in a campaign involving the Remcos remote access trojan. The group created a webpage with links to a .URL file containing a path to a virtual hard disk (.vhd) or .zip file. Exploiting CVE-2023-36025 allows attackers to mount the VHD automatically when the .URL file is opened, without the SmartScreen prompt that would normally appear.
Post-Exploit:
CVE-2023-36036: Upon successful exploitation of the vulnerability, a threat actor could gain SYSTEM privileges.
CVE-2023-36033: Upon successful exploitation of the vulnerability, a threat actor could gain SYSTEM privileges.
CVE-2023-36025: The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts.
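As an added triage example (not part of the original alert, and not a Microsoft or Tenable tool), the following script parses Internet Shortcut (.URL) files and flags the pattern described above: a URL= target that is remote (http/https/ftp, a UNC path, or a file:// URL with a server) and points at a .vhd or .zip. The .vhdx extension and the sample shortcut bodies are assumptions constructed for the check; they are not indicators from the alert.

```python
import configparser
from urllib.parse import urlparse

# Targets the alert describes (.vhd or .zip reached through a .URL file);
# .vhdx is added here as an assumption, since Windows mounts it like .vhd.
ARCHIVE_EXT = (".vhd", ".vhdx", ".zip")
WEB_SCHEMES = {"http", "https", "ftp"}


def shortcut_target(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)          # .URL files are INI-style text
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            value = cp[section].get("url")   # option names are lower-cased
            return value.strip() if value else None
    return None


def classify_shortcut(text):
    """Triage a .URL body and return (verdict, target).

    Verdicts: 'remote-archive' (remote .vhd/.vhdx/.zip, the pattern in the
    alert), 'remote' (other remote target), 'local', or 'unparseable'."""
    target = shortcut_target(text)
    if not target:
        return "unparseable", None
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    is_unc = target.startswith("\\\\") or target.startswith("//")
    is_remote = (is_unc or scheme in WEB_SCHEMES
                 or (scheme == "file" and bool(parsed.netloc)))
    # For URL schemes, check the path only so ?query / #fragment cannot hide
    # the extension; UNC paths are checked as written.
    path = parsed.path if scheme in WEB_SCHEMES | {"file"} else target
    is_archive = path.lower().endswith(ARCHIVE_EXT)
    if is_remote and is_archive:
        return "remote-archive", target
    return ("remote" if is_remote else "local"), target


# Constructed sample .URL bodies for a self-check (not real indicators).
BENIGN = "[InternetShortcut]\nURL=https://www.example.com/\n"
VHD_LINK = "[InternetShortcut]\nURL=https://files.example.invalid/invoice.vhd?id=7\n"
UNC_ZIP = "[InternetShortcut]\nURL=\\\\203.0.113.10\\share\\docs.zip\n"

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("vhd", VHD_LINK), ("unc", UNC_ZIP)]:
        print(name, classify_shortcut(body))
```

Running the script over .URL files found in mail attachments, Downloads folders or browser caches gives a fast first pass; anything reported as remote-archive should be reviewed together with the SmartScreen and patch status of the host that received it.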
As of November 22, 2023, the following vulnerability plugins have been released and are currently in Tenable Security Center:
Plugin | Title | Severity
185593 <https://www.tenable.com/plugins/nessus/185593> | KB5032248: Windows Server 2008 Security Update (November 2023) | Critical
185589 <https://www.tenable.com/plugins/nessus/185589> | KB5032247: Windows Server 2012 Security Update (November 2023) | Critical
185588 <https://www.tenable.com/plugins/nessus/185588> | KB5032198: Windows 2022 / Azure Stack HCI 22H2 Security Update (November 2023) | Critical
185587 <https://www.tenable.com/plugins/nessus/185587> | KB5032250: Windows Server 2008 R2 Security Update (November 2023) | Critical
185585 <https://www.tenable.com/plugins/nessus/185585> | KB5032189: Windows 10 Version 21H2 / Windows 10 Version 22H2 Security Update (November 2023) | Critical
185583 <https://www.tenable.com/plugins/nessus/185583> | KB5032192: Windows 11 version 21H2 Security Update (November 2023) | Critical
185582 <https://www.tenable.com/plugins/nessus/185582> | KB5032190: Windows 11 version 22H2 Security Update (November 2023) | Critical
185580 <https://www.tenable.com/plugins/nessus/185580> | KB5032199: Windows 10 LTS 1507 Security Update (November 2023) | Critical
185579 <https://www.tenable.com/plugins/nessus/185579> | KB5032196: Windows 10 version 1809 / Windows Server 2019 Security Update (November 2023) | Critical
185577 <https://www.tenable.com/plugins/nessus/185577> | KB5032249: Windows Server 2012 R2 Security Update (November 2023) | Critical
185576 <https://www.tenable.com/plugins/nessus/185576> | KB5032197: Windows 10 Version 1607 and Windows Server 2016 Security Update (November 2023) | Critical
Recommended Actions:
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."