Among the 97 vulnerabilities patched by Microsoft this Patch Tuesday, two vulnerabilities caught our attention. Learn how to detect and mitigate CVE-2023-28252, an elevation of privilege (EoP) vulnerability in CLFS exploited in the wild, and CVE-2023-21554, a critical remote code execution (RCE) vulnerability in MSMQ.
What is CVE-2023-21554?
Researchers published CVE-2023-21554, a critical RCE vulnerability in “Microsoft Message Queuing” service, also known as MSMQ. The vulnerability allows unauthenticated attackers to execute arbitrary code in the context of the Windows service process, `mqsvc.exe`. It was patched on April 11 as part of April Patch Tuesday, and dubbed QueueJumper.
MSMQ is a messaging platform and development framework that enables the creation of distributed messaging applications for the Windows operating system. As a middleware service, MSMQ is relied upon by various popular software. Once the user installs the software, the MSMQ service is automatically enabled on Windows without the user's explicit knowledge.
MSMQ is not enabled by default in Windows, but since many applications rely on it to function (such as Microsoft Exchange Server), it is often enabled during installation of these applications.
CVE-2023-21554 allows an unauthenticated attacker to potentially execute code remotely by reaching TCP port 1801. An attacker could gain control of the process by sending a single specially crafted packet to this port containing an exploit, thereby triggering the vulnerability.
What is CVE-2023-28252?
CVE-2023-28252 is an elevation of privilege (EoP) vulnerability in Windows Common Log File System (CLFS), actively exploited in the wild by cybercriminals to escalate privileges and deploy the Nokoyawa ransomware payload. An attacker who successfully exploits this vulnerability could gain SYSTEM privileges.
CLFS is a log file subsystem in Windows implemented in the clfs.sys driver. This file system can be used by any application, and an API is provided for it by Microsoft. Logs are created using the CreateLogFile function – a log is made up of a base log file (.blf file name extension) that is a master file containing metadata, and a number of containers that hold the actual data. CVE-2023-28252 is an out-of-bounds write vulnerability that can be exploited when the system attempts to extend the metadata block.
Wiz Research data: what’s the risk to cloud environments?
Within two days of Patch Tuesday, 84% of cloud environments have yet to update to the latest KB, meaning that only 16% of cloud customers are protected against these two vulnerabilities.
What sort of exploitation has been identified in the wild?
Researchers have uncovered a series of attempted elevation-of-privilege exploits for CVE-2023-28252 on Microsoft Windows servers utilized on small and medium-sized businesses in various regions including the Middle East, North America, and Asia. Among these was a previously unknown zero-day exploit, CVE-2023-28252, capable of supporting various builds and versions of Windows, which was used to deploy Nokoyawa ransomware.
Further investigation revealed that the threat actor behind this activity, the Nokoyawa ransomware gang, has been using other exploits targeting CLFS since June 2022, with varying yet identifiable features, all of which were attributed to a single exploit developer.
The Nokoyawa ransomware itself first emerged in February 2022 and can target 64-bit Windows systems, utilizing a double extortion technique whereby sensitive files stolen from compromised networks are threatened to be leaked online unless the victim pays a ransom.
Indicators of compromise (IoCs)
| IoC | Description |
|---|---|
| C:\Users\Public.container_ | Exploit artifacts |
| C:\Users\Public\MyLog_.blf | Exploit artifacts |
| C:\Users\Public\p_* | Exploit artifacts |
| 46168ed7dbe33ffc4179974f8bf401aa | CVE-2023-28252 exploit MD5 |
| 1e4dd35b16ddc59c1ecf240c22b8a4c4 | CobaltStrike loaders MD5 |
| f23be19024fcc7c8f885dfa16634e6e7 | CobaltStrike loaders MD5 |
| a2313d7fdb2f8f5e5c1962e22b504a17 | CobaltStrike loaders MD5 |
| vnssinc[.]com | CobaltStrike C2 server |
| qooqle[.]top | CobaltStrike C2 server |
| vsexec[.]com | CobaltStrike C2 server |
| devsetgroup[.]com | CobaltStrike C2 server |
| 8800e6f1501f69a0a04ce709e9fa251c | Nokoyawa ransomware SHA1 |
Which products are affected?
All Windows releases up to the KBs released in April Patch Tuesday.
Which actions should security teams take?
It is recommended to update your Microsoft product to the KB released in April Patch Tuesday.
For CVE-2023-21554, It is possible to disable MSMQ through the Control Panel to protect against exploitation. However, the service might be required to be enabled by various software, so it is still recommended to update to the patched version. If you are unable to apply the patch, it is also possible to block inbound connections for port 1801 from untrusted sources.
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment:
References
