Microsoft released its monthly round of security updates and patches today, continuing its trend of fixing zero-day vulnerabilities on Patch Tuesday.

April's security update includes one vulnerability that’s actively being exploited in the wild. There are also eight critical vulnerabilities and the remaining 90 are considered “important.”

CVE-2023-28252, an elevation of privilege vulnerability in the Windows Common Log File System Driver, is actively being exploited in the wild, according to Microsoft, though proof of concept code is not currently available. An adversary could exploit this vulnerability to gain SYSTEM privileges.

The U.S. Cybersecurity and Infrastructure Security Agency already added the vulnerability to its list of known exploited issues and urged federal agencies to patch it as soon as possible.

Microsoft disclosed a similar zero-day issue in September that could also lead to the same privileges: CVE-2022-37969. April is the third month in a row in which at least one of the vulnerabilities Microsoft released in a Patch Tuesday had been exploited in the wild prior to disclosure.

Two of the critical vulnerabilities Microsoft also patched are in the Layer 2 Tunneling Protocol: CVE-2023-28219 and CVE-2023-28220. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution on the RAS server machine. These vulnerabilities do not require any user interaction to be exploited, but the adversary would need to win a race condition to be successful.

One of the most severe issues is CVE-2023-21554, a remote code execution vulnerability in the Microsoft Message Queuing service. Microsoft considers exploitation of this vulnerability to be “more likely,” and it received a CVSS severity score of 9.8 out of 10. Users who want to check whether they are being targeted by exploitation of this vulnerability can verify whether a service named “Message Queuing” is present on their machine and whether TCP port 1801 is listening.
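As an added example (not part of the Talos post), the following PowerShell script performs the two checks just described on the local host and reports which process owns any listener on TCP 1801. It assumes the Windows service name `MSMQ`, whose display name is “Message Queuing”, and the `Get-NetTCPConnection` cmdlet (Windows 8 / Server 2012 or later).

```powershell
# Added example: report whether the Message Queuing service exists on this
# host and whether anything is listening on TCP port 1801 (CVE-2023-21554).
function Test-MsmqExposure {
    # The service registered as 'MSMQ' has the display name 'Message Queuing'.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Any socket bound to TCP 1801 in the LISTEN state.
    $listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    # Resolve the owning process of each listener so the result is actionable.
    $owners = foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            Pid          = $l.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { 'unknown' }
        }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServicePresent    = [bool]$svc
        ServiceStatus     = if ($svc) { $svc.Status.ToString() } else { 'n/a' }
        Port1801Listening = [bool]$listeners
        Listeners         = @($owners)
    }
}

$result = Test-MsmqExposure
$result | Format-List

# Both indicators together mean the host exposes the vulnerable service.
if ($result.ServicePresent -and $result.Port1801Listening) {
    Write-Warning 'Message Queuing is installed and TCP 1801 is listening: apply the April 2023 update for CVE-2023-21554.'
}
```

The script only reports exposure of the service; it does not tell you whether exploitation has already been attempted, so pair it with the Snort rules listed at the end of the post.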

CVE-2023-28231, a remote code execution vulnerability in the DHCP server service, is also considered “more likely” to be exploited. An attacker could exploit this vulnerability by sending a specially crafted RPC call to the targeted DHCP server. However, the adversary first must gain access to the restricted network.

There are four other critical vulnerabilities, though Microsoft considers them “less likely” to be exploited:

  • CVE-2023-28232: Windows Point-to-Point Tunneling Protocol remote code execution vulnerability
  • CVE-2023-28240: Windows Network Load Balancing remote code execution vulnerability
  • CVE-2023-28250: Windows Pragmatic General Multicast (PGM) remote code execution vulnerability
  • CVE-2023-28291: Raw Image Extension remote code execution vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61606, 61607 and 61613 through 61620. There are also Snort 3 rules 300496, 300499 and 300500.