Patch Tuesday – February 2023

Last updated at Wed, 15 Feb 2023 00:41:59 GMT

It’s Patch Tuesday again. Microsoft is addressing fewer individual vulnerabilities this month than last, but there’s still plenty to keep admins and defenders occupied.

Three zero-day vulnerabilities are vying for your attention today: a lone Microsoft Publisher vulnerability as well as a couple affecting Windows itself. None is marked as publicly disclosed, but Microsoft has already observed in-the-wild exploitation of all three.

One zero-day vulnerability is a Security Features Bypass vulnerability in Microsoft Publisher. Successful exploitation of CVE-2023-21715 allows an attacker to bypass Office macro defenses using a specially-crafted document and run code which would otherwise be blocked by policy. Only Publisher installations delivered as part of Microsoft 365 Apps for Enterprise are listed as affected.

CVE-2023-23376 describes a vulnerability in the Windows Common Log File System Driver which allows Local Privilege Escalation (LPE) to SYSTEM. Although Microsoft isn’t necessarily aware of mature exploit code at time of publication, this is worth patching at the first opportunity, since it affects essentially all current Windows hosts.

CVE-2023-21823 is described as a Remote Code Execution (RCE) vulnerability in Windows Graphics Component, but has Attack Vector listed as Local. This apparent inconsistency is often accompanied with a clarification like: “The word Remote in the title refers to the location of the attacker. [...] The attack itself is carried out locally.” No such clarification is available in this case, but this is likely applicable here also. Microsoft also notes the existence of mature exploit code.

Microsoft is also releasing patches for nine critical RCE vulnerabilities. A more varied selection than last month, February 2023 includes critical RCE in an SQL Server ODBC driver, the iSCSI Discovery Service, .NET/Visual Studio, three in network authentication framework PEAP, one in Word, and two in Visual Studio only. Microsoft has not observed in-the-wild exploitation for any of these vulnerabilities, nor is any of them marked as publicly disclosed. Microsoft predicts that most of these are less likely to be exploited, with the exception of the PEAP vulnerabilities.

Microsoft’s recent announcement about the potential inclusion of CBL-Mariner CVEs in the Security Update Guide is now reflected in the list of covered products, but there aren’t any CBL-Mariner vulnerabilities this Patch Tuesday.

SharePoint Server makes another appearance today with CVE-2023-21717, which allows an authenticated user with the Manage List permission to achieve RCE. Admins responsible for a SharePoint Server 2013 instance may be interested in the FAQ, which includes what Microsoft optimistically describes as a clarification of the existing servicing model for SharePoint Server 2013.

This is the first Patch Tuesday after the end of Extended Security Updates (ESU) for Windows 8.1. Admins responsible for Windows Server 2008 instances should note that ESU for Windows Server 2008 is now only available for instances hosted in Azure or on-premises instances hosted via Azure Stack. Instances of Windows Server 2008 hosted in a non-Azure context will no longer receive security updates, so will forever remain vulnerable to any new vulnerabilities, including the two zero-days covered above.

Summary charts

A bar chart showing vulnerability count by severity for Microsoft Patch Tuesday February 2023. Most are rated Important, with some Critical and a very few Low and Moderate.

A bar chart showing vulnerability count by impact for Microsoft Patch Tuesday February 2023. Most are categorized as Remote Code Execution, with some Elevation of Privilege, Denial of Service, and a few other options.

A bar chart showing vulnerability frequency by CVSSv3 Base Score for Microsoft Patch Tuesday February 2023. Most vulnerabilities are scored in the 5.0-9.0 range, with a few outliers.

A bar chart showing vulnerability count by component for Microsoft Patch Tuesday February 2023. Windows Protected EAP, Microsoft Dynamics, and SQL Server are the most frequent components.

Summary tables

Apps vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-23378	Print 3D Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-23377	3D Builder Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-23390	3D Builder Remote Code Execution Vulnerability	No	No	7.8

Azure vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21777	Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability	No	No	8.7
CVE-2023-21564	Azure DevOps Server Cross-Site Scripting Vulnerability	No	No	7.1
CVE-2023-23382	Azure Machine Learning Compute Instance Information Disclosure Vulnerability	No	No	6.5
CVE-2023-21703	Azure Data Box Gateway Remote Code Execution Vulnerability	No	No	6.5

Browser vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-23374	Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability	No	No	8.3
CVE-2023-21720	Microsoft Edge (Chromium-based) Tampering Vulnerability	No	No	5.3
CVE-2023-21794	Microsoft Edge (Chromium-based) Spoofing Vulnerability	No	No	4.3

Developer Tools vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21815	Visual Studio Remote Code Execution Vulnerability	No	No	8.4
CVE-2023-23381	Visual Studio Remote Code Execution Vulnerability	No	No	8.4
CVE-2023-21808	.NET and Visual Studio Remote Code Execution Vulnerability	No	No	8.4
CVE-2023-21566	Visual Studio Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-21553	Azure DevOps Server Remote Code Execution Vulnerability	No	No	7.5
CVE-2023-21567	Visual Studio Denial of Service Vulnerability	No	No	5.6
CVE-2023-21722	.NET Framework Denial of Service Vulnerability	No	No	4.4

Device vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2019-15126	MITRE: CVE-2019-15126 Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device	No	No	N/A

ESU vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21800	Windows Installer Elevation of Privilege Vulnerability	No	No	7.8

ESU Microsoft Office Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21823	Windows Graphics Component Remote Code Execution Vulnerability	Yes	No	7.8

ESU Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21803	Windows iSCSI Discovery Service Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-21689	Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-21690	Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-21692	Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-21799	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21685	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21686	Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21684	Microsoft PostScript Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21797	Microsoft ODBC Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21798	Microsoft ODBC Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21802	Windows Media Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-21805	Windows MSHTML Platform Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-21817	Windows Kerberos Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-21822	Windows Graphics Component Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-21812	Windows Common Log File System Driver Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23376	Windows Common Log File System Driver Elevation of Privilege Vulnerability	Yes	No	7.8
CVE-2023-21688	NT OS Kernel Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-21801	Microsoft PostScript Printer Driver Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-21811	Windows iSCSI Service Denial of Service Vulnerability	No	No	7.5
CVE-2023-21702	Windows iSCSI Service Denial of Service Vulnerability	No	No	7.5
CVE-2023-21700	Windows iSCSI Discovery Service Denial of Service Vulnerability	No	No	7.5
CVE-2023-21813	Windows Secure Channel Denial of Service Vulnerability	No	No	7.5
CVE-2023-21818	Windows Secure Channel Denial of Service Vulnerability	No	No	7.5
CVE-2023-21816	Windows Active Directory Domain Services API Denial of Service Vulnerability	No	No	7.5
CVE-2023-21695	Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability	No	No	7.5
CVE-2023-21691	Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability	No	No	7.5
CVE-2023-21701	Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability	No	No	7.5
CVE-2023-21820	Windows Distributed File System (DFS) Remote Code Execution Vulnerability	No	No	7.4
CVE-2023-21694	Windows Fax Service Remote Code Execution Vulnerability	No	No	6.8
CVE-2023-21697	Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability	No	No	6.2
CVE-2023-21693	Microsoft PostScript Printer Driver Information Disclosure Vulnerability	No	No	5.7
CVE-2023-21699	Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability	No	No	5.3

Exchange Server vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21706	Microsoft Exchange Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21707	Microsoft Exchange Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21529	Microsoft Exchange Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21710	Microsoft Exchange Server Remote Code Execution Vulnerability	No	No	7.2

Microsoft Dynamics vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21778	Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability	No	No	8.3
CVE-2023-21572	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	6.5
CVE-2023-21807	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	5.8
CVE-2023-21570	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	5.4
CVE-2023-21571	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	5.4
CVE-2023-21573	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	5.4

Microsoft Office vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21716	Microsoft Word Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-21717	Microsoft SharePoint Server Elevation of Privilege Vulnerability	No	No	8.8
CVE-2023-21715	Microsoft Publisher Security Features Bypass Vulnerability	Yes	No	7.3
CVE-2023-21721	Microsoft OneNote Spoofing Vulnerability	No	No	6.5
CVE-2023-21714	Microsoft Office Information Disclosure Vulnerability	No	No	5.5

SQL Server vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21705	Microsoft SQL Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21713	Microsoft SQL Server Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-21806	Power BI Report Server Spoofing Vulnerability	No	No	8.2
CVE-2023-21528	Microsoft SQL Server Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-21718	Microsoft SQL ODBC Driver Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-21704	Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-21568	Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability	No	No	7.3

System Center vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21809	Microsoft Defender for Endpoint Security Feature Bypass Vulnerability	No	No	7.8
CVE-2023-23379	Microsoft Defender for IoT Elevation of Privilege Vulnerability	No	No	6.4

Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21804	Windows Graphics Component Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-21819	Windows Secure Channel Denial of Service Vulnerability	No	No	7.5
CVE-2023-21687	HTTP.sys Information Disclosure Vulnerability	No	No	5.5

Patch Tuesday - February 2023

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

Device vulnerabilities

ESU vulnerabilities

ESU Microsoft Office Windows vulnerabilities

ESU Windows vulnerabilities

Exchange Server vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

SQL Server vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

POST TAGS

SHARING IS CARING

AUTHOR

Topics

Popular Tags

Related Posts

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.

Patch Tuesday - February 2023

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

Device vulnerabilities

ESU vulnerabilities

ESU Microsoft Office Windows vulnerabilities

ESU Windows vulnerabilities

Exchange Server vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

SQL Server vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

POST TAGS

SHARING IS CARING

AUTHOR

Topics

Popular Tags

Related Posts

Related Posts

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.

Never miss a blog