UPDATED: May Patch Tuesday Marks 11 Straight Months of Zero-days

UPDATED (5/12/2023) We've built a Windows-Security-Mitigate Black Lotus Worklet for CVE-2023-24932. Visit the Trying to figure out how to fix it? section below to get the Worklet and save your weekend.

(05/09/2023) May’s Patch Tuesday release from Microsoft appears to be on the lighter side with only 48 vulnerabilities. However, two more zero-day vulnerabilities have been patched, which marks 11 straight months of zero-days since June of 2022.

The first zero-day is an important elevation of privilege weakness in Win32k, a core component of Windows operating systems that provides an interface for graphical user interface (GUI) functions at the kernel-level. The vulnerability affects some versions of Windows 10 and Server 2008-2016.

The second zero-day patched this month is an important vulnerability that allows an attacker with physical access to an endpoint or admin credentials to bypass Secure Boot. Unfortunately, updating Secure Boot is not straightforward and errors can result in unrecoverable media, so be careful when applying the fix.

Another vulnerability to prioritize this month is a critical remote code execution weakness in Windows Network File System (NFS). The vulnerability affects Windows Server 2012-2022 and can be exploited over the network, so we recommend patching within 72 hours with a priority on internet-facing endpoints or those with sensitive data.

You should also patch an important elevation of privilege vulnerability affecting the Windows Kernel in most versions of Windows 10, 11, and Server 2019-2022. Attackers with non-privileged credentials obtained through social engineering or other means can execute a relatively simple attack and elevate to SYSTEM privileges, effectively granting them system control to possibly install malicious software, exfiltrate data, or move laterally to other endpoints.

Win32k Elevation of Privilege Vulnerability [IMPORTANT ZERO-DAY]

CVE-2023-29336 is an important and actively exploited zero-day vulnerability in Win32k that scores a CVSS 7.8. When exploited successfully, the vulnerability allows for the elevation of privileges to SYSTEM. Win32k is a core component of Windows operating systems that provides an interface for graphical user interface (GUI) functions at the kernel-level. Win32k runs in a privileged context, which means that vulnerabilities affecting it could result in malicious actors gaining control over the system. 

As a result, Win32k vulnerabilities are usually popular targets for attackers. Since the vulnerability is already being exploited in the wild, we recommend patching within 24 hours on Windows 10 (and version 1607) and Server 2008-2016. - Gina Geisel

Secure Boot Security Feature Bypass Vulnerability [IMPORTANT ZERO-DAY]

This vulnerability is an important, actively exploited zero-day that allows an attacker with physical access or administrative rights to a target device to install an affected boot policy and potentially bypass secure boot. The vulnerability scores a CVSS 6.7/10 and affects most versions of Windows 10, 11, and Server 2008-2022. To remediate, you'll need to update the Windows Boot Manager and follow the steps outlined here. If done incorrectly, endpoints may not be able to start or be recovered from media. - Peter Pflaster

We’ve written a script to help administrators automatically find the vulnerability and ensure that the May 2023 updates from Microsoft have been applied prior to remediation. If the device meets that criteria, then we’ll remediate it. All that’s left for the administrators is to reboot the device after the script has run successfully or grab a worklet to reboot the endpoints you ran the script on at scale.

If you’re an Automox customer, or in the middle of your free trial, grab the script directly from the Worklet Catalog. 

IMPORTANT: If you plan to use the Worklet or script provided below, we strongly recommend testing a subset of impacted devices and following any required change control processes prior to applying the script at scale in your organization. 

Remember - for the above scripts to take effect, you’ll need to reboot all of the endpoints where remediation was applied. You can do that manually via the device page if you’re an Automox customer, or run at scale with a reboot script. If you reboot from a script, but sure to target only the group of endpoints where remediation was applied so you don’t interrupt other users or systems.

Windows Network File System Remote Code Execution Vulnerability [CRITICAL]

This critical network vulnerability has returned and is exploited by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). With low attack complexity and no privileges or user interaction required, we recommend patching within 72 hours on Windows Server 2012, 2016, 2019, and 2022. If you are unable to patch, an option is applying a temporary fix from Microsoft - they also note that this fix should only be applied if you have already applied security updates from May 2022 (last year’s). Again, temporary mitigation is an option though Automox recommends patching the vulnerability as the best practice. - Preetham Gurram

Windows Kernel Elevation of Privilege Vulnerability [IMPORTANT]

Elevation of privilege, also referred to as privilege escalation, is a vulnerability that allows an adversary to gain unauthorized access by elevating the access and execution permissions to carry out attacks on the system. Elevation of privilege vulnerabilities are considered highly dangerous and are often targeted by attackers because they provide a way to perform a wide range of malicious activities, including stealing sensitive data, installing malware, and taking over the system.

The vulnerability is identified in the Windows kernel, a core part of the operating system that manages system resources and provides low-level access to hardware. This vulnerability affects Windows Server versions 2019, 2022, Windows 10, and Windows 11 (Including Arm-based, x64 versions). Patching can mitigate the vulnerability. Automox recommends patching this vulnerability within 72 hours to minimize exposure to unnecessary cyber risks. - Gina Geisel