March 14, 2023 CISA KEV Breakdown | Microsoft, Fortinet

Ryan Cribelar
March 14, 2023
CISA KEV

March 14 – 3 New Vulns | CVE-2023-23397, CVE-2023-24880, CVE-2022-41328

In this CISA KEV Breakdown, two actively exploited Microsoft vulnerabilities from March 2023 Patch Tuesday, and one path traversal Fortinet vulnerability from 2022 were added to the KEV. As of writing this post, Microsoft has released security guides for both CVE-2023-23397 and CVE-2023-24880 and users are encouraged to stay up to date with the latest mitigation recommendations from Microsoft.

Notable Vulnerability Additions

CVE-2023-23397 | Microsoft Office Outlook Escalation of Privilege

A vulnerability exists in Microsoft Outlook that can allow for an attacker to retrieve a user’s NTLM hash. This can later be used by the attacker to authenticate against other services on the network using the hash obtained through the vulnerability. It is important to note that the exploitation of the vulnerability requires no user interaction, in that the exploitation is triggered by the Outlook client receiving the email from the attacker, rather than being presented in the preview pane. At time of writing, only Microsoft Outlook for Windows is affected, however it is all supported versions of Outlook for Windows. No public exploit code appears to be available at this time.

Vulnerabilities in which an attacker can leverage exploitation of an open-facing service as well as circumvent any user interaction are usually seen with greater risk. Organizations should apply the latest Patch Tuesday release or apply Mitigations stated by Microsoft in their security guide.

  • Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible. Please note: This may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group. Please see Protected Users Security Group for more information.
  • Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.

Security Advisory:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

CVE-2023-24880 | Microsoft Windows SmartScreen Bypass

A bypass vulnerability in the Windows SmartScreen security feature exists due to a previously patched vulnerability in SmartScreen, CVE-2022-44698, still allowing attackers to circumvent security warnings shown to users when malicious files are downloaded. The vulnerability exists due to the fact that an attacker can deliver an MSI file with a specially crafted but invalid Authenticode signature. This signature causes SmartScreen to return an error, bypassing the security prompt that warns users of a maliciously downloaded file. Recently patched by Microsoft in March 2023 Patch Tuesday, CVE-2023-24880 has already been reported by TAG to have been used to deliver Magniber ransomware. As TAG details, the patch applied to CVE-2022-44698 was inadequate and allowed for attackers to further exploit SmartScreen.

It is critical for organizations and technology vendors to apply appropriate root cause analysis when disclosure of vulnerabilities occur. So long as a patch is applied without the root cause issue being addressed, attackers will continue to use similar techniques to discover new variants of the same vulnerability.

Security Advisory:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880

CVE-2022-41328 | Fortinet FortiOS Path Traversal

A path traversal vulnerability exists in FortiOS 7.2.3 and earlier that can allow an attacker to execute code via an improper limitation of a pathname to a restricted directory. Fortinet published an advisory on March 9 indicating activity surrounding CVE-2022-41328 in the wild. At time of writing, exploitation code does not appear publicly available. A BleepingComputer post reporting Fortinet’s response indicated the attackers leveraging this exploit contained advanced knowledge of FortiOS firmware and software and likely leveraged this with specific government entities.

Security Advisory:

https://www.fortiguard.com/psirt/FG-IR-22-369, https://docs.fortinet.com/document/fortiproxy/7.0.9/release-notes/534553/resolved-issues

Be sure to check out Nucleus Security’s KEV Enrichment Dashboard where we overlay vulnerabilities that are added to the catalog with intelligence from GreyNoise, exploit-prediction scoring from EPSS and lastly CVSS. You can use the data yourself and use further metrics to influence decision-making when determining risk of vulnerabilities added to the KEV.

← March 10, 2023 CISA Kev Breakdown

Click here to expand our CISA KEV Breakdown Frequently Asked Questions
  • What makes for a notable addition?
    • A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of the security community or if the EPSS score reveals notable information about the vulnerability, this can constitute further analysis. It may also be the case that a particular vulnerability shines a light on everyday users and we will highlight important information and key takeaways to ensure users and readers have easy access to actionable information.
  • When is the Breakdown released?
    • We aim to have our analysis of each KEV update posted within 24 hours of the time in which the Catalog is updated. See CISA’s full catalog here
  • I am not bound by BOD 22-01 or federal regulations, why should the KEV concern me?
    • CISA encourages all organizations to utilize the Catalog as an attribute in your vulnerability prioritization framework. Organizations looking to lessen the scope on known dangerous vulnerabilities and make a goal to remediate them can understand where they currently stand against what CISA has confirmed as exploited vulnerabilities in the wild. See CISA’s section on “How should organizations use the KEV catalog?” here.
  • What is EPSS?
    • EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. See the EPSS home page on FIRST for more information here.
  • What is the difference between EPSS probability and EPSS percent?
    • EPSS probability is the risk calculated by the model when determining the perceived threat of the vulnerability itself. Percentage is a relative comparison of the rest of the CVEs within the given sample. While the probability only changes upon refreshing the results from the model, the percentage can change purely based on the CVE sample given. In the case of the Breakdown, we use the percentage given by the pool of all CVEs with given EPSS data. Scores may vary post-release of the post given new information about the vulnerabilities and their perceived threat. For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as their FAQ page.
  • What is GreyNoise?
    • GreyNoise is a platform that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. Through their sensor network, GreyNoise observes vulnerability exploitation attempts for vulnerabilities that are exploited in the wild over the Internet. These are arguably vulnerabilities that should be at the very top of your priority list to remediate.
  • Why are GreyNoise exploitation attempts only observed on ~20% of KEV vulnerabilities?
    • Exploitation of many vulnerabilities in the CISA KEV will not be observed for many reasons that GreyNoise does a good job of explaining in this post. For example:
      • The vulnerability may not be remotely exploitable
      • Vulnerability exploitation may require authentication (and result in privilege escalation)
      • The impacted software may not be exposed to the internet
      • Mass scanning/exploitation is not occurring yet
Ryan Cribelar

See Nucleus in Action

Discover how unified, risk-based automation can transform your vulnerability management.