Virtual Administrator’s April 2023 Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 97 vulnerabilities with 7 rated “Critical” in severity.

All patches will be approved in our patch policy.

More patches this month with a few known issues.

The top priority is an Elevation of Privilege affecting the Windows Common Log File System Driver (CVE-2023-28252). This is being actively exploited and an attacker could exploit this vulnerability to gain SYSTEM privileges.

The update with the highest CVSS score (9.8) is CVE-2023-21554. This is a remote code execution vulnerability in the Microsoft Message queuing system (MSMQ). If you are running the MSMQ service and have 1801 port open to the internet, you are at risk.

Two other critical vulnerabilities in the Layer 2 Tunneling Protocol (CVE-2023-28219 and CVE-2023-28220) affects Windows Remote Access Servers (RAS).

The remote code execution vulnerability the DHCP server service (CVE-2023-28231) requires access to the restricted network before running an attack.

One known issue with SharePoint Server search service.

Heads Up! Exchange Server 2013 Reaches End of Support on April 11, 2023

Exchange 2013 end of support roadmap

Applies to both Microsoft 365 Enterprise and Office 365 Enterprise.

https://learn.microsoft.com/en-us/microsoft-365/enterprise/exchange-2013-end-of-support?view=o365-worldwide

Disclosed: None

Exploited: CVE-2023-28252

FYI After this March 21, 2023, release there are no more optional, non-security preview releases for the supported editions of Windows 10, version 20H2 and Windows 10, version 21H2. Only cumulative monthly security updates (known as the “B” or Update Tuesday release) will continue for these versions. Windows 10, version 22H2 will continue to receive security and optional releases.

https://support.microsoft.com/en-us/topic/march-21-2023-kb5023773-os-builds-19042-2788-19044-2788-and-19045-2788-preview-5850ac11-dd43-4550-89ec-9e63353fef23

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

Microsoft Security Advisories

None

Known Issues

Only one new reported issue with SharePoint Server search service.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

“The search service is not able to connect to the machine that hosts the administration component.”

Description of the security update for SharePoint Server Subscription Edition: April 11, 2023 (KB5002375)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-sharepoint-server-subscription-edition-april-11-2023-kb5002375-1bbdc497-d120-4f43-a0d2-e9392d62dd1f

Affects: SharePoint Server Subscription Edition

Symptom: Search service applications cannot be successfully created starting with the March 14, 2023 security update for SharePoint Server Subscription Edition (KB 5002355). The Search Service Application: Search Administration page in Central Administration will show the administrative status of newly created Search service applications as “The search service is not able to connect to the machine that hosts the administration component.” Search service applications created before the March 14, 2023 security update is installed are unaffected and will continue to function normally.

Status: This issue will be fixed in a future update for SharePoint Server Subscription Edition.

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

Security and Quality Rollup

  • KB5025279 – Windows Server 2008 R2 (ESU)
  • KB5025285 – Windows Server 2012 R2
  • KB5025287 – Windows Server 2012
  • KB5025271 – Windows Server 2008 (ESU)

Security Only Update

  • KB5025277 – Windows Server 2008 R2 (ESU)
  • KB5025288 – Windows Server 2012 R2
  • KB5025272 – Windows Server 2012
  • KB5025273 – Windows Server 2008 (ESU)

Cumulative Updates

Windows 10

  • KB5025234 – Original release version 1507 (OS Build 10240)
  • KB5025228 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5025229 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5025221 – Version 20H2 “October 2020 Update” (OS Build 19042)
  • KB5025221 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5025221 – Version 22H2 “November 2022 Update” (OS Build 19045)

(Versions 1511,1703,1709,1803,1903,2004 are no longer under support)

Windows 11

  • KB5025224 – 21H2 (OS Build 22000) Original release
  • KB5025239 – 22H2 (OS Build 22621)

Windows Server

  • KB5025228 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5025229 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5025230 – Server 2022 (OS Build 20348)

April 2023 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/april-2023-updates-for-microsoft-office-107b1ed4-1cec-45a2-bace-c065e7434840

Notable CVEs

CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21554

“To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side.”

CVE-2023-28219 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28219

“An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.”

CVE-2023-28220 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28220

“An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.”

CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28231

“Successful exploitation of this vulnerability requires that an attacker will need to first gain access to the restricted network before running an attack.”

CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28250

“When the Windows Message Queuing service is enabled, an attacker who successfully exploited this vulnerability could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.”

CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-28252

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”