Rewterz Threat Alert – AsyncRAT – Active IOCs

January 17, 2023

Rewterz Threat Alert – Ekipa RAT – Active IOCs

January 18, 2023

Rewterz Threat Advisory – Multiple Microsoft Windows Vulnerabilities

January 18, 2023

Severity

High

Analysis Summary

CVE-2023-21563 CVSS:6.8

Microsoft Windows could allow a physical attacker to bypass security restrictions, cause by a flaw in BitLocker component. An attacker could exploit this vulnerability to bypass security feature to cause impact on confidentiality, integrity and availability.

CVE-2023-21536 CVSS:4.7

Microsoft Windows could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the Event Tracing for Windows component. By executing a specially-crafted program, an attacker could exploit this vulnerability to obtain sensitive information from Kernel memory and then use this information to launch further attacks against the affected system.

CVE-2023-21547 CVSS:7.5

Microsoft Windows is vulnerable to a denial of service, caused by a flaw in the Internet Key Exchange (IKE) Protocol. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2023-21724 CVSS:7.8

Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the DWM Core Library component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges.

CVE-2023-21537 CVSS:7.8

Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the Message Queuing (MSMQ) component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges.

CVE-2023-21732 CVSS:8.8

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the ODBC Driver. By persuading a victim to open a specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-21681 CVSS:8.8

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the WDAC OLE DB provider for SQL Server. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-21725 CVSS:6.3

Microsoft Windows Defender could allow a local authenticated attacker to gain elevated privileges on the system. By winning a race condition, an authenticated attacker could exploit this vulnerability to gain SYSTEM privileges.

CVE-2023-21779 CVSS:7.3

Microsoft Visual Studio Code could allow a remote authenticated attacker to execute arbitrary code on the system. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-21768 CVSS:7.8

Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the Ancillary Function Driver for WinSock component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges.

CVE-2023-21525 CVSS:5.3

Microsoft Windows is vulnerable to a denial of service, caused by a flaw in the Remote Procedure Call Runtime. A remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2023-21752 CVSS:7.1

Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the Backup Service component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges.

CVE-2022-41114 CVSS:7

Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the Bind Filter Driver component. By winning a race condition, an authenticated attacker could exploit this vulnerability to gain administrative privileges.

CVE-2023-21739 CVSS:7

Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the Bluetooth Driver component. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges.

CVE-2023-21560 CVSS:6.6

Microsoft Windows could allow a physical authenticated attacker to bypass security restrictions, cause by a flaw in Boot Manager component. An attacker could exploit this vulnerability to bypass the BitLocker Device Encryption feature.

Impact

Code Execution
Privilege Escalation
Denial of Service
Security Bypass

Indicators Of Compromise

CVE

CVE-2023-21563
CVE-2023-21536
CVE-2023-21547
CVE-2023-21724
CVE-2023-21537
CVE-2023-21732
CVE-2023-21681
CVE-2023-21725
CVE-2023-21779
CVE-2023-21768
CVE-2023-21525
CVE-2023-21752
CVE-2022-41114
CVE-2023-21739
CVE-2023-21560

Affected Vendors

Microsoft

Affected Products

Microsoft Windows 7 SP1 x32
Microsoft Windows 7 SP1 x64
Microsoft Windows Server 2012
Microsoft Windows 8.1 x32
Microsoft Windows 8.1 x64
Microsoft Windows Server 2012 R2
Microsoft Windows RT 8.1
Microsoft Windows 10 x32
Microsoft Windows 10 x64
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Microsoft Windows 10 1809 for 32-bit Systems
Microsoft Windows 10 1809 for x64-based Systems
Microsoft Windows 10 1809 for ARM64-based Systems
Microsoft Windows 10 1607 for 32-bit Systems
Microsoft Windows 10 1607 for x64-based Systems
Microsoft Windows 10 20H2 for 32-bit Systems
Microsoft Windows 10 20H2 for ARM64-based Systems
Microsoft Windows 10 20H2 for x64-based Systems
Microsoft Windows Server (Server Core installation) 2019
Microsoft Windows Server (Server Core installation) 2016
Microsoft Windows Server (Server Core installation) 2012 R2
Microsoft Windows Server (Server Core installation) 2012
Microsoft Windows Server for X64-based systems 2008 R2 SP1
Microsoft Windows Server for X64-based systems (Server Core installation) 2008 SP2
Microsoft Windows Server for 32-bit systems (Server Core installation) 2008 SP2
Microsoft Windows Server for 32-bit systems 2008 SP2
Microsoft Windows Server for X64-based systems (Server Core installation) 2008 R2 SP1
Microsoft Windows Server 2022Microsoft Windows Server (Server Core installation) 2022
Microsoft Windows Server for X64-based systems 2008 SP2
Microsoft Windows 10 21H2 for 32-bit Systems
Microsoft Windows 10 21H2 for ARM64-based Systems
Microsoft Windows 10 21H2 for x64-based Systems
Microsoft Windows 11 22H2 for ARM64-based Systems
Microsoft Windows 11 22H2 for x64-based Systems
Microsoft Windows 10 22H2 for 32-bit Systems
Microsoft Windows 10 22H2 for ARM64-based Systems
Microsoft Windows 10 22H2 for x64-based Systems
Microsoft Windows Server 2022 Datacenter: Azure Edition
Microsoft Windows 11 21H2 for ARM64-based Systems
Microsoft Windows 11 21H2 for x64-based Systems
Microsoft Windows 10 21H1 for 32-bit Systems
Microsoft Windows 10 21H1 for ARM64-based Systems
Microsoft Windows 10 21H1 for x64-based Systems
Microsoft Windows 11 x64Microsoft Windows 11 ARM64
Microsoft Windows Server 2022 Azure Edition Core Hotpatch
Microsoft Windows Server (Server Core installation) 22H2
Microsoft Windows Server for X64-based systems (Server Core installation) 2008 R2
Microsoft Malware Protection EngineMicrosoft Visual Studio Code

Remediation

Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.