Vulnerabilities include 2 remote code execution failures, 1 privilege escalation, and 1 Secure Boot bypass. Under ideal conditions, hackers can combine 4 vulnerabilities to form a perfect attack chain.
Microsoft fixed these bugs in the May patch (Patch Tuesday). Users need to update immediately to avoid a large-scale attack.
The first vulnerability (identifier CVE-2023-29325) is a remote code execution bug in OLE (Object Linking & Embedding) technology on Windows, affecting Outlook. To exploit, the hacker sends a malicious phishing email to the user. As long as the victim opens the email with Outlook software or the Outlook application displays a preview of the email, the attacker can execute the code remotely and take full control of the device
The second vulnerability, CVE-2023-29336, is a privilege escalation bug in the operating system’s Win32k kernel driver. Exploited successfully, an attacker can escalate from the user to SYSTEM privilege (the highest privilege in the operating system), thereby planting malicious code on the target device and maintaining access. The vulnerability is now being exploited in actual attacks.
The third vulnerability, CVE-2023-24932, allows hackers to bypass the Secure Boot feature. To exploit, hackers find a way to “lose” or gain administrative rights on the target device, thereby installing bootkit malicious code on the system firmware (firmware). This bootkit allows hackers to take control of the device boot process, stay in the area longer, and avoid detection by security solutions.
The most dangerous is the remote code execution vulnerability CVE-2023-24941 (CVSS severity score 9.8/10), which can be a springboard for hackers to attack deeply into other systems. The vulnerability exists in the file-sharing protocol in the Windows NFS (Network File System) network. An unauthenticated attacker can send a specially crafted command to the NFS service, thereby gaining control of Windows servers. CVE-2023-24941 affects Windows Server 2012, 2016, 2019, and 2022 and specifically requires no user interaction.
According to a Bkav expert, under ideal conditions, hackers can combine the above 4 vulnerabilities to form an attack chain: First, trick victims into clicking on fake emails to exploit CVE-2023-29325, thereby hijacking remote code execution on the target device. Next, privilege escalation from user to system privilege via CVE-2023-29336, then infect the malware and maintain access on the device. Once located on the device, hackers can exploit the Secure Boot security feature with CVE-2023-24932, install malware and maintain a presence on the victim system. Finally, take advantage of CVE-2023-24941 to dig deep into Windows servers.
Mr. Nguyen Van Cuong, Cybersecurity Director of Bkav, commented: “Successfully performing the attack steps, the hacker can control the entire system, steal sensitive information… Especially, the vulnerability CVE-2023-29325 puts users at risk of becoming the victim of phishing campaigns. This attack is easy, low-cost, and can be done on a large scale. wide, so the impact will be huge.”
Bkav recommends users immediately update the Windows operating system to the latest version. At the same time, users should not open strange emails of unknown origin, if an abnormality is detected in the system, they should contact a professional team to review and handle
