Microsoft, Fortinet, HashiCorp and Other Vendors’ April Patches Address Critical and High-Level Vulnerabilities

Multiple big-name technology vendors, including Microsoft, Fortinet and HashiCorp, have announced patches to address a variety of vulnerabilities. Here’s what you need to know.

What is the situation?

Microsoft

Microsoft has released its April 2023 Patch Tuesday security updates, addressing a total of 97 vulnerabilities. These include one actively exploited zero-day and seven vulnerabilities rated “Critical” because they allow remote code execution (RCE); the remainder are rated “Important.”

The actively exploited zero-day is CVE-2023-28252, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver. According to Microsoft, an attacker who successfully exploits it could gain SYSTEM privileges, the highest user privilege level in Windows.

The number of vulnerabilities in each category is listed below. The count does not include 17 Microsoft Edge vulnerabilities that were addressed on April 6, 2023.

  • 20 Elevation of Privilege Vulnerabilities
  • 8 Security Feature Bypass Vulnerabilities
  • 45 Remote Code Execution Vulnerabilities
  • 10 Information Disclosure Vulnerabilities
  • 9 Denial of Service Vulnerabilities
  • 6 Spoofing Vulnerabilities

A complete list of resolved vulnerabilities in this month’s patch updates can be found in the latest Microsoft Security Update Guide.

Fortinet

Fortinet released its April Vulnerability Advisory yesterday, addressing multiple vulnerabilities across different Fortinet technologies, including FortiOS, FortiGate, FortiClient, FortiNAC, FortiSOAR, FortiDDoS, FortiProxy, FortiWeb, FortiADC, FortiAnalyzer, FortiPresence and FortiManager.

In total, Fortinet has released patches for 1 critical, 9 high, 5 medium and 1 low-severity vulnerability.

The critically rated vulnerability is a missing-authentication flaw affecting only on-premises FortiPresence servers. Fortinet states that the number of on-premises instances is minimal and that cloud instances are not impacted.

Nuspire will coordinate with clients for firmware upgrades of any affected managed device. Clients who manage their own devices are recommended to upgrade firmware or apply mitigations in accordance with Fortinet’s recommendations.

HashiCorp Vault

Also announced today was a new vulnerability, tracked as CVE-2023-0620, in the HashiCorp Vault project, an “identity-based secrets and encryption management system” that controls API encryption keys, passwords and certificates.

This vulnerability can allow an attacker to perform a SQL injection attack that leads to RCE. It affects versions up to 1.13.0 and has been patched in versions 1.13.1, 1.12.5 and 1.11.9.
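Because the fix for CVE-2023-0620 was shipped on three maintained branches, a plain “newer than 1.13.0” check misreads a patched 1.12.5 as vulnerable. The following is an added example (not Nuspire’s or HashiCorp’s code) that compares an installed Vault version against the fixed releases named above, per branch. It assumes version strings in the usual `vMAJOR.MINOR.PATCH` form; treating branches with no listed fix (1.10 and older) as needing an upgrade to 1.13.1 is an assumption, since the advisory lists no fix for those.

```python
"""Check HashiCorp Vault version strings against the CVE-2023-0620 fixed releases."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases as stated in the advisory: one per maintained branch.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (1, 13): (1, 13, 1),
    (1, 12): (1, 12, 5),
    (1, 11): (1, 11, 9),
}

# Assumption: branches without a listed fix are moved to the newest fixed release.
DEFAULT_TARGET: Version = (1, 13, 1)


def parse_version(text: str) -> Version:
    """Parse 'v1.12.4', '1.12.4+ent' or 'Vault v1.13.0' into (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if this Vault build predates the fix on its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    # Branches older than 1.11 have no fixed release (affected);
    # anything newer than 1.13 already carries the fix.
    return v < DEFAULT_TARGET


def required_upgrade(version: str) -> Optional[str]:
    """Smallest fixed release for this branch, or None if already patched."""
    if not is_vulnerable(version):
        return None
    v = parse_version(version)
    target = FIXED_RELEASES.get(v[:2], DEFAULT_TARGET)
    return ".".join(str(n) for n in target)


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map hostname -> (vulnerable, upgrade target) for a fleet inventory."""
    return {host: (is_vulnerable(ver), required_upgrade(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real systems.
    sample = {
        "vault-prod-1": "v1.13.0",
        "vault-prod-2": "v1.12.5+ent",
        "vault-legacy": "v1.10.11",
        "vault-new": "v1.14.0",
    }
    for host, (vuln, target) in triage(sample).items():
        status = f"VULNERABLE, upgrade to {target}" if vuln else "patched"
        print(f"{host}: {status}")
```

Feed `triage()` the output of `vault version` collected from each node; the comparison is per branch, so a 1.12.5 host is correctly reported as patched even though 1.13.0 is “newer” and still vulnerable.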

Additional Vendors

Additional vendors that released updates in April 2023 are listed below:

  • Apple released security updates to fix two actively exploited zero-days in iOS and macOS.
  • Cisco released security updates for multiple products.
  • Google released the Android April 2023 and Google Chrome security updates.
  • SAP released its April 2023 Patch Day updates.

What is Nuspire doing?

Nuspire applies patches when released in accordance with vendor recommendations. Nuspire will coordinate firmware upgrades with any client using an affected managed device.

What should I do?

Organizations should review this threat brief, identify any of the affected technologies in use within their environment, and then prioritize patching by criticality. If Nuspire manages a device for a client and it is on an affected version, Nuspire will coordinate and schedule a firmware upgrade.