Summary
On the second Tuesday of each month, Microsoft releases security fixes for many of its products. This is known as "Patch Tuesday." This month, several critical vulnerabilities and zero-days were remediated: a total of five zero-day vulnerabilities, three critical vulnerabilities, and more than 50 other vulnerabilities of varying severity. This report covers only the most critical and notable vulnerabilities.
Impact Assessment
Three Actively Exploited Zero Days
- CVE-2023-36036 – (CVSS 3.1 – 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. Evidence of active exploitation. An attacker who successfully exploits this vulnerability could gain SYSTEM-level privileges. This is a local elevation of privilege: the attacker must already be able to run code on the host, so in practice it is chained after an initial compromise.
- CVE-2023-36033 – (CVSS 3.1 – 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability. Evidence of active exploitation. An attacker who successfully exploits this vulnerability could gain SYSTEM-level privileges. Like the Cloud Files issue, it is local and requires code already running on the host.
- CVE-2023-36025 – (CVSS 3.1 – 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability. Evidence of active exploitation. An attacker who successfully exploits this vulnerability can bypass Windows Defender SmartScreen checks and their associated prompts. A user would have to click a specially crafted internet shortcut (.url) file, or a hyperlink pointing to one, to be compromised; the bypass removes the warning the user would otherwise see.
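The SmartScreen bypass above is delivered through a crafted internet shortcut (.url) file. The PowerShell below is an added example, not part of the original bulletin or Microsoft's guidance: it lists recently written .url files in common download locations, extracts the target each one points at, and reports whether the file carries a Mark-of-the-Web (Zone.Identifier alternate data stream). The search paths, the 30-day window and the "non-http target" flag are assumptions chosen here for triage, not something the advisory specifies.

```powershell
# Added example (not from the bulletin): triage Internet Shortcut (.url) files.
# Lists recently written .url files, the URL= target inside each, and whether the
# file carries a Mark-of-the-Web (Zone.Identifier alternate data stream).
# The search paths, the day window and the NonHttpTarget flag are assumptions
# chosen here for illustration, not something the advisory specifies.
function Get-InternetShortcutReport {
    [CmdletBinding()]
    param(
        [string[]]$Path = @(
            (Join-Path $env:USERPROFILE 'Downloads'),
            (Join-Path $env:USERPROFILE 'Desktop'),
            $env:TEMP
        ),
        [int]$Days = 30
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter '*.url' -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                # A .url file is INI text; the [InternetShortcut] section carries URL=<target>
                $m = Select-String -LiteralPath $_.FullName -Pattern '^\s*URL\s*=\s*(.+?)\s*$' |
                     Select-Object -First 1
                $target = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }

                # Zone.Identifier with ZoneId=3 marks a file downloaded from the Internet zone
                $zone = $null
                try {
                    $z = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction Stop |
                         Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
                    if ($z) { $zone = [int]$z.Matches[0].Groups[1].Value }
                } catch { }

                [pscustomobject]@{
                    File          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    Target        = $target
                    ZoneId        = $zone
                    # Simple triage flag: shortcuts whose target is not plain http(s) warrant a closer look
                    NonHttpTarget = ($null -ne $target) -and ($target -notmatch '^https?://')
                }
            }
    }
}

Get-InternetShortcutReport | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Run it in the context of the user being investigated (the default paths are per-user). A .url file with a ZoneId of 3 and a target outside plain http(s) is worth examining by hand; the script only surfaces candidates and does not decide whether a given file is malicious.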
Two Not Actively Exploited Zero Days
- CVE-2023-36413 – (CVSS 3.1 – 6.5) – Microsoft Office Security Feature Bypass Vulnerability. No evidence of exploitation, but Microsoft rates exploitation as more likely. Successful exploitation would allow an attacker to bypass Office Protected View so that a document opens in editing mode rather than protected mode. To exploit it, an attacker must send the user a malicious file and convince them to open it.
- CVE-2023-36038 – (CVSS 3.1 – 8.2) – ASP.NET Core Denial of Service Vulnerability. No evidence of exploitation, and Microsoft rates exploitation as less likely. Exploitation requires HTTP requests to an application on .NET 8 RC 1 running under the IIS in-process hosting model to be cancelled; this drives up thread counts until an OutOfMemoryException becomes possible. A successful attack could result in a total loss of availability on the affected host. Only the .NET 8 RC 1 pre-release is affected, so the fix is to move to a newer .NET 8 build.
Three Critical-Severity Vulnerabilities
- CVE-2023-36052 – (CVSS 3.1 – 8.6) – Azure CLI REST Command Information Disclosure Vulnerability. An attacker who successfully exploits this vulnerability could recover plaintext usernames and passwords from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions. Note that updating the CLI does not scrub logs that have already been published; any credentials that may have appeared in them should be treated as exposed and rotated. Microsoft has published a separate article on this vulnerability.
- CVE-2023-36397 – (CVSS 3.1 – 9.8) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. To exploit it, the Windows Message Queuing service must be running in a PGM server environment; an attacker could then send a specially crafted file over the network to achieve remote code execution. Message Queuing is an optional component that is not installed by default, so the exposed population is hosts where it has been deliberately enabled.
- CVE-2023-36400 – (CVSS 3.1 – 8.8) – Windows HMAC Key Derivation Elevation of Privilege Vulnerability. To exploit it, an attacker must first log onto a system and then run a specially crafted application that takes control of the affected system. Notably, the attack can be performed from a low-privilege Hyper-V guest, allowing the attacker to cross the security boundary and execute code on the Hyper-V host.
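Because the PGM remote code execution issue only matters where Message Queuing is running with PGM support, the first question for a fleet is which hosts actually meet that condition. The PowerShell below is an added example, not code from the bulletin or from Microsoft: it checks for the MSMQ service, the MSMQ multicast (PGM) component, the Reliable Multicast kernel driver, and the MSMQ TCP listener, and summarizes the result. The feature and driver names are the standard Windows ones; the TCP port 1801 check is MSMQ's well-known listener and is included as a general exposure signal rather than something the advisory states.

```powershell
# Added example (not from the bulletin): exposure check for the PGM RCE (CVE-2023-36397).
# Per the advisory, the Message Queuing service must be running in a PGM server
# environment, so we look for the MSMQ service, its multicast (PGM) component,
# the PGM kernel driver (RMCAST), and the MSMQ TCP listener on port 1801.
# Run elevated; the optional-feature queries require administrator rights.
function Test-PgmExposure {
    [CmdletBinding()]
    param()

    # 1. Is the Message Queuing service present and running?
    $msmq = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $msmqRunning = ($null -ne $msmq) -and ($msmq.Status -eq 'Running')

    # 2. Is MSMQ multicast (PGM) support installed? Server and client SKUs expose it differently.
    $multicastInstalled = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name 'MSMQ-Multicasting' -ErrorAction SilentlyContinue
        $multicastInstalled = ($null -ne $f) -and [bool]$f.Installed
    } elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Multicast' -ErrorAction SilentlyContinue
        $multicastInstalled = ($null -ne $f) -and ($f.State -eq 'Enabled')
    }

    # 3. Is the Reliable Multicast (PGM) kernel driver loaded?
    $rmcast = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    $pgmDriverRunning = ($null -ne $rmcast) -and ($rmcast.State -eq 'Running')

    # 4. Is anything listening on MSMQ's TCP port 1801?
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $msmqListening = $null -ne $listener

    # Exposed only if MSMQ is running AND PGM support is present in some form
    $exposed = $msmqRunning -and ($multicastInstalled -or $pgmDriverRunning)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        MsmqServiceRunning   = $msmqRunning
        MulticastInstalled   = $multicastInstalled
        PgmDriverRunning     = $pgmDriverRunning
        MsmqTcp1801Listening = $msmqListening
        LikelyExposed        = $exposed
    }
}

Test-PgmExposure | Format-List
```

A host that reports LikelyExposed as True should be at the front of the patch queue for this CVE; a host where MSMQ is installed but not needed is better served by removing the component than by leaving it patched but reachable.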
Affected Products
.NET Framework, ASP.NET, Azure DevOps, Microsoft Bluetooth Driver, Microsoft Dynamics, Microsoft Dynamics 365 Sales, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Remote Registry Service, Microsoft WDAC OLE DB provider for SQL, Microsoft Windows Search Component, Microsoft Windows Speech, Windows Compressed Folder, Windows Defender, Windows Deployment Services, Windows DHCP Server, Windows Distributed File System (DFS), Windows DWM Core Library, Windows HMAC Key Derivation, Windows Hyper-V, Windows Installer, Windows Internet Connection Sharing (ICS), Windows Kernel, Windows NTFS, Windows Protected EAP (PEAP), Windows Scripting, Windows SmartScreen, and Windows Storage.
What it means for you
If you are an individual Windows user, checking your operating system for updates and restarting is all that needs to be done. If you are part of an organization, review the affected products list above for anything present in your environment, then review and plan the rollout of the updates. Not all fixes for the products above arrive through an OS update, although most do.
Remediation
For Microsoft Windows endpoints, check for updates and restart. Windows Server instances are updated differently; see the article linked here on how to upgrade Microsoft server instances.
Most remediations require a restart of the device after the updates are installed. For details on which products are affected and which updates apply to each vulnerability, refer to the MSRC links and KB articles from Microsoft. Use the following link to search for potentially affected products and their associated KB articles; select the date range and choose "Update Tuesday" to list all relevant KBs and updates.
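For endpoints that are not managed by a central patching tool, the same "check for updates, install, restart" step can be scripted against the Windows Update Agent. The PowerShell below is an added example, not code from the bulletin or from Microsoft: it lists the updates missing on the local host with their KB numbers and MSRC severity, installs those rated Critical or Important, and reports whether a restart is pending. The COM object names and the search criteria are the standard Windows Update Agent ones; the severity filter is a choice made here for illustration.

```powershell
# Added example (not from the bulletin): drive the Windows Update Agent COM API to
# list missing software updates, install the ones Microsoft rates Critical or
# Important, and report whether a restart is pending. Run elevated.
function Get-MissingSecurityUpdate {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Not yet installed, not hidden, software only (drivers excluded)
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title        = $u.Title
            KB           = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity     = $u.MsrcSeverity          # Critical / Important / Moderate / Low / empty
            RebootNeeded = $u.InstallationBehavior.RebootBehavior -ne 0
            Update       = $u                       # raw IUpdate kept for installation
        }
    }
}

function Install-SecurityUpdate {
    param([Parameter(Mandatory)] [object[]]$Entries)
    $session    = New-Object -ComObject 'Microsoft.Update.Session'
    $collection = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($e in $Entries) {
        if (-not $e.Update.EulaAccepted) { $e.Update.AcceptEula() }
        [void]$collection.Add($e.Update)
    }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $collection
    [void]$downloader.Download()
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $collection
    $r = $installer.Install()
    [pscustomobject]@{
        ResultCode     = $r.ResultCode     # 2 = succeeded, 3 = succeeded with errors, 4 = failed
        RebootRequired = $r.RebootRequired
    }
}

function Test-PendingReboot {
    (New-Object -ComObject 'Microsoft.Update.SystemInfo').RebootRequired
}

$missing = Get-MissingSecurityUpdate
$missing | Select-Object Title, KB, Severity, RebootNeeded | Format-Table -AutoSize

# Severity filter chosen here for illustration; widen it if your policy requires
$urgent = $missing | Where-Object { $_.Severity -in 'Critical', 'Important' }
if ($urgent) {
    Install-SecurityUpdate -Entries $urgent
}
"Restart pending: $(Test-PendingReboot)"
```

The listing step is safe to run anywhere and is a quick way to confirm, after the monthly rollout, that no endpoint still reports the month's cumulative update as missing. The install step should only be run on hosts that have gone through the testing and rollback planning described under the recommendations below.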
Business Implications
Microsoft Patch Tuesday releases fix hundreds of vulnerabilities every year and shed light on which ones are being actively exploited. The zero-day vulnerabilities above should be prioritized as emergency changes, since exploitation of any of them could be devastating, and many affect almost every Microsoft device in an organization's environment.
Access Point Technology Recommends
Patch: Patch the Operating Systems of all affected devices and review the affected products list for any other products which could possibly be vulnerable. If so, refer to the MSRC update guide for specific information on patching the vulnerabilities.
Ensure proper cadence: These vulnerabilities should be patched promptly, as three of the zero-days are being actively exploited.
Test: If you are within an organization, it is paramount to test these patches before releasing them to all users. Operating system changes can have a large impact on day-to-day operations.
Rollback: Have a rollback plan in place to ensure that an update will not break the production environment.
Associated Bulletins
https://msrc.microsoft.com/update-guide/