CyberWatch

Microsoft November 2023 Patch Tuesday: Multiple Zero-day Fixes

By Access Point Consulting

Summary

Every second Tuesday of the month, Microsoft releases many security fixes to several of its software solutions. This is known as “Patch Tuesday.” This time, several critical vulnerabilities and zero-days have been remediated. A total of five zero-day vulnerabilities, three critical vulnerabilities, and more than 50 other vulnerabilities of varying severity were addressed. This report covers only the most critical and notable vulnerabilities.

Impact Assessment

Three Actively Exploited Zero Days

  1. CVE-2023-36036 – (CVSS 3.1 – 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. There is evidence of active exploitation. An attacker who successfully exploits this vulnerability could gain SYSTEM-level privileges.
  2. CVE-2023-36033 – (CVSS 3.1 – 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability. There is evidence of active exploitation. An attacker who successfully exploits this vulnerability could gain SYSTEM-level privileges.
  3. CVE-2023-36025 – (CVSS 3.1 – 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability. There is evidence of active exploitation. An attacker who successfully exploits this vulnerability would be able to bypass Windows Defender SmartScreen checks and their associated prompts. A user would have to click on a specially crafted internet shortcut, or a hyperlink pointing to an internet shortcut file, to be compromised.

Two Not Actively Exploited Zero Days

  1. CVE-2023-36413 – (CVSS 3.1 – 6.5) – Microsoft Office Security Feature Bypass Vulnerability. There is no evidence of exploitation, but Microsoft rates exploitation as more likely. Successful exploitation would allow an attacker to bypass Office Protected View so that a document opens in editing mode rather than protected mode. To exploit this vulnerability, an attacker must send the user a malicious file and convince them to open it.
  2. CVE-2023-36038 – (CVSS 3.1 – 8.2) – ASP.NET Core Denial of Service Vulnerability. There is no evidence of exploitation, and Microsoft rates exploitation as less likely. To exploit this vulnerability, HTTP requests to .NET 8 RC 1 running on the IIS InProcess hosting model must be cancelled. This results in an increase in thread counts, at which point an OutOfMemoryException becomes possible. Successful exploitation could result in a total loss of availability on the affected device.

Three Critical-Severity Vulnerabilities

  1. CVE-2023-36052 – (CVSS 3.1 – 8.6) – Azure CLI REST Command Information Disclosure Vulnerability. An attacker who successfully exploits this vulnerability could recover plaintext usernames and passwords from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions. Information about this vulnerability is available in this article.
  2. CVE-2023-36397 – (CVSS 3.1 – 9.8) – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. To exploit this vulnerability, the Windows Message Queuing service must be running in a PGM Server environment. An attacker could then send a specially crafted file over the network to achieve remote code execution.
  3. CVE-2023-36400 – (CVSS 3.1 – 8.8) – Windows HMAC Key Derivation Elevation of Privilege Vulnerability. To exploit this vulnerability, an attacker would first have to log on to the system and then run a specially crafted application to take control of the affected system. Microsoft notes that this attack could be performed from a low-privilege Hyper-V guest, allowing the attacker to cross the security boundary and execute code on the Hyper-V host.

Affected Products

.NET Framework, ASP.NET, Azure DevOps, Microsoft Bluetooth Driver, Microsoft Dynamics, Microsoft Dynamics 365 Sales, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Remote Registry Service, Microsoft WDAC OLE DB provider for SQL, Microsoft Windows Search Component, Microsoft Windows Speech, Windows Compressed Folder, Windows Defender, Windows Deployment Services, Windows DHCP Server, Windows Distributed File System (DFS), Windows DWM Core Library, Windows HMAC Key Derivation, Windows Hyper-V, Windows Installer, Windows Internet Connection Sharing (ICS), Windows Kernel, Windows NTFS, Windows Protected EAP (PEAP), Windows Scripting, Windows SmartScreen, and Windows Storage.

What it means for you

If you are a regular user of Windows, checking your operating system for updates and restarting is all that needs to be done. If you are part of an organization, review the affected products list above for any products present in your environment, then review the relevant updates and plan their rollout. Not all fixes for the products above are delivered through an OS update, but most are.

Remediation

For Microsoft Windows endpoints, check for updates and restart the device. The process for Microsoft server products is different; see the article linked here on how to upgrade Microsoft server instances.

Most remediations require a restart of the device after the updates are installed. For more information about which products are affected and which updates apply to each vulnerability, refer to the MSRC links and KB articles from Microsoft. Use the following link to search for potentially affected products and their associated KB articles. Be sure to select the date range and choose “Update Tuesday” to find all relevant KBs and updates.
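The two checks this section describes (has the host installed an update since this Patch Tuesday, and is a restart still pending) can be scripted for per-host reporting. The following PowerShell is an added example, not part of the bulletin or any Microsoft tooling; it assumes 14 November 2023 as the release date (the second Tuesday of that month) and relies on the standard Windows Update and Component Based Servicing reboot-marker registry keys.

```powershell
# Added example (not from the Access Point Consulting bulletin): report whether this
# endpoint has installed any update since the November 2023 Patch Tuesday and whether
# it still has a restart pending, so remediation can be tracked per host.
# Baseline date is derived from the bulletin: second Tuesday of November 2023.
$PatchTuesday = Get-Date -Year 2023 -Month 11 -Day 14 -Hour 0 -Minute 0 -Second 0

function Get-PatchTuesdayStatus {
    param([datetime]$Baseline = $PatchTuesday)

    # Get-HotFix lists installed Windows updates with their InstalledOn dates.
    $hotfixes = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending
    $latest        = $hotfixes | Select-Object -First 1
    $sinceBaseline = @($hotfixes | Where-Object { $_.InstalledOn -ge $Baseline })

    # Windows leaves one of these keys behind when an installed update still
    # needs a restart to take effect.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LatestUpdate         = if ($latest) { $latest.HotFixID } else { 'none' }
        LatestInstalledOn    = if ($latest) { $latest.InstalledOn } else { $null }
        UpdatesSinceBaseline = $sinceBaseline.Count
        RebootPending        = $rebootPending
        Status               = if ($sinceBaseline.Count -eq 0) { 'NEEDS UPDATE' }
                               elseif ($rebootPending)        { 'RESTART REQUIRED' }
                               else                           { 'UPDATED' }
    }
}

# Run locally; for a fleet, wrap the call in Invoke-Command against a list of hosts.
Get-PatchTuesdayStatus | Format-List
```

An update installed after the baseline is a heuristic, not proof that a specific KB is present; confirm the exact KBs for each vulnerability against the MSRC update guide search described above.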

Business Implications

Microsoft Patch Tuesday addresses hundreds of vulnerabilities every year and sheds light on actively exploited vulnerabilities. It is important that these zero-day vulnerabilities are prioritized as emergencies, as exploitation of any of them could be devastating. Many affect almost all Microsoft devices in an organization’s environment.

Access Point Technology Recommends

Patch: Patch the operating systems of all affected devices and review the affected products list for any other products that could be vulnerable. If any are present, refer to the MSRC update guide for specific information on patching those vulnerabilities.

Ensure proper cadence: These vulnerabilities should be patched promptly, as three of the zero-days are actively exploited.

Test: If you are within an organization, it is paramount to test these patches before deploying them to all users. Operating system changes can have a great impact on day-to-day operations.

Rollback: Have a rollback plan in place to ensure that an update will not break the production environment.

Associated Bulletins

https://msrc.microsoft.com/update-guide/
