Tag Archives: Patch Tuesday

Patch Tuesday – April 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/04/09/patch-tuesday-april-2024/

Microsoft is addressing 149 vulnerabilities this April 2024 Patch Tuesday, which is significantly more than usual. For the second month in a row, Microsoft indicated that they aren’t aware of prior public disclosure or exploitation in the wild for any of the vulnerabilities patched today, which means no new additions to CISA KEV at time of writing.

Despite the large number of vulnerabilities published today, Microsoft has ranked only three as critical under its proprietary severity scale. Five browser vulnerabilities were published separately this month, and are not included in the total.

Microsoft is now including two additional data points on advisories: Common Weakness Enumeration (CWE) and Vector String Source assessments.

Defender for IoT: three critical RCEs

Microsoft Defender for IoT receives patches for three critical remote code execution (RCE) vulnerabilities. Microsoft describes Defender for IoT as an Azure-deployable agentless monitoring solution for Internet of Things (IoT) and Operational Technology (OT) devices.

The advisory for CVE-2024-21322 is light on detail, but notes that exploitation requires the attacker to have existing administrative access to the Defender for IoT web application; this limits the attacker value in isolation, although the potential for insider threat or use as part of an exploit chain remains.

CVE-2024-21323 describes an update-based attack and requires prior authentication; an attacker with the ability to control how a Defender for IoT sensor receives updates could cause the sensor device to apply a malicious update package, overwriting arbitrary files on the sensor filesystem via a path traversal weakness.

Exploitation of CVE-2024-29053 allows arbitrary file upload for any authenticated user, also via a path traversal weakness, although the advisory does not specify what the target is other than “the server”.
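One way to guard an update or upload handler against the path traversal weakness class described for CVE-2024-21323 and CVE-2024-29053, as an added example (not Microsoft's fix and not Defender for IoT code). It assumes a tar-format package; the function names are this example's own and the sample packages are constructed.

```python
"""Path traversal guard for update packages and uploaded file names (constructed samples)."""
import io
import os
import tarfile


def resolve_under(root, untrusted_name):
    """Map an untrusted relative name to a path inside root, or raise ValueError."""
    if not untrusted_name or "\x00" in untrusted_name:
        raise ValueError("empty name or embedded NUL")
    # Treat backslashes as separators so Windows-style "..\.." sequences are caught too.
    name = untrusted_name.replace("\\", "/")
    # Leading slash or a drive-letter style "X:" prefix means an absolute path.
    if name.startswith("/") or name[1:2] == ":":
        raise ValueError("absolute path")
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks that already exist on disk.
    candidate = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("escapes destination directory")
    return candidate


def audit_package(package_bytes, dest):
    """Return (safe_names, rejected) for a tar package without writing anything."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(package_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            # Links and device nodes can redirect later writes, so refuse them outright.
            if not (member.isfile() or member.isdir()):
                rejected.append((member.name, "links and device nodes not allowed"))
                continue
            try:
                resolve_under(dest, member.name)
            except ValueError as exc:
                rejected.append((member.name, str(exc)))
            else:
                safe.append(member.name)
    return safe, rejected


def extract_package(package_bytes, dest):
    """All-or-nothing extraction: one bad member rejects the whole package."""
    safe, rejected = audit_package(package_bytes, dest)
    if rejected:
        raise ValueError(f"package rejected: {rejected}")
    with tarfile.open(fileobj=io.BytesIO(package_bytes), mode="r:*") as tar:
        for name in safe:
            member = tar.getmember(name)
            target = resolve_under(dest, name)  # re-check at write time
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
    return safe


def build_package(files):
    """Build an in-memory tar from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a well-formed package, and one with a member that climbs out of dest.
GOOD_PACKAGE = build_package({"sensor/rules/detect.yml": b"rules: []\n"})
BAD_PACKAGE = build_package({
    "sensor/rules/detect.yml": b"rules: []\n",
    "../../outside/overwritten.conf": b"constructed\n",
})
```

The same `resolve_under` check applies to a file name supplied with an upload. On Python versions that support it, `tarfile`'s built-in `filter="data"` extraction filter enforces comparable rules.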

The Defender for IoT 24.1.3 release notes do not call out these security fixes and describe only improvements to clock drift detection and unspecified stability improvements; this omission highlights the evergreen value of timely patching.

SharePoint: XSS spoofing

SharePoint receives a patch for CVE-2024-26251, a spoofing vulnerability which abuses cross-site scripting (XSS) and affects SharePoint Server 2016, 2019, and Subscription Edition. Exploitation requires multiple conditions to be met, including but not limited to a reliance on user actions, token impersonation, and specific application configuration. On that basis, although Microsoft is in possession of mature exploit code, exploitation is rated less likely.

Excel: arbitrary file execution

Microsoft is patching a single Office vulnerability today. CVE-2024-26257 describes a RCE vulnerability in Excel; exploitation requires that the attacker convinces the user to open a specially-crafted malicious file.

Patches for Windows-based click-to-run (C2R) Office deployments and Microsoft 365 Apps for Enterprise are available immediately. Not for the first time, a patch for Office for Mac is unavailable at time of writing, and will follow at some unspecified point in the future.

SQL Server OLE DB driver: dozens of RCE

The Microsoft OLE DB Driver for SQL Server receives patches for no fewer than 38 separate RCE vulnerabilities today, which might be a record for a single component. The common theme here is that an attacker could trick a user into connecting to a malicious SQL server to achieve code execution in the context of the client.

All quiet on the Exchange front

There are no security patches for Exchange this month.

Microsoft advisory metadata: CWE and Vector String Source

The addition of CWE assessments to Microsoft security advisories helps pinpoint the generic root cause of a vulnerability; e.g., CVE-2024-21322 is assigned “CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’).” By embracing CWE taxonomy, Microsoft is moving away from its own proprietary system to describe root cause. The CWE program has recently updated its guidance on mapping CVEs to a CWE Root Cause.

Analysis of CWE trends can help developers reduce future occurrences through improved Software Development Life Cycle (SDLC) workflows and testing, as well as helping defenders understand where to direct defense-in-depth and deployment-hardening efforts for best return on investment. At time of writing, the addition of CWE assessments does not appear to be retroactive.

The Common Vulnerability Scoring System (CVSS) is a widely-used standard for evaluation of vulnerability severity, and Microsoft has helpfully provided CVSS data for each vulnerability for a long time. The CVSS vector describes the variables which comprise the overall CVSS severity score for a vulnerability. The addition of Vector String Source — typically, the entity providing the CVSS assessment on a Microsoft vulnerability will be Microsoft — provides further welcome clarity, at least for vulnerabilities where Microsoft is the CVE Numbering Authority (CNA). It may not be a coincidence that Microsoft is choosing to start explicitly describing the source of the CVSS vector during the ongoing uncertainty around the future of the NVD program.

Lifecycle update

Several Microsoft products move past the end of mainstream support after today:

  • Azure DevOps Server 2019.
  • System Center 2019.
  • Visual Studio 2019.

Additionally, some older products move past the end of extended support, including:

  • Microsoft Deployment Agent 2013.
  • Microsoft Diagnostics and Recovery Toolset 8.1.
  • Visual Studio 2013.

Summary Charts

[Chart: 38 is a big number in this context.]
[Chart: Blowout victory for RCE this month.]
[Chart: The sheer volume of OLE DB provider for SQL vulns eclipses everything else this month.]

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-29990 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability No No 9
CVE-2024-29993 Azure CycleCloud Elevation of Privilege Vulnerability No No 8.8
CVE-2024-29989 Azure Monitor Agent Elevation of Privilege Vulnerability No No 8.4
CVE-2024-29063 Azure AI Search Information Disclosure Vulnerability No No 7.3
CVE-2024-21424 Azure Compute Gallery Elevation of Privilege Vulnerability No No 6.5
CVE-2024-26193 Azure Migrate Remote Code Execution Vulnerability No No 6.4
CVE-2024-28917 Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability No No 6.2
CVE-2024-20685 Azure Private 5G Core Denial of Service Vulnerability No No 5.9
CVE-2024-29992 Azure Identity Library for .NET Information Disclosure Vulnerability No No 5.5

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-29981 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3
CVE-2024-29049 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability No No 4.1
CVE-2024-3159 Chromium: CVE-2024-3159 Out of bounds memory access in V8 No No N/A
CVE-2024-3158 Chromium: CVE-2024-3158 Use after free in Bookmarks No No N/A
CVE-2024-3156 Chromium: CVE-2024-3156 Inappropriate implementation in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21409 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability No No 7.3

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20688 Secure Boot Security Feature Bypass Vulnerability No No 7.1
CVE-2024-20689 Secure Boot Security Feature Bypass Vulnerability No No 7.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26257 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2024-26251 Microsoft SharePoint Server Spoofing Vulnerability No No 6.8

Other vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20670 Outlook for Windows Spoofing Vulnerability No No 8.1

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-28906 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28908 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28909 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28910 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28911 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28912 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28913 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28914 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28915 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28939 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28942 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28945 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29047 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28926 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28927 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28940 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28944 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29044 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29046 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29048 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29982 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29983 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29984 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29985 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29043 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28941 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28943 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29045 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability No No 7.5

SQL Server Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-28929 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28931 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28932 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28936 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28930 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28933 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28934 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28935 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28937 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-28938 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 8.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21323 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.8
CVE-2024-29053 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 8.8
CVE-2024-21322 Microsoft Defender for IoT Remote Code Execution Vulnerability No No 7.2
CVE-2024-21324 Microsoft Defender for IoT Elevation of Privilege Vulnerability No No 7.2
CVE-2024-29055 Microsoft Defender for IoT Elevation of Privilege Vulnerability No No 7.2
CVE-2024-29054 Microsoft Defender for IoT Elevation of Privilege Vulnerability No No 7.2

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-29988 SmartScreen Prompt Security Feature Bypass Vulnerability No No 8.8
CVE-2024-26256 libarchive Remote Code Execution Vulnerability No No 7.8
CVE-2024-26235 Windows Update Stack Elevation of Privilege Vulnerability No No 7.8
CVE-2024-29052 Windows Storage Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26245 Windows SMB Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20693 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26218 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26237 Windows Defender Credential Guard Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21447 Windows Authentication Elevation of Privilege Vulnerability No No 7.8
CVE-2024-28920 Secure Boot Security Feature Bypass Vulnerability No No 7.8
CVE-2024-28905 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2024-28904 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2024-28907 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2024-23593 Lenovo: CVE-2024-23593 Zero Out Boot Manager and drop to UEFI Shell No No 7.8
CVE-2024-26254 Microsoft Virtual Machine Bus (VMBus) Denial of Service Vulnerability No No 7.5
CVE-2024-26219 HTTP.sys Denial of Service Vulnerability No No 7.5
CVE-2024-26221 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26222 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26223 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26224 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26227 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26231 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26233 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2024-26236 Windows Update Stack Elevation of Privilege Vulnerability No No 7
CVE-2024-26243 Windows USB Print Driver Elevation of Privilege Vulnerability No No 7
CVE-2024-26213 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7
CVE-2024-23594 Lenovo: CVE-2024-23594 Stack Buffer Overflow in LenovoBT.efi No No 6.4
CVE-2024-29064 Windows Hyper-V Denial of Service Vulnerability No No 6.2
CVE-2024-26255 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-26172 Windows DWM Core Library Information Disclosure Vulnerability No No 5.5
CVE-2024-26220 Windows Mobile Hotspot Information Disclosure Vulnerability No No 5

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26179 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-26200 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-26205 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-20678 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8
CVE-2024-26214 Microsoft WDAC SQL Server ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-26210 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-26244 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-29050 Windows Cryptographic Services Remote Code Execution Vulnerability No No 8.4
CVE-2024-26180 Secure Boot Security Feature Bypass Vulnerability No No 8
CVE-2024-26189 Secure Boot Security Feature Bypass Vulnerability No No 8
CVE-2024-26240 Secure Boot Security Feature Bypass Vulnerability No No 8
CVE-2024-28925 Secure Boot Security Feature Bypass Vulnerability No No 8
CVE-2024-26230 Windows Telephony Server Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26239 Windows Telephony Server Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26211 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26228 Windows Cryptographic Services Security Feature Bypass Vulnerability No No 7.8
CVE-2024-26229 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26241 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26175 Secure Boot Security Feature Bypass Vulnerability No No 7.8
CVE-2024-29061 Secure Boot Security Feature Bypass Vulnerability No No 7.8
CVE-2024-26158 Microsoft Install Service Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26248 Windows Kerberos Elevation of Privilege Vulnerability No No 7.5
CVE-2024-28896 Secure Boot Security Feature Bypass Vulnerability No No 7.5
CVE-2024-26212 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2024-26215 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2024-26194 Secure Boot Security Feature Bypass Vulnerability No No 7.4
CVE-2024-26216 Windows File Server Resource Management Service Elevation of Privilege Vulnerability No No 7.3
CVE-2024-26232 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 7.3
CVE-2024-29066 Windows Distributed File System (DFS) Remote Code Execution Vulnerability No No 7.2
CVE-2024-26208 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 7.2
CVE-2024-26195 DHCP Server Service Remote Code Execution Vulnerability No No 7.2
CVE-2024-26202 DHCP Server Service Remote Code Execution Vulnerability No No 7.2
CVE-2024-29062 Secure Boot Security Feature Bypass Vulnerability No No 7.1
CVE-2024-26242 Windows Telephony Server Elevation of Privilege Vulnerability No No 7
CVE-2024-26252 Windows rndismp6.sys Remote Code Execution Vulnerability No No 6.8
CVE-2024-26253 Windows rndismp6.sys Remote Code Execution Vulnerability No No 6.8
CVE-2024-26168 Secure Boot Security Feature Bypass Vulnerability No No 6.8
CVE-2024-28897 Secure Boot Security Feature Bypass Vulnerability No No 6.8
CVE-2024-20669 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-26250 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-28921 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-28919 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-28903 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-26171 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-28924 Secure Boot Security Feature Bypass Vulnerability No No 6.7
CVE-2024-26234 Proxy Driver Spoofing Vulnerability No No 6.7
CVE-2024-26183 Windows Kerberos Denial of Service Vulnerability No No 6.5
CVE-2024-26226 Windows Distributed File System (DFS) Information Disclosure Vulnerability No No 6.5
CVE-2024-28923 Secure Boot Security Feature Bypass Vulnerability No No 6.4
CVE-2024-28898 Secure Boot Security Feature Bypass Vulnerability No No 6.3
CVE-2024-20665 BitLocker Security Feature Bypass Vulnerability No No 6.1
CVE-2024-28901 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-28902 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-26207 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-26217 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-28900 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5
CVE-2024-26209 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability No No 5.5
CVE-2024-2201 Intel: CVE-2024-2201 Branch History Injection No No 4.7
CVE-2024-29056 Windows Authentication Elevation of Privilege Vulnerability No No 4.3
CVE-2024-28922 Secure Boot Security Feature Bypass Vulnerability No No 4.1

Patch Tuesday – March 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/03/12/patch-tuesday-march-2024/

Microsoft is addressing 60 vulnerabilities this March 2024 Patch Tuesday. Microsoft indicated that they aren’t aware of prior public disclosure or exploitation in the wild for any of the vulnerabilities patched today, which means no new additions to CISA KEV at time of writing. Microsoft is patching a single critical remote code execution (RCE) in Windows, which could allow virtual machine escape from a Hyper-V guest. Four browser vulnerabilities were published separately this month, and are not included in the total.

Windows Hyper-V: critical RCE VM escape

Attackers hoping to escape from a Hyper-V guest virtual machine (VM) and achieve RCE on the Hyper-V host will be interested in CVE-2024-21407. Microsoft describes attack complexity as high: an attacker must first gather information specific to the environment and carry out unspecified preparatory work. Exploitation is via specially crafted file operation requests on the VM to hardware resources on the VM. Every supported version of Windows receives a patch. The advisory describes that no privileges are required for exploitation of the Hyper-V host, although an attacker will presumably need an existing foothold on a guest VM.

Exchange: RCE

A single Exchange vulnerability receives a patch this month. Microsoft describes CVE-2024-26198 as a RCE vulnerability for Exchange, where an attacker places a specially-crafted DLL file into a network share or other file-sharing resource, and convinces the user to open it. Although the FAQ on the advisory asks: “What is the target context of the remote code execution?”, the answer boils down to “[exploitation] results in loading a malicious DLL”. Since the context of the user opening the malicious file is not specified — an Exchange admin? a user running a mail client connecting to Exchange? something else altogether? — it remains unclear what an attacker might be able to achieve.

It remains vitally important to patch any on-premises instances of Exchange, a perennial attacker favourite. Exchange 2016 admins who were dismayed by the lack of patch for last month’s CVE-2024-21410 may feel somewhat reassured that Microsoft has issued a patch which claims to fully remediate this month’s CVE-2024-26198, but in the absence of any explicit advice to the contrary, a fully-patched Exchange 2016 remains unprotected against CVE-2024-21410 unless the guidance on that advisory is followed.

SharePoint: arbitrary code execution

SharePoint receives a patch for CVE-2024-21426, which Microsoft describes as RCE via the attacker convincing a user to open a malicious file. Although the context of code execution isn’t stated in the advisory, exploitation is local to the user, and could lead to a total loss of confidentiality, integrity, and availability, including downtime for the affected environment.

Azure Kubernetes Service Confidential Containers: confidentiality impact

Azure Kubernetes admins should take note of CVE-2024-21400, which allows an unauthenticated attacker to take over confidential guests and containers, with other outcomes including credential theft and resource impact beyond the scope managed by the Azure Kubernetes Service Confidential Containers (AKSCC). Microsoft describes AKSCC as providing a set of features and capabilities to further secure standard container workloads when working with sensitive data such as PII. The advisory describes additional steps for remediation beyond merely patching AKSCC, including upgrading to the latest version of the az confcom Azure CLI confidential computing extension and Kata Image.

Windows 11: compressed folder tampering

Defenders responsible for Windows 11 assets can protect them against exploitation of CVE-2024-26185, which Microsoft describes as a compressed folder tampering vulnerability. The advisory is sparse on detail, so while we know that an attacker must convince the user to open a specially crafted file, it’s not clear what the outcome of successful exploitation might be. Since the only impact appears to be to integrity, it’s possible that an attacker could modify a compressed folder but not necessarily read from it. Microsoft expects that exploitation is more likely.

Windows Print Spooler: elevation to SYSTEM

Another site of “exploitation more likely” vulnerabilities this month: the Windows Print Spooler service. A local attacker who successfully exploits CVE-2024-21433 via winning a race condition could elevate themselves to SYSTEM privileges.

Exploitation in the wild: status updates

In the days following February 2024 Patch Tuesday, Microsoft announced several updates where the known exploited status of more than one vulnerability changed, as noted by Rapid7. It remains to be seen if those changes were exceptional or the start of a pattern.

Microsoft products lifecycle review

There are no significant changes to the lifecycle phase of Microsoft products this month.

Summary Charts

[Chart: Windows Kernel: get the popcorn]
[Chart: A comparatively rare outing for Tampering, and a somewhat unusual second place for RCE.]
[Chart: Similar to last month: a significant round of WDAC patches, but this time current versions of Windows get a patch too.]

Summary Tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21411 Skype for Consumer Remote Code Execution Vulnerability No No 8.8
CVE-2024-26204 Outlook for Android Information Disclosure Vulnerability No No 7.5
CVE-2024-21390 Microsoft Authenticator Elevation of Privilege Vulnerability No No 7.1
CVE-2024-26201 Microsoft Intune Linux Agent Elevation of Privilege Vulnerability No No 6.6

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21400 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability No No 9
CVE-2024-21418 Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21421 Azure SDK Spoofing Vulnerability No No 7.5
CVE-2024-26203 Azure Data Studio Elevation of Privilege Vulnerability No No 7.3

Azure System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability No No 9.8
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability No No 7.8

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26167 Microsoft Edge for Android Spoofing Vulnerability No No 4.3
CVE-2024-2176 Chromium: CVE-2024-2176 Use after free in FedCM No No N/A
CVE-2024-2174 Chromium: CVE-2024-2174 Inappropriate implementation in V8 No No N/A
CVE-2024-2173 Chromium: CVE-2024-2173 Out of bounds memory access in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26165 Visual Studio Code Elevation of Privilege Vulnerability No No 8.8
CVE-2024-21392 .NET and Visual Studio Denial of Service Vulnerability No No 7.5

Developer Tools Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26190 Microsoft QUIC Denial of Service Vulnerability No No 7.5

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21441 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21444 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21450 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-26161 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-26166 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21451 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-26159 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-21440 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-26162 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability No No 8.1
CVE-2024-26173 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26176 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26178 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21436 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26169 Windows Error Reporting Service Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21446 NTFS Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability No No 7.5
CVE-2024-21432 Windows Update Stack Elevation of Privilege Vulnerability No No 7
CVE-2024-21439 Windows Telephony Server Elevation of Privilege Vulnerability No No 7
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability No No 7
CVE-2024-21429 Windows USB Hub Driver Remote Code Execution Vulnerability No No 6.8
CVE-2024-26197 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 6.5
CVE-2024-21430 Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability No No 5.7
CVE-2024-26174 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2024-26177 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2024-26181 Windows Kernel Denial of Service Vulnerability No No 5.5
CVE-2023-28746 Intel: CVE-2023-28746 Register File Data Sampling (RFDS) No No N/A

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26198 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21419 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21426 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 7.8
CVE-2024-26199 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21448 Microsoft Teams for Android Information Disclosure Vulnerability No No 5

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-26164 Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability No No 8.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20671 Microsoft Defender Security Feature Bypass Vulnerability No No 5.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21435 Windows OLE Remote Code Execution Vulnerability No No 8.8
CVE-2024-21442 Windows USB Print Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21434 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21431 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability No No 7.8
CVE-2024-21438 Microsoft AllJoyn API Denial of Service Vulnerability No No 7.5
CVE-2024-21443 Windows Kernel Elevation of Privilege Vulnerability No No 7.3
CVE-2024-21445 Windows USB Print Driver Elevation of Privilege Vulnerability No No 7
CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability No No 6.5
CVE-2024-21408 Windows Hyper-V Denial of Service Vulnerability No No 5.5
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability No No 5.5

Patch Tuesday – February 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/02/13/patch-tuesday-february-2024/

Microsoft is addressing 73 vulnerabilities this February 2024 Patch Tuesday, including two zero-day/exploited-in-the-wild vulnerabilities, both of which are already included on the CISA KEV list. Today also brings patches for two critical remote code execution (RCE) vulnerabilities, and a critical elevation of privilege vulnerability in Exchange. Six browser vulnerabilities were published separately this month, and are not included in the total.

Windows SmartScreen: exploited-in-the-wild critical security bypass

CVE-2024-21351 describes a security feature bypass vulnerability in Windows SmartScreen. Microsoft has already seen evidence of exploitation in the wild. Successful exploitation requires that the attacker convince the user to open a malicious file. Successful exploitation bypasses the SmartScreen user experience and potentially allows code injection into SmartScreen to achieve remote code execution. Of interest: other critical SmartScreen bypass vulnerabilities from the past couple of years (e.g. CVE-2023-36025 from November 2023) have not included language describing code injection into SmartScreen itself, focusing instead on the security feature bypass only. Microsoft’s own researchers reported both CVE-2024-21351 and CVE-2023-36025.

Internet Shortcut files: exploited-in-the-wild security bypass

If further evidence were ever needed that clicking Internet Shortcut files from unknown sources is typically a bad idea, CVE-2024-21412 provides it. An attacker who convinces a user to open a malicious Internet Shortcut file can bypass the typical dialog which warns that “files from the internet can potentially harm your computer”. Microsoft notes that it has seen exploitation in the wild, although the requirement for user interaction helps keep the severity rating below critical, both for CVSS and Microsoft’s proprietary ranking system.

Microsoft Office: critical RCE

Microsoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources. CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file. The Outlook Preview Pane is listed as an attack vector, and no user interaction is required. Microsoft assigns this vulnerability a critical CVSSv3 base score of 9.8, and also rates it critical under its own proprietary severity ranking scale. Administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note that the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413; individual update KB articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.

Windows PGM: critical RCE

Microsoft is patching CVE-2024-21357, a flaw in Windows Pragmatic General Multicast (PGM). Although the CVSSv3 base score is a relatively mild 7.5 thanks to the high attack complexity and the same-subnet limitation of the attack, Microsoft rates this vulnerability as critical under its own proprietary severity scale. A discrepancy between the two severity ranking systems is always worth noting. A further clue that Microsoft considers this vulnerability particularly serious: patches are available for Windows Server 2008, which is now completely end of life. The advisory is light on detail when it comes to exploitation methods; other recent critical RCE vulnerabilities in Windows PGM have involved Microsoft Message Queuing Service.

Exchange: critical elevation of privilege

Exchange admins may have enjoyed a rare two-month break from patching, but this month sees the publication of CVE-2024-21410, a critical elevation of privilege vulnerability in Exchange. Microsoft explains that an attacker could use NTLM credentials previously acquired via another means to act as the victim on the Exchange server using an NTLM relay attack. One possible avenue for that credential acquisition: an NTLM credential-leaking vulnerability in Outlook such as CVE-2023-36761, which Rapid7 wrote about back in September 2023. Compounding the concern for defenders: Exchange 2016 is listed as affected, but no patch is yet listed on the CVE-2024-21410 advisory. Exchange 2019 patches are available for CU13 and the newly minted CU14 series. According to Microsoft, Exchange installations where Extended Protection for Authentication (EPA) is already enabled are protected, although Microsoft strongly recommends installing the latest Cumulative Update. Further resources are provided on the advisory, including Microsoft’s generic guidance on mitigating Pass the Hash-style attacks, as well as Microsoft’s Exchange Server Health Checker script, which includes an overview of EPA status. The Exchange 2019 CU14 update series enables EPA by default.

Lifecycle update

There are no significant end-of-lifecycle changes for Microsoft products this month.

Summary Charts

[Chart] A big month for fans of Windows Data Access Components vulnerabilities.
[Chart] RCE patches dominate yet again.
[Chart] Most of those WDAC patches are for ESU Windows versions only.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21401 Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability No No 9.8
CVE-2024-21364 Microsoft Azure Site Recovery Elevation of Privilege Vulnerability No No 9.3
CVE-2024-21376 Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability No No 9
CVE-2024-21403 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability No No 9
CVE-2024-21329 Azure Connected Machine Agent Elevation of Privilege Vulnerability No No 7.3
CVE-2024-21381 Microsoft Azure Active Directory B2C Spoofing Vulnerability No No 6.8
CVE-2024-20679 Azure Stack Hub Spoofing Vulnerability No No 6.5
CVE-2024-21397 Microsoft Azure File Sync Elevation of Privilege Vulnerability No No 5.3

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20667 Azure DevOps Server Remote Code Execution Vulnerability No No 7.5

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21399 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 8.3
CVE-2024-1284 Chromium: CVE-2024-1284 Use after free in Mojo No No N/A
CVE-2024-1283 Chromium: CVE-2024-1283 Heap buffer overflow in Skia No No N/A
CVE-2024-1077 Chromium: CVE-2024-1077 Use after free in Network No No N/A
CVE-2024-1060 Chromium: CVE-2024-1060 Use after free in Canvas No No N/A
CVE-2024-1059 Chromium: CVE-2024-1059 Use after free in WebRTC No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21386 .NET Denial of Service Vulnerability No No 7.5
CVE-2024-21404 .NET Denial of Service Vulnerability No No 7.5

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21372 Windows OLE Remote Code Execution Vulnerability No No 8.8
CVE-2024-21350 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21352 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21358 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21360 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21361 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21366 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21369 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21375 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21420 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21359 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21365 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21367 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21368 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21370 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21391 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-21349 Microsoft ActiveX Data Objects Remote Code Execution Vulnerability No No 8.8
CVE-2024-21363 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 7.8
CVE-2024-21354 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21406 Windows Printing Service Spoofing Vulnerability No No 7.5
CVE-2024-21357 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 7.5
CVE-2024-21347 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 7.5
CVE-2024-21348 Internet Connection Sharing (ICS) Denial of Service Vulnerability No No 7.5
CVE-2024-21377 Windows DNS Information Disclosure Vulnerability No No 7.1
CVE-2024-21371 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2024-21355 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability No No 7
CVE-2024-21405 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability No No 7
CVE-2024-21356 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 6.5
CVE-2024-21343 Windows Network Address Translation (NAT) Denial of Service Vulnerability No No 5.9
CVE-2024-21344 Windows Network Address Translation (NAT) Denial of Service Vulnerability No No 5.9
CVE-2024-21340 Windows Kernel Information Disclosure Vulnerability No No 4.6
CVE-2023-50387 MITRE: CVE-2023-50387 DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers No No N/A

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21410 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 9.8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21395 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 8.2
CVE-2024-21380 Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability No No 8
CVE-2024-21327 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability No No 7.6
CVE-2024-21389 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2024-21393 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2024-21396 Dynamics 365 Sales Spoofing Vulnerability No No 7.6
CVE-2024-21328 Dynamics 365 Sales Spoofing Vulnerability No No 7.6
CVE-2024-21394 Dynamics 365 Field Service Spoofing Vulnerability No No 7.6

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability No No 9.8
CVE-2024-21378 Microsoft Outlook Remote Code Execution Vulnerability No No 8
CVE-2024-21379 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2024-20673 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2024-21384 Microsoft Office OneNote Remote Code Execution Vulnerability No No 7.8
CVE-2024-21402 Microsoft Outlook Elevation of Privilege Vulnerability No No 7.1
CVE-2024-20695 Skype for Business Information Disclosure Vulnerability No No 5.7
CVE-2024-21374 Microsoft Teams for Android Information Disclosure No No 5

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21315 Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21345 Windows Kernel Elevation of Privilege Vulnerability No No 8.8
CVE-2024-21353 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability Yes No 8.1
CVE-2024-21338 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21346 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21351 Windows SmartScreen Security Feature Bypass Vulnerability Yes No 7.6
CVE-2024-21342 Windows DNS Client Denial of Service Vulnerability No No 7.5
CVE-2024-21341 Windows Kernel Remote Code Execution Vulnerability No No 6.8
CVE-2024-20684 Windows Hyper-V Denial of Service Vulnerability No No 6.5
CVE-2024-21339 Windows USB Generic Parent Driver Remote Code Execution Vulnerability No No 6.4
CVE-2024-21362 Windows Kernel Security Feature Bypass Vulnerability No No 5.5
CVE-2024-21304 Trusted Compute Base Elevation of Privilege Vulnerability No No 4.1

Patch Tuesday – January 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/01/09/patch-tuesday-january-2024/

Microsoft is addressing 49 vulnerabilities this January 2024 Patch Tuesday, including a single critical remote code execution vulnerability. Four browser vulnerabilities were published separately this month, and are not included in the total. No zero-day vulnerabilities are published or patched today.

Hyper-V: critical remote code execution

CVE-2024-20700 describes a remote code execution vulnerability in the Windows Hyper-V hardware virtualization service. Microsoft ranks this vulnerability as critical under its own proprietary severity scale. However, the CVSS 3.1 base score of 7.5 equates only to high severity, reflecting the high attack complexity — attackers must win a race condition — and the requirement for the attack to be launched from the restricted network. The advisory is light on detail, so it isn’t clear exactly where the attacker must be located — the LAN on which the hypervisor resides, or a virtual network created and managed by the hypervisor — or in what context the remote code execution would occur. However, since Microsoft ranks the vulnerability as more severe than the CVSS score would suggest, defenders should assume that exploitation is possible from the same subnet as the hypervisor, and that code execution will occur in a SYSTEM context on the Hyper-V host.

FBX 3D models in Office: arbitrary code execution

A patch for Microsoft Office disables the ability to insert 3D models from FBX (Filmbox) files into Office documents to guard against exploitation of CVE-2024-20677, which Microsoft describes as an arbitrary code execution vulnerability. Exploitation would involve an Office user interacting with a malicious FBX file, and could lead to information disclosure or downtime. Models already present in documents will continue to function as before, unless the “Link to File” option was chosen upon insertion. In a related blog post, Microsoft recommends avoiding FBX and instead making use of the GLB 3D file format from now on. The blog post also provides instructions on a registry modification which re-enables the ability to insert FBX files into Office documents, although Microsoft strongly recommends against this. Silver lining: the Preview Pane is not a vector for CVE-2024-20677. Both the Windows and Mac editions of Office are vulnerable until patched.

SharePoint: remote code execution

SharePoint admins should take note of CVE-2024-21318. Successful exploitation allows an attacker with existing Site Owner permissions to execute code in the context of the SharePoint Server. Many SharePoint RCE vulnerabilities require only Site Member privileges, so the requirement for Site Owner here does provide some small comfort, but the potential remains that CVE-2024-21318 could be abused either by a malicious insider or as part of an exploit chain. The advisory does mention that an attacker must already be authenticated as “at least a Site Owner,” although it’s not clear what level of privilege above Site Owner is implicated here; a user with SharePoint Administrator or Microsoft 365 Global Administrator role could certainly assign themselves the Site Owner role.

Windows Kerberos: MitM security feature bypass

All current versions of Windows receive a patch for CVE-2024-20674, which describes a flaw in the Windows implementation of Kerberos. By establishing a machine-in-the-middle (MitM), an attacker could trick a client into thinking it is communicating directly with the Kerberos authentication server, and subsequently bypass authentication and impersonate the client user on the network. Although exploitation requires an existing foothold on the local network, both the CVSS 3.1 base score of 9.1 and Microsoft’s proprietary severity ranking of critical reflect that there is no requirement for user interaction or prior authentication. Microsoft also notes that it considers exploitation of this vulnerability more likely.

Exchange: no security patches two months in a row

Exchange admins bracing themselves for extra security patches this month after the lack of Exchange security patches last month are once again given a reprieve: there are no security patches for Exchange released today.

Microsoft products lifecycle update

A number of Microsoft products transition from mainstream support to extended support as of today: Exchange Server 2019, Hyper-V Server 2019, SharePoint Server 2019, Skype for Business 2019 (both client and server), as well as various facets of Windows 10: Enterprise LTSC 2019, IoT Core LTSC, IoT Enterprise LTSC 2019, IoT LTSC 2019 Core, Windows Server 2019, Windows Server IoT 2019, and Windows Server IoT 2019 for Storage. Also moving to extended support: Dynamics SL 2018 and Project Server 2019. During the extended support lifecycle phase, Microsoft continues to provide security updates, but does not typically release new features. Extended support is not available for Microsoft consumer products.

Today marks the end of the road for Microsoft Dynamics CRM 2013, which moves past the end of extended support. No ESU program is available, so admins must move to a newer version of Dynamics CRM to continue receiving security updates.

Summary Charts

[Chart] Hyper-V always worth defender attention.
[Chart] Remote Code Execution reclaims the top spot.
[Chart] Windows Message Queuing is now a perennial feature of Patch Tuesday.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20676 Azure Storage Mover Remote Code Execution Vulnerability No No 8

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-0225 Chromium: CVE-2024-0225 Use after free in WebGPU No No N/A
CVE-2024-0224 Chromium: CVE-2024-0224 Use after free in WebAudio No No N/A
CVE-2024-0223 Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE No No N/A
CVE-2024-0222 Chromium: CVE-2024-0222 Use after free in ANGLE No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-0057 NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability No No 9.1
CVE-2024-20656 Visual Studio Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21312 .NET Framework Denial of Service Vulnerability No No 7.5
CVE-2024-20672 .NET Core and Visual Studio Denial of Service Vulnerability No No 7.5

Developer Tools Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21319 Microsoft Identity Denial of service vulnerability No No 6.8

Developer Tools SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-0056 Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability No No 8.7

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20674 Windows Kerberos Security Feature Bypass Vulnerability No No 9
CVE-2024-20654 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8
CVE-2024-20682 Windows Cryptographic Services Remote Code Execution Vulnerability No No 7.8
CVE-2024-20683 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20658 Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20653 Microsoft Common Log File System Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20652 Windows HTML Platforms Security Feature Bypass Vulnerability No No 7.5
CVE-2024-21307 Remote Desktop Client Remote Code Execution Vulnerability No No 7.5
CVE-2024-20661 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2024-20657 Windows Group Policy Elevation of Privilege Vulnerability No No 7
CVE-2024-20655 Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability No No 6.6
CVE-2024-21320 Windows Themes Spoofing Vulnerability No No 6.5
CVE-2024-20680 Windows Message Queuing Client (MSMQC) Information Disclosure No No 6.5
CVE-2024-20663 Windows Message Queuing Client (MSMQC) Information Disclosure No No 6.5
CVE-2024-20660 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5
CVE-2024-20664 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5
CVE-2024-21314 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5
CVE-2024-20692 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability No No 5.7
CVE-2024-21311 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5
CVE-2024-21313 Windows TCP/IP Information Disclosure Vulnerability No No 5.3
CVE-2024-20662 Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability No No 4.9
CVE-2024-20691 Windows Themes Information Disclosure Vulnerability No No 4.7

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-21318 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2024-20677 Microsoft Office Remote Code Execution Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-20681 Windows Subsystem for Linux Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21309 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20698 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2024-21310 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20686 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2024-20700 Windows Hyper-V Remote Code Execution Vulnerability No No 7.5
CVE-2024-20687 Microsoft AllJoyn API Denial of Service Vulnerability No No 7.5
CVE-2024-20696 Windows Libarchive Remote Code Execution Vulnerability No No 7.3
CVE-2024-20697 Windows Libarchive Remote Code Execution Vulnerability No No 7.3
CVE-2024-20666 BitLocker Security Feature Bypass Vulnerability No No 6.6
CVE-2024-20690 Windows Nearby Sharing Spoofing Vulnerability No No 6.5
CVE-2024-21316 Windows Server Key Distribution Service Security Feature Bypass No No 6.1
CVE-2024-21306 Microsoft Bluetooth Driver Spoofing Vulnerability No No 5.7
CVE-2024-20699 Windows Hyper-V Denial of Service Vulnerability No No 5.5
CVE-2024-20694 Windows CoreMessaging Information Disclosure Vulnerability No No 5.5
CVE-2024-21305 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability No No 4.4
CVE-2024-21325 Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability No No N/A

Windows Mariner vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-35737 MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow No No N/A

Patch Tuesday – December 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/12/12/patch-tuesday-december-2023/

Microsoft is addressing 34 vulnerabilities this December Patch Tuesday, including a single zero-day vulnerability and three critical remote code execution (RCE) vulnerabilities. December Patch Tuesday has historically seen fewer patches than a typical month, and this trend continues in 2023. This total does not include eight browser vulnerabilities published earlier this month. At time of writing, none of the vulnerabilities patched today are yet added to the CISA KEV list.

Certain AMD processors: zero-day information disclosure

This month’s lone zero-day vulnerability is CVE-2023-20588, which describes a potential information disclosure due to a flaw in certain AMD processor models as listed on the AMD advisory. AMD states that a divide-by-zero on these processor models could potentially return speculative data. AMD believes the potential impact of the vulnerability is low since local access is required; however, Microsoft ranks severity as important under its own proprietary severity scale. The vulnerability is patched at the OS level in all supported versions of Windows, even as far back as Windows Server 2008 for Azure-hosted assets participating in the Extended Security Update (ESU) program.

Outlook: no-interaction critical RCE

CVE-2023-35628 describes a critical RCE vulnerability in the MSHTML proprietary browser engine still used by Outlook, among others, to render HTML content. Of particular note: the most concerning exploitation scenario leads to exploitation as soon as Outlook retrieves and processes the specially crafted malicious email. This means that exploitation could occur before the user interacts with the email in any way; not even the Preview Pane is required in this scenario. Other attack vectors exist: the user could also click a malicious link received via email, instant message, or other medium. Assets where Internet Explorer 11 has been fully disabled are still vulnerable until patched; the MSHTML engine remains installed within Windows regardless of the status of IE11.

Internet Connection Sharing: critical RCE

This month also brings patches for a pair of critical RCE vulnerabilities in Internet Connection Sharing. CVE-2023-35630 and CVE-2023-35641 share a number of similarities: a base CVSS v3.1 score of 8.8, Microsoft critical severity ranking, low attack complexity, and presumably execution in SYSTEM context on the target machine, although the advisories do not specify execution context. Description of the exploitation method does differ between the two, however. CVE-2023-35630 requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. Exploitation of CVE-2023-35641 is also via a maliciously crafted DHCP message to an ICS server, but the advisory gives no further clues. A broadly similar ICS vulnerability in September 2023 led to RCE in a SYSTEM context on the ICS server. In all three cases, a mitigating factor is the requirement for the attack to be launched from the same network segment as the ICS server. It seems improbable that either of this month’s ICS vulnerabilities is exploitable against a target on which ICS is not running, although Microsoft does not explicitly deny the possibility.
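
The advisory names the field but not the defect, so this added example (not Microsoft's code, and not part of the original post) shows only the defensive side: a DHCPv6 option walker that rejects any Information-request whose option-len claims more bytes than the datagram holds. The message layout and option codes follow RFC 8415; the function name, error codes and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 8415: msg-type (1 byte) + transaction-id (3 bytes), then options.
 * Each option: option-code (2 bytes) + option-len (2 bytes) + data, big-endian. */
#define DHCPV6_MESSAGE_INFORMATION_REQUEST 11
#define DHCPV6_HEADER_LEN      4
#define DHCPV6_OPT_HEADER_LEN  4
#define OPTION_ORO             6   /* list of 2-byte option codes */
#define OPTION_ELAPSED_TIME    8   /* exactly one 2-byte value */

/* Hypothetical error codes for this example; success returns the option count. */
#define ERR_SHORT_HEADER             (-1)
#define ERR_WRONG_TYPE               (-2)
#define ERR_TRUNCATED_OPTION_HEADER  (-3)
#define ERR_OPTION_OVERRUN           (-4)
#define ERR_BAD_OPTION_LEN           (-5)

uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Validate every option before any of them is used. Returns the number of
 * options on success, or a negative ERR_* value on the first malformed one. */
int dhcpv6_check_options(const uint8_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len < DHCPV6_HEADER_LEN)
        return ERR_SHORT_HEADER;
    if (msg[0] != DHCPV6_MESSAGE_INFORMATION_REQUEST)
        return ERR_WRONG_TYPE;

    size_t off = DHCPV6_HEADER_LEN;
    int count = 0;
    while (off < msg_len) {
        size_t remaining = msg_len - off;          /* cannot underflow: off < msg_len */
        if (remaining < DHCPV6_OPT_HEADER_LEN)
            return ERR_TRUNCATED_OPTION_HEADER;

        uint16_t code = read_be16(msg + off);
        uint16_t len  = read_be16(msg + off + 2);  /* attacker-controlled value */
        remaining -= DHCPV6_OPT_HEADER_LEN;

        /* The core check: compare the claimed length with the bytes actually
         * received, never with a buffer size assumed elsewhere. */
        if (len > remaining)
            return ERR_OPTION_OVERRUN;

        /* Per-option rules: a length that fits the packet can still be wrong. */
        if (code == OPTION_ELAPSED_TIME && len != 2)
            return ERR_BAD_OPTION_LEN;
        if (code == OPTION_ORO && (len % 2) != 0)
            return ERR_BAD_OPTION_LEN;

        off += DHCPV6_OPT_HEADER_LEN + (size_t)len;
        count++;
    }
    return count;
}

/* Constructed sample: well-formed Information-request with three options. */
const uint8_t sample_ok[] = {
    0x0b, 0x12, 0x34, 0x56,                           /* type 11, transaction-id */
    0x00, 0x01, 0x00, 0x0a,                           /* Client Identifier, len 10 */
    0x00, 0x03, 0x00, 0x01, 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30,
    0x00, 0x06, 0x00, 0x04,                           /* ORO, len 4 */
    0x00, 0x17, 0x00, 0x18,
    0x00, 0x08, 0x00, 0x02,                           /* Elapsed Time, len 2 */
    0x00, 0x00
};

/* Constructed sample: same packet, ORO option-len rewritten to 0x0400. */
const uint8_t sample_overrun[] = {
    0x0b, 0x12, 0x34, 0x56,
    0x00, 0x01, 0x00, 0x0a,
    0x00, 0x03, 0x00, 0x01, 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30,
    0x00, 0x06, 0x04, 0x00,                           /* claims 1024 bytes of data */
    0x00, 0x17, 0x00, 0x18,
    0x00, 0x08, 0x00, 0x02,
    0x00, 0x00
};

int main(void)
{
    printf("well-formed: %d\n", dhcpv6_check_options(sample_ok, sizeof sample_ok));
    printf("tampered:    %d\n", dhcpv6_check_options(sample_overrun, sizeof sample_overrun));
    return 0;
}
```
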

Holiday season update

Notable by their absence this month: no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server. There are also no lifecycle transitions for Microsoft products this month, although a number of Windows Server 2019 editions and Office components will transition out of mainstream support and into extended support from January 2024.

Summary Charts

[Chart] Sharing is caring, unless it’s exploitative.
[Chart] A rare occurrence: Remote Code Execution not in the top spot.
[Chart] Fewer vulns this month overall means less variation in the heatmap.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35624 Azure Connected Machine Agent Elevation of Privilege Vulnerability No No 7.3
CVE-2023-35625 Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability No No 4.7

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35618 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 9.6
CVE-2023-36880 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability No No 4.8
CVE-2023-38174 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability No No 4.3
CVE-2023-6512 Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI No No N/A
CVE-2023-6511 Chromium: CVE-2023-6511 Inappropriate implementation in Autofill No No N/A
CVE-2023-6510 Chromium: CVE-2023-6510 Use after free in Media Capture No No N/A
CVE-2023-6509 Chromium: CVE-2023-6509 Use after free in Side Panel Search No No N/A
CVE-2023-6508 Chromium: CVE-2023-6508 Use after free in Media Stream No No N/A

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36006 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-35639 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-35641 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability No No 8.8
CVE-2023-35630 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability No No 8.8
CVE-2023-35628 Windows MSHTML Platform Remote Code Execution Vulnerability No No 8.1
CVE-2023-21740 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2023-35633 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35632 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36011 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36005 Windows Telephony Server Elevation of Privilege Vulnerability No No 7.5
CVE-2023-36004 Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability No No 7.5
CVE-2023-35622 Windows DNS Spoofing Vulnerability No No 7.5
CVE-2023-35643 DHCP Server Service Information Disclosure Vulnerability No No 7.5
CVE-2023-35638 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2023-35629 Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability No No 6.8
CVE-2023-35642 Internet Connection Sharing (ICS) Denial of Service Vulnerability No No 6.5
CVE-2023-36012 DHCP Server Service Information Disclosure Vulnerability No No 5.3
CVE-2023-20588 AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice No Yes N/A

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36020 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-35621 Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability No No 7.5

Microsoft Dynamics Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability No No 9.6

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35636 Microsoft Outlook Information Disclosure Vulnerability No No 6.5
CVE-2023-36009 Microsoft Word Information Disclosure Vulnerability No No 5.5
CVE-2023-35619 Microsoft Outlook for Mac Spoofing Vulnerability No No 5.3

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36010 Microsoft Defender Denial of Service Vulnerability No No 7.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35634 Windows Bluetooth Driver Remote Code Execution Vulnerability No No 8
CVE-2023-35644 Windows Sysmain Service Elevation of Privilege No No 7.8
CVE-2023-36696 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35631 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36391 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36003 XAML Diagnostics Elevation of Privilege Vulnerability No No 6.7
CVE-2023-35635 Windows Kernel Denial of Service Vulnerability No No 5.5

Patch Tuesday – November 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/11/14/patch-tuesday-november-2023/


Microsoft is addressing 64 vulnerabilities this November Patch Tuesday, including five zero-day vulnerabilities as well as one critical remote code execution (RCE) vulnerability. Overall, this month sees significantly fewer vulnerabilities addressed across a smaller number of products than has been typical of Patch Tuesday over the past year or two. Browser vulnerabilities account for 20 of the 64 vulnerabilities patched, and 14 of those are republished third-party vulnerabilities in Chromium.

Three vulnerabilities patched today are already present on the CISA Known Exploited Vulnerabilities (KEV) list: CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

Windows SmartScreen: zero-day bypass

CVE-2023-36025 describes a Windows SmartScreen security feature bypass. An attacker who convinces a user to open a specially crafted malicious Internet Shortcut file could bypass the anti-phishing and anti-malware protection provided by Windows SmartScreen. This could be abused as an early stage in a more complex attack chain.

Windows DWM: zero-day EoP

Originally introduced in Windows Vista, the Windows Dynamic Window Manager (DWM) enables many of the modern UI features which users have come to expect from a Windows OS. This month, the DWM Core Library receives a patch for CVE-2023-36033, an elevation of privilege (EoP) vulnerability which Microsoft notes is both publicly disclosed and exploited in the wild. Exploitation leads to SYSTEM privileges, but Microsoft does not provide any further guidance on the attack mechanism.

Windows Cloud Files mini driver: zero-day EoP

Microsoft is patching CVE-2023-36036, an EoP vulnerability in the Windows Cloud Files Mini Filter Driver. No details of the attack mechanism are provided in the advisory, but exploitation leads to SYSTEM privileges.

Office Protected View: zero-day bypass

CVE-2023-36413 describes a publicly disclosed Microsoft Office security feature bypass. A user who opens a specially crafted malicious file would find themselves in Editing mode, rather than Protected View, and would thus lose out on warning banners and other defenses designed to detect and quarantine malicious code in Office documents.

ASP.NET Core: zero-day DoS

CVE-2023-36038 describes an ASP.NET Core denial of service (DoS) attack, which affects only .NET 8 RC 1 running on the IIS InProcess hosting model. The mechanism of the attack is resource exhaustion on the web server via cancellation of requests; this sounds very similar to last month’s CVE-2023-44487, dubbed “Rapid Reset”. However, there’s no mention of HTTP/2 in the advisory for CVE-2023-36038.

Fewer critical vulns this month

Only three vulnerabilities patched this month qualify as Critical under Microsoft’s proprietary severity ranking scale: one each in Windows Pragmatic General Multicast (PGM), the Azure CLI, and Windows HMAC Key Derivation.

Windows PGM: critical RCE via MSMQ

CVE-2023-36397 describes an RCE vulnerability in Windows PGM. As with other similar previous vulnerabilities, an attacker can send a specially-crafted file over the network to attempt malicious code execution on the target asset. Only systems where Windows Message Queueing Service (MSMQ) is enabled are exploitable, and it isn’t added to a default Windows installation. However, as Rapid7 has noted previously, administrators should be aware that a number of applications — including Microsoft Exchange — quietly introduce MSMQ as part of their own installation routine.

Hyper-V: critical VM escape

Attackers looking to escape from a low privilege Hyper-V guest OS and execute code as SYSTEM on the Hyper-V host system will take note of CVE-2023-36400. Successful exploitation requires running a specially crafted application in the context of the guest OS to exploit a weakness in Windows HMAC Key Derivation, so some prior access is required.

Azure CLI: critical credential leak via log files

The Azure CLI tool prior to version 2.53.1 does not sufficiently redact information published to log files in certain contexts, allowing recovery of plaintext(!) usernames and passwords. The advisory for CVE-2023-36052 notes that log files stored in open-source repositories are a potential avenue for credential leaks in this context. Although Microsoft understandably hasn’t provided any specific examples, it’s unlikely that they would mention this if they weren’t aware of one or more real world examples.

Exchange: RCE, spoofing, and ZDI disclosures

Patch Tuesday typically sees at least one Exchange remote code execution vulnerability fixed, and this month is no exception. Exploitation of CVE-2023-36439 requires that the attacker have valid credentials for an Exchange user, and be present on the local network, but grants execution as NT AUTHORITY\SYSTEM on the Exchange server host; this is a built-in account with extensive privileges, including the ability to act as the computer on the network.

A trio of Exchange server spoofing vulnerabilities — CVE-2023-36035, CVE-2023-36039, and CVE-2023-36050 — are also patched today. Successful exploitation requires that an attacker be present on the local network with valid Exchange credentials, but can lead to exposure of credentials or an NTLM hash for other users. Two of these vulnerabilities are exploited via PowerShell remoting.

Somewhat conspicuous by their absence: four flaws in Exchange published by Trend Micro’s Zero Day Initiative (ZDI) on 2023-11-02 do not appear to have received patches today. Microsoft had previously told ZDI that these vulnerabilities did not require immediate servicing. Since Microsoft is the CVE Numbering Authority (CNA) for its own products, there are no publicly available CVE numbers for these vulnerabilities yet.

cURL: patch for much-anticipated vuln

Microsoft admins who have been waiting for a patch for last month’s cURL SOCKS5 vulnerability CVE-2023-38545 will be pleased to see that Microsoft has included curl.exe 8.4.0 as part of the November updates for current versions of Windows. Many observers ultimately concluded that this vulnerability was perhaps of more limited scope and attacker value than the pre-publication buzz may have suggested, but a patch is always appreciated.

Is it 23H2 already?

A new arrival: Windows 11 23H2 was released on 2023-10-31 across all editions, and receives its first patches today.

Summary Charts

[Chart] All those Edge vulns make the Exchange bar look smaller.
[Chart] A big month for Elevation of Privilege!
[Chart] Very few Critical vulns this month, but more Moderate than we often see.
[Chart] A cluster of Microsoft Dynamics spoofing and XSS vulns.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38151 Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability No No 8.8
CVE-2023-36437 Azure DevOps Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-36052 Azure CLI REST Command Information Disclosure Vulnerability No No 8.6
CVE-2023-36021 Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability No No 8

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36034 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 7.3
CVE-2023-36014 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 7.3
CVE-2023-36024 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.1
CVE-2023-36027 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.1
CVE-2023-36022 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 6.6
CVE-2023-36029 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3
CVE-2023-5996 Chromium: CVE-2023-5996 Use after free in WebAudio No No N/A
CVE-2023-5859 Chromium: CVE-2023-5859 Incorrect security UI in Picture In Picture No No N/A
CVE-2023-5858 Chromium: CVE-2023-5858 Inappropriate implementation in WebApp Provider No No N/A
CVE-2023-5857 Chromium: CVE-2023-5857 Inappropriate implementation in Downloads No No N/A
CVE-2023-5856 Chromium: CVE-2023-5856 Use after free in Side Panel No No N/A
CVE-2023-5855 Chromium: CVE-2023-5855 Use after free in Reading Mode No No N/A
CVE-2023-5854 Chromium: CVE-2023-5854 Use after free in Profiles No No N/A
CVE-2023-5853 Chromium: CVE-2023-5853 Incorrect security UI in Downloads No No N/A
CVE-2023-5852 Chromium: CVE-2023-5852 Use after free in Printing No No N/A
CVE-2023-5851 Chromium: CVE-2023-5851 Inappropriate implementation in Downloads No No N/A
CVE-2023-5850 Chromium: CVE-2023-5850 Incorrect security UI in Downloads No No N/A
CVE-2023-5849 Chromium: CVE-2023-5849 Integer overflow in USB No No N/A
CVE-2023-5482 Chromium: CVE-2023-5482 Insufficient data validation in USB No No N/A
CVE-2023-5480 Chromium: CVE-2023-5480 Inappropriate implementation in Payments No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36560 ASP.NET Security Feature Bypass Vulnerability No No 8.8
CVE-2023-36038 ASP.NET Core Denial of Service Vulnerability No Yes 8.2
CVE-2023-36018 Visual Studio Code Jupyter Extension Spoofing Vulnerability No No 7.8
CVE-2023-36049 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability No No 7.6
CVE-2023-36042 Visual Studio Denial of Service Vulnerability No No 6.2
CVE-2023-36558 ASP.NET Core – Security Feature Bypass Vulnerability No No 6.2

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36397 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 9.8
CVE-2023-36025 Windows SmartScreen Security Feature Bypass Vulnerability Yes No 8.8
CVE-2023-36017 Windows Scripting Engine Memory Corruption Vulnerability No No 8.8
CVE-2023-36402 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-36719 Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability No No 8.4
CVE-2023-36425 Windows Distributed File System (DFS) Remote Code Execution Vulnerability No No 8
CVE-2023-36393 Windows User Interface Application Core Remote Code Execution Vulnerability No No 7.8
CVE-2023-36705 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36424 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36036 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-36395 Windows Deployment Services Denial of Service Vulnerability No No 7.5
CVE-2023-36392 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2023-36423 Microsoft Remote Registry Service Remote Code Execution Vulnerability No No 7.2
CVE-2023-36401 Microsoft Remote Registry Service Remote Code Execution Vulnerability No No 7.2
CVE-2023-36403 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-36398 Windows NTFS Information Disclosure Vulnerability No No 6.5
CVE-2023-36428 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability No No 5.5

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36050 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36039 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36035 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36439 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36007 Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability No No 7.6
CVE-2023-36410 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-36031 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-36016 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 6.2
CVE-2023-36030 Microsoft Dynamics 365 Sales Spoofing Vulnerability No No 6.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36045 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2023-36037 Microsoft Excel Security Feature Bypass Vulnerability No No 7.8
CVE-2023-36041 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-36413 Microsoft Office Security Feature Bypass Vulnerability No Yes 6.5
CVE-2023-38177 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 6.1

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36422 Microsoft Windows Defender Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36043 Open Management Infrastructure Information Disclosure Vulnerability No No 6.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36028 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability No No 9.8
CVE-2023-36400 Windows HMAC Key Derivation Elevation of Privilege Vulnerability No No 8.8
CVE-2023-36408 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36407 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36033 Windows DWM Core Library Elevation of Privilege Vulnerability Yes Yes 7.8
CVE-2023-36396 Windows Compressed Folder Remote Code Execution Vulnerability No No 7.8
CVE-2023-36047 Windows Authentication Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36399 Windows Storage Elevation of Privilege Vulnerability No No 7.1
CVE-2023-36046 Windows Authentication Denial of Service Vulnerability No No 7.1
CVE-2023-36394 Windows Search Service Elevation of Privilege Vulnerability No No 7
CVE-2023-36405 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-36427 Windows Hyper-V Elevation of Privilege Vulnerability No No 7
CVE-2023-36404 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2023-36406 Windows Hyper-V Information Disclosure Vulnerability No No 5.5
CVE-2023-24023 Mitre: CVE-2023-24023 Bluetooth Vulnerability No No N/A

Updates

  • 2023-11-14: Shortly after initial publication, some Microsoft advisory web pages were not listing any patches, although patches did exist. Microsoft appears to have remediated the issue with the advisory web pages. Removed a paragraph from the blog which mentioned this.

Patch Tuesday – October 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/10/10/patch-tuesday-october-2023/


Microsoft is addressing 105 vulnerabilities this October Patch Tuesday, including three zero-day vulnerabilities, as well as 12 critical remote code execution (RCE) vulnerabilities, and one republished third-party vulnerability.

WordPad: zero-day NTLM hash disclosure

Another Patch Tuesday, another zero-day vulnerability offering NTLM hash disclosure, this time in WordPad. The advisory for CVE-2023-36563 describes two possible attack vectors: 1) enticing the user to open a specially crafted malicious file delivered via email, IM, or some other means, or 2) by causing a custom application to run. The advisory doesn’t give much more detail, but the attacker would either need existing access to the system, or some means of exfiltrating the NTLM hash. It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.

Skype for Business server: zero-day info disclosure

Defenders responsible for a Skype for Business server should take note of an exploited-in-the-wild information disclosure vulnerability for which public exploit code exists. Successful exploitation of CVE-2023-41763 via a specially crafted network call could result in the disclosure of IP addresses and/or port numbers. Although Microsoft does not specify what the scope of the disclosure might be, it will presumably be limited to whatever the Skype for Business server can see; as always, appropriate network segmentation will pay defense-in-depth dividends.

ASP.NET Kestrel web server: zero-day denial of service

Rounding out this month’s trio of exploited-in-the-wild vulnerabilities, and perhaps of less concern: the cross-platform Kestrel web server for ASP.NET Core receives a fix for CVE-2023-44487, a denial of service vulnerability. In the advisory, Microsoft provides essentially no information about attack vector beyond the fact that the vulnerability is specific to HTTP/2, but does suggest two potential workarounds:

  1. Disabling the HTTP/2 protocol via a Windows Registry modification; and/or
  2. Restricting protocols offered by each Kestrel endpoint to exclude HTTP/2.

Microsoft advises timely patching regardless of whether or not one or more workarounds are applied.

N.B. In the advisory, a hyperlink attached to the word “workarounds” does not resolve to anything specific, and Kestrel is misspelled as “Kestral” more than once, although these issues will likely be resolved soon.
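
An audit of both workarounds, as an added PowerShell example rather than code from the advisory or from Rapid7. The registry value names `EnableHttp2Tls` and `EnableHttp2Cleartext` and the Kestrel `Protocols` setting come from Microsoft's HTTP.sys and Kestrel documentation, not from this post; the function names and the sample JSON are constructed for illustration.

```powershell
# Constructed sample appsettings.json content (not from a real deployment).
$SampleAppSettings = @'
{
  "Kestrel": {
    "EndpointDefaults": { "Protocols": "Http1AndHttp2" },
    "Endpoints": {
      "Public":   { "Url": "https://*:5001" },
      "Internal": { "Url": "http://localhost:5000", "Protocols": "Http1" },
      "Grpc":     { "Url": "https://*:5002", "Protocols": "Http2" }
    }
  }
}
'@

# Workaround 2: list each Kestrel endpoint and whether it still offers HTTP/2.
function Get-KestrelHttp2Endpoints {
    param([Parameter(Mandatory)][string]$Json)

    $kestrel = ($Json | ConvertFrom-Json).Kestrel
    if (-not $kestrel -or -not $kestrel.Endpoints) { return }

    # EndpointDefaults applies to every endpoint that does not override it.
    $default = $kestrel.EndpointDefaults.Protocols

    foreach ($ep in $kestrel.Endpoints.PSObject.Properties) {
        $effective = if ($ep.Value.Protocols) {
            $ep.Value.Protocols
        } elseif ($default) {
            $default
        } else {
            # Nothing configured: the framework default applies, which includes HTTP/2.
            '(framework default)'
        }
        [pscustomobject]@{
            Endpoint     = $ep.Name
            Url          = $ep.Value.Url
            Protocols    = $effective
            OffersHttp2  = ($effective -eq '(framework default)') -or ($effective -match 'Http2')
        }
    }
}

# Workaround 1: report the HTTP.sys registry values that switch HTTP/2 off.
function Get-HttpSysHttp2Setting {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            RegistryValue = $name
            Data          = if ($null -eq $value) { '(not set)' } else { $value }
            Http2Disabled = ($value -eq 0)   # an unset value leaves HTTP/2 enabled
        }
    }
}

Get-KestrelHttp2Endpoints -Json $SampleAppSettings | Format-Table -AutoSize
Get-HttpSysHttp2Setting | Format-Table -AutoSize
```

On the sample input, `Public` and `Grpc` are reported as still offering HTTP/2 and `Internal` is not. To audit a real application, pass `(Get-Content -Raw <path to appsettings.json>)` as `-Json`.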

Layer 2 Tunneling Protocol: lots of critical RCEs

Twelve critical RCE vulnerabilities seems like a lot, and it is. Fully three-quarters of these are in the same Windows component — the Layer 2 Tunneling Protocol — which has already received fixes for a significant number of critical RCEs in recent months. Exploitation of each of the Layer 2 Tunneling Protocol critical RCEs this month — CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, CVE-2023-41774, and CVE-2023-38166 — is via a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server.

If there is a silver lining here, it’s that the acknowledgements for almost all of these vulnerabilities cite Microsoft’s Network Security and Containers (NSC) team; a reasonable inference is that Microsoft is directing significant resources towards security research and patching in this area. Since CVEs are typically assigned sequentially, and there are gaps in the sequence, another reasonable inference here is that other similar as-yet-unpublished vulnerabilities have probably been identified and reported to MSRC.

Windows MSMQ: critical RCEs

CVE-2023-35349 describes an RCE vulnerability in the Message Queueing Service. Microsoft does not describe the attack vector, but other similar vulnerabilities require that the attacker send a specially crafted malicious MSMQ packet to an MSMQ server. One mitigating factor: the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable, and the Message Queueing Service is not installed by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – may quietly introduce MSMQ as part of their own installation routine.

Another MSMQ RCE vulnerability also receives a patch this month: CVE-2023-36697 has a lower CVSS score than its sibling, both because valid domain credentials are required, and because exploitation requires that a user on the target machine connects to a malicious server. Alternatively, Microsoft suggests that an attacker could compromise a legitimate MSMQ server host and make it run as a malicious server to exploit this vulnerability, although it’s not immediately clear how the attacker could do that without already having significant control over the MSMQ host.
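
The exposure condition described above (service enabled and listening on port 1801), which also applies to the MSMQ prerequisite noted for CVE-2023-36397 in the November 2023 post, can be checked per host. This is an added PowerShell example, not code from Microsoft or Rapid7; the function name `Get-MsmqExposure` and its output fields are this example's own.

```powershell
# Reports whether the local host meets the MSMQ exposure condition:
# the service exists and is running AND something listens on TCP 1801.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801   # MSMQ port named in the text above
    )

    # The service is absent unless the feature was installed, whether
    # directly or as a side effect of another product's installer.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Listening sockets on the MSMQ port, with the owning process for attribution.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    $owners = $listeners | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Sort-Object -Unique

    # Services that depend on MSMQ hint at which product pulled it in.
    $dependents = if ($svc) { $svc.DependentServices | ForEach-Object { $_.Name } } else { @() }

    $installed = [bool]$svc
    $running   = $installed -and ($svc.Status -eq 'Running')
    $listening = $listeners.Count -gt 0

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        MsmqInstalled     = $installed
        ServiceStatus     = if ($installed) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartType         = if ($installed) { $svc.StartType.ToString() } else { $null }
        ListeningOnPort   = $listening
        ListenAddresses   = ($listeners | ForEach-Object { $_.LocalAddress } | Sort-Object -Unique) -join ','
        OwningProcesses   = $owners -join ','
        DependentServices = $dependents -join ','
        # Installed-but-stopped is worth recording too: a later start re-exposes the host.
        Exposed           = $running -and $listening
    }
}

Get-MsmqExposure | Format-List
```

A host that reports `MsmqInstalled = True` where nobody knowingly added the feature is the case the text warns about; `DependentServices` is the first place to look for the product that introduced it.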

Microsoft vTPM: container escape

The final constituent of this month’s dozen patched critical RCE vulnerabilities is rather more exotic: CVE-2023-36718 describes a vulnerability in the Microsoft Virtual Trusted Platform Module (vTPM), which is a TPM 2.0-compliant virtualized version of a hardware TPM offered as a feature of Azure confidential VMs. Successful exploitation could lead to a container escape. The attacker would first need to access the vulnerable VM, and the advisory notes that exploitation is possible when authenticated as a guest mode user. On the bright side, Microsoft evaluates attack complexity as High, since successful exploitation of this vulnerability would rely upon complex memory shaping techniques to attempt an attack.

Exchange (as is tradition): RCE

Exchange administrators should note the existence of CVE-2023-36778, a same-network RCE vulnerability in all current versions of Exchange Server. Successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell remoting session. By default, PowerShell Remoting only allows connections from members of the Administrators group, and the relevant Windows Firewall rule for connections via public networks rejects connections from outside the same subnet. Defenders may wish to review these rules to ensure that they have not been loosened beyond the default.
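
One way to carry out the review suggested above, as an added PowerShell example that is not part of the original post. It assumes an elevated session on the host being reviewed; the firewall rule name pattern `WINRM-HTTP-In-TCP*` is the built-in WinRM HTTP rule set, and the function name and output fields are this example's own.

```powershell
# Lists who may open a PowerShell remoting session and which networks the
# WinRM firewall rules admit, flagging anything looser than the defaults
# described in the text (Administrators only; public profile limited to the local subnet).
function Get-PSRemotingReview {
    [CmdletBinding()]
    param()

    # 1. Session endpoints: parse the permission string of each configuration.
    $endpoints = Get-PSSessionConfiguration | ForEach-Object {
        $cfg = $_
        # Permission looks like "BUILTIN\Administrators AccessAllowed, ..."
        $allowed = @($cfg.Permission -split ',\s*' |
            Where-Object { $_ -match 'AccessAllowed$' } |
            ForEach-Object { $_ -replace '\s+AccessAllowed$', '' })
        [pscustomobject]@{
            Check  = 'Endpoint'
            Name   = $cfg.Name
            Detail = $allowed -join '; '
            # Any allowed principal other than an Administrators group needs a look.
            Review = [bool]($allowed | Where-Object { $_ -notmatch '\\Administrators$' })
        }
    }

    # 2. Firewall: enabled inbound allow rules for WinRM over HTTP.
    $rules = Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $rule   = $_
            $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
            $public = $rule.Profile.ToString() -match 'Public|Any'
            [pscustomobject]@{
                Check  = 'Firewall'
                Name   = $rule.Name
                Detail = "Profile=$($rule.Profile); RemoteAddress=$($remote -join ',')"
                # On the public profile, anything other than LocalSubnet is wider than default.
                Review = $public -and -not ($remote.Count -eq 1 -and $remote[0] -eq 'LocalSubnet')
            }
        }

    @($endpoints) + @($rules)
}

Get-PSRemotingReview | Format-Table -AutoSize -Wrap
```

Rows with `Review = True` are not findings in themselves; they mark settings that differ from the defaults the text describes and should be matched against a documented reason.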

Office: LPE

Microsoft Office receives a patch for CVE-2023-36569, a local privilege escalation (LPE) vulnerability. Successful exploitation could lead to SYSTEM privileges, but Microsoft states that the Preview Pane is not a vector. The advisory doesn’t provide much more information; patches are available for Office 2019, 2021, and Apps for Enterprise. Office 2016 is not listed, which might signify that it isn’t vulnerable, or could mean that patches will be provided later.

End of the line: 2012 edition

Today is the final Patch Tuesday for Windows Server 2012, and Windows Server 2012 R2. The only way to receive security updates for these versions of Windows from now on is to subscribe to Microsoft’s last-resort Extended Security Update (ESU) program. Windows 11 21H2 Home, Pro, Pro Education, Pro for Workstations, and SE also move past the end of support. No ESU program is available for Windows 11 client OS, so Windows 11 21H2 assets are insecure-by-default from now on. In all cases, both Microsoft and Rapid7 recommend upgrading to a newer version of Windows as soon as possible.

Summary Charts

[Chart] That’s a long line of Message Queueing vulns.
[Chart] Denial of Service up one place to third. RCE holds the top spot as usual.
[Chart] As usual, no Low or Moderate criticality vulns. It’s not that they don’t exist or get reported, but like all vendors remediating security issues, Microsoft necessarily focuses on those with the highest severity.
[Chart] A relatively long list of components this month, and lots of RCE.

Summary Table

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability No No 8.8
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability No No 8.8
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability No No 8.8
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability No No 7.8

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability No No 7.3

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-5346 Chromium: CVE-2023-5346 Type Confusion in V8 No No N/A

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability No No 7.8

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability No No 6.5
CVE-2023-36429 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability No No 6.5
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability No No 6.5
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 6.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability No No 8.4
CVE-2023-36789 Skype for Business Remote Code Execution Vulnerability No No 7.2
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability No No 7.2
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability No No 7.2
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability No No 7
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability No No 7
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability Yes Yes 5.3

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36417 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability No No 7.8
CVE-2023-36730 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.8
CVE-2023-36785 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.8
CVE-2023-36420 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.3
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability No No 5.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36704 Windows Setup Files Cleanup Remote Code Execution Vulnerability No No 7.8
CVE-2023-36711 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36725 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36723 Windows Container Manager Service Elevation of Privilege Vulnerability No No 7.8
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36557 PrintHTML API Remote Code Execution Vulnerability No No 7.8
CVE-2023-36729 Named Pipe File System Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36718 Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability No No 7.8
CVE-2023-36701 Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36603 Windows TCP/IP Denial of Service Vulnerability No No 7.5
CVE-2023-36720 Windows Mixed Reality Developer Tools Denial of Service Vulnerability No No 7.5
CVE-2023-36709 Microsoft AllJoyn API Denial of Service Vulnerability No No 7.5
CVE-2023-36605 Windows Named Pipe Filesystem Elevation of Privilege Vulnerability No No 7.4
CVE-2023-36902 Windows Runtime Remote Code Execution Vulnerability No No 7
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability No No 7
CVE-2023-36721 Windows Error Reporting Service Elevation of Privilege Vulnerability No No 7
CVE-2023-36717 Windows Virtual Trusted Platform Module Denial of Service Vulnerability No No 6.5
CVE-2023-36707 Windows Deployment Services Denial of Service Vulnerability No No 6.5
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability No No 6.5
CVE-2023-36576 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability No No 3.6

Windows Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability No No 7.5
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability No No 7.5
CVE-2023-44487 MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack Yes No N/A

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36434 Windows IIS Server Elevation of Privilege Vulnerability No No 9.8
CVE-2023-35349 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-36577 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41767 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41768 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41769 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41770 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41771 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41773 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-41774 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-38166 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-36710 Windows Media Foundation Core Remote Code Execution Vulnerability No No 7.8
CVE-2023-36436 Windows MSHTML Platform Remote Code Execution Vulnerability No No 7.8
CVE-2023-36712 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36726 Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2023-41766 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36598 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability No No 7.8
CVE-2023-36593 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.8
CVE-2023-36702 Microsoft DirectMusic Remote Code Execution Vulnerability No No 7.8
CVE-2023-36438 Windows TCP/IP Information Disclosure Vulnerability No No 7.5
CVE-2023-36602 Windows TCP/IP Denial of Service Vulnerability No No 7.5
CVE-2023-36567 Windows Deployment Services Information Disclosure Vulnerability No No 7.5
CVE-2023-36606 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36581 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36579 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36431 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36703 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2023-36585 Active Template Library Denial of Service Vulnerability No No 7.5
CVE-2023-36592 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36591 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36590 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36589 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36583 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36582 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36578 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36575 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36574 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36573 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36572 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36571 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36570 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.3
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability No No 7
CVE-2023-36697 Microsoft Message Queuing Remote Code Execution Vulnerability No No 6.8
CVE-2023-36564 Windows Search Security Feature Bypass Vulnerability No No 6.5
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability No No 6.5
CVE-2023-36706 Windows Deployment Services Information Disclosure Vulnerability No No 6.5
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability Yes Yes 6.5
CVE-2023-36724 Windows Power Management Service Information Disclosure Vulnerability No No 5.5
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-36584 Windows Mark of the Web Security Feature Bypass Vulnerability No No 5.4
CVE-2023-36722 Active Directory Domain Services Information Disclosure Vulnerability No No 4.4

Patch Tuesday – September 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/09/12/patch-tuesday-september-2023/


Microsoft is addressing 65 vulnerabilities this September Patch Tuesday, including two zero-day vulnerabilities, as well as four critical remote code execution (RCE) vulnerabilities, and six republished third-party vulnerabilities.

Word: zero-day NTLM hash disclosure

Microsoft Word receives a patch for CVE-2023-36761, which is marked as exploited in the wild as well as publicly disclosed; successful exploitation results in disclosure of NTLM hashes, which could provide an attacker with the means to “Pass the Hash” and authenticate remotely without any need to brute force the hash. Microsoft is clearly concerned about the potential impact of CVE-2023-36761, since they are providing patches not only for current versions of Word, but also for Word 2013, which reached its Extended End Date back in April 2023. In March, Microsoft patched CVE-2023-23397, a vulnerability in Outlook which also led to NTLM hash leaks, and which received significant attention at the time.

Streaming Service Proxy: zero-day elevation to SYSTEM

The second zero-day vulnerability patched this month is CVE-2023-36802, an elevation of privilege vulnerability in Microsoft Streaming Service Proxy, which could grant SYSTEM privileges via exploitation of a kernel driver. Microsoft has detected in-the-wild exploitation, but is not aware of publicly available exploit code. This is a debut Patch Tuesday appearance for Microsoft Streaming Service, but with several researchers from across the globe acknowledged on the advisory, it’s unlikely to be the last. Today’s confirmation of in-the-wild exploitation prior to publication all but guarantees that this will remain an area of interest.

Internet Connection Sharing: same-network critical RCE

CVE-2023-38148 describes a critical remote code execution (RCE) in the Windows Internet Connection Sharing (ICS) functionality. Although the advisory is light on detail, it’s likely that successful exploitation would lead to arbitrary code execution on the ICS host at SYSTEM level. The silver lining is that the attack cannot be carried out from another network, so attackers must first establish an adjacent foothold.

Visual Studio & .NET: critical RCE via malicious package file

This month’s three other critical RCE vulnerabilities have quite a lot in common: CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796 all rely on the user opening a malicious package file, and are thus classed as arbitrary code execution rather than no-interaction RCE. In each case, patches are available for a long list of Visual Studio and .NET installations. Organizations with large developer headcount are likely to be disproportionately at risk.

Exchange (as usual): RCE

Microsoft is patching five vulnerabilities in Exchange this month. Although Microsoft doesn’t rate any of these higher than “Important” under their proprietary severity rating system, three of the five are RCE vulnerabilities with a CVSSv3 base score of 8.0. CVE-2023-36744, CVE-2023-36745, and CVE-2023-36756 would surely receive higher severity if not for several mitigating factors. Successful exploitation requires that the attacker be present on the same LAN as the Exchange server and already possess valid credentials for an Exchange user. Additionally, Microsoft notes that the August 2023 patches already protect against these newly published vulnerabilities, further underscoring the value of timely patching.

SharePoint: elevation to admin

SharePoint receives a patch for CVE-2023-36764, which allows an attacker to achieve administrator privileges via a specially-crafted ASP.NET page. As is often the case with SharePoint vulnerabilities, a level of access is already required, but Site Member privileges are typically widely granted.

Azure DevOps Server: elevation of privilege & RCE

Azure DevOps Server receives two fixes this month. While CVE-2023-38155 requires that an attacker carry out significant recon and preparation of the environment, successful exploitation would lead to administrator privileges. Potentially of greater concern is CVE-2023-33136, which allows an attacker with Queue Build permissions to abuse an overridable input variable to achieve RCE. While most DevOps Server installations are hopefully managed by people both willing and able to apply prompt upgrades, CI/CD environments are prime targets for supply chain attacks.

They do it with Mira

A vulnerability in the Windows implementation of wireless display standard Miracast allows for an unauthenticated user to project to a vulnerable system. Although CVE-2023-38147 requires that an attacker be in close physical proximity to the target, consider that wireless display technology is often used in high-traffic environments such as conventions, which could allow an opportunistic attacker to inflict reputational damage. While exploitation requires that the target asset is configured to allow “Projecting to this PC” and marked as “Available Everywhere” – and Microsoft points out that this is not the default configuration – most administrators will know from long experience that many users will simply select whichever options cause them the least friction.

Summary Charts

A relatively light month, albeit with some seldom-seen components like Streaming Service and Internet Connection Sharing.
Still holding the #1 spot: Remote Code Execution.
The typical cluster around 8.0.
3D Builder: not as innocent as it looks.

Summary Table

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36760 3D Viewer Remote Code Execution Vulnerability No No 7.8
CVE-2023-36740 3D Viewer Remote Code Execution Vulnerability No No 7.8
CVE-2023-36739 3D Viewer Remote Code Execution Vulnerability No No 7.8
CVE-2023-36773 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-36772 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-36771 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-36770 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2022-41303 AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior No No N/A

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability No No 7.5
CVE-2023-38156 Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability No No 7.2
CVE-2023-36736 Microsoft Identity Linux Broker Remote Code Execution Vulnerability No No 4.4

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-33136 Azure DevOps Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-38155 Azure DevOps Server Remote Code Execution Vulnerability No No 7

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-4863 Chromium: CVE-2023-4863 Heap buffer overflow in WebP No No N/A
CVE-2023-4764 Chromium: CVE-2023-4764 Incorrect security UI in BFCache No No N/A
CVE-2023-4763 Chromium: CVE-2023-4763 Use after free in Networks No No N/A
CVE-2023-4762 Chromium: CVE-2023-4762 Type Confusion in V8 No No N/A
CVE-2023-4761 Chromium: CVE-2023-4761 Out of bounds memory access in FedCM No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36758 Visual Studio Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36742 Visual Studio Code Remote Code Execution Vulnerability No No 7.8
CVE-2023-36788 .NET Framework Remote Code Execution Vulnerability No No 7.8
CVE-2023-36759 Visual Studio Elevation of Privilege Vulnerability No No 6.7
CVE-2023-36799 .NET Core and Visual Studio Denial of Service Vulnerability No No 6.5
CVE-2023-39956 Electron: CVE-2023-39956 -Visual Studio Code Remote Code Execution Vulnerability No No N/A

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36757 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-36756 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8
CVE-2023-36745 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8
CVE-2023-36744 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8
CVE-2023-36777 Microsoft Exchange Server Information Disclosure Vulnerability No No 5.7

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36886 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-38164 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 7.6
CVE-2023-36800 Dynamics Finance and Operations Cross-site Scripting Vulnerability No No 7.6

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36764 Microsoft SharePoint Server Elevation of Privilege Vulnerability No No 8.8
CVE-2023-36765 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36766 Microsoft Excel Information Disclosure Vulnerability No No 7.8
CVE-2023-36763 Microsoft Outlook Information Disclosure Vulnerability No No 7.5
CVE-2023-36762 Microsoft Word Remote Code Execution Vulnerability No No 7.3
CVE-2023-36761 Microsoft Word Information Disclosure Vulnerability Yes Yes 6.2
CVE-2023-41764 Microsoft Office Spoofing Vulnerability No No 5.5
CVE-2023-36767 Microsoft Office Security Feature Bypass Vulnerability No No 4.3

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38163 Windows Defender Attack Surface Reduction Security Feature Bypass No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38146 Windows Themes Remote Code Execution Vulnerability No No 8.8
CVE-2023-38147 Windows Miracast Wireless Display Remote Code Execution Vulnerability No No 8.8
CVE-2023-38148 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability No No 8.8
CVE-2023-38150 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35355 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36802 Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-38162 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2023-36805 Windows MSHTML Platform Security Feature Bypass Vulnerability No No 7
CVE-2023-38140 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2023-36803 Windows Kernel Information Disclosure Vulnerability No No 5.5

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38142 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38141 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38139 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38161 Windows GDI Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36804 Windows GDI Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38144 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38143 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38149 Windows TCP/IP Denial of Service Vulnerability No No 7.5
CVE-2023-38160 Windows TCP/IP Information Disclosure Vulnerability No No 5.5
CVE-2023-38152 DHCP Server Service Information Disclosure Vulnerability No No 5.3
CVE-2023-36801 DHCP Server Service Information Disclosure Vulnerability No No 5.3

Patch Tuesday – August 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/08/08/patch-tuesday-august-2023/


Microsoft is addressing 86 vulnerabilities this August Patch Tuesday, including one zero-day vulnerability, as well as five critical remote code execution (RCE) vulnerabilities, and 12 browser vulnerabilities. An unpatched zero-day malicious document vulnerability from July also receives Windows OS updates and clarification in August.

ASP.NET: zero-day denial of service in Kestrel web server

The lone zero-day vulnerability patched this month is CVE-2023-38180, a denial of service (DoS) vulnerability in .NET, ASP.NET Core 2.1, and recent versions of Visual Studio. Microsoft is aware of in-the-wild exploitation. While the only impact noted is availability, administrators responsible for web apps built on ASP.NET are well-advised to patch as soon as possible. The cross-platform Kestrel web server is included in ASP.NET Core, and contains protections so that it can detect and disconnect a potentially malicious client. However, Kestrel will sometimes fail to disconnect the client, leading to denial of service. Microsoft notes that mitigating factors may include a reverse proxy or Web Application Firewall (WAF), since these are designed to detect and mitigate HTTP-based attacks.

Teams: critical remote execution vuln via malicious meeting

Potentially of greater concern are a pair of Microsoft Teams critical remote code execution (RCE) vulnerabilities. While the CVSS base score of 8.8 is at the top end of NVD’s High severity, Microsoft assesses both CVE-2023-29328 and CVE-2023-29330 as Critical on its own proprietary severity rating, and the advisories make clear why that is: both vulnerabilities allow an attacker to execute code in the context of anyone who joins a Teams meeting set up by the attacker. This affects Teams on all platforms: Windows Desktop, macOS, iOS, and Android. Given how widely Teams is used not just within organizations, but for collaboration outside of the organization in contexts requiring a level of trust of third parties not known to participants  – pre-sales calls, scoping calls, industry association calls and so on – these vulnerabilities surely deserve immediate remediation attention.

Windows MSMQ: critical RCE

The Windows Message Queuing Service is once again the site of multiple critical RCE vulnerabilities this month. CVE-2023-36910, CVE-2023-36911, and CVE-2023-35385 all come with a CVSSv3 base score of 9.8, reflecting the serious potential impact, lack of privileges required, and low attack complexity. One mitigating factor: the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable, and the Message Queueing Service is not installed by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – may quietly introduce MSMQ as part of their own installation routine.
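
A local check for the precondition described above (Message Queuing installed and listening on TCP port 1801), added here as an example; it is not from the original post or from Microsoft. It assumes Windows PowerShell 5.1 or later with the built-in NetTCPIP module, and the function name Get-MsmqExposure and its finding labels are made up for this example.

```powershell
# Added example (not from the original post): local check for the MSMQ
# precondition, i.e. the service is present and something listens on TCP 1801.
# Assumes Windows PowerShell 5.1+ and the built-in NetTCPIP module.

function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801,             # port named in the post
        [string]$ServiceName = 'MSMQ'  # Windows service name for Message Queuing
    )

    # $null when Message Queuing was never installed on this host.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # Every listening socket on the port, with the process that owns it.
    $listeners = @(
        Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
            ForEach-Object {
                $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                $procName = 'unknown'
                if ($proc) { $procName = $proc.ProcessName }
                [pscustomobject]@{
                    LocalAddress = $_.LocalAddress
                    ProcessId    = $_.OwningProcess
                    ProcessName  = $procName
                }
            }
    )

    # A loopback-only listener is not reachable from other hosts.
    $networkListeners = @(
        $listeners | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
    )

    if ($networkListeners.Count -gt 0) {
        $finding = 'ListeningOnNetwork'     # precondition met: prioritize patching
    } elseif ($svc -and $svc.Status -eq 'Running') {
        $finding = 'RunningNotListening'
    } elseif ($svc) {
        $finding = 'InstalledNotRunning'    # could be started later; still patch
    } else {
        $finding = 'NotInstalled'
    }

    $serviceStatus = $null
    $startType = $null
    if ($svc) {
        $serviceStatus = [string]$svc.Status
        $startType = [string]$svc.StartType
    }

    # One line per listener so the result is easy to export or diff.
    $listenerSummary = ($listeners | ForEach-Object {
        "$($_.LocalAddress):$Port pid=$($_.ProcessId) ($($_.ProcessName))"
    }) -join '; '

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Finding       = $finding
        ServiceStatus = $serviceStatus
        StartType     = $startType
        Listeners     = $listenerSummary
    }
}

Get-MsmqExposure | Format-List
```

A result of InstalledNotRunning on a host that is not meant to use message queuing is worth following up, since the post notes that other products may install MSMQ as part of their own setup.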

Outlook: critical maldoc arbitrary code execution

Rounding out the August critical RCE vulnerabilities, CVE-2023-36895 describes a flaw in Microsoft Outlook where an attacker who can convince a user to open a specially-crafted malicious file will be able to execute code in the context of the victim. Patch Tuesday watchers will be familiar with Microsoft’s clarification that this type of exploit is sometimes referred to as arbitrary code execution (ACE) since the attack is local – a malicious document opened on the asset – even if the attacker is remote. With no known public disclosure, no known exploitation in the wild, and Microsoft assessing that exploitation is less likely, this is hopefully a case of patch-and-forget.

July unpatched zero-day: revised and patched in August

One month ago, on Patch Tuesday July 2023, Microsoft published a zero-day vulnerability for which they provided no patch, leaving many defenders understandably concerned. Exploitation of CVE-2023-36884 requires that the user opens a malicious document crafted by an attacker, and as Rapid7 noted at the time of publication, Microsoft did provide several mitigation strategies. Happily, the August 2023 Windows updates bring relief from CVE-2023-36884 in the form of patches for every current version of Windows: from Windows 11 and Server 2022 all the way back to Windows Server 2008 for 32-bit Systems Service Pack 2. These patches supersede last month’s mitigation advice, but at least some of those mitigation strategies remain generally applicable.

The advisory for CVE-2023-36884 has been radically updated today with a new title (Windows Search Remote Code Execution Vulnerability) in place of the previous title (Office and Windows HTML Remote Code Execution Vulnerability). Microsoft now states that the vulnerability is in fact a Windows Search security bypass involving a Mark of the Web (MOTW) removal leading to code execution on the victim system. Microsoft has also released a complementary non-CVE advisory ADV230003 with the latest defense-in-depth advice for Microsoft Office administrators; Microsoft claims that following the defense-in-depth advice will stop the attack chain leading to exploitation of CVE-2023-36884, and thus potentially also protect against other as-yet-unknown vulnerabilities. However, defenders should consider that other attack chains may exist which do not involve Office at all.

Exchange: critical elevation of privilege

Exploitation of CVE-2023-21709 allows an attacker to authenticate as a different user. Exchange admins should note that additional remediation actions must be taken after patching. Although the CVSSv3 base score is a Critical-ranked 9.8, Microsoft’s proprietary severity scale assesses this vulnerability as Important rather than Critical, since exploitation involves brute-forcing passwords, and strong passwords are challenging to brute force.

Summary Charts

Message Queueing and Exchange again.
Remote Code Execution covers a broad range of exploits.
A typical distribution of CVSSv3 base scores.
This heatmap shows distribution of vulnerabilities, rather than risk.

Summary Tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38176 Azure Arc-Enabled Servers Elevation of Privilege Vulnerability No No 7
CVE-2023-35394 Azure HDInsight Jupyter Notebook Spoofing Vulnerability No No 4.6
CVE-2023-36877 Azure Apache Oozie Spoofing Vulnerability No No 4.5
CVE-2023-35393 Azure Apache Hive Spoofing Vulnerability No No 4.5
CVE-2023-38188 Azure Apache Hadoop Spoofing Vulnerability No No 4.5
CVE-2023-36881 Azure Apache Ambari Spoofing Vulnerability No No 4.5

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36869 Azure DevOps Server Spoofing Vulnerability No No 6.3

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38157 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability No No 6.5
CVE-2023-4078 Chromium: CVE-2023-4078 Inappropriate implementation in Extensions No No N/A
CVE-2023-4077 Chromium: CVE-2023-4077 Insufficient data validation in Extensions No No N/A
CVE-2023-4076 Chromium: CVE-2023-4076 Use after free in WebRTC No No N/A
CVE-2023-4075 Chromium: CVE-2023-4075 Use after free in Cast No No N/A
CVE-2023-4074 Chromium: CVE-2023-4074 Use after free in Blink Task Scheduling No No N/A
CVE-2023-4073 Chromium: CVE-2023-4073 Out of bounds memory access in ANGLE No No N/A
CVE-2023-4072 Chromium: CVE-2023-4072 Out of bounds read and write in WebGL No No N/A
CVE-2023-4071 Chromium: CVE-2023-4071 Heap buffer overflow in Visuals No No N/A
CVE-2023-4070 Chromium: CVE-2023-4070 Type Confusion in V8 No No N/A
CVE-2023-4069 Chromium: CVE-2023-4069 Type Confusion in V8 No No N/A
CVE-2023-4068 Chromium: CVE-2023-4068 Type Confusion in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35390 .NET and Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36899 ASP.NET Elevation of Privilege Vulnerability No No 7.5
CVE-2023-38180 .NET and Visual Studio Denial of Service Vulnerability Yes No 7.5
CVE-2023-38178 .NET Core and Visual Studio Denial of Service Vulnerability No No 7.5
CVE-2023-36873 .NET Framework Spoofing Vulnerability No No 7.4
CVE-2023-35391 ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability No No 7.1

Developer Tools Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36897 Visual Studio Tools for Office Runtime Spoofing Vulnerability No No 8.1

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35379 Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36876 Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability No No 7.1

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 9.8
CVE-2023-38181 Microsoft Exchange Server Spoofing Vulnerability No No 8.8
CVE-2023-38185 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-35368 Microsoft Exchange Remote Code Execution Vulnerability No No 8.8
CVE-2023-35388 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8
CVE-2023-38182 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38167 Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability No No 7.2
CVE-2023-35389 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability No No 6.5

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-29328 Microsoft Teams Remote Code Execution Vulnerability No No 8.8
CVE-2023-29330 Microsoft Teams Remote Code Execution Vulnerability No No 8.8
CVE-2023-36891 Microsoft SharePoint Server Spoofing Vulnerability No No 8
CVE-2023-36892 Microsoft SharePoint Server Spoofing Vulnerability No No 8
CVE-2023-36895 Microsoft Outlook Remote Code Execution Vulnerability No No 7.8
CVE-2023-36865 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36866 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-35372 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-35371 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2023-36896 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-36890 Microsoft SharePoint Server Information Disclosure Vulnerability No No 6.5
CVE-2023-36894 Microsoft SharePoint Server Information Disclosure Vulnerability No No 6.5
CVE-2023-36893 Microsoft Outlook Spoofing Vulnerability No No 6.5

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38169 Microsoft OLE DB Remote Code Execution Vulnerability No No 8.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38175 Microsoft Windows Defender Elevation of Privilege Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35387 Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability No No 8.8
CVE-2023-38186 Windows Mobile Device Management Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35382 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35386 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38154 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36904 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36898 Tablet Windows User Interface Application Core Remote Code Execution Vulnerability No No 7.8
CVE-2023-38170 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8
CVE-2023-35378 Windows Projected File System Elevation of Privilege Vulnerability No No 7
CVE-2023-36905 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 5.5
CVE-2023-36914 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability No No 5.5
CVE-2023-35384 Windows HTML Platforms Security Feature Bypass Vulnerability No No 5.4

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36910 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-36911 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-35385 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-35381 Windows Fax Service Remote Code Execution Vulnerability No No 8.8
CVE-2023-36882 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-36903 Windows System Assessment Tool Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35359 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35380 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36900 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38184 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.5
CVE-2023-35383 Microsoft Message Queuing Information Disclosure Vulnerability No No 7.5
CVE-2023-36912 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-38172 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36913 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5
CVE-2023-36909 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-35376 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-38254 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-35377 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-36908 Windows Hyper-V Information Disclosure Vulnerability No No 5.7
CVE-2023-36889 Windows Group Policy Security Feature Bypass Vulnerability No No 5.5
CVE-2023-36906 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5
CVE-2023-36907 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5
CVE-2023-20569 AMD: CVE-2023-20569 Return Address Predictor No No N/A

Patch Tuesday – July 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/07/11/patch-tuesday-july-2023/


Microsoft is addressing 130 vulnerabilities this July Patch Tuesday, including five zero-day vulnerabilities, and eight further critical remote code execution (RCE) vulnerabilities. Overall, it’s safe to say that this is a busier Patch Tuesday than the past couple of months. Note that the total count of vulnerabilities reported no longer includes any Edge-on-Chromium fixes.

Office zero-day maldoc vuln: no patch, no problem

Surprisingly, there is no patch yet for one of the five zero-day vulnerabilities. Microsoft is actively investigating publicly-disclosed Office RCE CVE-2023-36884, and promises to update the advisory as soon as further guidance is available. Exploitation requires the victim to open a specially crafted malicious document, which would typically be delivered via email.

A Microsoft Security Research Centre (MSRC) blog post links exploitation of this vulnerability with Storm-0978, Microsoft’s designation for a cybercriminal group based out of Russia also tracked across the wider industry under the name RomCom. MSRC suggests that RomCom / Storm-0978 is operating in support of Russian intelligence operations. The same threat actor has also been associated with ransomware attacks targeting a wide array of victims.

Defenders who are understandably unsettled by the lack of immediate patches for CVE-2023-36884 should consult the multiple mitigation options on the advisory. Microsoft claims that assets with Defender for Office 365 are already protected. Further options include an existing optional Defender for Endpoint Attack Surface Reduction (ASR) rule to prevent Office from creating child processes, and a registry modification to disable the vulnerable cross-protocol file navigation. The registry option might be the most straightforward option for organizations without a mature Defender program, but Microsoft does warn that certain use cases relying on the functionality would be impacted if this mitigation is deployed.

There are broad similarities to last year’s Follina vulnerability, which was discussed publicly for over two weeks starting late May 2023 before Microsoft patched it on June 14th as part of Patch Tuesday. While it’s possible that a patch for CVE-2023-36884 will be issued as part of next month’s Patch Tuesday, Microsoft Office is deployed just about everywhere, and this threat actor is making waves; admins should be ready for an out-of-cycle security update for CVE-2023-36884.

The menu of mitigation options here should offer something for every Microsoft shop, but it will come as something of a relief that Microsoft is offering patches for the four other zero-day vulnerabilities mentioned in this month’s Security Update Guide.

MSHTML, Windows Error Reporting: zero-day elevation of privilege vulns

CVE-2023-32046 describes a vulnerability in the MSHTML browser rendering engine which would allow an attacker to act with the same rights as the exploited user account. Successful exploitation requires the victim to open a specially-crafted malicious file, typically delivered either via email or a web page. Assets where Internet Explorer 11 has been fully disabled are still vulnerable until patched; the MSHTML engine remains installed within Windows regardless of the status of IE11, since it is used in other contexts (e.g. Outlook).

A separate vulnerability in the Windows Error Reporting Service allows elevation to the Administrator role via abuse of Windows performance tracing. To exploit CVE-2023-36874, an attacker must already have existing local access to an asset, so this vulnerability will most likely make up part of a longer exploit chain.

SmartScreen & Outlook: zero-day security feature bypass vulns

Rounding out this month’s zero-day vulnerabilities are two security feature bypass flaws. CVE-2023-32049 allows an attacker to formulate a URL which will bypass the Windows SmartScreen “Do you want to open this file?” dialog. Previous SmartScreen bypasses have been exploited extensively, not least for no-notice delivery of ransomware.

Broadly similar is CVE-2023-35311, which describes a bypass of the Microsoft Outlook Security Notice dialog via a specially-crafted URL.

Windows RRAS: critical RCEs

Eight further critical RCE vulnerabilities are also patched, including three related vulnerabilities in the Windows Routing and Remote Access Service (RRAS) with CVSS v3 base score of 9.8 (CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367). In each case, an attacker can send specially-crafted packets to vulnerable assets to achieve RCE. Happily, RRAS is not installed or configured by default, but admins with RRAS-enabled Windows Server installations will undoubtedly want to prioritize remediation.

SharePoint: critical RCEs

Anyone responsible for on-prem SharePoint should patch to avoid a variety of potential impacts from exploitation of CVE-2023-33157 and CVE-2023-33160, including information disclosure and editing, as well as reduced availability of the targeted environment. While both of these vulnerabilities require that an attacker already be authenticated as a user with at least Site Member privileges, this isn’t necessarily much of a defense, since this is the lowest standard permission group with the least privileges other than the read-only Site Visitor role, and will typically be widely granted. Microsoft assesses exploitation as more likely for both of these.

Windows core components: critical RCEs

The remainder of this month’s critical RCE patches target flaws in the Windows Layer-2 Bridge Network Driver (CVE-2023-35315), and usual suspects Windows Message Queuing (CVE-2023-32057) and Windows PGM (CVE-2023-35297).

Windows Remote Desktop: security feature bypass

CVE-2023-35352 will be of interest to anyone running an RDP server. Although the advisory is short on detail, an attacker could bypass certificate or private key authentication when establishing a remote desktop protocol session. Although the CVSS v3 base score of 7.5 falls short of the critical band, this is only because Microsoft has scored this vulnerability as having no impact on either confidentiality or availability, probably because the scoring is against the RDP service itself rather than whatever may be accessed downstream; this seems like a case where CVSS cannot fully capture the potential risk, and Microsoft’s Security Update Severity Rating System does rank this vulnerability as critical.

Summary Charts

[Chart: Windows RPC is back!]
[Chart: Many of those Remote Code Execution vulnerabilities require user interaction.]
[Chart: An unremarkable distribution of CVSSv3 base scores.]
[Chart: This heatmap shows distribution of vulnerabilities, rather than risk.]

Summary Tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-32047 Paint 3D Remote Code Execution Vulnerability No No 7.8
CVE-2023-35374 Paint 3D Remote Code Execution Vulnerability No No 7.8

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36868 Azure Service Fabric on Windows Information Disclosure Vulnerability No No 6.5

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35333 MediaWiki PandocUpload Extension Remote Code Execution Vulnerability No No 8.8
CVE-2023-33170 ASP.NET and Visual Studio Security Feature Bypass Vulnerability No No 8.1
CVE-2023-33127 .NET and Visual Studio Elevation of Privilege Vulnerability No No 8.1
CVE-2023-36867 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability No No 7.8
CVE-2023-35373 Mono Authenticode Validation Spoofing Vulnerability No No 5.3

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-32050 Windows Installer Elevation of Privilege Vulnerability No No 7

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-33171 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 8.2
CVE-2023-35335 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 8.2
CVE-2023-32052 Microsoft Power Apps (online) Spoofing Vulnerability No No 5.4

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-33150 Microsoft Office Security Feature Bypass Vulnerability No No 9.6
CVE-2023-33159 Microsoft SharePoint Server Spoofing Vulnerability No No 8.8
CVE-2023-33160 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-33134 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-33157 Microsoft SharePoint Remote Code Execution Vulnerability No No 8.8
CVE-2023-35311 Microsoft Outlook Security Feature Bypass Vulnerability Yes No 8.8
CVE-2023-33149 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2023-33148 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2023-33158 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-33161 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-33152 Microsoft ActiveX Remote Code Execution Vulnerability No No 7
CVE-2023-33153 Microsoft Outlook Remote Code Execution Vulnerability No No 6.8
CVE-2023-33151 Microsoft Outlook Spoofing Vulnerability No No 6.5
CVE-2023-33162 Microsoft Excel Information Disclosure Vulnerability No No 5.5
CVE-2023-33165 Microsoft SharePoint Server Security Feature Bypass Vulnerability No No 4.3

Microsoft Office Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability Yes Yes 8.3

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-33156 Microsoft Defender Elevation of Privilege Vulnerability No No 6.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-32049 Windows SmartScreen Security Feature Bypass Vulnerability Yes No 8.8
CVE-2023-35315 Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-35364 Windows Kernel Elevation of Privilege Vulnerability No No 8.8
CVE-2023-35302 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-29347 Windows Admin Center Spoofing Vulnerability No No 8.7
CVE-2023-21756 Windows Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35317 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-32056 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35313 Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability No No 7.8
CVE-2023-35323 Windows OLE Remote Code Execution Vulnerability No No 7.8
CVE-2023-35356 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35357 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35358 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35363 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35304 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35305 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35343 Windows Geolocation Service Remote Code Execution Vulnerability No No 7.8
CVE-2023-33155 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35362 Windows Clip Service Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35337 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-32051 Raw Image Extension Remote Code Execution Vulnerability No No 7.8
CVE-2023-35320 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35353 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35352 Windows Remote Desktop Security Feature Bypass Vulnerability No No 7.5
CVE-2023-35325 Windows Print Spooler Information Disclosure Vulnerability No No 7.5
CVE-2023-35339 Windows CryptoAPI Denial of Service Vulnerability No No 7.5
CVE-2023-32084 HTTP.sys Denial of Service Vulnerability No No 7.5
CVE-2023-35298 HTTP.sys Denial of Service Vulnerability No No 7.5
CVE-2023-35348 Active Directory Federation Service Security Feature Bypass Vulnerability No No 7.5
CVE-2023-35347 Microsoft Install Service Elevation of Privilege Vulnerability No No 7.1
CVE-2023-35360 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-35361 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2023-35336 Windows MSHTML Platform Security Feature Bypass Vulnerability No No 6.5
CVE-2023-35308 Windows MSHTML Platform Security Feature Bypass Vulnerability No No 6.5
CVE-2023-35331 Windows Local Security Authority (LSA) Denial of Service Vulnerability No No 6.5
CVE-2023-32037 Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-35329 Windows Authentication Denial of Service Vulnerability No No 6.5
CVE-2023-35296 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-32083 Microsoft Failover Cluster Information Disclosure Vulnerability No No 6.5
CVE-2023-36871 Azure Active Directory Security Feature Bypass Vulnerability No No 6.5
CVE-2023-32041 Windows Update Orchestrator Service Information Disclosure Vulnerability No No 5.5
CVE-2023-35326 Windows CDP User Components Information Disclosure Vulnerability No No 5.5
CVE-2023-36872 VP9 Video Extensions Information Disclosure Vulnerability No No 5.5
CVE-2023-32039 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-32040 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-35324 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-32085 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5
CVE-2023-35306 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 5.5

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35365 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 9.8
CVE-2023-35366 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 9.8
CVE-2023-35367 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 9.8
CVE-2023-32057 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-35322 Windows Deployment Services Remote Code Execution Vulnerability No No 8.8
CVE-2023-35303 USB Audio Class System Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-35300 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.8
CVE-2023-32038 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-35328 Windows Transaction Manager Elevation of Privilege Vulnerability No No 7.8
CVE-2023-33154 Windows Partition Management Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-32046 Windows MSHTML Platform Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-32053 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35342 Windows Image Acquisition Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-35299 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35340 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35312 Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35297 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 7.5
CVE-2023-35338 Windows Peer Name Resolution Protocol Denial of Service Vulnerability No No 7.5
CVE-2023-33163 Windows Network Load Balancing Remote Code Execution Vulnerability No No 7.5
CVE-2023-35330 Windows Extended Negotiation Denial of Service Vulnerability No No 7.5
CVE-2023-35309 Microsoft Message Queuing Remote Code Execution Vulnerability No No 7.5
CVE-2023-32044 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-32045 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-21526 Windows Netlogon Information Disclosure Vulnerability No No 7.4
CVE-2023-32054 Volume Shadow Copy Elevation of Privilege Vulnerability No No 7.3
CVE-2023-35350 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability No No 7.2
CVE-2023-32043 Windows Remote Desktop Security Feature Bypass Vulnerability No No 6.8
CVE-2023-35332 Windows Remote Desktop Protocol Security Feature Bypass No No 6.8
CVE-2023-32055 Active Template Library Elevation of Privilege Vulnerability No No 6.7
CVE-2023-35344 Windows DNS Server Remote Code Execution Vulnerability No No 6.6
CVE-2023-35345 Windows DNS Server Remote Code Execution Vulnerability No No 6.6
CVE-2023-35346 Windows DNS Server Remote Code Execution Vulnerability No No 6.6
CVE-2023-35310 Windows DNS Server Remote Code Execution Vulnerability No No 6.6
CVE-2023-35351 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability No No 6.6
CVE-2023-32033 Microsoft Failover Cluster Remote Code Execution Vulnerability No No 6.6
CVE-2023-35321 Windows Deployment Services Denial of Service Vulnerability No No 6.5
CVE-2023-35316 Remote Procedure Call Runtime Information Disclosure Vulnerability No No 6.5
CVE-2023-33166 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33167 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33168 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33169 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33172 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33173 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-32034 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-32035 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-35314 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-35318 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-35319 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-33164 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-32042 OLE Automation Information Disclosure Vulnerability No No 6.5
CVE-2023-35341 Microsoft DirectMusic Information Disclosure Vulnerability No No 6.2
CVE-2023-33174 Windows Cryptographic Information Disclosure Vulnerability No No 5.5

Patch Tuesday – June 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/06/13/patch-tuesday-june-2023/

It’s June, and it’s Patch Tuesday. The volume of fixes this month is typical compared with recent history: 94 in total (including Edge-on-Chromium). For the first time in a while, Microsoft isn’t offering patches for any zero-day vulnerabilities, but we do get fixes for four critical Remote Code Execution (RCE) vulnerabilities: one in .NET/Visual Studio, and three in Windows Pragmatic General Multicast (PGM). Also patched: a critical SharePoint Elevation of Privilege vulnerability.

SharePoint: Critical EoP via JWT spoofing

SharePoint administrators should start by looking at critical Elevation of Privilege vulnerability CVE-2023-29357, which provides attackers with a chance at Administrator privileges on the SharePoint host, provided they come prepared with spoofed JWT tokens. Microsoft isn’t aware of public disclosure or in-the-wild exploitation, but considers exploitation more likely.

The FAQ provided with Microsoft’s advisory suggests that both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable. So far so good for SharePoint 2019, but there is a lack of clarity around a patch for SharePoint 2016.

Initially, neither the advisory nor the SharePoint 2016 Release history listed a relevant patch for SharePoint 2016. Microsoft has since updated the SharePoint 2016 release history to include a link to the June security update for SharePoint Enterprise Server 2016; however, the link incorrectly points to the May advisory, and should instead point to the June 2023 security update for SharePoint 2016, KB5002404.

Complicating matters further, KB5002404 does not mention CVE-2023-29357, and the advisory for CVE-2023-29357 still does not mention any patch for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow developments here closely; on present evidence, the only safe assumption is that there is no patch yet which addresses CVE-2023-29357 for SharePoint 2016.

Microsoft also mentions that there may be more than one patch listed for a particular version of SharePoint, and that every patch for a particular version of SharePoint must be installed to remediate this vulnerability (although order of patching doesn’t matter).

Windows PGM: Critical RCE

This is the third month in a row where Patch Tuesday features at least one critical RCE in Windows PGM, and June adds three to the pile. Microsoft hasn’t detected exploitation or disclosure for any of these, and considers exploitation less likely, but a trio of critical RCEs with CVSS 3.1 base score of 9.8 will deservedly attract a degree of attention.

All three PGM critical RCEs – CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 – require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; indeed, CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250.

As with previous similar vulnerabilities, Windows Message Queueing Service (MSMQ) must be enabled for an asset to be exploitable, and MSMQ isn’t enabled by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – quietly introduce MSMQ as part of their own installation routine. With several prolific researchers active in this area, we should expect further PGM vulnerabilities in the future.

.NET & Visual Studio: Critical RCE

Rounding out this month’s critical RCE list is CVE-2023-24897: a flaw in .NET, .NET Framework and Visual Studio. Exploitation requires an attacker to convince the victim to open a specially-crafted malicious file, typically from a website.

Although Microsoft has no knowledge of public disclosure or exploitation in the wild, and considers exploitation less likely, the long list of patches – going back as far as .NET Framework 3.5 on Windows 10 1607 – means that this vulnerability has been present for years. Somewhat unusually for this class of vulnerability, Microsoft doesn’t give any indication of filetype. However, the Arbitrary Code Execution (ACE) boilerplate qualifier is present: “remote” refers here to the location of the attacker, rather than the attack, since local user interaction is required.

Exchange: Important RCEs; Exploitation More Likely

After a brief reprieve last month, Exchange admins will want to patch a pair of RCE vulnerabilities this month. While neither CVE-2023-28310 nor CVE-2023-32031 quite manages to rank as a critical vulnerability, either via CVSSv3 base score or via Microsoft’s proprietary severity scale, they’re not far off. Only the requirement that the attacker has previously achieved an authenticated role on the Exchange server prevents these vulnerabilities from scoring higher – but that’s just the sort of issue that exploit chains are designed to overcome.

Microsoft expects to see exploitation for both of these vulnerabilities. Successful exploitation will make use of PowerShell remoting sessions to achieve remote code execution.

Azure DevOps: spoofing, information disclosure

A vulnerability in Azure DevOps server could lead to an attacker accessing detailed data such as organization/project configuration, groups, teams, projects, pipelines, boards, and wiki. CVE-2023-21565 requires an attacker to have existing valid credentials for the service, but no elevated privilege is required. The advisory lists patches for 2020.1.2, 2022 and 2022.0.1.

Summary Charts

[Chart: Visual Studio making quite a splash this month.]
[Chart: Even if some of the RCE are ACE, that’s still a lot of RCE.]
[Chart: A cluster of vulnerabilities around 8.0 is unsurprising.]
[Chart: Patch Visual Studio. Also, all the things!]

Summary Tables

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-33143 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.5
CVE-2023-33145 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability No No 6.5
CVE-2023-29345 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability No No 6.1
CVE-2023-3079 Chromium: CVE-2023-3079 Type Confusion in V8 No No N/A
CVE-2023-2941 Chromium: CVE-2023-2941 Inappropriate implementation in Extensions API No No N/A
CVE-2023-2940 Chromium: CVE-2023-2940 Inappropriate implementation in Downloads No No N/A
CVE-2023-2939 Chromium: CVE-2023-2939 Insufficient data validation in Installer No No N/A
CVE-2023-2938 Chromium: CVE-2023-2938 Inappropriate implementation in Picture In Picture No No N/A
CVE-2023-2937 Chromium: CVE-2023-2937 Inappropriate implementation in Picture In Picture No No N/A
CVE-2023-2936 Chromium: CVE-2023-2936 Type Confusion in V8 No No N/A
CVE-2023-2935 Chromium: CVE-2023-2935 Type Confusion in V8 No No N/A
CVE-2023-2934 Chromium: CVE-2023-2934 Out of bounds memory access in Mojo No No N/A
CVE-2023-2933 Chromium: CVE-2023-2933 Use after free in PDF No No N/A
CVE-2023-2932 Chromium: CVE-2023-2932 Use after free in PDF No No N/A
CVE-2023-2931 Chromium: CVE-2023-2931 Use after free in PDF No No N/A
CVE-2023-2930 Chromium: CVE-2023-2930 Use after free in Extensions No No N/A
CVE-2023-2929 Chromium: CVE-2023-2929 Out of bounds write in Swiftshader No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24936 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability No No 8.1
CVE-2023-24897 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-24895 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-29326 .NET Framework Remote Code Execution Vulnerability No No 7.8
CVE-2023-33141 Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability No No 7.5
CVE-2023-29331 .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability No No 7.5
CVE-2023-32030 .NET and Visual Studio Denial of Service Vulnerability No No 7.5
CVE-2023-33126 .NET and Visual Studio Remote Code Execution Vulnerability No No 7.3
CVE-2023-33128 .NET and Visual Studio Remote Code Execution Vulnerability No No 7.3
CVE-2023-33135 .NET and Visual Studio Elevation of Privilege Vulnerability No No 7.3
CVE-2023-29337 NuGet Client Remote Code Execution Vulnerability No No 7.1
CVE-2023-32032 .NET and Visual Studio Elevation of Privilege Vulnerability No No 6.5
CVE-2023-33139 Visual Studio Information Disclosure Vulnerability No No 5.5
CVE-2023-29353 Sysinternals Process Monitor for Windows Denial of Service Vulnerability No No 5.5
CVE-2023-33144 Visual Studio Code Spoofing Vulnerability No No 5
CVE-2023-29012 GitHub: CVE-2023-29012 Git CMD erroneously executes doskey.exe in current directory, if it exists No No N/A
CVE-2023-29011 GitHub: CVE-2023-29011 The config file of connect.exe is susceptible to malicious placing No No N/A
CVE-2023-29007 GitHub: CVE-2023-29007 Arbitrary configuration injection via git submodule deinit No No N/A
CVE-2023-25815 GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place No No N/A
CVE-2023-25652 GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write No No N/A
CVE-2023-27911 AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior No No N/A
CVE-2023-27910 AutoDesk: CVE-2023-27910 stack buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior No No N/A
CVE-2023-27909 AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK 2020 or prior No No N/A

Developer Tools Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21565 Azure DevOps Server Spoofing Vulnerability No No 7.1
CVE-2023-21569 Azure DevOps Server Spoofing Vulnerability No No 5.5

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-29363 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 9.8
CVE-2023-32014 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 9.8
CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 9.8
CVE-2023-29362 Remote Desktop Client Remote Code Execution Vulnerability No No 8.8
CVE-2023-29372 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-29373 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-29351 Windows Group Policy Elevation of Privilege Vulnerability No No 8.1
CVE-2023-29365 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2023-29358 Windows GDI Elevation of Privilege Vulnerability No No 7.8
CVE-2023-29371 Windows GDI Elevation of Privilege Vulnerability No No 7.8
CVE-2023-29346 NTFS Elevation of Privilege Vulnerability No No 7.8
CVE-2023-32017 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability No No 7.8
CVE-2023-29359 GDI Elevation of Privilege Vulnerability No No 7.8
CVE-2023-32011 Windows iSCSI Discovery Service Denial of Service Vulnerability No No 7.5
CVE-2023-29368 Windows Filtering Platform Elevation of Privilege Vulnerability No No 7
CVE-2023-29364 Windows Authentication Elevation of Privilege Vulnerability No No 7
CVE-2023-32016 Windows Installer Information Disclosure Vulnerability No No 5.5
CVE-2023-32020 Windows DNS Spoofing Vulnerability No No 3.7

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-32031 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-28310 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24896 Dynamics 365 Finance Spoofing Vulnerability No No 5.4
CVE-2023-32024 Microsoft Power Apps Spoofing Vulnerability No No 3

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-29357 Microsoft SharePoint Server Elevation of Privilege Vulnerability No No 9.8
CVE-2023-33131 Microsoft Outlook Remote Code Execution Vulnerability No No 8.8
CVE-2023-33146 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2023-32029 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-33137 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-33133 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-33130 Microsoft SharePoint Server Spoofing Vulnerability No No 7.3
CVE-2023-33142 Microsoft SharePoint Server Elevation of Privilege Vulnerability No No 6.5
CVE-2023-33129 Microsoft SharePoint Denial of Service Vulnerability No No 6.5
CVE-2023-33140 Microsoft OneNote Spoofing Vulnerability No No 6.5
CVE-2023-33132 Microsoft SharePoint Server Spoofing Vulnerability No No 6.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-32009 Windows Collaborative Translation Framework Elevation of Privilege Vulnerability No No 8.8
CVE-2023-29367 iSCSI Target WMI Provider Remote Code Execution Vulnerability No No 7.8
CVE-2023-29360 Windows TPM Device Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-32008 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability No No 7.8
CVE-2023-29370 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2023-32018 Windows Hello Remote Code Execution Vulnerability No No 7.8
CVE-2023-29366 Windows Geolocation Service Remote Code Execution Vulnerability No No 7.8
CVE-2023-32022 Windows Server Service Security Feature Bypass Vulnerability No No 7.6
CVE-2023-32021 Windows SMB Witness Service Security Feature Bypass Vulnerability No No 7.1
CVE-2023-29361 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7
CVE-2023-32010 Windows Bus Filter Driver Elevation of Privilege Vulnerability No No 7
CVE-2023-29352 Windows Remote Desktop Security Feature Bypass Vulnerability No No 6.5
CVE-2023-32013 Windows Hyper-V Denial of Service Vulnerability No No 6.5
CVE-2023-24937 Windows CryptoAPI Denial of Service Vulnerability No No 6.5
CVE-2023-24938 Windows CryptoAPI Denial of Service Vulnerability No No 6.5
CVE-2023-29369 Remote Procedure Call Runtime Denial of Service Vulnerability No No 6.5
CVE-2023-32012 Windows Container Manager Service Elevation of Privilege Vulnerability No No 6.3
CVE-2023-29355 DHCP Server Service Information Disclosure Vulnerability No No 5.3
CVE-2023-32019 Windows Kernel Information Disclosure Vulnerability No No 4.7

Patch Tuesday – May 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/05/09/patch-tuesday-may-2023/

A less crowded Patch Tuesday for May 2023: Microsoft is offering fixes for just 49 vulnerabilities this month. There are no fixes this month for printer drivers, DNS, or .NET, three components which have featured heavily in recent months. Three zero-day vulnerabilities are patched, alongside a further five critical Remote Code Execution (RCE) vulnerabilities. None of the three zero-day vulnerabilities have a particularly high CVSSv3 base score, but timely patching is always indicated.

Zero-day vulnerability: BlackLotus malware Secure Boot bypass

First up: a zero-day Secure Boot Security Feature Bypass vulnerability which is actively exploited by the BlackLotus bootkit malware. Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access. The relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.

Microsoft has provided a supplementary guidance article specifically calling out the threat posed by BlackLotus malware, which loads ahead of the operating system on compromised assets, and provides attackers with an array of powerful evasion, persistence, and Command & Control (C2) techniques, including deploying malicious kernel drivers, and disabling Microsoft Defender or BitLocker.

Administrators should be aware that additional actions are required for remediation of CVE-2023-24932 beyond simply applying the patches. The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. Attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.

Zero-day vulnerability: RTF OLE RCE

The second of this month’s zero-day trio is an RCE vulnerability targeting Outlook users, as well as Windows Explorer. The vulnerability is in the proprietary Microsoft Object Linking and Embedding (OLE) layer, which allows embedding and linking to documents and other objects, and the Microsoft bulletin for CVE-2023-29336 suggests that the attack is likely conducted via a specially-crafted Rich Text File (RTF). All current versions of Windows are vulnerable, and viewing the malicious file via the Preview pane is one route to exploitation; however, successful exploitation requires an attacker to win a race condition and to otherwise prepare the target environment. This should significantly reduce the real-world impact of this vulnerability. Mitigations include disabling the Preview Pane, as well as configuring Outlook to read all emails in plain text mode. Microsoft is not aware of public disclosure, but has detected in-the-wild exploitation.

Zero-day vulnerability: Win32k LPE to SYSTEM

Rounding out this month’s trio of zero-day vulnerabilities is a Win32k Local Privilege Escalation (LPE) vulnerability. Successful exploitation will result in SYSTEM privileges. Win32k is a kernel-space driver responsible for aspects of the Windows GUI. As Rapid7 has noted in the past, the Win32k sub-system offers reliable attack surface that is not configuration-dependent. Although LPE vulnerabilities may seem less immediately concerning than a remote exploit, attackers frequently chain them together with other vulnerabilities to achieve full control over remote resources. Microsoft assesses attack complexity as low, and is aware of in-the-wild exploitation.

Critical RCE: NFS, MSQS, SharePoint Server, SSTP, LDAP

The remaining five RCE vulnerabilities this month include two with high CVSSv3 base scores of 9.8.

Although Microsoft is not aware of public disclosure or in-the-wild exploitation, Network File System (NFS) RCE vulnerability CVE-2023-24941 is a network attack with low complexity affecting Windows assets running NFSv4.1. As a mitigation prior to patching, Microsoft recommends disabling NFSv4.1 and then re-enabling it once the patch is applied, although this may impact functionality. Older versions of NFS (NFSv3 and NFSv2) are not affected by this vulnerability. Microsoft warns that assets which haven’t been patched for over a year would be vulnerable to CVE-2022-26937, which is a Critical vulnerability in NFSv2.0 and NFSv3.0. In other words: applying today’s mitigation to an asset missing the May 2022 patches would effectively cause a downgrade attack.

CVE-2023-24943 describes a vulnerability in Windows Pragmatic General Multicast (PGM), and is a concern only for assets running Windows Message Queuing Service (MSQS) in a PGM environment. Microsoft recommends newer alternatives to PGM in the advisory. A further two critical RCE for MSQS were patched last month, and the continued flow of vulnerabilities suggests that MSQS will continue to be an area of interest for security researchers. Although MSQS is not installed by default, some software, including some versions of Microsoft Exchange Server, will helpfully enable it as part of their own installation routine.

Another candidate for inclusion in an exploit chain is SharePoint RCE CVE-2023-24955, which requires the attacker to authenticate as Site Owner to run code on the SharePoint Server host. Microsoft assesses this one as Exploitation More Likely, due in part to the low attack complexity. SharePoint Server 2016, 2019, and Subscription Edition are all vulnerable until patched. Anyone still running SharePoint Server 2013 should upgrade immediately, as May 2023 is the first Patch Tuesday after the end of ESU; absence of evidence of vulnerability is by no means evidence of absence.

Long-standing Patch Tuesday entrant Windows Secure Socket Tunneling Protocol (SSTP) provides CVE-2023-24903 this month, which is a critical RCE involving sending a specially crafted SSTP packet to an SSTP server and winning a race condition. This qualifies as high attack complexity, and Microsoft considers exploitation less likely.

The final Critical RCE this month is CVE-2023-28283, which is also a high-complexity network-vector attack involving a race condition. In this case, the attack is conducted via a specially-crafted set of LDAP calls.

Summary Charts

Chart: Several of the usual suspects are notable by their absence this month.
Chart: It’s hard to imagine Patch Tuesday without Remote Code Execution vulnerabilities.
Chart: It would be surprising if the CVSSv3 base score chart for almost any random sample of vulnerabilities didn’t look similar to this.
Chart: Perhaps a coincidence, but two of the three most prominent cells in this heatmap include zero-day vulnerabilities.

Summary Tables

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-29350 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 7.5 |
| CVE-2023-29354 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.7 |
| CVE-2023-2468 | Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture | No | No | N/A |
| CVE-2023-2467 | Chromium: CVE-2023-2467 Inappropriate implementation in Prompts | No | No | N/A |
| CVE-2023-2466 | Chromium: CVE-2023-2466 Inappropriate implementation in Prompts | No | No | N/A |
| CVE-2023-2465 | Chromium: CVE-2023-2465 Inappropriate implementation in CORS | No | No | N/A |
| CVE-2023-2464 | Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture | No | No | N/A |
| CVE-2023-2463 | Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode | No | No | N/A |
| CVE-2023-2462 | Chromium: CVE-2023-2462 Inappropriate implementation in Prompts | No | No | N/A |
| CVE-2023-2460 | Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions | No | No | N/A |
| CVE-2023-2459 | Chromium: CVE-2023-2459 Inappropriate implementation in Prompts | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-29343 | SysInternals Sysmon for Windows Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-29338 | Visual Studio Code Information Disclosure Vulnerability | No | No | 5 |

ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-24904 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.1 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-24943 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-24903 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-29325 | Windows OLE Remote Code Execution Vulnerability | No | Yes | 8.1 |
| CVE-2023-28283 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-24946 | Windows Backup Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-29336 | Win32k Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2023-24940 | Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-24942 | Remote Procedure Call Runtime Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | Yes | Yes | 6.7 |
| CVE-2023-29324 | Windows MSHTML Platform Security Feature Bypass Vulnerability | No | No | 6.5 |
| CVE-2023-24900 | Windows NTLM Security Support Provider Information Disclosure Vulnerability | No | No | 5.9 |
| CVE-2023-24945 | Windows iSCSI Target Service Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-28251 | Windows Driver Revocation List Security Feature Bypass Vulnerability | No | No | 5.5 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-29344 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-24953 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-29335 | Microsoft Word Security Feature Bypass Vulnerability | No | No | 7.5 |
| CVE-2023-24955 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.2 |
| CVE-2023-24881 | Microsoft Teams Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-24950 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 6.5 |
| CVE-2023-24954 | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-29333 | Microsoft Access Denial of Service Vulnerability | No | No | 3.3 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-24941 | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-24947 | Windows Bluetooth Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24949 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-24902 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-24905 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-29340 | AV1 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-29341 | AV1 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-24898 | Windows SMB Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-24901 | Windows NFS Portmapper Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2023-24939 | Server for NFS Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-24948 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7.4 |
| CVE-2023-24899 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-24944 | Windows Bluetooth Driver Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-28290 | Microsoft Remote Desktop app for Windows Information Disclosure Vulnerability | No | No | 5.3 |
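
The May 2023 post notes that the 6.7 base score for CVE-2023-24932 is not a reliable guide to urgency. The following added example (not Rapid7's or Microsoft's code) parses rows in the summary-table layout used on this page and compares a CVSS-only ordering with one that puts exploitation status first. The ordering rule (exploited, then publicly disclosed, then CVSSv3) and all function names are assumptions chosen for illustration.

```python
"""Rank Patch Tuesday summary-table rows: exploitation status before CVSSv3."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header and rows copied from the May 2023 summary tables on this page.
SAMPLE = """\
CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24941 Windows Network File System Remote Code Execution Vulnerability No No 9.8
CVE-2023-24943 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability No No 9.8
CVE-2023-29325 Windows OLE Remote Code Execution Vulnerability No Yes 8.1
CVE-2023-29336 Win32k Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-24932 Secure Boot Security Feature Bypass Vulnerability Yes Yes 6.7
CVE-2023-2468 Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture No No N/A
"""

# The title is free text, so anchor on the CVE id at the start and on the
# three fixed columns (Yes/No, Yes/No, score or N/A) at the end of the row.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+"
    r"(?P<exploited>Yes|No)\s+(?P<disclosed>Yes|No)\s+"
    r"(?P<score>\d+(?:\.\d+)?|N/A)$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    score: Optional[float]  # None when the table says N/A


def parse_rows(text: str) -> Tuple[List[Advisory], List[str]]:
    """Return (parsed advisories, lines that did not look like a table row)."""
    advisories: List[Advisory] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        # Accept both space-separated rows and pipe-delimited rows.
        line = " ".join(raw.replace("|", " ").split())
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            rejected.append(line)  # header rows and anything malformed
            continue
        score = None if m["score"] == "N/A" else float(m["score"])
        advisories.append(Advisory(m["cve"], m["title"], m["exploited"] == "Yes",
                                   m["disclosed"] == "Yes", score))
    return advisories, rejected


def _score_desc(a: Advisory) -> float:
    # Higher scores sort first; an unscored (N/A) entry sorts after every score.
    return -a.score if a.score is not None else 1.0


def by_cvss(advisories: List[Advisory]) -> List[Advisory]:
    """Order by CVSSv3 base score alone."""
    return sorted(advisories, key=_score_desc)


def by_triage(advisories: List[Advisory]) -> List[Advisory]:
    """Order by exploited, then publicly disclosed, then CVSSv3 (assumed rule)."""
    return sorted(advisories,
                  key=lambda a: (not a.exploited, not a.disclosed, _score_desc(a)))


def rank_changes(advisories: List[Advisory]) -> List[Tuple[str, int, int]]:
    """Return (cve, triage_rank, cvss_rank) in triage order, ranks starting at 1."""
    cvss_rank = {a.cve: i for i, a in enumerate(by_cvss(advisories), start=1)}
    return [(a.cve, i, cvss_rank[a.cve])
            for i, a in enumerate(by_triage(advisories), start=1)]


if __name__ == "__main__":
    parsed, skipped = parse_rows(SAMPLE)
    print(f"parsed {len(parsed)} rows, skipped {len(skipped)}")
    for cve, triage, cvss in rank_changes(parsed):
        print(f"{cve:<16} triage #{triage}  cvss-only #{cvss}")
```
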

Patch Tuesday – April 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/04/11/patch-tuesday-april-2023/

Microsoft is offering fixes for 114 vulnerabilities in April 2023. This month’s haul includes a single zero-day vulnerability, as well as seven critical Remote Code Execution (RCE) vulnerabilities. There is a strong focus on fixes for Windows OS this month.

Over the last 18 months or so, Rapid7 has written several times about the prevalence of driver-based attacks. This month’s sole zero-day vulnerability – a driver-based elevation of privilege – will only reinforce the popularity of the vector among threat actors. Successful exploitation of CVE-2023-28252 allows an attacker to obtain SYSTEM privileges via a vulnerability in the Windows Common Log File System (CLFS) driver. Microsoft has patched more than one similar CLFS driver vulnerability over the past year, including CVE-2023-23376 in February 2023 and CVE-2022-37969 in September 2022.

Microsoft has released patches for the zero-day vulnerability CVE-2023-28252 for all current versions of Windows. Microsoft is not aware of public disclosure, but has detected in-the-wild exploitation and is aware of functional exploit code. The assigned base CVSSv3 score of 7.8 lands this vulnerability near the top of the High severity range, which is expected since it gives complete control of an asset, but a remote attacker must first find some other method to access the target.

April 2023 also sees 45 separate Remote Code Execution (RCE) vulnerabilities patched, which is a significant uptick from the average of 33 per month over the past three months. Microsoft rates seven of this month’s RCE vulnerabilities as Critical, including two related vulnerabilities with a CVSSv3 base score of 9.8. CVE-2023-28250 describes a vulnerability in Windows Pragmatic General Multicast (PGM) which allows an attacker to achieve RCE by sending a specially crafted file over the network. CVE-2023-21554 allows an attacker to achieve RCE by sending a specially crafted Microsoft Messaging Queue packet. In both cases, the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable. The Message Queueing Service is not installed by default. Even so, Microsoft considers exploitation of CVE-2023-21554 more likely.

The other five Critical RCE this month are spread across various Windows components: Windows Raw Image Extension, Windows DHCP Protocol, and two frequent fliers: Windows Point-to-Point Tunneling Protocol and the Windows Layer 2 Tunneling Protocol.

The RAW Image Extension vulnerability CVE-2023-28921 is another example of what Microsoft refers to as an Arbitrary Code Execution (ACE), explaining “The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.” For some defenders, this may stretch the definition of the word Remote in Remote Code Execution, but there are many ways to deliver a file to a user, and an unpatched system remains vulnerable regardless.

DHCP server vulnerability CVE-2023-28231 requires an attacker to be on the same network as the target, but offers RCE via a specially crafted RPC call. Microsoft considers that exploitation is more likely.

The hunter becomes the hunted as Microsoft patches a Denial of Service vulnerability in Defender. The advisory for CVE-2023-24860 includes some unusual guidance: “Systems that have disabled Microsoft Defender are not in an exploitable state.” In practice this vulnerability is less likely to be exploited, and the default update cadence for Defender should mean that most assets are automatically patched in a short timeframe.

Windows Server administrators should take note of CVE-2023-28247. Successful exploitation allows an attacker to view contents of kernel memory remotely from the context of a user process. Microsoft lists Windows Server 2012, 2016, 2019, and 2022 as vulnerable. Although Microsoft assesses that exploitation is less likely, Windows stores many secrets in kernel memory, including cryptographic keys.

Machine learning is everywhere these days, and this month’s Patch Tuesday is no exception: CVE-2023-28312 describes a vulnerability in Azure Machine Learning which allows an attacker to access system logs, although any attack would need to be launched from within the same secure network. The advisory contains links to Microsoft detection and remediation guidance.

The other Azure vulnerability this month is an Azure Service Connector Security Feature Bypass. Microsoft rates Attack Complexity for CVE-2023-28300 as High, since this vulnerability is only useful when chained with other exploits to defeat other security measures. However, the Azure Service Connector only updates when the Azure Command-Line Interface is updated, and automatic updates are not enabled by default.

Final curtain call tonight for a raft of familiar names, since April 2023 Patch Tuesday includes the very last round of Extended Security Updates (ESU) for a number of Microsoft products. These include:

As always, the end of ESU means that Microsoft does not expect to patch or even disclose any future vulnerabilities which might emerge in these venerable software products, so it is no longer possible to secure them; these dates have been well-publicized far in advance under the fixed lifecycle policy. No vendor can feasibly support ancient software indefinitely, and some administrators may be glad that they will never have to install another Exchange Server 2013 patch.

Summary Charts

Chart: Printer Drivers, DNS, and the Windows Kernel.
Chart: Remote Code Execution and Elevation of Privilege account for the majority as usual. A rare appearance for Tampering.
Chart: CVSSv3 scoring tends to cluster around certain values.
Chart: As usual, the distribution of severity skews towards Very Important.
Chart: Printer drivers and CVEs go hand in hand.

Summary tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-28300 | Azure Service Connector Security Feature Bypass Vulnerability | No | No | 7.5 |
| CVE-2023-28312 | Azure Machine Learning Information Disclosure Vulnerability | No | No | 6.5 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-28284 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.3 |
| CVE-2023-28301 | Microsoft Edge (Chromium-based) Tampering Vulnerability | No | No | 4.2 |
| CVE-2023-24935 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | N/A |
| CVE-2023-1823 | Chromium: CVE-2023-1823 Inappropriate implementation in FedCM | No | No | N/A |
| CVE-2023-1822 | Chromium: CVE-2023-1822 Incorrect security UI in Navigation | No | No | N/A |
| CVE-2023-1821 | Chromium: CVE-2023-1821 Inappropriate implementation in WebShare | No | No | N/A |
| CVE-2023-1820 | Chromium: CVE-2023-1820 Heap buffer overflow in Browser History | No | No | N/A |
| CVE-2023-1819 | Chromium: CVE-2023-1819 Out of bounds read in Accessibility | No | No | N/A |
| CVE-2023-1818 | Chromium: CVE-2023-1818 Use after free in Vulkan | No | No | N/A |
| CVE-2023-1817 | Chromium: CVE-2023-1817 Insufficient policy enforcement in Intents | No | No | N/A |
| CVE-2023-1816 | Chromium: CVE-2023-1816 Incorrect security UI in Picture In Picture | No | No | N/A |
| CVE-2023-1815 | Chromium: CVE-2023-1815 Use after free in Networking APIs | No | No | N/A |
| CVE-2023-1814 | Chromium: CVE-2023-1814 Insufficient validation of untrusted input in Safe Browsing | No | No | N/A |
| CVE-2023-1813 | Chromium: CVE-2023-1813 Inappropriate implementation in Extensions | No | No | N/A |
| CVE-2023-1812 | Chromium: CVE-2023-1812 Out of bounds memory access in DOM Bindings | No | No | N/A |
| CVE-2023-1811 | Chromium: CVE-2023-1811 Use after free in Frames | No | No | N/A |
| CVE-2023-1810 | Chromium: CVE-2023-1810 Heap buffer overflow in Visuals | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-28296 | Visual Studio Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2023-28262 | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-24893 | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-28260 | .NET DLL Hijacking Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-28299 | Visual Studio Spoofing Vulnerability | No | No | 5.5 |
| CVE-2023-28263 | Visual Studio Information Disclosure Vulnerability | No | No | 5.5 |

ESU SQL Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-23384 | Microsoft SQL Server Remote Code Execution Vulnerability | No | No | 7.3 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-28240 | Windows Network Load Balancing Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-21727 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-28275 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-28244 | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.1 |
| CVE-2023-28268 | Netlogon RPC Elevation of Privilege Vulnerability | No | No | 8.1 |
| CVE-2023-28219 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-28220 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-28272 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-28293 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-24912 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2023-28241 | Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-24931 | Windows Secure Channel Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-28232 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2023-28217 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-28238 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2023-28227 | Windows Bluetooth Driver Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2023-21769 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-28302 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-28254 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 |
| CVE-2023-28222 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2023-28229 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-28218 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-28216 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-28305 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2023-28255 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2023-28278 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2023-28256 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2023-28306 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2023-28307 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2023-28308 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2023-28223 | Windows Domain Name Service Remote Code Execution Vulnerability | No | No | 6.6 |
| CVE-2023-28267 | Remote Desktop Protocol Client Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-28228 | Windows Spoofing Vulnerability | No | No | 5.5 |
| CVE-2023-28271 | Windows Kernel Memory Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-28253 | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-28298 | Windows Kernel Denial of Service Vulnerability | No | No | 5.5 |
| CVE-2023-28266 | Windows Common Log File System Driver Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-28276 | Windows Group Policy Security Feature Bypass Vulnerability | No | No | 4.4 |
| CVE-2023-21729 | Remote Procedure Call Runtime Information Disclosure Vulnerability | No | No | 4.3 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-28309 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |
| CVE-2023-28313 | Microsoft Dynamics 365 Customer Voice Cross-Site Scripting Vulnerability | No | No | 6.1 |
| CVE-2023-28314 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 6.1 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-28311 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-28287 | Microsoft Publisher Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-28295 | Microsoft Publisher Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-28285 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-28288 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 6.5 |

SQL Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-23375 | Microsoft ODBC and OLE DB Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-28304 | Microsoft ODBC and OLE DB Remote Code Execution Vulnerability | No | No | 7.8 |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-24860 | Microsoft Defender Denial of Service Vulnerability | No | No | 7.5 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-28297 | Windows Remote Procedure Call Service (RPCSS) Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2023-24924 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24925 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24884 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24926 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24885 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24927 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24886 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24928 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24887 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-24929 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-28243 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-28291 | Raw Image Extension Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2023-28274 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-28246 | Windows Registry Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-28225 | Windows NTLM Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-28237 | Windows Kernel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-28236 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-28248 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-28292 | Raw Image Extension Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-28233 | Windows Secure Channel Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-28234 | Windows Secure Channel Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-28247 | Windows Network File System Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2023-28224 | Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability | No | No | 7.1 |
| CVE-2023-28221 | Windows Error Reporting Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-28273 | Windows Clip Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-24914 | Win32k Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-28235 | Windows Lock Screen Security Feature Bypass Vulnerability | No | No | 6.8 |
| CVE-2023-28270 | Windows Lock Screen Security Feature Bypass Vulnerability | No | No | 6.8 |
| CVE-2023-24883 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-28269 | Windows Boot Manager Security Feature Bypass Vulnerability | No | No | 6.2 |
| CVE-2023-28249 | Windows Boot Manager Security Feature Bypass Vulnerability | No | No | 6.2 |
| CVE-2023-28226 | Windows Enroll Engine Security Feature Bypass Vulnerability | No | No | 5.3 |
| CVE-2023-28277 | Windows DNS Server Information Disclosure Vulnerability | No | No | 4.9 |

Patch Tuesday – March 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/03/14/patch-tuesday-march-2023/

Microsoft is offering fixes for 101 security issues for March 2023 Patch Tuesday, including two zero-day vulnerabilities; the most interesting of the two zero-day vulnerabilities is a flaw in Outlook which allows an attacker to authenticate against arbitrary remote resources as another user.

CVE-2023-23397 describes a Critical Elevation of Privilege vulnerability affecting Outlook for Windows, which is concerning for several reasons. Microsoft has detected in-the-wild exploitation by a Russia-based threat actor targeting government, military, and critical infrastructure targets in Europe.

An attacker could use a specially-crafted email to cause Outlook to send NTLM authentication messages to an attacker-controlled SMB share, and can then use that information to authenticate against other services offering NTLM authentication. Given the network attack vector, the ubiquity of SMB shares, and the lack of user interaction required, an attacker with a suitable existing foothold on a network may well consider this vulnerability a prime candidate for lateral movement.

The vulnerability was discovered by Microsoft Threat Intelligence, who have published a Microsoft Security Research Center blog post which describes the issue in detail and provides a Microsoft script and accompanying documentation to detect if an asset has been compromised using CVE-2023-23397.

Current self-hosted versions of Outlook – including Microsoft 365 Apps for Enterprise – are vulnerable to CVE-2023-23397, but Microsoft-hosted online services (e.g., Microsoft 365) are not vulnerable. Microsoft has calculated a CVSSv3 base score of 9.8.

The other zero-day vulnerability this month, CVE-2023-24880, describes a Security Feature Bypass in Windows SmartScreen, which is part of Microsoft’s slate of endpoint protection offerings. A specially crafted file could avoid receiving Mark of the Web and thus dodge the enhanced scrutiny usually applied to files downloaded from the internet.

Although Microsoft has detected in-the-wild exploitation, and functional exploit code is publicly available, Microsoft has marked CVE-2023-24880 as Moderate severity – the only one this month – and assessed it with a relatively low CVSSv3 score of 5.4; the low impact ratings and requirement for user interaction contribute to the lower scoring. This vulnerability thus has the unusual distinction of being both an exploited-in-the-wild zero-day vulnerability and also the lowest-ranked vulnerability on Microsoft’s severity scale in this month’s Patch Tuesday. Only more recent versions of Windows are affected: Windows 10 and 11, as well as Server 2016 onwards.

A further five critical Remote Code Execution (RCE) vulnerabilities are patched this month in Windows low-level components. Three of these are assessed as Exploitation More Likely, and most of them affect a wide range of Windows versions, with the exception of CVE-2023-23392 which affects only Windows 11 and Windows Server 2022. Only assets where HTTP/3 has been enabled are potentially vulnerable – it is disabled by default – yet Microsoft still assesses this vulnerability as Exploitation More Likely, perhaps because HTTP endpoints are typically accessible.

CVE-2023-21708 is a Remote Procedure Call (RPC) vulnerability with a base CVSSv3 of 9.8. Microsoft recommends blocking TCP port 135 at the perimeter as a mitigation; given the perennial nature of RPC vulnerabilities, defenders will know that this has always been good advice.

Another veteran class of vulnerability makes a return this month: CVE-2023-23415 describes an attack involving a fragmented packet inside the header of another ICMP packet. Insufficient validation of ICMP packets has been a source of vulnerabilities since the dawn of time; the original and still-infamous Ping of Death vulnerability, which affected a wide range of vendors and operating systems, was one of the first vulnerabilities ever to be assigned a CVE, way back in 1999.

Rounding out the remaining Critical RCE vulnerabilities this month are a malicious certificate attack leading to Arbitrary Code Execution (ACE), and an attack against Windows Remote Access Server (RAS) which happily requires the attacker to win a race condition and is thus harder to exploit.

Microsoft has addressed two related vulnerabilities introduced via the Trusted Platform Module (TPM) 2.0 reference implementation code published by the Trusted Computing Group industry alliance. CVE-2023-1017 is an out-of-bounds write, and CVE-2023-1018 is an out-of-bounds read. Both may be triggered without elevated privileges, and may allow an attacker to access or modify highly-privileged information inside the TPM itself. Defenders managing non-Microsoft assets should note that a wide range of vendors including widely used Linux distros are also affected by this pair of vulnerabilities.

Admins who still remember the aptly-named PrintNightmare vulnerability from the summer of 2021 may well raise a wary eyebrow at this month’s batch of 18 fixes for the Microsoft PostScript and PCL6 Class Printer Driver, but there’s no sign that any of these are cause for the same level of concern, not least because there has been no known public disclosure prior to Microsoft releasing patches.

Azure administrators who update their Service Fabric Cluster manually should note that CVE-2023-23383 describes a spoofing vulnerability in the web management client where a user clicking a suitably-crafted malicious link could unwittingly execute actions against the remote cluster. Azure estates with automatic upgrades enabled are already protected.

Summary charts

[Chart: Lots of Important vulnerabilities]

[Chart: Remote Code Execution and Elevation of Privilege vulnerabilities remain a key focus]

[Chart: As always, vulnerability count is not necessarily a proxy for risk or exposure]

[Chart: Printer drivers and Microsoft Dynamics received a significant number of fixes]

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24890 Microsoft OneDrive for iOS Security Feature Bypass Vulnerability No No 6.5

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23383 Service Fabric Explorer Spoofing Vulnerability No No 8.2
CVE-2023-23408 Azure Apache Ambari Spoofing Vulnerability No No 4.5

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24892 Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability No No 7.1
CVE-2023-1236 Chromium: CVE-2023-1236 Inappropriate implementation in Internals No No N/A
CVE-2023-1235 Chromium: CVE-2023-1235 Type Confusion in DevTools No No N/A
CVE-2023-1234 Chromium: CVE-2023-1234 Inappropriate implementation in Intents No No N/A
CVE-2023-1233 Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing No No N/A
CVE-2023-1232 Chromium: CVE-2023-1232 Insufficient policy enforcement in Resource Timing No No N/A
CVE-2023-1231 Chromium: CVE-2023-1231 Inappropriate implementation in Autofill No No N/A
CVE-2023-1230 Chromium: CVE-2023-1230 Inappropriate implementation in WebApp Installs No No N/A
CVE-2023-1229 Chromium: CVE-2023-1229 Inappropriate implementation in Permission prompts No No N/A
CVE-2023-1228 Chromium: CVE-2023-1228 Insufficient policy enforcement in Intents No No N/A
CVE-2023-1224 Chromium: CVE-2023-1224 Insufficient policy enforcement in Web Payments API No No N/A
CVE-2023-1223 Chromium: CVE-2023-1223 Insufficient policy enforcement in Autofill No No N/A
CVE-2023-1222 Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API No No N/A
CVE-2023-1221 Chromium: CVE-2023-1221 Insufficient policy enforcement in Extensions API No No N/A
CVE-2023-1220 Chromium: CVE-2023-1220 Heap buffer overflow in UMA No No N/A
CVE-2023-1219 Chromium: CVE-2023-1219 Heap buffer overflow in Metrics No No N/A
CVE-2023-1218 Chromium: CVE-2023-1218 Use after free in WebRTC No No N/A
CVE-2023-1217 Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting No No N/A
CVE-2023-1216 Chromium: CVE-2023-1216 Use after free in DevTools No No N/A
CVE-2023-1215 Chromium: CVE-2023-1215 Type Confusion in CSS No No N/A
CVE-2023-1214 Chromium: CVE-2023-1214 Type Confusion in V8 No No N/A
CVE-2023-1213 Chromium: CVE-2023-1213 Use after free in Swiftshader No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23946 GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability No No N/A
CVE-2023-23618 GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability No No N/A
CVE-2023-22743 GitHub: CVE-2023-22743 Git for Windows Installer Elevation of Privilege Vulnerability No No N/A
CVE-2023-22490 GitHub: CVE-2023-22490 mingit Information Disclosure Vulnerability No No N/A

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21708 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 9.8
CVE-2023-23415 Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability No No 9.8
CVE-2023-23405 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1
CVE-2023-24908 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1
CVE-2023-24869 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1
CVE-2023-23401 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2023-23402 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2023-23420 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23421 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23422 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23423 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23410 Windows HTTP.sys Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23407 Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability No No 7.1
CVE-2023-23414 Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability No No 7.1
CVE-2023-23385 Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability No No 7
CVE-2023-24861 Windows Graphics Component Elevation of Privilege Vulnerability No No 7
CVE-2023-24862 Windows Secure Channel Denial of Service Vulnerability No No 5.5
CVE-2023-23394 Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability No No 5.5
CVE-2023-23409 Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability No No 5.5

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24922 Microsoft Dynamics 365 Information Disclosure Vulnerability No No 6.5
CVE-2023-24919 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-24879 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-24920 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-24891 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-24921 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 4.1

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23397 Microsoft Outlook Elevation of Privilege Vulnerability Yes No 9.8
CVE-2023-24930 Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23399 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-23398 Microsoft Excel Spoofing Vulnerability No No 7.1
CVE-2023-23396 Microsoft Excel Denial of Service Vulnerability No No 6.5
CVE-2023-23391 Office for Android Spoofing Vulnerability No No 5.5
CVE-2023-24923 Microsoft OneDrive for Android Information Disclosure Vulnerability No No 5.5
CVE-2023-24882 Microsoft OneDrive for Android Information Disclosure Vulnerability No No 5.5
CVE-2023-23395 Microsoft SharePoint Server Spoofing Vulnerability No No 3.1

Microsoft Office ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-24910 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23389 Microsoft Defender Elevation of Privilege Vulnerability No No 6.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23392 HTTP Protocol Stack Remote Code Execution Vulnerability No No 9.8
CVE-2023-24871 Windows Bluetooth Service Remote Code Execution Vulnerability No No 8.8
CVE-2023-23388 Windows Bluetooth Driver Elevation of Privilege Vulnerability No No 8.8
CVE-2023-23403 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-23406 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-23413 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24867 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24907 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24868 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24909 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24872 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24913 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24876 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-24864 Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability No No 8.8
CVE-2023-1018 CERT/CC: CVE-2023-1018 TPM2.0 Module Library Elevation of Privilege Vulnerability No No 8.8
CVE-2023-1017 CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability No No 8.8
CVE-2023-23416 Windows Cryptographic Services Remote Code Execution Vulnerability No No 8.4
CVE-2023-23404 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2023-23418 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23419 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23417 Windows Partition Management Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23412 Windows Accounts Picture Elevation of Privilege Vulnerability No No 7.8
CVE-2023-24859 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5
CVE-2023-23400 Windows DNS Server Remote Code Execution Vulnerability No No 7.2
CVE-2023-23393 Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability No No 7
CVE-2023-23411 Windows Hyper-V Denial of Service Vulnerability No No 6.5
CVE-2023-24856 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24857 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24858 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24863 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24865 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24866 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24906 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24870 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24911 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability No No 6.5
CVE-2023-24880 Windows SmartScreen Security Feature Bypass Vulnerability Yes Yes 5.4

Note that Microsoft has not provided CVSSv3 scores for vulnerabilities in Chromium, which is open-source software consumed by Microsoft Edge. Chrome, rather than Microsoft, is the assigning CNA for Chromium vulnerabilities. Microsoft documents this class of vulnerability in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
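The point made above about CVE-2023-24880, an exploited zero-day with the lowest score of the month, can be seen by parsing rows in the summary-table layout and ordering them two ways. This is an added example, not Rapid7's or Microsoft's code; the sample rows are copied from the March 2023 tables on this page, and the triage ordering (exploited, then publicly disclosed, then score, with N/A kept as unscored rather than zero) is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER = "CVE Title Exploited? Publicly disclosed? CVSSv3 base score"

# Rows copied from the March 2023 summary tables on this page.
SAMPLE_ROWS = """\
CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23397 Microsoft Outlook Elevation of Privilege Vulnerability Yes No 9.8
CVE-2023-23392 HTTP Protocol Stack Remote Code Execution Vulnerability No No 9.8
CVE-2023-21708 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 9.8
CVE-2023-1017 CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability No No 8.8
CVE-2023-1214 Chromium: CVE-2023-1214 Type Confusion in V8 No No N/A
CVE-2023-23385 Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability No No 7
CVE-2023-24880 Windows SmartScreen Security Feature Bypass Vulnerability Yes Yes 5.4
"""

# The title is free text (it may even contain a CVE id), so the row is
# anchored on its last three fields: Exploited, Publicly disclosed, score.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+"
    r"(?P<exploited>Yes|No)\s+"
    r"(?P<disclosed>Yes|No)\s+"
    r"(?P<score>N/A|\d+(?:\.\d+)?)$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    score: Optional[float]  # None when the table says N/A


def parse_rows(text: str) -> Tuple[List[Advisory], List[str]]:
    """Return (parsed advisories, non-empty lines that did not parse)."""
    advisories: List[Advisory] = []
    rejects: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == HEADER:
            continue
        m = ROW_RE.match(line)
        if m is None:
            rejects.append(line)  # e.g. a section heading between tables
            continue
        score = None if m["score"] == "N/A" else float(m["score"])
        advisories.append(
            Advisory(m["cve"], m["title"], m["exploited"] == "Yes",
                     m["disclosed"] == "Yes", score)
        )
    return advisories, rejects


def by_score_only(items: List[Advisory]) -> List[Advisory]:
    """Highest CVSS first; unscored (N/A) entries sink to the bottom."""
    return sorted(items, key=lambda a: (a.score is None, -(a.score or 0.0), a.cve))


def triage(items: List[Advisory]) -> List[Advisory]:
    """Exploited first, then publicly disclosed, then by score (assumed policy)."""
    def key(a: Advisory):
        tier = 0 if a.exploited else 1 if a.disclosed else 2
        return (tier, a.score is None, -(a.score or 0.0), a.cve)
    return sorted(items, key=key)


if __name__ == "__main__":
    parsed, skipped = parse_rows(SAMPLE_ROWS)
    for label, ordering in (("score only", by_score_only(parsed)),
                            ("exploited first", triage(parsed))):
        print(label)
        for a in ordering:
            shown = "N/A" if a.score is None else f"{a.score:.1f}"
            print(f"  {a.cve:<15} {shown:>4}  exploited={a.exploited}")
```
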

Patch Tuesday – February 2023

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2023/02/15/patch-tuesday-february-2023/

It’s Patch Tuesday again. Microsoft is addressing fewer individual vulnerabilities this month than last, but there’s still plenty to keep admins and defenders occupied.

Three zero-day vulnerabilities are vying for your attention today: a lone Microsoft Publisher vulnerability as well as a couple affecting Windows itself. None is marked as publicly disclosed, but Microsoft has already observed in-the-wild exploitation of all three.

One zero-day vulnerability is a Security Features Bypass vulnerability in Microsoft Publisher. Successful exploitation of CVE-2023-21715 allows an attacker to bypass Office macro defenses using a specially-crafted document and run code which would otherwise be blocked by policy. Only Publisher installations delivered as part of Microsoft 365 Apps for Enterprise are listed as affected.

CVE-2023-23376 describes a vulnerability in the Windows Common Log File System Driver which allows Local Privilege Escalation (LPE) to SYSTEM. Although Microsoft isn’t necessarily aware of mature exploit code at time of publication, this is worth patching at the first opportunity, since it affects essentially all current Windows hosts.

CVE-2023-21823 is described as a Remote Code Execution (RCE) vulnerability in Windows Graphics Component, but has Attack Vector listed as Local. This apparent inconsistency is often accompanied by a clarification like: “The word Remote in the title refers to the location of the attacker. […] The attack itself is carried out locally.” No such clarification is available in this case, but this is likely applicable here also. Microsoft also notes the existence of mature exploit code.

Microsoft is also releasing patches for nine critical RCE vulnerabilities. A more varied selection than last month, February 2023 includes critical RCE in an SQL Server ODBC driver, the iSCSI Discovery Service, .NET/Visual Studio, three in network authentication framework PEAP, one in Word, and two in Visual Studio only. Microsoft has not observed in-the-wild exploitation for any of these vulnerabilities, nor is any of them marked as publicly disclosed. Microsoft predicts that most of these are less likely to be exploited, with the exception of the PEAP vulnerabilities.

Microsoft’s recent announcement about the potential inclusion of CBL-Mariner CVEs in the Security Update Guide is now reflected in the list of covered products, but there aren’t any CBL-Mariner vulnerabilities this Patch Tuesday.

SharePoint Server makes another appearance today with CVE-2023-21717, which allows an authenticated user with the Manage List permission to achieve RCE. Admins responsible for a SharePoint Server 2013 instance may be interested in the FAQ, which includes what Microsoft optimistically describes as a clarification of the existing servicing model for SharePoint Server 2013.

This is the first Patch Tuesday after the end of Extended Security Updates (ESU) for Windows 8.1. Admins responsible for Windows Server 2008 instances should note that ESU for Windows Server 2008 is now only available for instances hosted in Azure or on-premises instances hosted via Azure Stack. Instances of Windows Server 2008 hosted in a non-Azure context will no longer receive security updates, so will forever remain vulnerable to any new vulnerabilities, including the two zero-days covered above.

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23378 Print 3D Remote Code Execution Vulnerability No No 7.8
CVE-2023-23377 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-23390 3D Builder Remote Code Execution Vulnerability No No 7.8

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21777 Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability No No 8.7
CVE-2023-21564 Azure DevOps Server Cross-Site Scripting Vulnerability No No 7.1
CVE-2023-23382 Azure Machine Learning Compute Instance Information Disclosure Vulnerability No No 6.5
CVE-2023-21703 Azure Data Box Gateway Remote Code Execution Vulnerability No No 6.5

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-23374 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 8.3
CVE-2023-21720 Microsoft Edge (Chromium-based) Tampering Vulnerability No No 5.3
CVE-2023-21794 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21815 Visual Studio Remote Code Execution Vulnerability No No 8.4
CVE-2023-23381 Visual Studio Remote Code Execution Vulnerability No No 8.4
CVE-2023-21808 .NET and Visual Studio Remote Code Execution Vulnerability No No 8.4
CVE-2023-21566 Visual Studio Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21553 Azure DevOps Server Remote Code Execution Vulnerability No No 7.5
CVE-2023-21567 Visual Studio Denial of Service Vulnerability No No 5.6
CVE-2023-21722 .NET Framework Denial of Service Vulnerability No No 4.4

Device vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2019-15126 MITRE: CVE-2019-15126 Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device No No N/A

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21800 Windows Installer Elevation of Privilege Vulnerability No No 7.8

ESU Microsoft Office Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21823 Windows Graphics Component Remote Code Execution Vulnerability Yes No 7.8

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21803 Windows iSCSI Discovery Service Remote Code Execution Vulnerability No No 9.8
CVE-2023-21689 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability No No 9.8
CVE-2023-21690 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability No No 9.8
CVE-2023-21692 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability No No 9.8
CVE-2023-21799 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21685 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21686 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21684 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-21797 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-21798 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-21802 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2023-21805 Windows MSHTML Platform Remote Code Execution Vulnerability No No 7.8
CVE-2023-21817 Windows Kerberos Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21822 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21812 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-23376 Windows Common Log File System Driver Elevation of Privilege Vulnerability Yes No 7.8
CVE-2023-21688 NT OS Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21801 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability No No 7.8
CVE-2023-21811 Windows iSCSI Service Denial of Service Vulnerability No No 7.5
CVE-2023-21702 Windows iSCSI Service Denial of Service Vulnerability No No 7.5
CVE-2023-21700 Windows iSCSI Discovery Service Denial of Service Vulnerability No No 7.5
CVE-2023-21813 Windows Secure Channel Denial of Service Vulnerability No No 7.5
CVE-2023-21818 Windows Secure Channel Denial of Service Vulnerability No No 7.5
CVE-2023-21816 Windows Active Directory Domain Services API Denial of Service Vulnerability No No 7.5
CVE-2023-21695 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability No No 7.5
CVE-2023-21691 Microsoft Protected Extensible Authentication Protocol (PEAP) Information Disclosure Vulnerability No No 7.5
CVE-2023-21701 Microsoft Protected Extensible Authentication Protocol (PEAP) Denial of Service Vulnerability No No 7.5
CVE-2023-21820 Windows Distributed File System (DFS) Remote Code Execution Vulnerability No No 7.4
CVE-2023-21694 Windows Fax Service Remote Code Execution Vulnerability No No 6.8
CVE-2023-21697 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability No No 6.2
CVE-2023-21693 Microsoft PostScript Printer Driver Information Disclosure Vulnerability No No 5.7
CVE-2023-21699 Windows Internet Storage Name Service (iSNS) Server Information Disclosure Vulnerability No No 5.3

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21706 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21707 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21529 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21710 Microsoft Exchange Server Remote Code Execution Vulnerability No No 7.2

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21778 Microsoft Dynamics Unified Service Desk Remote Code Execution Vulnerability No No 8.3
CVE-2023-21572 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 6.5
CVE-2023-21807 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.8
CVE-2023-21570 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-21571 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4
CVE-2023-21573 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability No No 5.4

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21716 Microsoft Word Remote Code Execution Vulnerability No No 9.8
CVE-2023-21717 Microsoft SharePoint Server Elevation of Privilege Vulnerability No No 8.8
CVE-2023-21715 Microsoft Publisher Security Features Bypass Vulnerability Yes No 7.3
CVE-2023-21721 Microsoft OneNote Spoofing Vulnerability No No 6.5
CVE-2023-21714 Microsoft Office Information Disclosure Vulnerability No No 5.5

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21705 Microsoft SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21713 Microsoft SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21806 Power BI Report Server Spoofing Vulnerability No No 8.2
CVE-2023-21528 Microsoft SQL Server Remote Code Execution Vulnerability No No 7.8
CVE-2023-21718 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability No No 7.8
CVE-2023-21704 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability No No 7.8
CVE-2023-21568 Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability No No 7.3

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21809 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability No No 7.8
CVE-2023-23379 Microsoft Defender for IoT Elevation of Privilege Vulnerability No No 6.4

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21804 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21819 Windows Secure Channel Denial of Service Vulnerability No No 7.5
CVE-2023-21687 HTTP.sys Information Disclosure Vulnerability No No 5.5

Patch Tuesday – January 2023

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2023/01/10/patch-tuesday-january-2023/

Microsoft is starting the new year with a bang! Today’s Patch Tuesday release addresses almost 100 CVEs. After a relatively mild holiday season, defenders and admins now have a wide range of exciting new vulnerabilities to consider.

Two zero-day vulnerabilities emerged today, both affecting a wide range of current Windows operating systems.

CVE-2023-21674 allows Local Privilege Escalation (LPE) to SYSTEM via a vulnerability in Windows Advanced Local Procedure Call (ALPC), which Microsoft has already seen exploited in the wild. Given its low attack complexity, the existence of functional proof-of-concept code, and the potential for sandbox escape, this may be a vulnerability to keep a close eye on. An ALPC zero-day back in 2018 swiftly found its way into a malware campaign.

CVE-2023-21549 is a Windows SMB elevation of privilege vulnerability for which Microsoft has not yet seen in-the-wild exploitation or a solid proof-of-concept, although Microsoft has marked it as publicly disclosed.

This Patch Tuesday also includes a batch of seven Critical Remote Code Execution (RCE) vulnerabilities. These are split between Windows Secure Socket Tunneling Protocol (SSTP) – source of another Critical RCE last month – and Windows Layer 2 Tunneling Protocol (L2TP). Happily, none of these has yet been seen exploited in the wild, and Microsoft has assessed all seven as “exploitation less likely” (though time will tell).

Today’s haul includes two Office Remote Code Execution vulnerabilities. Both CVE-2023-21734 and CVE-2023-21735 sound broadly familiar: a user needs to be tricked into running malicious files. Unfortunately, the security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available, so admins with affected assets will need to check back later and rely on other defenses for now.

On the server side, five CVEs affecting Microsoft Exchange Server were addressed today: two Spoofing vulnerabilities, two Elevation of Privilege, and an Information Disclosure. Any admins who no longer wish to run on-prem Exchange may wish to add these to the evidence pile.

Anyone responsible for a SharePoint Server instance has three new vulnerabilities to consider. Perhaps the most noteworthy is CVE-2023-21743, a remote authentication bypass. Remediation requires additional admin action after the installation of the SharePoint Server security update; however, exploitation requires no user interaction, and Microsoft already assesses it as “Exploitation More Likely”. This regrettable combination of properties explains the Critical severity assigned by Microsoft despite the relatively low CVSS score.

Another step further away from the Ballmer era: Microsoft recently announced the potential inclusion of CBL-Mariner CVEs as part of Security Update Guide guidance starting as early as tomorrow (Jan 11). First released on the carefully-selected date of April 1, 2020, CBL-Mariner is the Microsoft-developed Linux distro which acts as the base container OS for Azure services, and also underpins elements of WSL2.

Farewell Windows 8.1, we hardly knew ye: today’s security patches include fixes for Windows 8.1 for the final time, since Extended Support for most editions of Windows 8.1 ends today.

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21780 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21781 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21782 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21784 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21786 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21791 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21793 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21783 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21785 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21787 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21788 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21789 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21790 3D Builder Remote Code Execution Vulnerability No No 7.8
CVE-2023-21792 3D Builder Remote Code Execution Vulnerability No No 7.8

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21531 Azure Service Fabric Container Elevation of Privilege Vulnerability No No 7

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21538 .NET Denial of Service Vulnerability No No 7.5
CVE-2023-21779 Visual Studio Code Remote Code Execution No No 7.3

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21762 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-21745 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2023-21763 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21764 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21761 Microsoft Exchange Server Information Disclosure Vulnerability No No 7.5

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21742 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21744 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21736 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-21737 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-21734 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2023-21735 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2023-21738 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.1
CVE-2023-21741 Microsoft Office Visio Information Disclosure Vulnerability No No 7.1
CVE-2023-21743 Microsoft SharePoint Server Security Feature Bypass Vulnerability No No 5.3

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21725 Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability No No 6.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21676 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.8
CVE-2023-21674 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability Yes No 8.8
CVE-2023-21767 Windows Overlay Filter Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21755 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21558 Windows Error Reporting Service Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21768 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21724 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21551 Microsoft Cryptographic Services Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21677 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5
CVE-2023-21683 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5
CVE-2023-21758 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5
CVE-2023-21539 Windows Authentication Remote Code Execution Vulnerability No No 7.5
CVE-2023-21547 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability No No 7.5
CVE-2023-21771 Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability No No 7
CVE-2023-21739 Windows Bluetooth Driver Elevation of Privilege Vulnerability No No 7
CVE-2023-21733 Windows Bind Filter Driver Elevation of Privilege Vulnerability No No 7
CVE-2023-21540 Windows Cryptographic Information Disclosure Vulnerability No No 5.5
CVE-2023-21550 Windows Cryptographic Information Disclosure Vulnerability No No 5.5
CVE-2023-21559 Windows Cryptographic Information Disclosure Vulnerability No No 5.5
CVE-2023-21753 Event Tracing for Windows Information Disclosure Vulnerability No No 5.5
CVE-2023-21766 Windows Overlay Filter Information Disclosure Vulnerability No No 4.7
CVE-2023-21536 Event Tracing for Windows Information Disclosure Vulnerability No No 4.7
CVE-2023-21759 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability No No 3.3

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21549 Windows SMB Witness Service Elevation of Privilege Vulnerability No Yes 8.8
CVE-2023-21681 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-21732 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2023-21561 Microsoft Cryptographic Services Elevation of Privilege Vulnerability No No 8.8
CVE-2023-21535 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21548 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21546 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21543 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21555 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21556 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21679 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability No No 8.1
CVE-2023-21680 Windows Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21541 Windows Task Scheduler Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21678 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21765 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21746 Windows NTLM Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21524 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21747 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21748 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21749 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21754 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21772 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21773 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21774 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21675 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21552 Windows GDI Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21726 Windows Credential Manager User Interface Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21537 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21730 Microsoft Cryptographic Services Elevation of Privilege Vulnerability No No 7.8
CVE-2023-21527 Windows iSCSI Service Denial of Service Vulnerability No No 7.5
CVE-2023-21728 Windows Netlogon Denial of Service Vulnerability No No 7.5
CVE-2023-21557 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 7.5
CVE-2023-21757 Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability No No 7.5
CVE-2023-21760 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.1
CVE-2023-21750 Windows Kernel Elevation of Privilege Vulnerability No No 7.1
CVE-2023-21752 Windows Backup Service Elevation of Privilege Vulnerability No No 7.1
CVE-2023-21542 Windows Installer Elevation of Privilege Vulnerability No No 7
CVE-2023-21532 Windows GDI Elevation of Privilege Vulnerability No No 7
CVE-2023-21563 BitLocker Security Feature Bypass Vulnerability No No 6.8
CVE-2023-21560 Windows Boot Manager Security Feature Bypass Vulnerability No No 6.6
CVE-2023-21776 Windows Kernel Information Disclosure Vulnerability No No 5.5
CVE-2023-21682 Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability No No 5.3
CVE-2023-21525 Remote Procedure Call Runtime Denial of Service Vulnerability No No 5.3

Patch Tuesday – December 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/12/13/patch-tuesday-december-2022/

As far as Patch Tuesdays go, defenders have a relatively light month to close out the year with only 48 CVEs being published by Microsoft today. (This does not include the 24 previously disclosed vulnerabilities affecting their Chromium-based Edge browser.)

There are two zero-days in the mix today. CVE-2022-44698 is a bypass of the Windows SmartScreen security feature, and has been seen exploited in the wild. It allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web” despite being downloaded from untrusted sites. This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros. Publicly disclosed, but not seen actively exploited, is CVE-2022-44710. It’s a classic elevation of privilege vulnerability affecting the DirectX graphics kernel on Windows 11 22H2 systems.

Administrators for SharePoint and Microsoft Dynamics deployments should be aware of Critical Remote Code Execution (RCE) vulnerabilities that need to be patched. Other Critical RCEs this month affect the Windows Secure Socket Tunneling Protocol (CVE-2022-44676 and CVE-2022-44670), .NET Framework (CVE-2022-41089), and PowerShell (CVE-2022-41076).

Happy holidays, and may your patching be merry and bright!

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44702 Windows Terminal Remote Code Execution Vulnerability No No 7.8
CVE-2022-24480 Outlook for Android Elevation of Privilege Vulnerability No No 6.3

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44699 Azure Network Watcher Agent Security Feature Bypass Vulnerability No No 5.5

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44708 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 8.3
CVE-2022-41115 Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability No No 6.6
CVE-2022-44688 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3
CVE-2022-4195 Chromium: CVE-2022-4195 Insufficient policy enforcement in Safe Browsing No No N/A
CVE-2022-4194 Chromium: CVE-2022-4194 Use after free in Accessibility No No N/A
CVE-2022-4193 Chromium: CVE-2022-4193 Insufficient policy enforcement in File System API No No N/A
CVE-2022-4192 Chromium: CVE-2022-4192 Use after free in Live Caption No No N/A
CVE-2022-4191 Chromium: CVE-2022-4191 Use after free in Sign-In No No N/A
CVE-2022-4190 Chromium: CVE-2022-4190 Insufficient data validation in Directory No No N/A
CVE-2022-4189 Chromium: CVE-2022-4189 Insufficient policy enforcement in DevTools No No N/A
CVE-2022-4188 Chromium: CVE-2022-4188 Insufficient validation of untrusted input in CORS No No N/A
CVE-2022-4187 Chromium: CVE-2022-4187 Insufficient policy enforcement in DevTools No No N/A
CVE-2022-4186 Chromium: CVE-2022-4186 Insufficient validation of untrusted input in Downloads No No N/A
CVE-2022-4185 Chromium: CVE-2022-4185 Inappropriate implementation in Navigation No No N/A
CVE-2022-4184 Chromium: CVE-2022-4184 Insufficient policy enforcement in Autofill No No N/A
CVE-2022-4183 Chromium: CVE-2022-4183 Insufficient policy enforcement in Popup Blocker No No N/A
CVE-2022-4182 Chromium: CVE-2022-4182 Inappropriate implementation in Fenced Frames No No N/A
CVE-2022-4181 Chromium: CVE-2022-4181 Use after free in Forms No No N/A
CVE-2022-4180 Chromium: CVE-2022-4180 Use after free in Mojo No No N/A
CVE-2022-4179 Chromium: CVE-2022-4179 Use after free in Audio No No N/A
CVE-2022-4178 Chromium: CVE-2022-4178 Use after free in Mojo No No N/A
CVE-2022-4177 Chromium: CVE-2022-4177 Use after free in Extensions No No N/A
CVE-2022-4175 Chromium: CVE-2022-4175 Use after free in Camera Capture No No N/A
CVE-2022-4174 Chromium: CVE-2022-4174 Type Confusion in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41089 .NET Framework Remote Code Execution Vulnerability No No 8.8
CVE-2022-44704 Microsoft Windows Sysmon Elevation of Privilege Vulnerability No No 7.8

Developer Tools Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41076 PowerShell Remote Code Execution Vulnerability No No 8.5

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41127 Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability No No 8.5

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44690 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2022-44693 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2022-44694 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2022-44695 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2022-44696 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2022-44691 Microsoft Office OneNote Remote Code Execution Vulnerability No No 7.8
CVE-2022-44692 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-26804 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-26805 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-26806 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-47211 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-47212 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-47213 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-44713 Microsoft Outlook for Mac Spoofing Vulnerability No No 7.5

Open Source Software Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44689 Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44677 Windows Projected File System Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44683 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44680 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44671 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44687 Raw Image Extension Remote Code Execution Vulnerability No No 7.8
CVE-2022-44710 DirectX Graphics Kernel Elevation of Privilege Vulnerability No Yes 7.8
CVE-2022-44669 Windows Error Reporting Elevation of Privilege Vulnerability No No 7
CVE-2022-44682 Windows Hyper-V Denial of Service Vulnerability No No 6.8
CVE-2022-44707 Windows Kernel Denial of Service Vulnerability No No 6.5
CVE-2022-44679 Windows Graphics Component Information Disclosure Vulnerability No No 6.5
CVE-2022-44674 Windows Bluetooth Driver Information Disclosure Vulnerability No No 5.5
CVE-2022-44698 Windows SmartScreen Security Feature Bypass Vulnerability Yes No 5.4

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-44676 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1
CVE-2022-44670 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1
CVE-2022-44678 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44681 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44667 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2022-44668 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2022-41094 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44697 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41121 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41077 Windows Fax Compose Form Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44666 Windows Contacts Remote Code Execution Vulnerability No No 7.8
CVE-2022-44675 Windows Bluetooth Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2022-44673 Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability No No 7
CVE-2022-41074 Windows Graphics Component Information Disclosure Vulnerability No No 5.5

Patch Tuesday – November 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/11/08/patch-tuesday-november-2022-2/

It’s a relatively light Patch Tuesday this month by the numbers – Microsoft has only published 67 new CVEs, most of which affect their flagship Windows operating system. However, four of these are zero-days, having been observed as exploited in the wild.

The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed. CVE-2022-41040 is a “Critical” elevation of privilege vulnerability, and CVE-2022-41082 is considered Important, allowing Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Both vulnerabilities have been exploited in the wild. Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as Important, and CVE-2022-41080 is another privilege escalation vulnerability considered Critical. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.

Three of the new zero-day vulnerabilities are:

  • CVE-2022-41128 is a Critical RCE affecting the JScript9 scripting language (Microsoft’s legacy JavaScript dialect, used by their Internet Explorer browser).
  • CVE-2022-41073 is the latest in a storied history of vulnerabilities affecting the Windows Print Spooler, allowing privilege escalation and considered Important.
  • CVE-2022-41125 is also an Important privilege escalation vulnerability, affecting the Windows Next-generation Cryptography (CNG) Key Isolation service.

The fourth zero-day, CVE-2022-41091, was previously disclosed and widely reported on in October. It is a Security Feature Bypass of “Windows Mark of the Web” – a mechanism meant to flag files that have come from an untrusted source.
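Both Mark of the Web items in these posts (CVE-2022-44698 in December and CVE-2022-41091 here) concern the tag Windows attaches to downloaded files. The following is an added example, not code from Rapid7 or Microsoft: it parses the `Zone.Identifier` alternate data stream in which Windows stores that tag and lists watched file types where the tag is absent or unparseable. The extension list, function names and sample entries are assumptions constructed for illustration.

```python
import os

# Windows URL security zones as stored in the ZoneId field of the stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# File types worth reviewing (an assumption for this example; tune per estate).
WATCHED_EXT = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx",
               ".ppt", ".pptm", ".js", ".lnk", ".iso", ".zip", ".msi"}


def parse_zone_identifier(text):
    """Parse Zone.Identifier stream content; return a dict or None if unusable."""
    fields, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None
    return fields if fields["ZoneId"] in ZONES else None


def read_motw(path):
    """Return the raw Zone.Identifier stream of a file, or None if it has none.

    Alternate data streams exist only on NTFS; elsewhere this returns None.
    """
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def classify(name, stream_text):
    """Classify one file by its name and the stream text (None = no stream)."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in WATCHED_EXT:
        return "ignored"
    if stream_text is None:
        return "no-motw"
    info = parse_zone_identifier(stream_text)
    if info is None:
        return "malformed-motw"
    # Zones 3 and 4 are the ones treated as untrusted origins.
    return "untrusted" if info["ZoneId"] >= 3 else "trusted-zone"


def triage(entries):
    """Given (name, stream_text_or_None) pairs, return names needing review."""
    return sorted(name for name, stream in entries
                  if classify(name, stream) in ("no-motw", "malformed-motw"))


def scan_directory(root):
    """Walk a download directory on a Windows host and triage what is found."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            entries.append((path, read_motw(path)))
    return triage(entries)


# Constructed sample: file names with the stream content a scan might return.
SAMPLE = [
    ("invoice.docm", "[ZoneTransfer]\r\nZoneId=3\r\n"
                     "ReferrerUrl=https://mail.example.test/\r\n"
                     "HostUrl=https://files.example.test/invoice.docm\r\n"),
    ("report.xlsx", None),                               # tag absent
    ("setup.js", "[ZoneTransfer]\r\nZoneId=banana\r\n"),  # tag unparseable
    ("notes.txt", None),                                 # not a watched type
    ("budget.xlsx", "[ZoneTransfer]\r\nZoneId=1\r\n"),    # intranet zone
]

if __name__ == "__main__":
    for name in triage(SAMPLE):
        print("review:", name)
```

On a Windows host, `scan_directory` runs the same triage against a real download folder; a missing tag also has benign causes, such as files created locally or stored on non-NTFS volumes.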

Exchange Server admins are not the only ones on the hook this month: SharePoint Server is affected by CVE-2022-41062, an Important RCE that could allow an attacker who has Site Member privileges to execute code remotely on the server. CVE-2022-41122, a Spoofing vulnerability that Microsoft rates as “Exploitation more likely” than not, was actually addressed in September’s SharePoint patches but not included in their Security Update Guide at the time.

This month also sees Microsoft’s third non-CVE security advisory of the year, ADV220003, which is a “defense-in-depth” update for older versions of Microsoft Office (2013 and 2016) that improves validation of documents protected via Microsoft’s Information Rights Management (IRM) technology – a feature of somewhat dubious value, meant to help prevent sensitive information from being printed, forwarded, or copied without authorization.

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41051 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8
CVE-2022-41085 Azure CycleCloud Elevation of Privilege Vulnerability No No 7.5
CVE-2022-39327 GitHub: CVE-2022-39327 Improper Control of Generation of Code (‘Code Injection’) in Azure CLI No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41119 Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2022-41120 Microsoft Windows Sysmon Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41064 .NET Framework Information Disclosure Vulnerability No No 5.8
CVE-2022-39253 GitHub: CVE-2022-39253 Local clone optimization dereferences symbolic links by default No No N/A

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41044 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2022-41116 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability No No 5.9

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41128 Windows Scripting Languages Remote Code Execution Vulnerability Yes No 8.8
CVE-2022-41047 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2022-41048 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8
CVE-2022-41039 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability No No 8.1
CVE-2022-38023 Netlogon RPC Elevation of Privilege Vulnerability No No 8.1
CVE-2022-41109 Windows Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41073 Windows Print Spooler Elevation of Privilege Vulnerability Yes No 7.8
CVE-2022-41057 Windows HTTP.sys Elevation of Privilege Vulnerability No No 7.8
CVE-2022-37992 Windows Group Policy Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41095 Windows Digital Media Receiver Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41045 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41118 Windows Scripting Languages Remote Code Execution Vulnerability No No 7.5
CVE-2022-41058 Windows Network Address Translation (NAT) Denial of Service Vulnerability No No 7.5
CVE-2022-41053 Windows Kerberos Denial of Service Vulnerability No No 7.5
CVE-2022-41056 Network Policy Server (NPS) RADIUS Protocol Denial of Service Vulnerability No No 7.5
CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability No No 7.2
CVE-2022-41097 Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vulnerability No No 6.5
CVE-2022-41086 Windows Group Policy Elevation of Privilege Vulnerability No No 6.4
CVE-2022-41090 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability No No 5.9
CVE-2022-41098 Windows GDI+ Information Disclosure Vulnerability No No 5.5
CVE-2022-23824 AMD: CVE-2022-23824 IBPB and Return Address Predictor Interactions No No N/A

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41080 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8.8
CVE-2022-41078 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2022-41079 Microsoft Exchange Server Spoofing Vulnerability No No 8
CVE-2022-41123 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 7.8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41066 Microsoft Business Central Information Disclosure Vulnerability No No 4.4

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41062 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2022-41061 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2022-41107 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8
CVE-2022-41106 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2022-41063 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2022-41122 Microsoft SharePoint Server Spoofing Vulnerability No No 6.5
CVE-2022-41060 Microsoft Word Information Disclosure Vulnerability No No 5.5
CVE-2022-41103 Microsoft Word Information Disclosure Vulnerability No No 5.5
CVE-2022-41104 Microsoft Excel Security Feature Bypass Vulnerability No No 5.5
CVE-2022-41105 Microsoft Excel Information Disclosure Vulnerability No No 5.5

Open Source Software Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-38014 Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability No No 7
CVE-2022-3786 OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun No No N/A
CVE-2022-3602 OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun No No N/A

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41088 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2022-41092 Windows Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41113 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41054 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41101 Windows Overlay Filter Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41102 Windows Overlay Filter Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41052 Windows Graphics Component Remote Code Execution Vulnerability No No 7.8
CVE-2022-41050 Windows Extensible File Allocation Table Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41125 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability Yes No 7.8
CVE-2022-41100 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41093 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41096 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2022-41114 Windows Bind Filter Driver Elevation of Privilege Vulnerability No No 7
CVE-2022-38015 Windows Hyper-V Denial of Service Vulnerability No No 6.5
CVE-2022-41055 Windows Human Interface Device Information Disclosure Vulnerability No No 5.5
CVE-2022-41091 Windows Mark of the Web Security Feature Bypass Vulnerability Yes Yes 5.4
CVE-2022-41049 Windows Mark of the Web Security Feature Bypass Vulnerability No No 5.4
CVE-2022-41099 BitLocker Security Feature Bypass Vulnerability No No 4.6

Patch Tuesday – October 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/10/11/patch-tuesday-october-2022/

The October batch of CVEs published by Microsoft comprises 96 vulnerabilities, 12 of which were fixed earlier this month and affect the Chromium project used by their Edge browser.

Top of mind for many this month is whether Microsoft would patch the two Exchange Server zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) disclosed at the end of September. While Microsoft was relatively quick to acknowledge the vulnerabilities and provide mitigation steps, their guidance has continually changed as the recommended rules to block attack traffic get bypassed. This whack-a-mole approach seems likely to continue until a proper patch addressing the root causes is available; unfortunately, it doesn’t look like that will be happening today. Thankfully, the impact should be more limited than 2021’s ProxyShell and ProxyLogon vulnerabilities due to attackers needing to be authenticated to the server for successful exploitation. Reports are also surfacing about an additional zero-day distinct from these being used in ransomware attacks; however, these have not yet been substantiated.

Microsoft did address two other zero-day vulnerabilities with today’s patches. CVE-2022-41033, an Elevation of Privilege vulnerability affecting the COM+ Event System Service in all supported versions of Windows, has been seen exploited in the wild. CVE-2022-41043 is an Information Disclosure vulnerability affecting Office for Mac that was publicly disclosed but not (yet) seen exploited in the wild.

Nine CVEs categorized as Remote Code Execution (RCE) with Critical severity were also patched today – seven of them affect the Point-to-Point Tunneling Protocol, and like those fixed last month, require an attacker to win a race condition to exploit them. CVE-2022-38048 affects all supported versions of Office, and CVE-2022-41038 could allow an attacker authenticated to SharePoint to execute arbitrary code on the server, provided the account has “Manage List” permissions.

Maxing out the CVSS base score with a 10.0 this month is CVE-2022-37968, an Elevation of Privilege vulnerability in the Azure Arc-enabled Kubernetes cluster Connect component. It’s unclear why Microsoft has assigned such a high score, given that an attacker would need to know the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster (arguably making the Attack Complexity “High”). That said, if this condition is met then an unauthenticated user could become a cluster admin and potentially gain control over the Kubernetes cluster. Users of Azure Arc and Azure Stack Edge should check whether auto-updates are turned on, and if not, upgrade manually as soon as possible.

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability No No 10 Yes
CVE-2022-38017 StorSimple 8000 Series Elevation of Privilege Vulnerability No No 6.8 Yes
CVE-2022-35829 Service Fabric Explorer Spoofing Vulnerability No No 6.2 Yes

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-41035 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 8.3 Yes
CVE-2022-3373 Chromium: CVE-2022-3373 Out of bounds write in V8 No No N/A Yes
CVE-2022-3370 Chromium: CVE-2022-3370 Use after free in Custom Elements No No N/A Yes
CVE-2022-3317 Chromium: CVE-2022-3317 Insufficient validation of untrusted input in Intents No No N/A Yes
CVE-2022-3316 Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe Browsing No No N/A Yes
CVE-2022-3315 Chromium: CVE-2022-3315 Type confusion in Blink No No N/A Yes
CVE-2022-3313 Chromium: CVE-2022-3313 Incorrect security UI in Full Screen No No N/A Yes
CVE-2022-3311 Chromium: CVE-2022-3311 Use after free in Import No No N/A Yes
CVE-2022-3310 Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom Tabs No No N/A Yes
CVE-2022-3308 Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer Tools No No N/A Yes
CVE-2022-3307 Chromium: CVE-2022-3307 Use after free in Media No No N/A Yes
CVE-2022-3304 Chromium: CVE-2022-3304 Use after free in CSS No No N/A Yes

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-41034 Visual Studio Code Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-41083 Visual Studio Code Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-41032 NuGet Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-41042 Visual Studio Code Information Disclosure Vulnerability No No 7.4 Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-41038 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-41036 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-41037 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-38053 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-41031 Microsoft Word Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38048 Microsoft Office Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38049 Microsoft Office Graphics Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38001 Microsoft Office Spoofing Vulnerability No No 6.5 Yes
CVE-2022-41043 Microsoft Office Information Disclosure Vulnerability No Yes 3.3 Yes

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-37971 Microsoft Windows Defender Elevation of Privilege Vulnerability No No 7.1 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-38016 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-38045 Server Service Remote Protocol Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-37984 Windows WLAN Service Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38003 Windows Resilient File System Elevation of Privilege No No 7.8 Yes
CVE-2022-38028 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38039 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37995 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37979 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37970 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37980 Windows DHCP Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38050 Win32k Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37983 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37998 Windows Local Session Manager (LSM) Denial of Service Vulnerability No No 7.7 Yes
CVE-2022-37973 Windows Local Session Manager (LSM) Denial of Service Vulnerability No No 7.7 Yes
CVE-2022-38036 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability No No 7.5 No
CVE-2022-38027 Windows Storage Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-38021 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-37974 Windows Mixed Reality Developer Tools Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-38046 Web Account Manager Information Disclosure Vulnerability No No 6.2 Yes
CVE-2022-37965 Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability No No 5.9 Yes
CVE-2022-37996 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-38025 Windows Distributed File System (DFS) Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-38030 Windows USB Serial Driver Information Disclosure Vulnerability No No 4.3 Yes

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-37982 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-38031 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-38040 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-37976 Active Directory Certificate Services Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-30198 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-22035 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-24504 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-33634 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-38047 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-38000 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-41081 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-37986 Windows Win32k Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37988 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38037 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38038 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37990 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37991 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37999 Windows Group Policy Preference Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37993 Windows Group Policy Preference Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37994 Windows Group Policy Preference Client Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37975 Windows Group Policy Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38051 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37997 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-33635 Windows GDI+ Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-37987 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37989 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability Yes No 7.8 Yes
CVE-2022-38044 Windows CD-ROM File System Driver Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-33645 Windows TCP/IP Driver Denial of Service Vulnerability No No 7.5 No
CVE-2022-38041 Windows Secure Channel Denial of Service Vulnerability No No 7.5 No
CVE-2022-34689 Windows CryptoAPI Spoofing Vulnerability No No 7.5 Yes
CVE-2022-37978 Windows Active Directory Certificate Services Security Feature Bypass No No 7.5 Yes
CVE-2022-38042 Active Directory Domain Services Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-38029 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-38033 Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-35770 Windows NTLM Spoofing Vulnerability No No 6.5 Yes
CVE-2022-37977 Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability No No 6.5 No
CVE-2022-38032 Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability No No 5.9 Yes
CVE-2022-38043 Windows Security Support Provider Interface Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-37985 Windows Graphics Component Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-38026 Windows DHCP Client Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-38034 Windows Workstation Service Elevation of Privilege Vulnerability No No 4.3 Yes
CVE-2022-37981 Windows Event Logging Service Denial of Service Vulnerability No No 4.3 Yes
CVE-2022-38022 Windows Kernel Elevation of Privilege Vulnerability No No 2.5 Yes

Patch Tuesday – September 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/09/13/patch-tuesday-september-2022/

This month’s Patch Tuesday is on the lighter side, with 79 CVEs being fixed by Microsoft (including 16 CVEs affecting Chromium, used by their Edge browser, that were already available). One zero-day was announced: CVE-2022-37969 is an elevation of privilege vulnerability affecting the Log File System Driver in all supported versions of Windows, allowing attackers to gain SYSTEM-level access on an asset where they already have an initial foothold. Interestingly, Microsoft credits four separate researchers/organizations for independently reporting this, which may be indicative of relatively widespread exploitation. Also previously disclosed (in March), though less useful to attackers, is CVE-2022-23960 (aka Spectre-BHB), for which Microsoft has released a fix for Windows 11 on ARM64.

Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premises) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

SharePoint administrators should also be aware of four separate RCEs being addressed this month. They’re ranked Important, meaning Microsoft recommends applying the updates at the earliest opportunity. Finally, a large swath of CVEs affecting OLE DB Provider for SQL Server and the Microsoft ODBC Driver were also fixed. These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file.

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-38007 Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability No No 7.8 Yes

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-38012 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 7.7 Yes
CVE-2022-3075 Chromium: CVE-2022-3075 Insufficient data validation in Mojo No No N/A Yes
CVE-2022-3058 Chromium: CVE-2022-3058 Use after free in Sign-In Flow No No N/A Yes
CVE-2022-3057 Chromium: CVE-2022-3057 Inappropriate implementation in iframe Sandbox No No N/A Yes
CVE-2022-3056 Chromium: CVE-2022-3056 Insufficient policy enforcement in Content Security Policy No No N/A Yes
CVE-2022-3055 Chromium: CVE-2022-3055 Use after free in Passwords No No N/A Yes
CVE-2022-3054 Chromium: CVE-2022-3054 Insufficient policy enforcement in DevTools No No N/A Yes
CVE-2022-3053 Chromium: CVE-2022-3053 Inappropriate implementation in Pointer Lock No No N/A Yes
CVE-2022-3047 Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API No No N/A Yes
CVE-2022-3046 Chromium: CVE-2022-3046 Use after free in Browser Tag No No N/A Yes
CVE-2022-3045 Chromium: CVE-2022-3045 Insufficient validation of untrusted input in V8 No No N/A Yes
CVE-2022-3044 Chromium: CVE-2022-3044 Inappropriate implementation in Site Isolation No No N/A Yes
CVE-2022-3041 Chromium: CVE-2022-3041 Use after free in WebSQL No No N/A Yes
CVE-2022-3040 Chromium: CVE-2022-3040 Use after free in Layout No No N/A Yes
CVE-2022-3039 Chromium: CVE-2022-3039 Use after free in WebSQL No No N/A Yes
CVE-2022-3038 Chromium: CVE-2022-3038 Use after free in Network Service No No N/A Yes

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-26929 .NET Framework Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38013 .NET Core and Visual Studio Denial of Service Vulnerability No No 7.5 No
CVE-2022-38020 Visual Studio Code Elevation of Privilege Vulnerability No No 7.3 Yes

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-37964 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 No

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35805 Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34700 Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability No No 8.8 Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-38008 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-38009 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-37961 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35823 Microsoft SharePoint Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-37962 Microsoft PowerPoint Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-38010 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-37963 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 Yes

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35828 Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability No No 7.8 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35841 Windows Enterprise App Management Service Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-30196 Windows Secure Channel Denial of Service Vulnerability No No 8.2 Yes
CVE-2022-37957 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37954 DirectX Graphics Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38019 AV1 Video Extension Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35838 HTTP V3 Denial of Service Vulnerability No No 7.5 No
CVE-2022-38011 Raw Image Extension Remote Code Execution Vulnerability No No 7.3 Yes
CVE-2022-26928 Windows Photo Import API Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-34725 Windows ALPC Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-37959 Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability No No 6.5 Yes
CVE-2022-35831 Windows Remote Access Connection Manager Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34723 Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-23960 Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability No Yes N/A Yes

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-34718 Windows TCP/IP Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-34721 Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-34722 Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-35834 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35835 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35836 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35840 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34731 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34733 Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34726 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34727 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34730 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34732 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34734 Microsoft ODBC Driver Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-33679 Windows Kerberos Elevation of Privilege Vulnerability No No 8.1 Yes
CVE-2022-33647 Windows Kerberos Elevation of Privilege Vulnerability No No 8.1 Yes
CVE-2022-35830 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-38005 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30200 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-37956 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37955 Windows Group Policy Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34729 Windows GDI Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-38004 Windows Fax Service Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-34719 Windows Distributed File System (DFS) Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-37969 Windows Common Log File System Driver Elevation of Privilege Vulnerability Yes Yes 7.8 Yes
CVE-2022-35803 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35833 Windows Secure Channel Denial of Service Vulnerability No No 7.5 No
CVE-2022-34720 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability No No 7.5 No
CVE-2022-34724 Windows DNS Server Denial of Service Vulnerability No No 7.5 No
CVE-2022-37958 SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability No No 7.5 Yes
CVE-2022-30170 Windows Credential Roaming Service Elevation of Privilege Vulnerability No No 7.3 Yes
CVE-2022-38006 Windows Graphics Component Information Disclosure Vulnerability No No 6.5 Yes
CVE-2022-34728 Windows Graphics Component Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-35832 Windows Event Tracing Denial of Service Vulnerability No No 5.5 No
CVE-2022-35837 Windows Graphics Component Information Disclosure Vulnerability No No 5 Yes
