
November 2023 Patch Tuesday: 58 Vulnerabilities Including Three Actively Exploited Zero-Days

15 November 2023 at 17:27

Microsoft has released security updates for 58 vulnerabilities, including five zero-days, three of which are being actively exploited. One of the zero-days (CVE-2023-36025) is a Windows SmartScreen Security Feature Bypass Vulnerability, the second (CVE-2023-36033) is a privilege escalation vulnerability in the Windows DWM Core Library, and the third (CVE-2023-36036) is another privilege escalation vulnerability affecting the Windows Cloud Files Mini Filter Driver. Three of the 58 vulnerabilities addressed today are rated as Critical, and the remaining 55 are rated as Important. 

November 2023 Risk Analysis

This month’s leading risk type is elevation of privilege (28%), followed by remote code execution (26%) and spoofing (17%).

Figure 1. Breakdown of November 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month (32), followed by Extended Support Updates (17).

Figure 2. Breakdown of product families affected by November 2023 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Enables Windows SmartScreen Security Feature Bypass

Windows SmartScreen has received a patch for CVE-2023-36025. According to Microsoft, by exploiting this vulnerability, “The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts.” This vulnerability requires user interaction — the user would have to click on a specially crafted internet shortcut (.URL) or a hyperlink pointing to an internet shortcut file in order to be compromised by the attacker.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 8.8 | CVE-2023-36025 | Windows SmartScreen Security Feature Bypass |

Table 1. Zero-day in Windows SmartScreen Security Feature

Actively Exploited Zero-Day Vulnerability Affects Windows DWM (Desktop Window Manager) Core Library

CVE-2023-36033 is a publicly disclosed vulnerability affecting the Windows DWM Core Library. This vulnerability could allow an attacker to gain SYSTEM privileges.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability |

Table 2. Zero-day in Windows DWM Core Library

Actively Exploited Zero-Day Affects Windows Cloud Files Mini Filter Driver

CVE-2023-36036 is another vulnerability affecting the Windows Cloud Files Mini Filter Driver being exploited in the wild. Successful exploitation of this flaw could allow an attacker to gain SYSTEM privileges.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2023-36036 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |

Table 3. Zero-day affecting Windows Cloud Files Mini Filter Driver

Critical Vulnerabilities 

CVE-2023-36397, a remote code execution vulnerability rated as Critical, affects Windows Pragmatic General Multicast. To successfully exploit this vulnerability, an attacker would have to send a specifically crafted malicious MSMQ packet to an MSMQ server, leading to remote code execution. This Windows component needs to be enabled for a system to be vulnerable. Microsoft recommends checking if the Message Queuing service is running and TCP port 1801 is listening on the machine; if the service is running and not in use, consider disabling it.

CVE-2023-36400, a privilege escalation vulnerability rated as Critical, affects Windows HMAC Key Derivation. If exploited, this could allow an attacker to gain SYSTEM privileges. According to Microsoft, “A successful attack could be performed from a low privilege Hyper-V guest. The attacker could then traverse the guest’s security boundary to execute code on the Hyper-V host execution environment.”

CVE-2023-36052 is a Critical vulnerability affecting Azure CLI commands. An attacker could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions in public repositories. Customers using the affected CLI commands must update their Azure CLI version to 2.53.1 or above to be protected against the risks of this vulnerability, Microsoft says. This also applies to customers with log files created using these commands through Azure DevOps and/or GitHub Actions.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2023-36397 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
| Critical | 8.8 | CVE-2023-36400 | Windows HMAC Key Derivation Elevation of Privilege Vulnerability |
| Critical | 8.6 | CVE-2023-36052 | Azure CLI REST Command Information Disclosure Vulnerability |

Table 4. Critical vulnerabilities in Windows and Azure

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j and ProxyNotShell, not every highly exploitable vulnerability can be easily patched. It’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.


October 2023 Patch Tuesday: 104 Vulnerabilities Including Three Actively Exploited Zero-Days

10 October 2023 at 23:54

This month marks the 20th anniversary of Patch Tuesday, and Microsoft has released security updates for 104 vulnerabilities, including three zero-days. One of the zero-days (CVE-2023-41763) is an elevation of privilege vulnerability in Microsoft Skype for Business. The second (CVE-2023-36563) is an information disclosure vulnerability in Microsoft WordPad, and the third (CVE-2023-44487) enables a distributed denial-of-service (DDoS) attack technique named “HTTP/2 Rapid Reset.” Twelve of the vulnerabilities addressed today are rated as Critical while the remaining 92 are rated as Important.

October 2023 Risk Analysis

This month’s leading risk type is remote code execution (43%), followed by elevation of privilege (25%) and denial of service (16%).

Figure 1. Breakdown of October 2023 Patch Tuesday attack types


The Microsoft Windows product family received the most patches this month (78), followed by Microsoft Office (7), and Azure (6).

Figure 2. Breakdown of product families affected by October 2023 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Affecting Microsoft Skype for Business

Microsoft Skype for Business has received a patch for CVE-2023-41763, which is rated Important and has a CVSS score of 5.3. This local privilege escalation vulnerability allows an attacker to gain access to sensitive information on a target Skype for Business server. The vulnerability allows an attacker to send specially crafted network calls to the target server and potentially reveal IP addresses and/or ports to the attacker. The proof-of-concept has already been publicly disclosed.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 5.3 | CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability |

Table 1. Zero-day in Microsoft Skype for Business

Actively Exploited Zero-Day Vulnerability Affecting Microsoft WordPad

Microsoft WordPad has received a patch for CVE-2023-36563, which is rated Important and has a CVSS score of 6.5. The vulnerability allows for information disclosure, specifically of NTLM (Windows New Technology LAN Manager) hashes: an attacker could obtain a victim’s NTLM hash through the preview pane when a document is opened. Because NTLM uses these hashes for authentication, they are valuable for gaining account access; an attacker could attempt to crack a stolen hash or use it in an NTLM relay attack. The proof-of-concept has already been publicly disclosed.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 6.5 | CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability |

Table 2. Zero-day in Microsoft WordPad

Actively Exploited Zero-Day Attack Technique Affecting HTTP/2

Microsoft has released an update and workarounds to help protect against denial-of-service attacks exploiting CVE-2023-44487, which is rated Important. This vulnerability in HTTP/2 allows malicious actors to launch DDoS attacks against HTTP/2 servers by sending HTTP requests using HEADERS and RST_STREAM frames in a single connection. By doing this, an attacker can eventually bring down the server through resource exhaustion. Microsoft and many other vendors have already applied mitigations and various protections to their own infrastructure to address Layer 7 request floods.
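The post does not describe the mitigations vendors applied. One widely adopted approach in HTTP/2 server implementations is to cap how many stream resets a single connection may send within a window and to close the connection (GOAWAY) once that cap is exceeded, since a legitimate client resets only a small fraction of the streams it opens. The PowerShell function below, added here as an illustration and not code from Microsoft or any vendor, models that guard over a constructed frame sequence; the function name, the thresholds and the sample frame lists are all assumptions chosen for the demo.

```powershell
# Added illustration of a per-connection reset-rate guard against HTTP/2 Rapid Reset.
# Not Microsoft's or any vendor's code; thresholds and sample frames are constructed.
function Test-RapidReset {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Frames,                 # frame types observed on ONE connection, in order
        [int]$MaxResetsPerWindow = 30,     # resets tolerated per window (assumption)
        [int]$WindowFrames = 100           # window length, measured in frames (assumption)
    )

    $resets    = 0
    $headers   = 0
    $processed = 0

    foreach ($frame in $Frames) {
        $processed++
        switch ($frame) {
            'HEADERS'    { $headers++ }
            'RST_STREAM' { $resets++ }
        }

        # A Rapid Reset client opens a stream (HEADERS) and cancels it (RST_STREAM)
        # immediately, so the server does the work while the client stays cheap.
        # Exceeding the reset budget inside one window is the signal to stop serving
        # the connection rather than keep allocating stream state for it.
        if ($resets -gt $MaxResetsPerWindow) {
            return [pscustomobject]@{
                Verdict         = 'GOAWAY'   # close the connection
                FramesProcessed = $processed
                HeadersInWindow = $headers
                ResetsInWindow  = $resets
            }
        }

        # Start a fresh window so a long-lived, well-behaved connection is not
        # penalised for resets it accumulated hours ago.
        if ($processed % $WindowFrames -eq 0) {
            $resets  = 0
            $headers = 0
        }
    }

    [pscustomobject]@{
        Verdict         = 'OK'
        FramesProcessed = $processed
        HeadersInWindow = $headers
        ResetsInWindow  = $resets
    }
}

# Constructed sample: a normal client cancels roughly one stream in four.
$normalClient = @('HEADERS', 'DATA', 'HEADERS', 'RST_STREAM') * 30

# Constructed sample: a Rapid Reset client cancels every stream it opens.
$floodClient  = @('HEADERS', 'RST_STREAM') * 200

Test-RapidReset -Frames $normalClient
Test-RapidReset -Frames $floodClient
```

With the defaults above the normal client stays within budget and is reported OK, while the flood pattern exhausts the 30-reset budget partway through its first window and gets a GOAWAY verdict. Real servers apply the same idea on live connections with tuned limits and usually combine it with limits on concurrent streams and overall request rate.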

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | N/A | CVE-2023-44487 | MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack |

Table 3. Zero-day distributed denial-of-service (DDoS) attack against HTTP/2

Critical Vulnerabilities Affecting Microsoft Windows

CVE-2023-35349 and CVE-2023-36697 are Critical remote code execution (RCE) vulnerabilities affecting Microsoft Message Queuing (MSMQ), and both have a CVSS score of 9.8. MSMQ has been highlighted in past blogs and continues to be patched. To successfully exploit these vulnerabilities, an attacker would have to send a specifically crafted malicious MSMQ packet to an MSMQ server, leading to remote code execution. This Windows component needs to be enabled for a system to be vulnerable. Microsoft recommends checking if the “Message Queuing” service is running and TCP port 1801 is listening on the machine; if the service is running and not being used, consider disabling it.

CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, CVE-2023-41774 and CVE-2023-38166 are Critical RCE vulnerabilities affecting Layer 2 Tunneling Protocol, and all have a CVSS score of 8.1. For an attacker to take advantage of these vulnerabilities, they would need to win a race condition by sending specially crafted protocol messages to a Routing and Remote Access Service (RRAS) server. This can lead to remote code execution (RCE) on the targeted server.

CVE-2023-36718 is a Critical RCE vulnerability affecting Microsoft Virtual Trusted Platform Module with a CVSS score of 7.8. Successful exploitation of this vulnerability relies on complex memory shaping techniques, and the attacker must already have privileges in the target environment. Operating as a guest user within the virtual machine, an attacker could potentially escape the isolated machine and access resources outside of that protected device.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2023-36718 | Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability |

Table 4. Critical vulnerabilities in Windows 

Out-of-Band Patches for Zero-Day Vulnerabilities Affecting Edge, Teams, Skype and Visual Studio

CVE-2023-4863 is a Critical heap buffer overflow vulnerability in libwebp (WebP image library) in Chromium Open Source Software (OSS) that is utilized by Microsoft Edge (Chromium-based) and has a CVSS score of 8.8. This allows for a remote attacker to perform an out-of-bounds memory write via a specially crafted HyperText Markup Language (HTML) page. Microsoft released security updates to VP9 Video Extension, Skype, WebP Image Extension, Teams and Edge (Chromium-based) on October 4, 2023. The proof-of-concept has already been publicly disclosed and is actively being exploited.

CVE-2023-5346 is a High severity type confusion vulnerability in V8, the JavaScript engine used by Microsoft Edge (Chromium-based). The vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HyperText Markup Language (HTML) page. Microsoft released security updates to Microsoft Edge (Chromium-based) on October 4, 2023.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.8 | CVE-2023-4863 | Chromium: CVE-2023-4863 Heap buffer overflow in WebP |
| High | 8.8 | CVE-2023-5346 | Chromium: CVE-2023-5346 Type Confusion in V8 |

Table 5. Vulnerabilities in Chromium, Edge, Teams, Skype and Visual Studio

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched — as is also the case for the ProxyNotShell vulnerabilities. It’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.


August 2023 Patch Tuesday: Two Actively Exploited Zero-Days and Six Critical Vulnerabilities Addressed

9 August 2023 at 13:02

Microsoft has released security updates for 76 vulnerabilities and two zero-days for its August 2023 Patch Tuesday rollout. One of the zero-days (CVE-2023-38180) is a denial-of-service vulnerability in .NET and Visual Studio. The other zero-day (CVE-2023-36884) received a Defense in Depth update to mitigate a flaw under active attack; however, it is not a patch. Six of the vulnerabilities addressed today are rated as Critical while the remaining 68 are rated as Important and two are Moderate.

August 2023 Risk Analysis

This month’s leading risk type is remote code execution (37%), followed by elevation of privilege (29%) and information disclosure (17%).

Figure 1. Breakdown of August 2023 Patch Tuesday attack types

The Microsoft Windows product family received the most patches this month with 36, followed by Extended Support Updates (25) and Microsoft Office products (15).

Figure 2. Breakdown of product families affected by August 2023 Patch Tuesday

Defense in Depth Update Mitigates an Actively Exploited Zero-Day Vulnerability 

Microsoft Office has released an update for a previously disclosed unpatched vulnerability (CVE-2023-36884). As Microsoft stated, installing this update will stop the attack chain leading to the exploitation of the Windows Search security feature bypass vulnerability. It is recommended that users install the Office updates as well as the Windows updates from August 2023.

| Impact | Severity | CVE | Description |
|---|---|---|---|
| Defense in Depth | Moderate | ADV230003 | Microsoft Office Defense in Depth Update |

Table 1. Zero day in Microsoft Office & Windows

Actively Exploited Zero-Day Vulnerability Affects .NET and Visual Studio

Microsoft .NET & Visual Studio has received a patch for CVE-2023-38180, which is rated Important and has a CVSS of 7.5. The vulnerability allows for a denial-of-service attack. Details of the flaw have not been publicly disclosed.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.5 | CVE-2023-38180 | .NET and Visual Studio Denial of Service Vulnerability |

Table 2. Zero day in Microsoft .NET & Visual Studio

Critical Vulnerabilities Affect Windows

CVE-2023-29328 and CVE-2023-29330 are Critical remote code execution vulnerabilities affecting Microsoft Teams each with a CVSS of 8.8. To exploit these vulnerabilities, the attacker must deceive the victim into joining a malicious Teams meeting, which would allow them an opportunity to execute code on the system remotely. No special privileges are necessary for a successful attack.

CVE-2023-36910, CVE-2023-36911 and CVE-2023-35385 are Critical vulnerabilities affecting Microsoft Message Queuing (MSMQ), and each has a CVSS score of 9.8. In order for an attacker to take advantage of these vulnerabilities, they would need to transmit a specifically designed MSMQ packet to an MSMQ server, leading to remote code execution. Microsoft has provided guidance on best practices and steps to check whether the Message Queuing service is running and TCP port 1801 is listening on a system.
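The November, October and August posts above all relay the same Microsoft guidance for the MSMQ vulnerabilities: check whether the Message Queuing service is running and TCP port 1801 is listening, and disable the service if it is not needed. The PowerShell below, added here as an illustration and not taken from the posts or from Microsoft, automates that check on the local host. It uses only standard Windows cmdlets (Get-Service, Get-NetTCPConnection, Get-Process, Stop-Service, Set-Service) and the standard MSMQ service name; the function names and the Exposed flag are this example's own.

```powershell
# Added example (not from the CrowdStrike posts or Microsoft): runs the recommended
# MSMQ check on the local machine. Use an elevated PowerShell session;
# Get-NetTCPConnection is available on Windows 8 / Windows Server 2012 and later.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801    # MSMQ TCP port named in the posts
    )

    # The Message Queuing service has the short service name MSMQ.
    $service = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Any process listening on the MSMQ port, independent of the service state.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    $owner = $null
    if ($listeners.Count -gt 0) {
        $owner = (Get-Process -Id $listeners[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    $serviceRunning = [bool]$service -and ($service.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Port             = $Port
        ServiceInstalled = [bool]$service
        ServiceStatus    = if ($service) { $service.Status.ToString() }    else { 'NotInstalled' }
        StartType        = if ($service) { $service.StartType.ToString() } else { 'NotInstalled' }
        PortListening    = ($listeners.Count -gt 0)
        ListeningProcess = $owner
        # Exposed (this example's own flag): both conditions from the guidance hold.
        Exposed          = ($serviceRunning -and $listeners.Count -gt 0)
    }
}

# Disable the service only after confirming nothing on the host or in the
# environment depends on MSMQ. Supports -WhatIf so the change can be previewed.
function Disable-MsmqService {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('MSMQ', 'Stop the service and set its startup type to Disabled')) {
        Stop-Service -Name 'MSMQ' -Force -ErrorAction Stop
        Set-Service  -Name 'MSMQ' -StartupType Disabled
    }
}

$exposure = Get-MsmqExposure
$exposure | Format-List

if ($exposure.Exposed) {
    Write-Warning ("Message Queuing is running and TCP port {0} is listening on {1}. " +
                   "If MSMQ is not in use here, run Disable-MsmqService (try -WhatIf first)." -f
                   $exposure.Port, $exposure.ComputerName)
}
```

Running Get-MsmqExposure across a fleet (for example through Invoke-Command) gives a quick inventory of hosts where the vulnerable component is actually reachable, which is the population to prioritise for the MSMQ patches; disabling the service is a compensating control for hosts that cannot be patched immediately, not a substitute for the update.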

CVE-2023-36895 is a Critical vulnerability affecting Microsoft Outlook with a CVSS of 7.8. According to Microsoft, this is an arbitrary code execution flaw. The attack complexity is low and no privileges are required, but Microsoft rates exploitation as less likely.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.8 | CVE-2023-29328 | Microsoft Teams Remote Code Execution Vulnerability |
| Critical | 8.8 | CVE-2023-29330 | Microsoft Teams Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-36910 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-36911 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-35385 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2023-36895 | Microsoft Outlook Remote Code Execution Vulnerability |

Table 3. Critical vulnerabilities in MS Windows

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of security events every day from across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Spotlight vulnerability management can help you quickly and easily discover and prioritize vulnerabilities here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • See how Falcon Spotlight can help you discover and manage vulnerabilities and prioritize patches in your environments. 
  • Learn how CrowdStrike’s external attack surface module, Falcon Surface, can discover unknown, exposed and vulnerable internet-facing assets enabling security teams to stop adversaries in their tracks.
  • Learn how Falcon identity protection products can stop workforce identity threats faster. 
  • Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
  • Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent.