Zero Day Initiative - Blog

What to Expect when Exploiting: A Guide to Pwn2Own Participation

So you’ve heard of Pwn2Own and think you are up to the challenge of competing in the world’s most prestigious hacking competition. Great! We would love to have you! However, there are a few things you should know before we get started. With Pwn2Own Vancouver just around the corner, here are 10 things you need to know before participating in Pwn2Own.

1. You need to register before the contest.

We try to make this as apparent as possible in the rules, but we still have people walk into the room on the first day of the contest hoping to participate. There are a lot of logistics around Pwn2Own, so we need everyone to complete their registration before the contest starts. We can’t support anyone who wants to join on the first day of the competition.

2. You need to answer the vetting email.

Again, the logistics of running the Pwn2Own competition can be daunting. One way we prepare is by vetting all entries before registration closes. We need to understand the nature of your exploit to ensure it fits within the rules and to ensure we have everything we need on hand to run the attempt. For example, we need to know how you plan on demonstrating if the exploit is successful. If you answer, “Our exploit will provide a root shell when it has succeeded” – we know you have a solid plan and that it is within the rules. If you tell us you need to start as an admin user and require four reboots, your entry is unlikely to qualify. We’ll also ask for things like other user interactions or the need for a Man-in-the-Middle (MitM). These could disqualify the entry – or it could be fine. It depends on the target and details, which is why we want to know before the competition. It’s not fair to any of the contestants to have them think their exploit is a winner just to be disqualified during the contest.

3. What should we call you?

We know people enter Pwn2Own to win cash and prizes, but they want recognition, too. We’re more than happy to include your Twitter handle, your company name, or just about anything else. Just let us know. We try to pre-stage a lot of our communications, so an omission or misspelling could take a bit to get fixed, and we want to give contestants the attention they deserve. You’d be surprised how many people wait until during or after the event to clarify how they wish to be mentioned.

4. Will you be participating locally or remotely?

This is a newer question, but opening up the contest to remote participation has allowed many to participate who otherwise could not. However, remote contestants have a few extra hurdles the on-site participants do not. For remote participants, all artifacts must be submitted to the ZDI prior to registration closing. This includes things like the white paper, the exploit, and any further details needed for the entry. Contestants competing in person have until the contest begins to have these deliverables ready.

5. Are you aware a white paper is required for each entry?

This is one aspect that many don’t realize. Each entry in Pwn2Own needs an accompanying white paper describing the vulnerabilities used during the attempt. These white papers are critical in the judging of the competition, especially if exploits from different contestants seem similar. For example, if two groups both use a use-after-free bug against a target, is it the same bug? Maybe. Maybe not. A clearly written white paper will help us understand your research and identify whether it is unique or a bug collision. It also helps the vendor pinpoint the exact place to look at when they start working on the fix.

6. Ask questions before the competition.

There can be a lot of nuances in exploiting targets at Pwn2Own. How will we judge certain scenarios? How will the targets be configured? Does this type of exploit qualify for this bonus? Is the target in this configuration or that configuration? Is this software completely in the default configuration, or is this commonly applied setting used? There are a lot of very reasonable questions to ask before the contest, and we try to answer every one of them the best we can. If you are thinking about participating but have a specific configuration or rule-related questions, please e-mail us. Questions asked over Twitter or other means may not be answered in a timely manner. It might seem archaic to some, but e-mail makes it easier to track inquiries and ensure they get responses.

7. Be prepared for things to go wrong.

Five minutes seems like plenty of time – until you’re on stage at Pwn2Own and there’s a clock counting down. If your first attempt fails, do you have a plan? What are you going to check? Can you adjust your exploit in a meaningful way within the allotted time? Certain types of exploits work better at Pwn2Own than others. For example, timing attacks and race conditions might not be the best choice to use at Pwn2Own. Yes, your exploit may work 100% of the time before you arrive at the contest, but what if it doesn’t when you’re on stage? Make a plan B, and probably a plan C and D as well.

8. Are you participating as an individual, a part of a team, or representing a company?

While we do want maximum participation in each contest, we also need to place some restrictions on how that participation occurs. For example, if you are representing a company, you can’t also participate as an individual. If you are a part of a small team, you can’t also represent a company. This restriction helps keep the contest fair to everyone involved and prevents bug sharing meant to skew the overall results.

9. When you arrive at the contest, take a minute to confirm the target versions.

Before the contest begins – even before we do the drawing for order – we allow contestants to verify configurations and software versions of the targets. We always use the latest and greatest versions of available software as Pwn2Own targets, and vendors are known to release patches right before the competition in a last-ditch attempt to thwart contestants. It’s a good idea to take a minute and double-check the versions in the contest are the same versions you were testing back home. We will communicate the versions before the contest, so you will know what to target.

10. Rub a rabbit’s foot, grab a four-leafed clover, or do whatever else brings you luck.

Thanks to the drawing for order at the beginning of each contest, there is a degree of randomness to the competition. You could end up with a great spot in the schedule, or you could end up late in the contest when the chances for bug collisions are higher. But you can’t rely on luck, either. Some teams will just move on to a new target as soon as they find a bug to try to get as many entries in as possible and hope for a good draw - even if their bugs are low-hanging fruit. However, the teams that really want to compete for Master of Pwn spend a lot of time going deep and finding bugs other teams may miss. Pwn2Own is certainly a competition of skill, but having a little luck (at least good luck) never hurts either.

Of course, there’s a lot more to participating in Pwn2Own than just these 10 things, but these will definitely help you prepare for the competition and, hopefully, increase your chances of winning. We really do root for all of the contestants, and we want to do all we can to increase your chances of success. Still, we need to adjudicate the contest fairly for all competitors. If you are on the fence about participating in Pwn2Own, I hope this guidance helps you find the right path to joining us. We celebrate the 15th anniversary of the contest this year in Vancouver, and we’d love to see you there.


The April 2023 Security Update Review

11 April 2023 at 17:25

It’s the second Tuesday of the month, which means Adobe and Microsoft (and others) have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of the latest offerings from Microsoft and Adobe. If you’d rather watch the video recap, check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for April 2023

For April, Adobe released six bulletins addressing 56 CVEs in Acrobat and Reader, Adobe Digital Editions, InCopy, Substance 3D Designer, Substance 3D Stager, and Adobe Dimension. A total of 47 of these CVEs were reported by ZDI vulnerability researchers Mat Powell and Michael DePlante. The update for Reader is likely the most important. It corrects 16 different CVEs, and 14 of these could lead to arbitrary code execution if a threat actor can get a user to open a specially crafted PDF with an affected version of Reader. This update also includes four CVEs from Abdul-Aziz Hariri of Haboob SA that were a part of his successful demonstration at the recent Pwn2Own Vancouver.

The patch for Adobe Digital Editions corrects a single Critical-rated code execution bug. The fix for InCopy also addresses a lone Critical-rated code execution issue. The other updates are noticeably larger. The update for Substance 3D Designer addresses nine bugs, all of which are rated Critical. The fix for Substance 3D Stager corrects 14 vulnerabilities, 10 of which are rated Critical and could lead to arbitrary code execution. The final patch from Adobe covers Adobe Dimension and corrects 15 unique bugs. A total of 14 of these bugs could lead to arbitrary code execution, with the other being a memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Apple Patches for April 2023

Apple had a couple of CVEs patched last week and yesterday covering two bugs under active attack. CVE-2023-28205 is a UAF in WebKit and can be found in Safari, macOS, and iOS. It can lead to code execution at the level of the logged-on user. It would need to be paired with a privilege escalation to take over a system. The second bug patched by Apple does just that. CVE-2023-28206 is a privilege escalation in the IOSurfaceAccelerator component in macOS and iOS. Apple doesn’t expressly state these were used in conjunction, but they were reported by the same researchers at the same time, so their combined use makes sense.

Microsoft Patches for April 2023

This month, Microsoft released 97 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Windows Defender; SharePoint Server; Windows Hyper-V; PostScript Printer; and Microsoft Dynamics. This is in addition to three Edge (Chromium-based) CVEs previously released and being documented today. That brings today’s total CVE count to an even 100. Six of these bugs were submitted through the ZDI program.

Of the patches released today, seven are rated Critical and 90 are rated Important in severity. While this volume does seem to be in line with past years, the number of remote code execution (RCE) bugs makes up nearly half the release. It’s unusual to see that many RCE fixes in a single month. Also, note that none of the bugs disclosed over Teams during Pwn2Own Vancouver are being addressed by Microsoft this month.

One of the new CVEs is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:

- CVE-2023-28252 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
This is the one bug under active attack this month, and if it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago. To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware. Definitely test and deploy this patch quickly.

- CVE-2023-21554 – Microsoft Message Queuing Remote Code Execution Vulnerability
This is a CVSS 9.8 bug and receives Microsoft’s highest exploitability rating. It allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications. It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks. However, it’s not clear what impact this may have on operations. Your best option is to test and deploy the update.

- CVE-2023-23384 – Microsoft SQL Server Remote Code Execution Vulnerability
This is a silent patch released by Microsoft in February and is just now being documented. The problem of silent patching has already been well documented, so I won’t rehash it here. The patch fixes an OOB Write bug in the SQLcmd tool that could allow a remote, unauthenticated attacker to execute code with elevated privileges. While not listed in the CVSS, the attack complexity seems high since the attacker can only control a few bytes at a time. A server crash is much more likely. If you’re running SQL Server, read the Cumulative Update table to ensure you have both the February and April updates installed.

- CVE-2013-3900 – WinVerifyTrust Signature Validation Vulnerability
That’s no mistake on the CVE number – this is a 10-year-old patch being reissued. And if this bug sounds familiar, it’s because it was used by a threat actor in the recent 3CX attacks. This was an “opt-in” fix in the past, meaning admins had to opt in to get this fix. This revision adds fixes for additional platforms and further recommendations for enterprises. Definitely take the time to review all of the recommendations, including the information on the Microsoft Trusted Root Program, and take the actions needed to protect your environment.

Here’s the full list of CVEs released by Microsoft for April 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-28252 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-28231 | DHCP Server Service Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-28219 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-28220 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2023-21554 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-28291 | Raw Image Extension Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2023-28232 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-28260 | .NET DLL Hijacking Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28312 | Azure Machine Learning Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-28300 | Azure Service Connector Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2023-24860 | Microsoft Defender Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28309 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-28314 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.1 | No | No | XSS |
| CVE-2023-28313 | Microsoft Dynamics 365 Customer Voice Cross-Site Scripting Vulnerability | Important | 6.1 | No | No | XSS |
| CVE-2023-21769 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28302 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28285 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-24883 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-24884 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24885 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24886 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24887 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24924 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24925 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24926 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24927 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24928 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24929 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28243 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28287 | Microsoft Publisher Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28295 | Microsoft Publisher Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28288 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2023-23375 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-23384 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2023-28304 | Microsoft SQL Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28275 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28311 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28268 | Netlogon RPC Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2023-28292 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28267 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-21729 | Remote Procedure Call Runtime Information Disclosure Vulnerability | Important | 4.3 | No | No | Info |
| CVE-2023-21727 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-24893 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28262 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28263 | Visual Studio Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-28296 | Visual Studio Remote Code Execution Vulnerability | Important | 8.4 | No | No | RCE |
| CVE-2023-28299 | Visual Studio Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2023-24914 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28223 | Windows Domain Name Service Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28216 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28218 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28227 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-28249 | Windows Boot Manager Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB |
| CVE-2023-28269 | Windows Boot Manager Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
| CVE-2023-28273 | Windows Clip Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28229 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-28266 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-28277 | Windows DNS Server Information Disclosure Vulnerability | Important | 4.9 | No | No | Info |
| CVE-2023-28254 | Windows DNS Server Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-28255 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28256 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28278 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28305 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28306 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28307 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28308 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-28226 | Windows Enroll Engine Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB |
| CVE-2023-28221 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-24912 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28276 | Windows Group Policy Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2023-28238 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-28244 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2023-28298 | Windows Kernel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2023-28222 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-28236 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28248 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28272 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28293 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28253 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-28271 | Windows Kernel Memory Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-28237 | Windows Kernel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-28235 | Windows Lock Screen Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
| CVE-2023-28270 | Windows Lock Screen Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
| CVE-2023-28217 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28247 | Windows Network File System Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-28240 | Windows Network Load Balancing Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-28225 | Windows NTLM Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28224 | Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2023-28246 | Windows Registry Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28297 | Windows Remote Procedure Call Service (RPCSS) Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-24931 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28233 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28234 | Windows Secure Channel Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28241 | Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-28228 | Windows Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2023-28274 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-28284 * | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Moderate | 4.3 | No | No | SFB |
| CVE-2023-24935 * | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Low | N/A | No | No | Spoofing |
| CVE-2023-28301 * | Microsoft Edge (Chromium-based) Tampering Vulnerability | Low | 4.2 | No | No | Tampering |

* Indicates this CVE had been released prior to today.
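A release list in this flattened form is exactly what a patch-management team has to turn into a deployment order, so here is an added example (not ZDI's code) that parses rows in the table's own format, tallies them the way the article does (new CVEs by severity and type, with the public/exploited flags), and sorts them for deployment. The embedded rows are copied from the table above; the triage policy (exploited first, then public, then severity, then CVSS) is an assumption of this example, not something the page prescribes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the April 2023 table above. Only a subset is embedded so the
# script runs stand-alone; the full list has exactly the same shape.
TABLE_TEXT = """\
CVE Title Severity CVSS Public Exploited Type
CVE-2023-28252 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-28231 DHCP Server Service Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-21554 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-28250 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-28312 Azure Machine Learning Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-28288 Microsoft SharePoint Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2023-24914 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-28284 * Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Moderate 4.3 No No SFB
CVE-2023-24935 * Microsoft Edge (Chromium-based) Spoofing Vulnerability Low N/A No No Spoofing
"""

# One flattened row: CVE id, optional "*" (released before patch day), a
# free-text title, then the fixed trailing columns. The title is matched
# lazily so the anchored tail columns decide where it ends.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<prior>\*\s+)?"
    r"(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?|N/A)\s+"
    r"(?P<public>Yes|No)\s+"
    r"(?P<exploited>Yes|No)\s+"
    r"(?P<type>\S+)$"
)

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]  # None when the table says N/A
    public: bool
    exploited: bool
    type: str
    previously_released: bool  # the "*" marker


def parse_table(text: str) -> List[Entry]:
    """Parse the flattened release table, rejecting any row that does not fit."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("CVE Title"):
            continue  # blank line or the column header
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        cvss = None if m["cvss"] == "N/A" else float(m["cvss"])
        entries.append(Entry(
            cve=m["cve"], title=m["title"], severity=m["severity"], cvss=cvss,
            public=m["public"] == "Yes", exploited=m["exploited"] == "Yes",
            type=m["type"], previously_released=m["prior"] is not None,
        ))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, Counter]:
    """Count the new (not previously released) CVEs by severity, by type and by
    the public/exploited flags, which is how the article tallies a release."""
    new = [e for e in entries if not e.previously_released]
    return {
        "severity": Counter(e.severity for e in new),
        "type": Counter(e.type for e in new),
        "flags": Counter({"exploited": sum(e.exploited for e in new),
                          "public": sum(e.public for e in new)}),
    }


def triage_order(entries: List[Entry]) -> List[str]:
    """Deployment order (an assumed policy, not ZDI's): in-the-wild exploitation
    first, then publicly known bugs, then severity, then CVSS (highest first),
    then CVE id so the order is stable."""
    def key(e: Entry):
        score = e.cvss if e.cvss is not None else 0.0
        return (not e.exploited, not e.public, SEVERITY_RANK[e.severity], -score, e.cve)
    return [e.cve for e in sorted(entries, key=key)]


if __name__ == "__main__":
    rows = parse_table(TABLE_TEXT)
    summary = summarize(rows)
    print("new CVEs:", sum(summary["severity"].values()), dict(summary["severity"]))
    print("by type:", dict(summary["type"]))
    print("flags:", dict(summary["flags"]))
    print("patch first:", triage_order(rows)[:3])
```

Run against the full table, the severity counter reproduces the article's 7 Critical and 90 Important, and the type counter gives the RCE share the article calls "nearly half".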


Looking at the remaining Critical-rated patches, there’s another CVSS 9.8 bug in Pragmatic General Multicast (PGM) that’s similar to the MSMQ bug already discussed. However, this bug is not listed as being as exploitable as the Message Queuing vulnerability. There’s a bug in the DHCP server, but it may not be as severe as it initially seems. It requires a network-adjacent attacker to send an affected DHCP server a specially crafted RPC call. DHCP is not a routable protocol (or a secure one), so external threat actors can’t take advantage of this vulnerability. There are a couple of Critical-rated bugs in the Layer 2 Tunneling Protocol and the Point-to-Point Tunneling Protocol. We’ve seen plenty of similar bugs receive fixes over the last few months, but none have ever been reported as being exploited in the wild. The final Critical-rated bug impacts the Raw Image Extension. Viewing a specially crafted file could allow code execution.

Moving on to the other code execution bugs, the first thing that jumps out is the 11 different patches for the PostScript and PCL6 Class Printer driver. It seems printers will continue to be a security issue for Microsoft for some time to come. There are also eight patches for DNS server to go along with the one already mentioned. These are less severe as they require the attacker to have elevated privileges. There’s a fix for RPC Runtime, but the description is confusing. While the CVSS states low permissions are needed, the description states an unauthenticated attacker could exploit this bug. There’s a patch for the Internet Key Exchange (IKE) protocol, but it requires the IKE and AuthIP IPsec Keying Modules to be running. Note that disabling either of these will adversely impact IPsec functionality, so if you are running these, patch rather than disable services. There’s an RCE bug in the Network Load Balancer that leaves it open to network-adjacent attackers. In this case, it’s recommended to upgrade to the newer Software Load Balancing service, which is listed as not affected. The Bluetooth component receives a patch that would require an attacker to be in close physical proximity to a target. Most of the remaining patches fix open-and-own bugs, including a rare Windows kernel RCE. Most kernel bugs are privilege escalations, so it’s interesting to see an RCE bug in the component.

There are roughly half as many elevation of privilege (EoP) patches as there are RCE patches, and the vast majority of these require an authenticated user to run specially crafted code to elevate to SYSTEM. There are a couple of exceptions worth noting. Both the Kerberos and the Netlogon RPC bugs require a man-in-the-middle (MiTM) attacker. The Kerberos bug could lead to a downgrade of a client's encryption to the RC4-md4 cipher. An attacker could use this to compromise the user's Kerberos session key to elevate privileges. Similarly, an MiTM attacker could intercept Netlogon RPC messages to modify Netlogon protocol traffic to elevate their privileges.

Seven different security feature bypass (SFB) bugs receive patches this month, and this continues the trend of increasing SFB bugs in each release. The first, in the Azure Service Connector, could allow attackers to bypass internal firewall restrictions. There are two different bugs in the Lock Screen that could allow it to be bypassed, but both of these would require physical access. That’s the same for the two bugs in the Windows Boot Manager. The bug in Group Policy is interesting as it would prevent an admin from updating group policies under certain circumstances. The patch for the Windows Enroll Engine fixes a bug that could bypass certificate validation during the account enrollment process. The final SFB bug is in the Driver Revocation List. As the name would imply, the bypass allows an attacker to modify the revocation list, thus allowing drivers to load that are otherwise banned.

Moving on to the information disclosure bugs receiving fixes this month, almost all of them simply result in info leaks consisting of unspecified memory contents. While this may be useful when chaining bugs for an exploit, they aren’t very interesting on their own. The lone exception this month is the info disclosure bug in the Azure Machine Learning component. An attacker could use this bug to read (but not modify) system logs. Instead of a patch, you will need to upgrade your instance of Azure Machine Learning Compute to address the vulnerability.

There are three spoofing-related fixes in the April release. The first is in SharePoint and was reported by ZDI vulnerability researcher Piotr Bazydło. The bug allows a low-privileged attacker with site creation permissions to perform an NTLM relay exploit on affected SharePoint servers. There’s no real information on what the spoofing bugs in Visual Studio and Windows could lead to, but Microsoft does note the Windows spoofing bug requires a target user to open a specially crafted HTML application (HTA) file designed to appear as a signed Windows Imaging Format (WIM) file.

Looking at the denial-of-service (DoS) fixes for April, most of these have no additional information or documentation from Microsoft. The bugs in the Windows Secure Channel only impact devices running TLS version 1.3. The bug in the Network Address Translation (NAT) service is limited to attacker traffic inside the NAT firewall. Finally, the DoS bug in Microsoft Defender may already be remediated on your systems as the Malware Protection Engine is updated frequently. However, if you are in an isolated environment, you will need to manually apply the fix. Also note that Microsoft says the patch also includes “defense-in-depth updates to help improve security-related features,” but doesn’t document what those changes may be.

Finally, there are three cross-site scripting (XSS) bugs in Dynamics 365, which breaks the streak of five XSS bugs in Dynamics seen in each of the last two months. That’s what we call a combo breaker.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on May 9, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The May 2023 Security Update Review

It’s Patch Tuesday once again, and Adobe and Microsoft have released their monthly batch of security updates. Take a break from your regularly scheduled activities and join us as we review the details of the latest offerings from Microsoft and Adobe. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel.

Adobe Patches for May 2023

For May, Adobe released a single bulletin for Substance 3D Painter addressing 11 Critical-rated and 3 Important-rated vulnerabilities. All of these bugs were found and reported by ZDI vulnerability researcher Mat Powell. The most severe of these issues would allow an attacker to execute arbitrary code on an affected system if they can convince a user to open a specially-crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for May 2023

This month, Microsoft released 38 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Microsoft Edge (Chromium-based); SharePoint Server; Visual Studio; SysInternals; and Microsoft Teams. This is in addition to 11 CVEs in Chromium that were previously released for Edge and are now being documented in the Security Updates Guide.

A total of four of these bugs were submitted through the ZDI program. This includes three SharePoint fixes that were reported during the most recent Pwn2Own Vancouver competition. However, none of the other bugs reported at that event have yet been addressed by Microsoft.

Of the new patches released today, seven are rated Critical and 31 are rated Important in severity. May tends to be a smaller month for fixes historically, but this month’s volume is the lowest since August 2021. However, considering just the number of ZDI cases waiting to be patched, this number is expected to rise in the coming months.

One of the new CVEs is listed as under active attack and two are listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the one bug under active attack:

-       CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability
This is the one bug listed as being under active attack at the time of release, and you must go all the way back to May of last year before you find a month where there wasn’t at least one Microsoft bug under active attack. This type of privilege escalation is usually combined with a code execution bug to spread malware. Considering this was reported by an AV company, that seems the likely scenario here. As always, Microsoft offers no information about how widespread these attacks may be.

-       CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability
While the title says OLE, when it comes to this bug, the real component to worry about is Outlook. This vulnerability allows an attacker to execute their code on an affected system by sending a specially crafted RTF e-mail. The Preview Pane is an attack vector, so a target doesn’t even need to read the crafted message. And while Outlook is the more likely exploit vector, other Office applications are also impacted. This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. Although Microsoft offers some workarounds, it’s a better idea to test and deploy this update quickly.

-       CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability
This bug has been given a CVSS of 9.8 and allows a remote, unauthenticated attacker to run arbitrary code on an affected system with elevated privileges. No user interaction is required. Another interesting thing about this vulnerability is that it exists in NFS version 4.1 but not in NFSv2.0 or NFSv3.0. You can mitigate this bug by downgrading to a previous version, but Microsoft warns that you should not use this mitigation unless you have the CVE-2022-26937 patch from May 2022 installed. The better idea is to test and deploy this month’s fix instead.

-       CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This bug was demonstrated by the STAR Labs team during Pwn2Own Vancouver and was part of a chain used to obtain code execution on the target server. While this specific bug requires authentication, during the contest, it was combined with an authentication bypass. This is what would happen in real-world scenarios as well. Although there are other SharePoint fixes being released this month, additional patches will be required to fully address what was disclosed. Hopefully, we’ll see the remaining Pwn2Own fixes in the coming months.

Here’s the full list of CVEs released by Microsoft for May 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-29336 Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-29325 Windows OLE Remote Code Execution Vulnerability Critical 8.1 Yes No RCE
CVE-2023-24932 Secure Boot Security Feature Bypass Vulnerability Important 6.7 Yes No SFB
CVE-2023-24955 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical 7.2 No No RCE
CVE-2023-28283 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-29324 Windows MSHTML Platform Elevation of Privilege Vulnerability Critical 7.5 No No EoP
CVE-2023-24941 Windows Network File System Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-24943 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-24903 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-29340 AV1 Video Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-29341 AV1 Video Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-29333 Microsoft Access Denial of Service Vulnerability Important 3.3 No No DoS
CVE-2023-29350 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2023-24953 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-29344 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-24954 Microsoft SharePoint Server Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-24950 Microsoft SharePoint Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2023-24881 Microsoft Teams Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-29335 Microsoft Word Security Feature Bypass Vulnerability Important 7.5 No No SFB
CVE-2023-24905 Remote Desktop Client Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-28290 Remote Desktop Protocol Client Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-24942 Remote Procedure Call Runtime Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-24939 Server for NFS Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-29343 SysInternals Sysmon for Windows Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-29338 Visual Studio Code Information Disclosure Vulnerability Important 5 No No Info
CVE-2023-24902 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-24946 Windows Backup Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-24948 Windows Bluetooth Driver Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2023-24944 Windows Bluetooth Driver Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-24947 Windows Bluetooth Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-28251 Windows Driver Revocation List Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2023-24899 Windows Graphics Component Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-24904 Windows Installer Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2023-24945 Windows iSCSI Target Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-24949 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-24901 Windows NFS Portmapper Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-24900 Windows NTLM Security Support Provider Information Disclosure Vulnerability Important 5.9 No No Info
CVE-2023-24940 Windows Pragmatic General Multicast (PGM) Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-24898 Windows SMB Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-29354 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Moderate 4.7 No No SFB
CVE-2023-2459 * Chromium: CVE-2023-2459 Inappropriate implementation in Prompts Medium N/A No No RCE
CVE-2023-2460 * Chromium: CVE-2023-2460 Insufficient validation of untrusted input in Extensions Medium N/A No No RCE
CVE-2023-2462 * Chromium: CVE-2023-2462 Inappropriate implementation in Prompts Medium N/A No No RCE
CVE-2023-2463 * Chromium: CVE-2023-2463 Inappropriate implementation in Full Screen Mode Medium N/A No No RCE
CVE-2023-2464 * Chromium: CVE-2023-2464 Inappropriate implementation in PictureInPicture Medium N/A No No RCE
CVE-2023-2465 * Chromium: CVE-2023-2465 Inappropriate implementation in CORS Medium N/A No No RCE
CVE-2023-2466 * Chromium: CVE-2023-2466 Inappropriate implementation in Prompts Low N/A No No RCE
CVE-2023-2467 * Chromium: CVE-2023-2467 Inappropriate implementation in Prompts Low N/A No No RCE
CVE-2023-2468 * Chromium: CVE-2023-2468 Inappropriate implementation in PictureInPicture Low N/A No No RCE

* Indicates this CVE had been released prior to today.
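The flattened table above is easy to eyeball but tedious to act on across dozens of rows each month. As an added example (this is not code from the ZDI post), here is a small Python parser that turns rows in exactly this layout into records and ranks them the way the post’s own prose does: bugs under active attack first, then publicly known bugs, then anything at or above a CVSS cutoff. The sample rows are copied from the table above; the 9.0 cutoff and the function names are my own choices, and rows marked with “*” (released prior to today) are kept but flagged so they can be filtered separately.

```python
"""Parse a Patch Tuesday CVE table (one row per line, whitespace-separated) and rank rows for triage."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: rows copied verbatim from the May 2023 table above, plus the header line.
SAMPLE_TABLE = """\
CVE Title Severity CVSS Public Exploited Type
CVE-2023-29336 Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-29325 Windows OLE Remote Code Execution Vulnerability Critical 8.1 Yes No RCE
CVE-2023-24941 Windows Network File System Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-29333 Microsoft Access Denial of Service Vulnerability Important 3.3 No No DoS
CVE-2023-2459 * Chromium: CVE-2023-2459 Inappropriate implementation in Prompts Medium N/A No No RCE
"""


@dataclass
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]   # None when the table says N/A (third-party rows)
    public: bool
    exploited: bool
    kind: str               # the "Type" column: RCE, EoP, DoS, Info, SFB, Spoofing, XSS ...
    prior_release: bool     # True for rows marked with "*" (released before this Patch Tuesday)


def parse_row(line: str) -> Entry:
    """Split one table row. Titles contain spaces, so the layout is recovered from the ends:
    the first token is the CVE id and the last five tokens are the fixed columns."""
    tokens = line.split()
    if len(tokens) < 7:
        raise ValueError(f"row too short to be a table row: {line!r}")
    cve = tokens[0]
    prior = tokens[1] == "*"
    title_start = 2 if prior else 1
    severity, cvss_text, public, exploited, kind = tokens[-5:]
    title = " ".join(tokens[title_start:-5])
    cvss = None if cvss_text.upper() == "N/A" else float(cvss_text)
    return Entry(cve, title, severity, cvss, public == "Yes", exploited == "Yes", kind, prior)


def parse_table(text: str) -> List[Entry]:
    """Parse every non-empty line that starts with a CVE id; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or not line.startswith("CVE-"):
            continue
        entries.append(parse_row(line))
    return entries


def triage(entries: List[Entry], min_cvss: float = 9.0) -> List[Entry]:
    """Return the rows worth patching first, ordered: exploited, then publicly known,
    then by CVSS. The cutoff is an assumption for this example, not Microsoft guidance."""
    picked = [
        e for e in entries
        if e.exploited or e.public or (e.cvss is not None and e.cvss >= min_cvss)
    ]
    return sorted(picked, key=lambda e: (e.exploited, e.public, e.cvss or 0.0), reverse=True)


def count_by_type(entries: List[Entry]) -> dict:
    """Tally rows per "Type" column, which is how the post itself groups its discussion."""
    counts: dict = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    for e in triage(rows):
        flag = "EXPLOITED" if e.exploited else ("PUBLIC" if e.public else f"CVSS {e.cvss}")
        print(f"{e.cve:<15} {flag:<10} {e.title}")
    print(count_by_type(rows))
```

To use it on a full month, paste the table block into a file and pass its contents to parse_table; the parser only relies on the first token and the last five, so long titles with colons or parentheses (the Chromium and Autodesk rows) are handled without any special casing.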

Looking at the remaining Critical-rated patches, there’s another CVSS 9.8 bug in Pragmatic General Multicast (PGM) that looks identical to the PGM bug patched last month. This could indicate a failed patch or, more likely, a wide attack surface in PGM that is just starting to be explored. There are patches for Critical-rated bugs in the LDAP and SSTP protocols. Finally, there’s an intriguing bug in MSHTML that could allow a remote attacker to escalate to administrator privileges. Microsoft doesn’t provide details here, but they do note some level of privileges are required. As written, it reads as though an authenticated user could browse to a site and gain administrative rights.

Moving on to the other code execution bugs fixed this month, there are the standard open-and-own bugs in Office products. There are a couple of fixes for the AV1 Video Extensions, which are not installed by default. These updates are available from the Windows Store, so if you’re in a disconnected environment, you’ll need to manually apply these fixes. The code execution bug in RDP is somewhat troubling, but it’s in the client, not the server, so that lessens the severity a bit. The bug in Bluetooth requires the attacker to be in close physical proximity. The final RCE patch for May fixes a bug in the NuGet package manager client. Microsoft provides no details on the attack scenario, but it’s likely a client would need to connect to a specially crafted .NET project to be exploited.

In addition to the two already mentioned, there are eight other elevation of privilege (EoP) bugs being fixed this month. Most of these require an authenticated user to run specially crafted code, resulting in code execution at the level of SYSTEM. Like the Bluetooth RCE, the EoP in Bluetooth requires close proximity. The bug in Windows Installer only allows an attacker to delete targeted files rather than escalate to SYSTEM.

There are four security feature bypass (SFB) vulnerabilities being patched this month, including a publicly known bypass of the Secure Boot feature. As is typical, Microsoft does not provide information on where this vulnerability is public; however, they do provide some additional configuration guidance resulting from this change. The bypass in Word would allow attackers to evade Office Protected View. The fix for Edge addresses a bug that could allow an iFrame sandbox escape, but not a full browser sandbox escape. The bug in the Driver Revocation List would allow an attacker to bypass the revocation list feature by modifying it and thus impact the integrity of that list.

The May release contains eight fixes for information disclosure bugs, including a SharePoint bug that was disclosed as a part of Pwn2Own. It was another piece of the SharePoint exploit chain mentioned above. For the most part, the remaining info disclosure bugs merely result in info leaks consisting of unspecified memory contents. There are some notable exceptions. The info disclosure in RDP Client could allow the recovery of plaintext information from TLS-protected data. The vulnerability in Teams could allow an attacker to disclose various “sensitive data,” including a user's full trust token. Although not specified, it’s possible this token could be replayed to impersonate a user. The last info disclosure fix is for Visual Studio. This bug allows attackers to disclose NTLM hashes. Again, it’s possible these hashes could be passed to impersonate other users.

There are five fixes for denial-of-service (DoS) bugs in the release, and four of these are mostly unremarkable. The fifth, however, impacts only the hotpatch version of Windows Server 2022. It also impacts SMB over QUIC, which is a rather interesting VPN-like functionality for SMB. Apart from the DoS in Access, it’s unclear if any of these bugs blue screen the system or merely interrupt service operations. The bug in Access impacts the database connectivity but doesn’t fully deny service.

Finally, there is a spoofing bug in SharePoint receiving a patch this month. It was reported through the ZDI program by an anonymous researcher and could allow an authenticated attacker to cause the server to leak its NTLM hash. Any user on the SharePoint site has the needed permissions.

No new advisories were released this month, but there was a patch re-release of note. CVE-2022-26928 was re-released to add security updates for all affected versions of Microsoft Windows. Microsoft indicates these new updates are needed to “fully address” the bug, which sounds like the original fix from last year was incomplete. Regardless, ensure you don’t miss applying this update to your systems – again.

Looking Ahead

The next Patch Tuesday will be on June 13, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Adventures in Disclosure: When Reporting Bugs Goes Wrong

8 June 2023 at 15:46

The Zero Day Initiative (ZDI) is the world’s largest vendor-agnostic bug bounty program. That means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc. We don’t buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan.

Why Disclose at All?

This is a fine place to start. Why would anyone disclose a bug to a vendor – or anywhere for that matter? In our opinion – disclosure drives action. We hope that the action will be a vendor producing a patch. We hold vendors accountable for producing patches and will release public details if they fail to take action within a reasonable timeline. Wait – what action does this drive? To start, it provides defenders with information they can use to protect their unpatched systems. It also produces additional pressure on the vendor to produce a patch. Just look at this example. And behind the scenes, there are numerous examples of us telling a vendor we’ll 0day the case on Friday only for a patch to “appear” on Wednesday. Of course, not every patch released – scheduled or otherwise – is of perfect quality. That’s one reason we announced special disclosure timelines for bugs resulting from faulty or incomplete patches. We want to drive the action of vendors producing real, effective defenses for the bug reports we send them.

Who Pays for All of This?

This is another area where there’s a lot of public confusion. Many people think the vendors pay us for the bug reports. I wish that were true. The simple fact is that the Trend Micro Zero Day Initiative pays 100% of the cost of the vulnerabilities we acquire. And we pay before we disclose a bug to the vendor, too. Some programs only pay out when a patch is made available. When people realize the ZDI pays for the bugs we purchase, their first question usually is, “Then how do you make money?” That’s the neat part – we don’t! We take the threat intelligence we gain through bug acquisition and add it to our internal research to develop virtual patches and better filters for Trend Micro products. We take no money from other vendors through our standard program. We do have some co-sponsors for Pwn2Own events. For example, Tesla has worked with us for several years, and they are the ones providing the actual Model 3 under test. However, most of the other vendors have products under test that provide no funding at all. In fact, some even refuse to participate in receiving the bug reports even though we don’t ask for any funding or compensation. That was the case in Pwn2Own Toronto for one router vendor, and this is not a unique occurrence. We’ve had other vendors decline participation. We’ve even had a few that acted surprised when we e-mailed them bugs after the contest – even though they had participated in previous events. By the way, you don’t have to be in person to participate. We disclose over Teams/Zoom all the time, even if you’re less than a two-hour drive from being in the room where it happens. It’s free real estate (free bug reports), so it’s always confusing to us as to why vendors don’t want free bugs, but here we are.

What’s the Problem with Disclosure?

Sometimes, there isn’t a problem. We reach out to a vendor’s PSIRT and report the bug. They acknowledge receipt and produce a patch within 120 days. They publish their advisory and let us know we can publish ours. Easy peasy lemon squeezy. Unfortunately, that’s not always the case. Sometimes it’s hardy tardy lemon party. Not every vendor has a “[email protected]” or “[email protected]” e-mail address. It can take some time to find the right place to notify. Not everyone is familiar with ZDI or what we do, so we get some interesting responses. We had one vendor CC their local FBI field office when replying to a bug report. I still don’t know what they expected the FBI to do. We’ve received responses from lawyers threatening all sorts of legal actions. We’ve been at this since 2005, so we’re aware of all the relevant laws (and have had some input on more than one of them). One odd problem we run into is vendors not telling us when a patch is available. We buy lots of bugs and can’t track every step of every report. This means vendors will release a patch we don’t know about, or the advisories are paywalled, or they just choose to not involve us in the public disclosure at all. It isn’t until we inform them that we’re releasing a report as 0day that they tell us the bug was patched last month. The sad fact is that plenty of vendors do not have a robust and efficient sustained engineering program to handle bug reports, patch releases, and customer notification. In fact, it’s becoming increasingly rare to find a well-run PSIRT, and it’s something as an industry we should all be worried about.

Why Does It Have to Be So Hard?

Sustained engineering and running a PSIRT are not trivial. We know this. Many people on the ZDI team come from that world, so we intimately know the problems that can arise. But we have seen a disturbing trend over the last few years of companies disinvesting in these areas. We’ve already seen companies outsource support to third parties. Now, they are outsourcing PSIRT responsibilities as well. Even though many in our industry have seen this decline in quality occur, there have been no negative consequences to vendors who do not patch well. No one is losing market share due to bad patches. The insurance companies that are paying out ransomware fees aren’t chasing vendors for higher-quality fixes. There’s no legislation enacted to hold vendors accountable for poor disclosure practices. Quite frankly, this decline will likely continue until there are negative consequences.

If I Report a Bug, Do I Have to Do All of This?

If you report a bug to the ZDI, we handle the disclosure process entirely. We’ll keep you informed of course, but we handle all the interactions with the vendor. That’s one of the primary benefits of working with the ZDI (aside from us paying you cash). We find the e-mail address. We handle the questions from the vendor. We respond to requests for more info, or stack traces, or proof of concept, or (in rare cases) demonstration videos. Yes – we really had a vendor ask for a video. When necessary, we assign a CVE. We monitor releases as much as we can, and when the vendor informs us it’s fixed, we publish our advisory. You say you want to publish a blog about the bug after the patch is available? No problem – just let us know ahead of time. We may even offer to host it for you. In other words, you’ve already done the hard part of finding the bug. Let us do the next hard part of disclosing the bug to the vendor.

Today I Learned…

Hopefully, this blog has educated you on something about our program. Maybe it reinforced something you already knew. Maybe you learned something new today. Hopefully, I was able to answer some questions you may have had about our program or disclosing bugs in general. Finding, disclosing, and fixing bugs are three different processes, and none of those processes are inconsequential. Here at the ZDI, we try to improve all three areas wherever we can. ZDI researchers find a multitude of bugs on their own – pretty much whenever they aren’t working on bugs submitted to the program. We disclose bugs at a wholesale rate. We might not get every one of these reports 100% right, but we get plenty of chances to get better. Finally, we work with any willing vendor to help them improve their response process. When they are willing to learn, we walk vendors through the PSIRT process and provide them guidance on what to expect since they may not understand how it works.

While these problems may not be something that affects you personally, they do have a negative impact on the industry at large. Exploits resulting from failed patches and variant vulnerabilities are being used in the wild. This isn’t an opinion – it’s based on data seen by our sensors and our competitors. And a lot of that starts with improving the disclosure process. We certainly will keep buying and disclosing bugs at a high rate. Hopefully, we can see some improvement in this process in the years to come.

Until then, be sure to follow us on Twitter, Mastodon, LinkedIn, or Instagram for the latest updates from the ZDI.

The June 2023 Security Update Review

13 June 2023 at 17:28

It’s the second Tuesday of the month, which means Adobe and Microsoft have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, check out the Patch Report webcast on our YouTube channel.

Adobe Patches for June 2023

For June, Adobe released four patches addressing 18 CVEs in Adobe Commerce, Substance 3D Designer, Adobe Animate, and Experience Manager. The bug in Substance 3D Designer was found by ZDI researcher Mat Powell and could lead to arbitrary code execution when opening a specially crafted file. The patch for Commerce is the largest this month with a dozen total fixes. Most of these are Important- or Moderate-rated Security Feature Bypasses (SFB), but there is a lone Critical-rated code execution bug in there as well. The fix for Adobe Animate also addresses a lone code execution bug. The patch for Experience Manager fixes four bugs, but none are Critical. There are three Important-rated cross-site scripting (XSS) bugs getting fixes plus one more SFB.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for June 2023

This month, Microsoft released 69 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Exchange Server; Microsoft Edge (Chromium-based); SharePoint Server; .NET and Visual Studio; Microsoft Teams; Azure DevOps; Microsoft Dynamics; and the Remote Desktop Client. This is in addition to 25 CVEs that were previously released by third parties and are now being documented in the Security Updates Guide.

A total of five of these bugs were submitted through the ZDI program. This includes fixes for some of the bugs submitted at the Pwn2Own Vancouver contest. The SharePoint and local privilege escalations should be addressed with these fixes. However, we’re still awaiting the fixes for the Teams bugs demonstrated during the competition.

Of the new patches released today, six are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This volume of fixes is slightly larger than the typical number of fixes for June, but not extraordinarily so. July tends to be a larger month as it is the last Patch Tuesday before the Black Hat USA conference. It will be interesting to see if this trend continues.

None of the CVEs released today are listed as being publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a familiar-looking bug in the Exchange Server:

-       CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability
This vulnerability was discovered by ZDI researcher Piotr Bazydło and is a bypass of both CVE-2022-41082 and CVE-2023-21529. The former was listed as being under active exploit. The specific flaw exists within the Command class. The issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. While this does require the attacker to have an account on the Exchange server, successful exploitation could lead to executing code with SYSTEM privileges.

-       CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability
This bug was one of the bugs chained together during the Pwn2Own Vancouver contest held back in March. This particular bug was used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft recommends enabling the AMSI feature to mitigate this vulnerability, but we have not tested the efficacy of this action. The best bet is to test and deploy the update as soon as possible.

-       CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
These three bugs look identical on paper, and all are listed as a CVSS 9.8. They allow a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row for PGM to have a CVSS 9.8 bug addressed, and it’s beginning to be a bit of a theme. While not enabled by default, PGM isn’t an uncommon configuration. Let’s hope these bugs get fixed before any active exploitation starts.

-       CVE-2023-3079 – Chromium: CVE-2023-3079 Type Confusion in V8
This CVE shouldn’t be news to anyone as it was released by the Chrome team back on June 1. However, since it’s listed as being under active attack, I wanted to highlight it for anyone who may have missed it due to graduations, vacations, or other distractions. This is a type confusion bug in Chrome that could lead to code execution at the level of the logged-on user. It’s also the second type confusion bug in Chrome to be actively exploited this year. Definitely make sure your Chromium-based browsers (including Edge) are up to date.

Here’s the full list of CVEs released by Microsoft for June 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-24897 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2023-29357 Microsoft SharePoint Server Elevation of Privilege Vulnerability Critical 9.8 No No EoP
CVE-2023-32013 Windows Hyper-V Denial of Service Vulnerability Critical 6.5 No No DoS
CVE-2023-29363 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-32014 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-32030 .NET and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-32032 .NET and Visual Studio Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2023-33135 .NET and Visual Studio Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2023-33126 .NET and Visual Studio Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-33128 .NET and Visual Studio Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-29331 .NET Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-29326 .NET Framework Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-24895 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-27909 * AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK 2020 or prior Important 7.8 No No RCE
CVE-2023-27910 * AutoDesk: CVE-2023-27910 stack buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior Important 7.8 No No RCE
CVE-2023-27911 * AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior Important 7.8 No No RCE
CVE-2023-21565 Azure DevOps Server Spoofing Vulnerability Important 7.1 No No Spoofing
CVE-2023-21569 Azure DevOps Server Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2023-29355 DHCP Server Service Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2023-25652 * GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write Important 7.5 No No N/A
CVE-2023-25815 * GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place Important 3.3 No No N/A
CVE-2023-29007 * GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit` Important 7.8 No No N/A
CVE-2023-29011 * GitHub: CVE-2023-29011 The config file of `connect.exe` is susceptible to malicious placing Important 7.5 No No N/A
CVE-2023-29012 * GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists Important 7.2 No No N/A
CVE-2023-29367 iSCSI Target WMI Provider Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-24896 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2023-33145 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-32029 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-33133 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-33137 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-28310 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-32031 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-29373 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-33146 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-33140 Microsoft OneNote Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2023-33131 Microsoft Outlook Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2023-32017 Microsoft PostScript Printer Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-32024 Microsoft Power Apps Spoofing Vulnerability Important 3 No No Spoofing
CVE-2023-33129 Microsoft SharePoint Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-33142 Microsoft SharePoint Server Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2023-33130 Microsoft SharePoint Server Spoofing Vulnerability Important 7.3 No No Spoofing
CVE-2023-33132 Microsoft SharePoint Server Spoofing Vulnerability Important 6.3 No No Spoofing
CVE-2023-29372 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-29346 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-29337 NuGet Client Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2023-29362 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-29369 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-29353 Sysinternals Process Monitor for Windows Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2023-33144 Visual Studio Code Spoofing Vulnerability Important 5 No No Spoofing
CVE-2023-33139 Visual Studio Information Disclosure Vulnerability Important 7.8 No No Info
CVE-2023-29359 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-29364 Windows Authentication Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-32010 Windows Bus Filter Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-29361 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-32009 Windows Collaborative Translation Framework Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2023-32012 Windows Container Manager Service Elevation of Privilege Vulnerability Important 6.3 No No EoP
CVE-2023-24937 Windows CryptoAPI Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2023-24938 Windows CryptoAPI Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2023-32020 Windows DNS Spoofing Vulnerability Important 3.7 No No Spoofing
CVE-2023-29358 Windows GDI Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-29366 Windows Geolocation Service Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-29351 Windows Group Policy Elevation of Privilege Vulnerability Important 8.1 No No EoP
CVE-2023-32018 Windows Hello Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-32016 Windows Installer Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-32011 Windows iSCSI Discovery Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-32019 Windows Kernel Information Disclosure Vulnerability Important 4.7 No No Info
CVE-2023-29365 Windows Media Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-29370 Windows Media Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-29352 Windows Remote Desktop Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2023-32008 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-32022 Windows Server Service Security Feature Bypass Vulnerability Important 7.6 No No SFB
CVE-2023-32021 Windows SMB Witness Service Security Feature Bypass Vulnerability Important 7.1 No No SFB
CVE-2023-29368 Windows TCP/IP Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-29360 Windows TPM Device Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-29371 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-33141 Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-24936 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability Moderate 8.1 No No RCE
CVE-2023-33143 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Moderate 7.5 No No EoP
CVE-2023-29345 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Low 6.1 No No SFB
CVE-2023-3079 * Chromium: CVE-2023-3079 Type Confusion in V8 High N/A No Yes RCE
CVE-2023-2929 * Chromium: CVE-2023-2929 Out of bounds write in Swiftshader High N/A No No RCE
CVE-2023-2930 * Chromium: CVE-2023-2930 Use after free in Extensions High N/A No No RCE
CVE-2023-2931 * Chromium: CVE-2023-2931 Use after free in PDF High N/A No No RCE
CVE-2023-2932 * Chromium: CVE-2023-2932 Use after free in PDF High N/A No No RCE
CVE-2023-2933 * Chromium: CVE-2023-2933 Use after free in PDF High N/A No No RCE
CVE-2023-2934 * Chromium: CVE-2023-2934 Out of bounds memory access in Mojo High N/A No No RCE
CVE-2023-2935 * Chromium: CVE-2023-2935 Type Confusion in V8 High N/A No No RCE
CVE-2023-2936 * Chromium: CVE-2023-2936 Type Confusion in V8 High N/A No No RCE
CVE-2023-2937 * Chromium: CVE-2023-2937 Inappropriate implementation in Picture In Picture Medium N/A No No N/A
CVE-2023-2938 * Chromium: CVE-2023-2938 Inappropriate implementation in Picture In Picture Medium N/A No No N/A
CVE-2023-2939 * Chromium: CVE-2023-2939 Insufficient data validation in Installer Medium N/A No No N/A
CVE-2023-2940 * Chromium: CVE-2023-2940 Inappropriate implementation in Downloads Medium N/A No No N/A
CVE-2023-2941 * Chromium: CVE-2023-2941 Inappropriate implementation in Extensions API Low N/A No No N/A

* Indicates this CVE had been released prior to today.

There are only two other Critical-rated bugs in this month’s release. The first is in what appears to be all supported versions of .NET, .NET Framework, and Visual Studio. It’s an open-and-own sort of exploit, but judging by the Critical rating, it appears there are no warning dialogs when opening the dodgy file. The final Critical-rated fix for June addresses a Denial-of-Service (DoS) bug in the Hyper-V server. The Critical rating here implies a guest OS could potentially shut down the host OS, or at least cause some form of DoS condition.

Moving on to the other code execution bugs fixed this month, there is the standard complement of open-and-own bugs in Office components and services. There are also a few more RCE bugs in .NET, .NET Framework, and Visual Studio. This includes the lone Moderate-rated bug, which surprisingly still comes in at a CVSS of 8.1. It’s implied (but not stated) that there would be some warning dialog when opening a crafted XML file, thus lowering the severity. There’s another bug in Exchange that allows network-adjacent, authenticated attackers to achieve RCE via a PowerShell remoting session. You rarely see RCE bugs with a physical component, but that’s the case for the vulnerability in the Windows Resilient File System (ReFS). An attacker could gain code execution either by mounting a specially crafted VHD or by inserting a malicious USB drive. There’s a fix for the RDP client, but since it requires connecting to a malicious RDP server, it’s not as concerning. That’s similar to the two bugs that require connecting to an attacker’s SQL server. The final code execution bug is in our old frenemy, the PostScript Printer Driver. Again, a user would need to open a specially crafted file on an affected system to trigger the RCE.

Looking at the Elevation of Privilege (EoP) bugs receiving fixes this month, the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to attackers running code at SYSTEM level. The EoP bugs in .NET and Visual Studio lead to some different scenarios, such as gaining some understanding of the filesystem layout or gaining the rights of the user running an affected application. The Moderate-rated EoP in Edge could allow a browser sandbox escape.

The June release includes fixes for four security feature bypass (SFB) bugs, and two of these involve bypassing an RPC procedure check. They could allow the execution of RPC procedures that should otherwise be restricted when making calls to an SMB server. The bug in RDP requires someone to open a specially crafted file, but if an attacker can convince the user to take that action, they could bypass certificate or private key authentication when establishing a remote desktop protocol session. The final SFB patch is the Low-severity bug in Edge that could allow attackers to bypass the permissions dialog feature when clicking on a URL.

There’s an unusually large number of spoofing bugs receiving patches this month. There are two bugs in the Azure DevOps Server that could be exploited to gain data available to the current user. An attacker could manipulate the website’s DOM by adding or removing elements and, with a crafted script, perform actions in Azure DevOps (ADO) in the current user’s context without the user’s consent or awareness. There’s little detail provided about the SharePoint bugs, but spoofing in SharePoint generally equates to cross-site scripting (XSS). The bug in the Power Apps component almost acts like an information disclosure, as successful exploitation would allow the attacker to read information in the target’s browser associated with a vulnerable URL. Little detail is provided about the other spoofing bugs other than to say user interaction is required to trigger them.

There are only five patches addressing information disclosure bugs this month, and as usual, the majority result in info leaks consisting of unspecified memory contents. The two exceptions are for Edge and the DHCP service. The bug in the DHCP server could allow an attacker to learn the IP address pool information of affected systems. The Edge bug could disclose IDs, tokens, nonces, and other sensitive information when following malicious URLs. Considering how much is done in the browser these days, that information could prove quite useful to threat actors.

Looking at the remaining DoS fixes for June, the vast majority have no details. It’s not clear whether an attack would impact only the component or the entire system. The bugs in the CryptoAPI service may impact authentication actions, but that’s just speculation based on the component. Microsoft does specify the SharePoint bug only crashes the application. The bug in the Sysinternals Process Monitor likely only crashes the application. For that fix, you’ll need to access the Microsoft Store. If you have updates enabled, you should get it automatically. However, if you’re in a disconnected or otherwise isolated environment, you’ll need to get the Sysinternals MSIX package.

The June release is rounded out with a fix for a single XSS bug in Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on July 11, and we’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The July 2023 Security Update Review

11 July 2023 at 17:30

It’s the second Tuesday of the month, which means Adobe and Microsoft have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here.

Apple Patches for July 2023

Apple doesn’t conform to “Patch Tuesday,” but they started things off yesterday with an emergency patch for macOS, iOS, and iPadOS. The bug in WebKit is labeled as CVE-2023-34750. Apple notes the vulnerability has been reported to be under active attack. Apple terms these emergency patches “Rapid Security Response (RSR)” and reserves them for the most critical components where exploitation has been detected in the wild. Apple also notes this update is causing problems rendering certain websites. You should expect an update in the near future. I would anticipate this CVE to be patched on other supported macOS versions soon as well.

Adobe Patches for July 2023

For July, Adobe released two patches addressing 15 CVEs in Adobe InDesign and ColdFusion. The patch for ColdFusion is arguably more critical as it contains a CVSS 9.8-rated remote code execution bug. The bulletin also recommends reading (and implementing) the ColdFusion Lockdown guide and updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable. The fix for InDesign corrects one Critical and 11 Important-rated bugs. The most severe of these could lead to code execution when opening a specially crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for July 2023

This month, Microsoft released 130 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; .NET and Visual Studio; Azure Active Directory and DevOps; Microsoft Dynamics; Printer Drivers; DNS Server; and Remote Desktop. One of these CVEs was reported through the ZDI program, but if you check out our upcoming page, you’ll find quite a few more awaiting resolution.

Of the new patches released today, nine are rated Critical and 121 are rated Important in severity. This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference. It will be interesting to see if the August release, which comes the day before the Black Hat briefings, will also be a large release.

One of the CVEs released today is listed as being publicly known, but five(!) are listed as being under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the multiple bugs currently being exploited in the wild:

-       CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability
Of the five active attacks receiving patches today, this is arguably the most severe. Microsoft states they are aware of targeted exploits using this bug in specially crafted Office documents to get code execution on targeted systems. For now, the keyword there is “targeted”. However, Microsoft has taken the odd action of releasing this CVE without a patch. That’s still to come. Their Threat Intelligence team has released this blog with some guidance. Oh, and Microsoft lists this as “Important”. I recommend treating it as Critical.

-       CVE-2023-35311 - Microsoft Outlook Security Feature Bypass Vulnerability
This bug is listed as being under active exploit, but as always, Microsoft provides no information on how broadly these attacks are spread. The bug allows attackers to bypass an Outlook Security Notice prompt after clicking a link. This is likely being paired with some other exploit designed to execute code when opening a file. Outlook should pop a warning dialog, but this vulnerability evades that user prompt. Considering how broadly Outlook is used, this should be your first priority for test and deployment.

-       CVE-2023-36874 - Windows Error Reporting Service Elevation of Privilege Vulnerability
This is the second bug listed as under active attack for July, but it doesn’t affect every user on a system. To elevate to administrative privileges, an attacker would need to have access to a user account with the ability to create folders and performance traces on the target system. Standard user accounts don’t have these permissions by default. Privilege escalations are often combined with code execution exploits to spread malware, and that’s likely the case here as well.

-       CVE-2023-32046 - Windows MSHTML Platform Elevation of Privilege Vulnerability
This bug is also listed as being under active attack this month, but it’s not a straightforward privilege escalation. Instead of granting the attacker SYSTEM privileges, it only elevates to the level of the user running the affected application. Of course, many applications run with elevated privileges, so this point may be moot. It still requires a user to click a link or open a file, so remain wary of suspicious-looking attachments or messages.

-       CVE-2023-32049 - Windows SmartScreen Security Feature Bypass Vulnerability
The final exploited bug this month is in the SmartScreen filter. Similar to the Outlook SFB, the bug in SmartScreen allows attackers to evade warning dialog prompts. Again, a user would need to click a link or otherwise take an action to open a file for an attacker to use this. This is likely being paired with another exploit in the wild to take over a system or at least install some form of malware on a target.

-       CVE-2023-32057 - Microsoft Message Queuing Remote Code Execution Vulnerability
Not only is this tied for the highest-rated CVSS (9.8) bug this month, but it’s also nearly identical to a CVE patched back in April. It was even reported by the same researcher. That has all the hallmarks of a failed patch. Either way, this bug could allow unauthenticated remote attackers to execute code with elevated privileges on affected systems where the message queuing service is enabled. You can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly. Let’s also hope the quality of this patch is higher than the last one.
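The port-block mitigation mentioned above, as an added example that is not part of the original post: this PowerShell snippet first checks whether the Message Queuing service is present and whether anything is actually listening on TCP 1801, and only then adds an inbound block rule. The rule's display name and the helper function names are assumptions for illustration; the cmdlets are the standard Windows NetSecurity and NetTCPIP ones.

```powershell
# Added example (not from the ZDI post): assess exposure of the Message Queuing
# service ahead of patching CVE-2023-32057, then apply the temporary port-block
# mitigation the post mentions. Function and rule names are assumptions.

function Get-MsmqExposure {
    # The Message Queuing Windows service is named "MSMQ"; if it is absent,
    # the feature is not installed and the port-block rule is not needed.
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    # A listening socket on TCP 1801 is what a remote attacker would reach.
    $listening = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MsmqInstalled = [bool]$svc
        MsmqStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Port1801Open  = [bool]$listening
        OwningPids    = @($listening | ForEach-Object { $_.OwningProcess }) -join ','
    }
}

function Set-MsmqPortBlock {
    param([string]$RuleName = 'Block inbound MSMQ TCP 1801 (temporary mitigation)')
    # Idempotent: do not create a duplicate rule on repeated runs.
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 1801 -Action Block -Profile Any -Enabled True
}

# Run as an administrator. Report first, then block only where the service is
# installed and the port is actually exposed.
$exposure = Get-MsmqExposure
$exposure | Format-List
if ($exposure.MsmqInstalled -and $exposure.Port1801Open) {
    Set-MsmqPortBlock | Select-Object DisplayName, Enabled, Direction, Action
}
```

Blocking 1801 also breaks legitimate MSMQ traffic, so use the rule only on hosts that do not need to receive queue messages, and remove it (Remove-NetFirewallRule -DisplayName with the same name) once the update is deployed.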

Here’s the full list of CVEs released by Microsoft for July 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability Important 8.3 Yes Yes RCE
CVE-2023-35311 Microsoft Outlook Security Feature Bypass Vulnerability Important 8.8 No Yes SFB
CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-32046 Windows MSHTML Platform Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-32049 Windows SmartScreen Security Feature Bypass Vulnerability Important 8.8 No Yes SFB
CVE-2023-32057 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-33157 Microsoft SharePoint Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-33160 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-35315 Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-35297 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 7.5 No No RCE
CVE-2023-35352 Windows Remote Desktop Security Feature Bypass Vulnerability Critical 7.5 No No SFB
CVE-2023-35365 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-35366 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-35367 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-36871 Azure Active Directory Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2023-33127 .NET and Visual Studio Elevation of Privilege Vulnerability Important 8.1 No No EoP
CVE-2023-35348 Active Directory Federation Service Security Feature Bypass Vulnerability Important 7.5 No No SFB
CVE-2023-32055 Active Template Library Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2023-33170 ASP.NET Core Security Feature Bypass Vulnerability Important 8.1 No No SFB
CVE-2023-36869 Azure DevOps Server Spoofing Vulnerability Important 6.3 No No Spoofing
CVE-2023-35320 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35353 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-32084 HTTP.sys Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-35298 HTTP.sys Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-33152 Microsoft Access Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2023-33156 Microsoft Defender Elevation of Privilege Vulnerability Important 6.3 No No EoP
CVE-2023-33171 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2023-35335 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 8.2 No No XSS
CVE-2023-33162 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-33158 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-33161 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-32083 Microsoft Failover Cluster Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-32033 Microsoft Failover Cluster Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2023-35333 Microsoft Media-Wiki Extensions Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2023-32044 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-32045 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-35309 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2023-32038 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-33148 Microsoft Office Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-33149 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-33150 Microsoft Office Security Feature Bypass Vulnerability Important 9.6 No No SFB
CVE-2023-33153 Microsoft Outlook Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2023-33151 Microsoft Outlook Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2023-32039 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-32040 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-32085 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-35296 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-35306 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-35324 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-35302 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-32052 Microsoft Power Apps Spoofing Vulnerability Important 6.3 No No Spoofing
CVE-2023-33134 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-33165 Microsoft SharePoint Server Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2023-33159 Microsoft SharePoint Server Spoofing Vulnerability Important 8.8 No No Spoofing
CVE-2023-35347 Microsoft Store Install Service Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2023-35312 Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2023-35373 Mono Authenticode Validation Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2023-32042 OLE Automation Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-32047 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-35374 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-32051 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-32034 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-32035 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-33164 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-33166 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-33167 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-33168 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-33169 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-33172 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-33173 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-35314 Remote Procedure Call Runtime Denial of Service Vulnerability Important 5.3 No No DoS
CVE-2023-35318 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-35319 Remote Procedure Call Runtime Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-35316 Remote Procedure Call Runtime Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-35300 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-35303 USB Audio Class System Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36867 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-32054 Volume Shadow Copy Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2023-36872 VP9 Video Extensions Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-35337 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35350 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-35351 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2023-29347 Windows Admin Center Spoofing Vulnerability Important 8.7 No No Spoofing
CVE-2023-35329 Windows Authentication Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-35326 Windows CDP User Components Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-35362 Windows Clip Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-33155 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35340 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35299 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35339 Windows CryptoAPI Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-33174 Windows Cryptographic Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-35321 Windows Deployment Services Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-35322 Windows Deployment Services Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-35310 Windows DNS Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2023-35344 Windows DNS Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2023-35345 Windows DNS Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2023-35346 Windows DNS Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2023-35330 Windows Extended Negotiation Denial of Service Vulnerability Important 6.2 No No DoS
CVE-2023-35343 Windows Geolocation Service Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-35342 Windows Image Acquisition Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-32050 Windows Installer Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-32053 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35304 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35305 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35356 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35357 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35358 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35360 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-35361 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-35363 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35364 Windows Kernel Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2023-32037 Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-35331 Windows Local Security Authority (LSA) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-35341 Windows Media Information Disclosure Vulnerability Important 6.2 No No Info
CVE-2023-35308 Windows MSHTML Platform Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2023-35336 Windows MSHTML Platform Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2023-21526 Windows Netlogon Information Disclosure Vulnerability Important 7.4 No No Info
CVE-2023-33163 Windows Network Load Balancing Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2023-35323 Windows OLE Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-35313 Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability Important 6.7 No No RCE
CVE-2023-33154 Windows Partition Management Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35338 Windows Peer Name Resolution Protocol Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-35325 Windows Print Spooler Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-35332 Windows Remote Desktop Protocol Security Feature Bypass Important 6.8 No No SFB
CVE-2023-32043 Windows Remote Desktop Security Feature Bypass Vulnerability Important 6.8 No No SFB
CVE-2023-32056 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35317 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35328 Windows Transaction Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-32041 Windows Update Orchestrator Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-21756 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP

Looking at the other Critical-rated patches, the three bugs in the Routing and Remote Access Service (RRAS) stand out. All have a CVSS of 9.8 and allow a remote, unauthenticated attacker to execute code at the level of the service by merely sending a specially-crafted packet. That makes these bugs wormable – albeit only between systems with RRAS enabled. It’s not on by default. There are two patches for SharePoint server. Both require authentication, but the level required is the default for any regular SharePoint user. The bug in the Layer-2 Bridge Network Driver is really a guest-to-host code execution bug. Someone on a guest VM could execute code on the underlying host OS. The bug in PGM also has a network adjacent requirement and could be seen on VMs. The Security Feature Bypass (SFB) in Remote Desktop would allow an attacker to bypass certificate or private key authentication when establishing a remote desktop protocol session. Considering how much RDP is targeted by ransomware gangs, I would expect to see this incorporated into their toolkits.  

Looking at the remaining 24 remote code execution patches, many are the open-and-own variety in Office and Windows components. Of the others, everything old is new again. There’s a fix for the printer driver to remind us of PrintNightmare. There are more SharePoint RCEs, and like the ones previously mentioned, they do require authentication. There’s an RPC bug that’s reminiscent of RPC bugs from the early 2000s. There’s another Message Queuing patch, although this one doesn’t have the failed-patch hallmarks of the one previously mentioned. There’s a fix for an Outlook RCE, but the Preview Pane is not an attack vector. There are four bugs in the DNS Server, but all require elevated privileges for exploitation. That’s the same for the two Active Directory Certificate Services (AD CS) vulnerabilities. An attacker would need Certificate Authority (CA) read access permissions, which are restricted to domain admins by default. Speaking of admin credentials, the bug in the Online Certificate Status Protocol (OCSP) SnapIn requires an attacker to compromise admin credentials. I’m a little surprised Microsoft chose to fix this as a security patch. The patch for Windows Deployment Services is interesting in that it requires no user interaction, but it does require authentication. Finally, the bug in Network Load Balancing would allow RCE to unauthenticated attackers, but only if they are network adjacent.

Moving on to the Elevation of Privilege (EoP) bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to attackers running code at SYSTEM level. This includes 11 fixes for the kernel and Win32k. There’s a fix for Active Template Libraries (ATL) that personally makes me twitch, but I ran the case behind MS09-035 and the myriad of applications it affected. The EoP in .NET and Visual Studio would allow an attacker to elevate to the rights of the user running the application. That’s also true for the bug in Volume Shadow Copy. The bug in volsnap.sys could allow an attacker to elevate to administrator, which is different than SYSTEM, but just barely. The final EoP patch for July is in Office. It would allow an attacker to make RPC calls that are restricted to local clients only.

There are nine more SFB patches to go along with the two already mentioned. The bug in the Active Directory Federation Service is a bit of an odd one. An attacker could bypass the TPM by crafting an assertion and using the assertion to request a Primary Refresh Token from another device. That’s the same impact as the bug in Azure Active Directory. The Office bypass would allow attackers to escape Office Protected View, but not if you have Application Guard for Office enabled. The SFB bug in SharePoint would allow an attacker to bypass the logging of downloaded files. There are two SFB bugs in Remote Desktop. The first could allow a machine-in-the-middle (MitM) attacker to bypass the certificate validation performed when a targeted user connects to a trusted server. The other also requires a MitM attacker and could compromise the confidentiality and integrity of data when the targeted user connects to a trusted server. There are also two bugs in MSHTML. The first allows a bypass of the Mark of the Web (MotW) designator. The other allows attackers to access a URL in a less restricted Internet Security Zone than intended. No additional information is given regarding the SFB in ASP.NET.

The July release contains 18 total information disclosure fixes. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. The lone exception is a frightening one. The bug in Netlogon could allow an attacker to intercept and potentially modify traffic between client and server systems. The attacker would need to be able to monitor traffic (i.e., MitM) to exploit this vulnerability.

This month’s release contains 22 fixes for Denial-of-Service (DoS) bugs. A dozen of these vulnerabilities are in the RPC runtime library. Microsoft provides no details about these bugs other than to note authentication is required. That’s also true for the flaws in Windows Authentication and Deployment Services. The remaining DoS bugs do not require authentication, but again, no additional details from Microsoft are available. The lone exception is one of the vulnerabilities in HTTP.sys. In this case, Microsoft notes an unauthenticated attacker could send crafted messages utilizing the Server Name Indication (SNI) to an affected system.

There are a half dozen spoofing bugs in this month’s release, and the one in Outlook stands out the most. An exploit would require the target to click a link, but that’s all it takes to allow the disclosure of NetNTLMv2 hashes. Another interesting one is in Mono Authenticode Validation as it requires low privileges and no user interaction. However, Microsoft provides no real details on what an attack would look like. The other spoofing bugs all do require user interaction. Spoofing on SharePoint looks very much like cross-site scripting (XSS). The bug in Power Apps could be used either to retrieve cookies or present a fake dialog box to a user. The bug in Windows Admin Center requires extensive user interaction but could result in code execution. You’ll also need to manually install the latest build of the Windows Admin Center from here.

The July release is rounded out by two XSS bugs in Microsoft Dynamics 365.

There are two new advisories in this month’s release – the first advisories of 2023. The first provides guidance for Microsoft-signed drivers being used maliciously. This has been known since at least last December, so it’s nice something is coming out of Redmond to deal with it. The update in the advisory revokes the certificate for known impacted files. The other advisory provides guidance for an SFB in Trend Micro EFI modules. This is something we disclosed back in May.

Looking Ahead

The next Patch Tuesday will be on August 8, and we’ll return with details and patch analysis then. I’ll be blogging from Las Vegas while attending the Black Hat conference, so say hello if you see me. I like it when people say hello. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The August 2023 Security Update Review

8 August 2023 at 17:30

Greetings from hacker summer camp! Black Hat and DEFCON start this week, but let’s kick everything off with Patch Tuesday and the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here.

Adobe Patches for August 2023

For August, Adobe released four patches addressing 37 CVEs in Adobe Acrobat and Reader, Commerce, Dimension, and the Adobe XMP Toolkit SDK. A total of 28 of these CVEs came through the ZDI program. The update for Reader is the largest, clocking in with 30 CVEs. The most severe of these are rated Critical and would allow code execution when opening a specially crafted PDF. The update for Commerce fixes three CVEs, including an OS command injection bug rated at a CVSS 9.1. The update for Dimension also fixes three CVEs. Similar to Reader, an attacker could gain code execution if an affected system opened a specially crafted file. The final patch for the Adobe XMP Toolkit SDK corrects a single Denial-of-Service (DoS) bug.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for August 2023

This month, Microsoft released 74 new patches and two new advisories addressing CVEs in Microsoft Windows and Windows Components; Edge (Chromium-Based); Exchange Server; Office and Office Components; .NET and Visual Studio; ASP.NET; Azure DevOps and HDInsights; Teams; and Windows Defender. Three of these CVEs were reported through the ZDI program and, based on our upcoming page, many others are coming in the near future. Once you include the 11 fixes from the Chromium group for Edge (Chromium-Based) and the fix for AMD, it brings the total number of CVEs to 86.

Of the new patches released today, six are rated Critical and 67 are rated Important in severity. This is on the lower side for an August release, but perhaps Microsoft was distracted by other security problems.

None of the CVEs released today are listed as being publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the fix that’s not a fix:

-       ADV230003 - Microsoft Office Defense in Depth Update
This advisory does not provide a fix for CVE-2023-36884, but it does (allegedly) break the exploit chain currently being used in active attacks. Microsoft released an advisory last month providing some details about this bug, but not a patch to fix it. Surprisingly, there still isn’t a patch – just this mitigation. Hopefully, a full patch to thoroughly address this bug under exploit will be released soon.

[UPDATE] Microsoft has now revised CVE-2023-36884 to include patches for all 33 affected products. You should apply the patch and consider this advisory as a temporary fix only.

-       CVE-2023-38181 - Microsoft Exchange Server Spoofing Vulnerability
This is a patch bypass of CVE-2023-32031, which itself was a bypass of CVE-2023-21529, which was a bypass of CVE-2022-41082, which was under active attack. This exploit does require authentication, but if exploited, an attacker could use this to perform an NTLM relay attack to authenticate as another user. It could also allow an attacker to get a PowerShell remoting session to the server. This is one of six CVEs fixed in Exchange this month, and each seems more severe than the next. Definitely take the time to test and deploy the cumulative update quickly.

-       CVE-2023-35385/36910/36911 - Microsoft Message Queuing Remote Code Execution Vulnerability
All three of these are rated at a CVSS of 9.8 and could allow a remote anonymous attacker to execute their code on an affected server at the level of the Message Queuing service. There are 11 total bugs impacting Message Queuing getting fixed this month, and it’s clear that the research community is paying close attention to this service. While we haven’t detected active exploits targeting Message Queuing yet, it’s likely just a matter of time as example PoCs exist. You can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly.
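A defender-side check for the interim MSMQ mitigation mentioned above, as an added example that is not from the ZDI post or Microsoft: run in an elevated PowerShell, it reports whether the Message Queuing service is installed and listening on TCP 1801 and, only with the -ApplyBlock switch, creates an inbound firewall block for that port. The rule name and the switch are this script's own choices.

```powershell
# Added example (not from the original post). Audits a Windows host for MSMQ exposure
# and optionally applies the interim mitigation (block inbound TCP 1801) until the
# CVE-2023-35385/36910/36911 updates are deployed. Requires an elevated session.
[CmdletBinding()]
param(
    [switch]$ApplyBlock   # assumed switch name; off by default so the script only reports
)

$RuleName = 'Interim block - MSMQ TCP 1801 (remove after patching)'   # assumed rule name
$Port     = 1801                                                      # MSMQ well-known port

# 1. Is the Message Queuing service present, and is it running?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host 'MSMQ service not installed; the Message Queuing RCEs do not apply to this host.'
} else {
    Write-Host ('MSMQ service present, status: {0}' -f $svc.Status)
}

# 2. Is anything actually listening on TCP 1801, and which process owns the socket?
$listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ('TCP {0} listening on {1} (PID {2}, {3})' -f $Port, $l.LocalAddress,
                $l.OwningProcess, $proc.ProcessName)
}
if ($listeners.Count -eq 0) { Write-Host "Nothing listening on TCP $Port." }

# 3. Apply (or report) the interim block rule. Only inbound traffic to the port is
#    blocked; the service keeps running so local MSMQ consumers are not broken.
#    Remote MSMQ clients will lose connectivity while the rule is in place.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host ("Interim block rule already exists (Enabled: {0})." -f $existing.Enabled)
} elseif ($ApplyBlock -and $listeners.Count -gt 0) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Block -Profile Any | Out-Null
    Write-Host "Created inbound block rule for TCP $Port. Remove it once the update is installed."
} elseif ($ApplyBlock) {
    Write-Host "Port $Port is not listening; no block rule created."
} else {
    Write-Host 'Report only. Re-run with -ApplyBlock to create the interim firewall rule.'
}
```

Remove the rule with Remove-NetFirewallRule -DisplayName '<rule name>' after the August update is confirmed installed.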

-       CVE-2023-29328/29330 - Microsoft Teams Remote Code Execution Vulnerability
These bugs allow an attacker to gain code execution on a target system by convincing someone to join a malicious Teams meeting set up by the attacker. Microsoft doesn’t specifically state at what level the code execution occurs, but they do note the attacker could provide “access to the victim's information and the ability to alter information,” so that implies the logged-on user level. We’ve seen similar exploits demonstrated at Pwn2Own, so don’t skip this update.

-       CVE-2023-21709 - Microsoft Exchange Server Elevation of Privilege Vulnerability
I know I already brought up Exchange, but I couldn’t let this CVE pass without a mention. This vulnerability allows a remote, unauthenticated attacker to log in as another user. In this case, you’re elevating from no permissions to being able to authenticate to the server, which makes all of those post-authentication exploits (see above) viable. Although rated Important, I would consider this bug rated Critical and act accordingly.

Here’s the full list of CVEs released by Microsoft for August 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-35385 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-36910 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-36911 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-29328 Microsoft Teams Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-29330 Microsoft Teams Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-36895 Microsoft Outlook Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2023-20569 * AMD: CVE-2023-20569 Return Address Predictor Important N/A No No Info
CVE-2023-35390 .NET Core Remote Code Execution Vulnerability Important 8.4 No No RCE
CVE-2023-36899 .NET Framework Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2023-36873 .NET Framework Spoofing Vulnerability Important 5.9 No No Spoofing
CVE-2023-35391 ASP.NET Core and Visual Studio Information Disclosure Vulnerability Important 7.1 No No Info
CVE-2023-38178 ASP.NET Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-38180 ASP.NET Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36881 Azure Apache Ambari Spoofing Vulnerability Important 4.5 No No Spoofing
CVE-2023-38188 Azure Apache Hadoop Spoofing Vulnerability Important 4.5 No No Spoofing
CVE-2023-35393 Azure Apache Hive Spoofing Vulnerability Important 4.5 No No Spoofing
CVE-2023-36877 Azure Apache Oozie Spoofing Vulnerability Important 4.5 No No Spoofing
CVE-2023-38176 Azure Arc-Enabled Servers Elevation of Privilege Vulnerability Important 8.5 No No EoP
CVE-2023-36869 Azure DevOps Server Spoofing Vulnerability Important 6.3 No No Spoofing
CVE-2023-35394 Azure HDInsight Jupyter Notebook Spoofing Vulnerability Important 4.5 No No Spoofing
CVE-2023-38170 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-35389 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2023-38157 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability Important 3.9 No No SFB
CVE-2023-36896 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-35368 Microsoft Exchange Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 9.8 No No EoP
CVE-2023-35388 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-38182 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-38185 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-38181 Microsoft Exchange Server Spoofing Vulnerability Important 8.8 No No Spoofing
CVE-2023-35376 Microsoft Message Queuing Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-35377 Microsoft Message Queuing Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-36909 Microsoft Message Queuing Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-36912 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-38172 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-38254 Microsoft Message Queuing Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-35383 Microsoft Message Queuing Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36913 Microsoft Message Queuing Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-35371 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-35372 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36865 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36866 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-38169 Microsoft OLE DB Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36893 Microsoft Outlook Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2023-36890 Microsoft SharePoint Server Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36894 Microsoft SharePoint Server Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36891 Microsoft SharePoint Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2023-36892 Microsoft SharePoint Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2023-36882 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-38175 Microsoft Windows Defender Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35379 Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36898 Tablet Windows User Interface Application Core Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36897 Visual Studio Tools for Office Runtime Spoofing Vulnerability Important 5.9 No No Spoofing
CVE-2023-35387 Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2023-36904 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36900 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36906 Windows Cryptographic Services Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36907 Windows Cryptographic Services Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-35381 Windows Fax Service Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36889 Windows Group Policy Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2023-35384 Windows HTML Platforms Security Feature Bypass Vulnerability Important 5.4 No No SFB
CVE-2023-36908 Windows Hyper-V Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2023-35359 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35380 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38154 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35382 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35386 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38184 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2023-38186 Windows Mobile Device Management Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35378 Windows Projected File System Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36914 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2023-36903 Windows System Assessment Tool Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36876 Windows Task Scheduler Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2023-36905 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-38167 Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability Important 7.2 No No EoP
CVE-2023-4068 * Type Confusion in V8 High N/A No No RCE
CVE-2023-4069 * Type Confusion in V8 High N/A No No RCE
CVE-2023-4070 * Type Confusion in V8 High N/A No No RCE
CVE-2023-4071 * Heap buffer overflow in Visuals High N/A No No RCE
CVE-2023-4072 * Out of bounds read and write in WebGL High N/A No No RCE
CVE-2023-4073 * Out of bounds memory access in ANGLE High N/A No No RCE
CVE-2023-4074 * Use after free in Blink Task Scheduling High N/A No No RCE
CVE-2023-4075 * Use after free in Cas High N/A No No RCE
CVE-2023-4076 * Use after free in WebRTC High N/A No No RCE
CVE-2023-4077 * Insufficient data validation in Extensions Medium N/A No No SFB
CVE-2023-4078 * Inappropriate implementation in Extensions Medium N/A No No SFB

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

The only other Critical-rated patch being released today deals with Outlook. This is a bit odd since these types of open-and-own bugs are typically rated Important due to the needed user interaction. The exception is when the Preview Pane is an attack vector, but that’s not documented here. There’s clearly something that makes this bug stand out, but Microsoft offers no clues as to what that may be. Also note that if you use Outlook for Mac, you’ll have to wait for your update as Microsoft didn’t release it today.

Looking at the other remote code execution patches, many are the expected Important-rated Office bugs. There are additional Exchange RCEs as well, although they require the attacker to be network adjacent – meaning on the same LAN as the target. The concerning one is CVE-2023-38185, which does require authentication, but could allow an attacker to run elevated code through a network call. There are two separate bugs that require connecting to a malicious database. Also note that if you have installed Microsoft SQL Server 2022 for x64-based Systems (GDR) or Microsoft SQL Server 2019 for x64-based Systems (GDR), you are still vulnerable and need to apply this update. There’s a patch for LDAP that would allow an attacker to run code with the service’s permissions through a specially crafted LDAP call. The final RCE this month is a fix for Dynamics 365 that could be exploited by clicking a link in e-mail.

Moving on to the Elevation of Privilege (EoP) bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to attackers running code at SYSTEM level. The bug in Azure Arc-Enabled servers is somewhat interesting in that it affects both Linux and Windows servers. An attacker could elevate to root or administrator respectively. The bug in Windows Defender would allow an attacker to delete arbitrary files on a system. The Task Scheduler vulnerability also allows for the creation and deletion of files, but you wouldn’t be able to overwrite existing files – just delete them. The bug in .NET Framework would only yield the privileges on the application targeted. Lastly, the bug in Bluetooth would yield SYSTEM access, but only after you pair a Bluetooth device.

There are only four security feature bypass (SFB) fixes in this month’s release, and the most severe is likely the bug in the Windows Smart Card Resource Management Server. This flaw could allow an attacker to bypass the Fast Identity Online (FIDO) secure authentication feature, which effectively removes two-factor authentication. The SFB in HTML Platforms is similar to other bugs that have been exploited in the wild. An attacker could use this bug to have URLs map to the incorrect Security Zone. The SFB for Edge-Chromium is confusing as Microsoft states physical access and user interaction are required, but they don’t elaborate on either point. The bug in Group Policy would allow an attacker to read specific Group Policy configurations but not alter them.

In addition to the Exchange spoofing bug previously mentioned, there are 11 other spoofing fixes in the August release. The bugs in SharePoint act like cross-site scripting (XSS) bugs and require multiple patches to address. Be sure you install all applicable updates. The bug in Outlook could allow the disclosure of NetNTLMv2 hashes, which would allow an attacker to potentially authenticate as another user. Little information is available about the other fixes, although Microsoft notes user interaction is required for all of the other bugs. The Azure Apache cases (yes – that sounds odd to me too) require an administrator to open a malicious file.

The August release contains 10 total information disclosure fixes. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. One of the bugs in SharePoint could disclose the cryptically-named “sensitive information”. Thanks for narrowing that down. The other SharePoint bug could leak private property values. The bug in ASP.NET is interesting as it could be used to listen to any group or user with a specially crafted group/username. By exploiting this vulnerability, the attacker can now receive messages for group(s) that they are unauthorized to view. The Hyper-V bug could allow a guest to disclose info from the Hyper-V host, but no details on what information is available. Finally, the AMD return address predictor fix is also included in this release.

Wrapping things up, there are eight fixes for Denial-of-Service (DoS) bugs, with six of these being for the Message Queuing service. Microsoft notes user interaction is required for some of these bugs in that the bug is triggered “when a user on the target machine accesses message queuing.” However, users may not be aware which applications use message queuing and could unintentionally create a DoS condition on the system. No further information is available regarding the two ASP.NET DoS bugs.

The other new advisory (ADV230004) is a defense-in-depth update for the Memory Integrity System Readiness scan tool. Also known as the hypervisor-protected code integrity (HVCI), this tool for ARM64 and AMD64 processors checks for compatibility issues with memory integrity. The release update takes care of a publicly known bug. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday will be on September 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The September 2023 Security Update Review

12 September 2023 at 17:28

Hello and welcome to another Patch Tuesday in what continues to be a hot 0-day summer, with new exploits being identified by Apple, Cisco, and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of the latest advisories from Adobe, Microsoft, and more. If you’d rather watch the video recap, you can check it out here.

Apple Patches for September 2023

Apple kicked off the September patch release by patching two bugs in macOS Ventura, iPadOS and iOS, and watchOS to address active exploits. The first vulnerability is tracked as CVE-2023-41064 and represents a buffer overflow in Image I/O. The other bug, CVE-2023-41061, represents a validation issue that can be exploited using malicious attachments. According to Citizen Lab researchers, these bugs were combined to deploy the infamous Pegasus spyware from the NSO Group. Regardless, make sure you take the time to update your Apple devices. Apple backported this fix to older phones today, so even if you aren’t on the latest iOS, you can still get the fix.

Cisco Advisories for September 2023

You may notice I said “advisories” instead of “patches” here, and that’s not just another case of me being pedantic. On September 6, Cisco published an advisory notifying their customers of active exploits in the Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software remote access VPN. This CVE, tracked as CVE-2023-20269, is reportedly being used by ransomware groups to gain access to target networks. There’s no patch for this yet, but Cisco does offer some temporary mitigations. If you’re using these products, it’s recommended that you apply the mitigations until a patch is available. Also, please remember these mitigations are temporary. Once the patch is available, don’t delay the testing and deployment just because these mitigations are in place.

Adobe Patches for September 2023

For September, Adobe released three updates addressing five CVEs in Adobe Acrobat and Reader, Experience Manager, and Adobe Connect. Not to be left out of the 0-day…er…excitement, the lone bug in the Acrobat and Reader patch has been detected in the wild. Opening a specially crafted PDF could lead to code execution on an affected system. Clearly, this patch should be your priority. Interestingly, the patches for Experience Manager and Connect both address two cross-site scripting (XSS) bugs. Just an interesting coincidence.

Adobe lists the Reader patch as a deployment rating of 1 since it is under active attack. The other two patches are not listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for September 2023

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; .NET and Visual Studio; Azure; Microsoft Dynamics; and Windows Defender. A total of 15 of these CVEs (25.4%) were reported through the ZDI program, and more are waiting in the wings. In addition to the new CVEs, two external bugs and four Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 65.

Of the new patches released today, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. This is slightly lower than most September releases, but looking at the year-to-date totals, Microsoft is very close to the volume of fixes released in 2022.

Two of the CVEs released today are listed as being under active attack at the time of release while only one is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug being exploited:

-       CVE-2023-36761 - Microsoft Word Information Disclosure Vulnerability
This is the bug currently under active attack, but I wouldn’t classify it as “information disclosure”. An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack. Those are usually defined as Spoofing bugs (see Exchange below). Regardless of the classification, the preview pane is a vector here as well, which means no user interaction is required. Definitely put this one on the top of your test-and-deploy list.

-       CVE-2023-29332 - Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
This Critical-rated bug in the Azure Kubernetes service could allow a remote, unauthenticated attacker to gain Cluster Administration privileges. We’ve seen bugs like this before, but this one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity. Microsoft gives this an “Exploitation Less Likely” rating, but based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers.

-       CVE-2023-38148 - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
This Critical-rated bug is the highest-rated CVSS this month (8.8), but it’s not all bad news. First, this is limited to network-adjacent attackers. A successful exploit also relies on ICS being enabled. Most places these days don’t require ICS, and it’s not turned on by default. However, if you’re in one of those places where ICS is used, this could allow an unauthenticated attacker to run their code on affected systems.

-       CVE-2023-38146 - Windows Themes Remote Code Execution Vulnerability
This probably isn’t one of the most severe bugs patched this month, but it kicked off such a wave of nostalgia that I had to call it out. This bug could allow code execution if an attacker can convince a user to open a specially crafted theme file. If this sounds like screensaver exploits from 20+ years ago, it’s because it’s just like screensaver bugs from 20+ years ago. Congrats to Pwn2Own winners Thijs Alkemade and Daan Keuper of Computest Sector 7 for helping bring this oldie but goodie to light.

Here’s the full list of CVEs released by Microsoft for September 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-36761 Microsoft Word Information Disclosure Vulnerability Important 6.2 Yes Yes Info
CVE-2023-36802 Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-38148 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability Critical 7.5 No No EoP
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2023-36799 .NET Core and Visual Studio Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-36788 .NET Framework Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36770 3D Builder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36771 3D Builder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36772 3D Builder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36773 3D Builder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36739 3D Viewer Remote Code Execution Vulnerability Important 7.8 No No EoP
CVE-2023-36740 3D Viewer Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36760 3D Viewer Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-41303 * AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior Important 7.8 No No RCE
CVE-2023-38155 Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-33136 Azure DevOps Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-38156 Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2023-38162 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36801 DHCP Server Service Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2023-38152 DHCP Server Service Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2023-36800 Dynamics Finance and Operations Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2023-39956 * Electron: CVE-2023-39956 -Visual Studio Code Remote Code Execution Vulnerability Important 6.1 No No RCE
CVE-2023-36886 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2023-38164 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2023-36766 Microsoft Excel Information Disclosure Vulnerability Important 7.8 No No Info
CVE-2023-36777 Microsoft Exchange Server Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2023-36744 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36745 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36756 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36757 Microsoft Exchange Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2023-36736 Microsoft Identity Linux Broker Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2023-36765 Microsoft Office Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36767 Microsoft Office Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2023-36763 Microsoft Outlook Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36764 Microsoft SharePoint Server Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2023-36805 Windows MSHTML Platform Security Feature Bypass Vulnerability Important 7 No No RCE
CVE-2023-36742 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36758 Visual Studio Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36759 Visual Studio Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-35355 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38143 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38144 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38163 Windows Defender Attack Surface Reduction Security Feature Bypass Important 7.8 No No SFB
CVE-2023-36804 Windows GDI Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38161 Windows GDI Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38139 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38141 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38142 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38150 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36803 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-38140 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-38147 Windows Miracast Wireless Display Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-38149 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-38160 Windows TCP/IP Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-38146 Windows Themes Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-41764 Microsoft Office Spoofing Vulnerability Moderate 5.5 No No Spoofing
CVE-2023-4761 * Chromium: CVE-2023-4761 Out of bounds memory access in FedCM High N/A No No RCE
CVE-2023-4762 * Chromium: CVE-2023-4762 Type Confusion in V8 High N/A No No RCE
CVE-2023-4763 * Chromium: CVE-2023-4763 Use after free in Networks High N/A No No RCE
CVE-2023-4764 * Chromium: CVE-2023-4764 Incorrect security UI in BFCache High N/A No No SFB

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.


Before we get to the other Critical-rated patches for September, let’s talk about the Exchange fixes released this month. Yes – even though Exchange just received a big update last month, there’s another one* today. There are five different Exchange CVEs today, and all were reported by ZDI researcher Piotr Bazydło. He’s been on quite the Exchange kick recently, including finding bypasses for both patches and silent fixes. The one that concerns me the most is the NTLM relay, which is marked as a Spoofing bug (see my pedantic note above). What’s most concerning about this is that this vulnerability seems to have been patched last month but wasn’t documented. This bug, along with the three RCE bugs, requires authentication, but recall that last month’s Exchange patches included an auth bypass. Nifty. The final Exchange patch corrects an info disclosure bug that could disclose “file content.” It’s not clear if that’s a random file or if an attacker can name an arbitrary file. All of these patches require the August update to be installed, so don’t skip that and think you’re protected. And to all those admins rebooting Exchange over the weekend, I wish you Godspeed and good luck.

*UPDATE: Microsoft reached out to let us know these CVEs are not new updates but were released in the August update and are now being documented. They did not state why they were patched silently in August and gave no indication of whether their omission was intentional or accidental.

The remaining Critical-rated patches are all for Visual Studio. These are all open-and-own bugs that could lead to arbitrary code execution when opening a malicious package file with an affected version of Visual Studio.

Looking at the 15 other RCEs getting patches this month, most share the same open-and-own exploit scenario as the Critical-rated Visual Studio bugs. Interestingly, there are two Important-rated Visual Studio RCEs that look identical to the Critical-rated ones. There’s no indication why one is more severe than the others. There are six fixes for RCE bugs in 3D Viewer, and four of these were reported by ZDI researcher Mat Powell. The bugs are simple open-and-own vulns, but the product must be updated through the app store. If automatic updates from the store are disabled or if you’re otherwise disconnected, you’ll need to update manually. One of the RCEs in Word has a Preview Pane vector, but a user needs to click the attachment preview to trigger the exploit. There’s a scripting engine (Trident/EdgeHTML) bug that was reported through the ZDI. Under limited circumstances, crafted data in an image can lead to execution of untrusted script. An attacker can leverage this vulnerability to execute code in the context of the current process. There’s a patch for Miracast that could allow an attacker to project to an affected system in limited circumstances. Microsoft lists that as Adjacent, but I would consider it more of a Physical attack. Finally, there’s a fix for Azure DevOps that’s listed as RCE, but I would classify it as a privilege escalation instead. An attacker needs Queue Build permissions on an Azure DevOps pipeline that has an overridable variable. They could then use this to get a code injection by overriding the variable. You decide if it’s RCE or EoP as you patch your affected servers.

Before looking at the privilege escalation bugs, there are some impactful Denial-of-Service (DoS) vulnerabilities we should address. The first involves TCP/IP. A remote, unauthenticated attacker could take down an affected system by sending specially crafted IPv6 packets. As you might imagine, systems with IPv6 disabled aren’t impacted, but considering IPv6 is enabled by default, this could create some havoc on unpatched systems. Microsoft lists disabling router discovery on IPv6 as a temporary workaround. As above, patches are permanent while workarounds are temporary. The other DoS bug of note impacts the DHCP server, although Microsoft provides no other details about the bug. The final DoS impacts .NET and Visual Studio, but this bug requires someone to open a specially crafted file.
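As a practical check on that workaround, here is an added PowerShell example (mine, not from the ZDI post or from Microsoft’s advisory text) that lists which connected IPv6 interfaces still accept Router Advertisements and, only when asked, disables router discovery on them. It assumes that Set-NetIPInterface -RouterDiscovery Disabled is what “disabling router discovery” means in practice; Microsoft’s exact workaround steps are not reproduced on this page.

```powershell
# Added example; not from the ZDI post or from Microsoft's advisory text.
# Report-only by default. With -Disable, turns off IPv6 router discovery on
# every connected, non-loopback interface that still has it on.
# Assumption: Set-NetIPInterface -RouterDiscovery Disabled is the knob meant by
# "disable router discovery". Supports -WhatIf / -Confirm via ShouldProcess.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable
)

$ifaces = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -notmatch 'Loopback' }

foreach ($iface in $ifaces) {
    # Anything other than Disabled (Enabled or ControlledByDHCP) still processes incoming RAs
    $acceptsRA = $iface.RouterDiscovery -ne 'Disabled'

    [pscustomobject]@{
        Interface       = $iface.InterfaceAlias
        InterfaceIndex  = $iface.InterfaceIndex
        RouterDiscovery = $iface.RouterDiscovery
        AcceptsRA       = $acceptsRA
    }

    if ($Disable -and $acceptsRA -and $PSCmdlet.ShouldProcess($iface.InterfaceAlias, 'Disable IPv6 router discovery')) {
        Set-NetIPInterface -InterfaceIndex $iface.InterfaceIndex -AddressFamily IPv6 -RouterDiscovery Disabled
    }
}
```

Run it elevated; without -Disable it only reports. Disabling router discovery also stops SLAAC addressing and RA-learned default routes, so on networks that rely on Router Advertisements for IPv6 this cuts IPv6 connectivity. As the post says, treat it as temporary: install the patch and restore the setting (-RouterDiscovery Enabled) afterwards.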

Moving on to the other EoP bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. That’s true for CVE-2023-36802, which is the other bug listed as being under active attack. In most cases, this leads to either administrator privileges or running code at SYSTEM level. In fact, this is true of all of the EoP bugs patched this month outside of the previously mentioned Azure Kubernetes escalation.

Two fixes in this month’s release address security feature bypass (SFB) bugs. The first is in the Windows Defender Attack Surface Reduction blocking feature. The vulnerability could allow attackers to bypass the Windows Defender Attack Surface Reduction blocking feature, which definitely falls into the you-had-one-job category. The other patch impacts Office and corrects a bypass that could allow a file with a potentially dangerous extension to be uploaded and downloaded. Like one of the Office bugs mentioned above, the Preview Pane is an attack vector, but a user would need to click to preview an attachment.

The September release contains eight additional information disclosure fixes. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. There are two significant exceptions. The first is in Outlook. A successful exploit could allow the disclosure of credentials. Yikes. At least the Preview Pane is not an attack vector here. The other interesting bug resides in the Microsoft Identity Linux Broker. Exploiting this vulnerability could disclose application data on the target. However, encrypted data at rest remains encrypted.

The lone Moderate-rated bug in this month’s release impacts Office components. Successful exploitation would allow an unauthenticated attacker to insert malicious content into a document. This document may then pass an authentication check when a partial signature is present.

Wrapping things up, there are three cross-site scripting (XSS) bugs fixed in this release. One fix is for Dynamics Finance and Operations while the remaining are for the on-prem Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on October 10, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The October 2023 Security Update Review

10 October 2023 at 17:29

Twenty years ago this month, Microsoft introduced the concept of “Patch Tuesday” – although the marketing folks wanted it called “Update Tuesday” (they didn’t like the word “patch”). Over the years, more companies joined the Patch Tuesday bandwagon. Here we are 20 years later, still talking about the latest security releases from Adobe and Microsoft. Pop some champagne to celebrate and join us as we review the details of the latest advisories from Adobe and Microsoft. If you’d rather watch the video recap, you can check it out here.

Adobe Patches for October 2023

For October, Adobe released three bulletins addressing 13 CVEs in Adobe Photoshop, Bridge, and Adobe Commerce. A total of three of these CVEs came through the ZDI program. The patch for Commerce is the largest this month, with a mix of 10 Critical and Important CVEs being addressed. The most severe of these could allow arbitrary code execution through a SQL injection. The update for Photoshop fixes a single code execution bug. An attacker would need to convince a user to open a specially crafted file with Photoshop to exploit affected systems. The final patch for Adobe Bridge fixes two Important severity bugs discovered by ZDI researcher Mat Powell.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for October 2023

This month, Microsoft released 103 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET Core and Visual Studio; Azure; Microsoft Dynamics; and Skype for Business, which is apparently still a thing. A total of three of these CVEs were reported through the ZDI program, and many others are waiting in the wings. In addition to the new CVEs, one external bug and one Chromium bug are being incorporated into the release, bringing the total number of CVEs to 103.

Of the new patches released today, 13 are rated Critical and 90 are rated Important in severity. That puts this as the second largest month this year, although the huge number of Message Queuing fixes skew that number (see below). That puts Microsoft just 127 CVEs shy of its 2022 total, which would make 2023 one of its busiest years ever.

Two of the CVEs released today are listed as being publicly known and under active attack at the time of release. That’s in addition to one external CVE listed as under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-       CVE-2023-36563 - Microsoft WordPad Information Disclosure Vulnerability
This bug is one of the two being exploited in the wild. Successful exploitation could lead to the disclosure of NTLM hashes. Microsoft doesn’t list any Preview Pane vector, so user interaction is required. In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn’t received much attention, but it could significantly hamper NTLM-relay exploits.

-       CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
This is the other bug under active attack this month, and it acts more like an information disclosure than a privilege escalation. An attacker could make a malicious call to an affected Skype for Business server that results in the server parsing an HTTP request to an arbitrary address. This could result in disclosing information, which could include sensitive information that provides access to internal networks.

-       CVE-2023-35349 - Microsoft Message Queuing Remote Code Execution Vulnerability
This is one of 20(!) Message Queuing patches this month and the highest CVSS (9.8) of the bunch. A remote, unauthenticated attacker could execute arbitrary code at the level of the service without user interaction. That makes this bug wormable – at least on systems where Message Queuing is enabled. You should definitely check your systems to see if it’s installed and also consider blocking TCP port 1801 at your perimeter.

-       CVE-2023-36434 - Windows IIS Server Elevation of Privilege Vulnerability
Although labeled Important by Microsoft, it receives a CVSS 9.8 rating. An attacker who successfully exploits this bug could log on to an affected IIS server as another user. Microsoft doesn’t rate this as Critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated. If you’re running IIS, you should treat this as a critical update and patch quickly.
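The WordPad entry above recommends blocking outbound NTLM over SMB on Windows 11. Here is an added PowerShell example (mine, not from the ZDI post) that reports the current state of that setting and of the broader LSA outbound-NTLM policy, and can move a client to audit mode or to the SMB block. It assumes that Set-SmbClientConfiguration exposes a BlockNTLM parameter on the newer Windows 11 builds the post refers to, and that the MSV1_0 value RestrictSendingNTLMTraffic uses 0 = allow, 1 = audit, 2 = deny.

```powershell
# Added example; not from the ZDI post. Check, audit or block outbound NTLM on a
# Windows 11 client to blunt NTLM-relay abuse of bugs like the WordPad one above.
# Report-only by default.
# Assumptions: Set-SmbClientConfiguration -BlockNTLM exists on newer Windows 11
# builds (the post calls the feature new), and the LSA value
# RestrictSendingNTLMTraffic uses 0 = allow, 1 = audit, 2 = deny.
param(
    [ValidateSet('Report', 'Audit', 'Block')]
    [string]$Mode = 'Report'
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$smb    = Get-SmbClientConfiguration

# Older builds simply do not have the property; detect rather than assume
$canBlockSmbNtlm = $null -ne $smb.PSObject.Properties['BlockNTLM']
$smbBlockNtlm = 'n/a (build lacks BlockNTLM)'
if ($canBlockSmbNtlm) { $smbBlockNtlm = $smb.BlockNTLM }

# Machine-wide outbound NTLM policy (same value Group Policy "Restrict NTLM:
# Outgoing NTLM traffic to remote servers" writes)
$restrict = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
$policyNames = @{ 0 = 'AllowAll'; 1 = 'AuditAll'; 2 = 'DenyAll' }
$policy = 'NotConfigured'
if ($null -ne $restrict -and $policyNames.ContainsKey([int]$restrict)) { $policy = $policyNames[[int]$restrict] }

[pscustomobject]@{
    SmbBlockNtlm       = $smbBlockNtlm
    OutboundNtlmPolicy = $policy
}

switch ($Mode) {
    'Audit' {
        # Log outbound NTLM instead of blocking it; review the
        # Microsoft-Windows-NTLM/Operational log before moving to Block.
        New-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -PropertyType DWord -Value 1 -Force | Out-Null
    }
    'Block' {
        if ($canBlockSmbNtlm) {
            # SMB-specific switch: the SMB client will no longer offer NTLM at all
            Set-SmbClientConfiguration -BlockNTLM $true -Force
        } else {
            Write-Warning 'No SMB BlockNTLM setting on this build; use -Mode Audit and the LSA policy instead.'
        }
    }
}
```

Run it elevated. The audit step matters: legacy file servers, NAS appliances and anything joined by IP address rather than name still negotiate NTLM, and blocking first and asking questions later tends to surface as a helpdesk queue rather than a security win.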

Here’s the full list of CVEs released by Microsoft for October 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability Important 6.5 Yes Yes Info
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability Important 5.3 Yes Yes EoP
CVE-2023-44487 * MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack Important 8.8 No Yes DoS
CVE-2023-38166 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41767 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41768 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41769 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41770 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41771 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41773 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41774 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability Critical 6.5 No No DoS
CVE-2023-35349 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-36697 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2023-36718 Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2023-36722 Active Directory Domain Services Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2023-36585 Active Template Library Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36703 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36709 Microsoft AllJoyn API Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36702 Microsoft DirectMusic Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2023-36429 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36431 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36579 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36581 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36606 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36570 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36571 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36572 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36573 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36574 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36575 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36578 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36582 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36583 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36589 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36590 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36591 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36592 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36593 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36701 Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36420 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36730 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36785 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36417 Microsoft SQL OLE DB Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2023-36598 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36577 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36729 Named Pipe File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36557 PrintHTML API Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36789 Skype for Business Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability Important Unknown No No EoP
CVE-2023-41766 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36723 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36707 Windows Deployment Services Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-36567 Windows Deployment Services Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36706 Windows Deployment Services Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36721 Windows Error Reporting Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36434 Windows IIS Server Elevation of Privilege Vulnerability Important 9.8 No No EoP
CVE-2023-36726 Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36712 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36725 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36576 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability Important 3.6 No No SFB
CVE-2023-36584 Windows Mark of the Web Security Feature Bypass Vulnerability Important 5.4 No No SFB
CVE-2023-36710 Windows Media Foundation Core Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36720 Windows Mixed Reality Developer Tools Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36436 Windows MSHTML Platform Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36605 Windows Named Pipe Filesystem Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2023-36724 Windows Power Management Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36711 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36902 Windows Runtime Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2023-36564 Windows Search Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2023-36704 Windows Setup Files Cleanup Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36602 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36603 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36438 Windows TCP/IP Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36717 Windows Virtual Trusted Platform Module Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-5346 * Chromium: CVE-2023-5346 Type Confusion in V8 High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.


A quick note about CVE-2023-44487 – this was reported as being under active attack across Google systems in August. They have provided a thorough write-up of the exploit, but at a high level, attackers can abuse the Layer 7 stream cancellation feature within HTTP/2 to create a DoS across a service. The problem is shared across many services, and this Microsoft patch addresses any affected Microsoft products.

As I already mentioned, about 20% of this entire release impacts the Message Queuing service with a variety of remote code execution and DoS bugs. Unlike the previously mentioned bug, the other RCEs do require user interaction – typically by clicking a link on an affected system. The DoS bugs do not require user interaction. Microsoft doesn’t state whether successful exploitation would simply stop the service or blue screen the entire system. They also don’t note whether the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure.
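For the audit suggested here, and for the earlier advice under CVE-2023-35349 to check whether Message Queuing is installed and to block TCP port 1801, here is an added PowerShell example (mine, not from the ZDI post) that reports a single host’s MSMQ exposure and can add a local inbound block rule as a stop-gap. It assumes the optional-feature name MSMQ-Server and the service name MSMQ, and it needs to run elevated.

```powershell
# Added example; not from the ZDI post. Audit one host for Message Queuing
# exposure and, with -Block, add a local inbound firewall rule for TCP 1801
# as a stop-gap alongside the perimeter block the post recommends.
# Assumptions: optional-feature name 'MSMQ-Server', service name 'MSMQ';
# run elevated (Get-WindowsOptionalFeature and the firewall cmdlets need it).
param(
    [switch]$Block,
    [string]$RuleName = 'Block inbound MSMQ TCP 1801 (stop-gap)'
)

$feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
$svc     = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$listen  = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
$rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

$featureState = 'NotPresent'
if ($feature) { $featureState = [string]$feature.State }
$svcStatus = 'NotInstalled'
if ($svc) { $svcStatus = [string]$svc.Status }

# Which processes actually hold the MSMQ port (expect mqsvc when the service is enabled)
$owners = $listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($p) { "$($p.ProcessName):$($_.OwningProcess)" } else { "pid:$($_.OwningProcess)" }
}

[pscustomobject]@{
    MsmqFeature       = $featureState
    MsmqService       = $svcStatus
    ListeningOn1801   = ($listen.Count -gt 0)
    ListenerProcesses = ($owners -join ', ')
    BlockRulePresent  = ($null -ne $rule)
}

if ($Block -and -not $rule) {
    # Host-level analogue of the perimeter block; harmless where MSMQ is not in use
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 1801 -Action Block -Profile Any | Out-Null
}
```

The report is the useful part: the wormable bug only matters where the service is enabled and reachable, which is exactly what ListeningOn1801 and the listener process tell you. Blocking 1801 on a host that legitimately queues messages breaks that application, so read the report before using -Block, and keep the perimeter rule the post recommends in front of the hosts that must keep the port open.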

And yes, there is another Exchange bug being patched this month. It could allow an authenticated attacker on the same LAN to execute code through a PowerShell remoting connection. Last month’s “patch” ended up just being more CVEs being publicly documented in the August patch. We’ll see what the Exchange team does with this one.

Moving on to the other Critical-rated patches, nine are for the Layer 2 Tunneling Protocol – all of which could lead to RCE. A remote, unauthenticated attacker could send malicious packets to an affected server to get arbitrary code execution. Microsoft rates this a bit lower since the attack involves exploiting a race condition, but I’d still take these seriously. The patch for the Virtual Trusted Platform Module addresses a container escape.

Looking at the other RCE fixes in this release, only a few really stand out. There are additional fixes for Skype for Business similar to the one under active attack. There are several patches for bugs that involve connecting to a malicious SQL server. The bugs in MSHTML and PrintHTML require user interaction – essentially open-and-own type attacks. There are also two updates for Azure Identity SDK that result from integer overflows. An attacker could use these to run arbitrary code with elevated privileges.

There are nearly 30 EoP bugs receiving patches this month, and the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. There are a couple of exceptions. The EoP in Azure DevOps Server could reveal the secrets of the user of the affected application, which sounds like information disclosure to me. The bug in Azure HDInsight Apache Oozie Workflow Scheduler could lead to an attacker gaining cluster administrative privileges. And who names something “Oozie”? The bug in Azure Network Watcher seems intriguing. According to Microsoft, “An attacker who successfully exploited this vulnerability could route Packet Captures to a location in their control and perform file deletions that would limit the victim's troubleshooting and diagnostic capabilities.” Neat. The Office Click-to-Run vulnerability could allow an attacker to gain administrative privileges. The bug in Windows Runtime C++ Template Library could allow an attacker to delete arbitrary files. This has been known to lead to privilege escalation as explained in this blog by Simon Zuckerbraun.

There are just a few security feature bypass (SFB) vulnerabilities to discuss this month. The SFB in the kernel could allow an attacker to evade the Arbitrary Code Guard exploit protection feature. That would certainly help make other exploits more reliable. The bug in Mark-of-the-Web (MotW) could allow attackers to evade MotW detection. The bug in Search allows attackers to plant files without the MotW on affected systems.

Information disclosure bugs account for 12 fixes this month, including the one under active attack. As usual, the majority of these merely result in info leaks consisting of unspecified memory contents. There are also a few of these that disclose the ever-enigmatic “sensitive information”. There’s a rare kernel info disclosure that isn’t random memory. It instead discloses device information such as resource IDs, SAS tokens, user properties, and other sensitive information. The bug in the TCP/IP stack could allow an attacker to view the unencrypted contents of IPsec packets from other sessions on a server.

The October release contains fixes for around a dozen DoS bugs. Unfortunately, Microsoft doesn’t provide much information regarding these vulnerabilities. It would be nice to know if the DoS affected just the impacted component or the whole system. If you need to prioritize your testing, I suggest focusing on the TCP/IP and DHCP bugs as they have potentially the biggest impact on your enterprise.

Wrapping up this release, there is one cross-site scripting (XSS) bug fixed in Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The penultimate Patch Tuesday of 2023 will be on November 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Pwn2Own Toronto 2023 - The Full Schedule

23 October 2023 at 23:21

Welcome to Pwn2Own Toronto for 2023! Last year’s event was our largest ever, and this year’s contest looks to be just as exciting. Despite last-minute patches from many vendors, we have plenty of attempts across multiple categories - with plenty of attempts in the new Surveillance category as well. We have more than $1,000,000 in cash and prizes available for contestants. We came close last year to exceeding the million-dollar mark, and we are fans of setting records. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here.

The complete schedule for the contest is below (all times Eastern [GMT -4:00]).

Note: All times subject to change

Tuesday, October 24 – 0930

Peter Geissler targeting the Canon imageCLASS MF753Cdw in the Printers category.

Binary Factory targeting the Synology BC500 in the Surveillance Systems category.

Tuesday, October 24 – 1030

Pentest Limited targeting the My Cloud Pro Series PR4100 in the NAS category.

Team Viettel targeting the Xiaomi 13 Pro in the Mobile Phone category.

Tuesday, October 24 – 1130

Nguyen Quoc Viet targeting the Canon imageCLASS MF753Cdw in the Printers category. 

Synacktiv targeting the Synology BC500 in the Surveillance Systems category.

Tuesday, October 24 – 1230

Team ECQ targeting the QNAP TS-464 in the NAS category.

Team Orca of Sea Security targeting the Sonos Era 100 in the Smart Speakers category.

Tuesday, October 24 – 1330

An anonymous researcher targeting the Canon imageCLASS MF753Cdw in the Printers category.

Compass Security targeting the Synology BC500 in the Surveillance Systems category.

Tuesday, October 24 – 1430

Team Viettel targeting the QNAP TS-464 in the NAS category.

Pentest Limited targeting the Samsung Galaxy S23 in the Mobile Phone category.

Tuesday, October 24 – 1530

Team PHPHooligans targeting the Lexmark CX331adwe in the Printers category.

Tuesday, October 24 – 1630

STAR Labs SG targeting the QNAP TS-464 in the NAS category.

NCC Group targeting the Xiaomi 13 Pro in the Mobile Phone category.

Tuesday, October 24 – 1730

Team Viettel targeting the Canon imageCLASS MF753Cdw in the Printers category.

Interrupt Labs targeting the Lexmark CX331adwe in the Printers category.

Tuesday, October 24 – 1830

Thales targeting the QNAP TS-464 in the NAS category.

STAR Labs SG targeting the Samsung Galaxy S23 in the Mobile Phone category.

Tuesday, October 24 – 1930

R-sec targeting the Canon imageCLASS MF753Cdw in the Printers category.

Wednesday, October 25 – 0930

Chris Anastasio attempting a SOHO Smashup, going from the TPLink router to the Lexmark printer.

Team Viettel targeting the Sonos Era 100 in the Smart Speakers category.

Wednesday, October 25 – 1030

DEVCORE Intern attempting a SOHO SMASHUP, going from the TPLink router to the QNAP NAS device.

Wednesday, October 25 – 1130

Team Viettel targeting the HP Color LaserJet Pro MFP 4301fdw in the Printers category.

Bugscale targeting the Synology BC500 in the Surveillance Systems category.

Wednesday, October 25 – 1200

Peter Geissler targeting the Wyze Cam v3 in the Surveillance Systems category.

Wednesday, October 25 – 1230

Team Orca of Sea Security attempting a SOHO Smashup, going from the Synology router to the QNAP NAS device.

Eason Liu targeting the Xiaomi 13 Pro in the Mobile Phone category.

Wednesday, October 25 – 1330

Interrupt Labs targeting the Canon imageCLASS MF753Cdw in the Printers category.

SAFA ex Teamt5 targeting the Synology BC500 in the Surveillance Systems category.

Wednesday, October 25 – 1400

Sonar targeting the Wyze Cam v3 in the Surveillance Systems category.

Wednesday, October 25 – 1430

VNG Security Response Center (VSRC) targeting the QNAP TS-464 in the NAS category.

Wednesday, October 25 – 1530

Nettitude targeting the Canon imageCLASS MF753Cdw in the Printers category.

Sina Kheirkhah targeting the Synology BC500 in the Surveillance Systems category.

Interrupt Labs targeting the Samsung Galaxy S23 in the Mobile Phone category.

Wednesday, October 25 – 1630

Peter Geissler targeting the QNAP TS-464 in the NAS category.

SEFCOM T0 targeting the Wyze Cam v3 in the Surveillance Systems category.

Wednesday, October 25 – 1730

ANHTUD targeting the Canon imageCLASS MF753Cdw in the Printers category.

Chris Anastasio targeting the Lexmark CX331adwe in the Printers category.

ToChim targeting the Samsung Galaxy S23 in the Mobile Phone category.

Thursday, October 26 – 0930

DEVCORE Intern targeting the Canon imageCLASS MF753Cdw in the Printers category.

Interrupt Labs targeting the Synology BC500 in the Surveillance Systems category.

Thursday, October 26 – 1000

Rafal Goryl targeting the Wyze Cam v3 in the Surveillance Systems category.

Thursday, October 26 – 1030

Team Orca of Sea Security targeting the Xiaomi 13 Pro in the Mobile Phone category.

Thursday, October 26 – 1130

Claroty Research - Team82 attempting a SOHO Smashup, going from the TPLink router to the Synology BC500 surveillance camera.

Thursday, October 26 – 1200

STEALIEN targeting the Wyze Cam v3 in the Surveillance Systems category.

Thursday, October 26 – 1230

Team Orca of Sea Security targeting the Samsung Galaxy S23 in the Mobile Phone category.

ToChim targeting the Xiaomi 13 Pro in the Mobile Phone category.

Thursday, October 26 – 1330

Team Viettel targeting the Lexmark CX331adwe in the Printers category.

Thursday, October 26 – 1400

Synacktiv targeting the Wyze Cam v3 in the Surveillance Systems category.

Thursday, October 26 – 1430

Interrupt Labs targeting the Xiaomi 13 Pro in the Mobile Phone category.

Thursday, October 26 – 1530

Sina Kheirkhah attempting a SOHO Smashup, going from the TPLink router to the Lexmark CX331adwe printer.

Thursday, October 26 – 1630

ANHTUD targeting the Xiaomi 13 Pro in the Mobile Phone category.

Friday, October 27 – 0930

ANHTUD attempting a SOHO SMASHUP, going from the TPLink router to the Canon printer.

Foundry Zero targeting the Lexmark CX331adwe in the Printers category.

Friday, October 27 – 1030

Interrupt Labs targeting the Sonos Era 100 in the Smart Speakers category.

Friday, October 27 – 1130

Team Viettel attempting a SOHO SMASHUP, going from the TPLink router to the Canon printer.

We’ll be publishing results live on the blog as the contest unfolds. We’ll also be posting brief video highlights to Twitter, YouTube, Mastodon, LinkedIn, and Instagram, so follow us on your favorite flavor of social media for the latest news from the event.

Pwn2Own Toronto 2023 - Day One Results

24 October 2023 at 13:28

Welcome to Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Eastern (GMT -4:00).


FAILURE - Peter Geissler was unable to get his exploit of the Canon imageCLASS MF753Cdw working within the time allotted.

SUCCESS - Binary Factory was able to execute their stack-based buffer overflow attack against the Synology BC500. They earn $30,000 and 3 Master of Pwn points.

SUCCESS - Pentest Limited was able to execute their 2-bug chain against the My Cloud Pro Series PR4100 using a DoS and SSRF. They earn $40,000 and 4 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a single-bug attack against the Xiaomi 13 Pro. They earn $40,000 and 4 Master of Pwn points.

SUCCESS - Nguyen Quoc Viet was able to execute a buffer overflow attack against the Canon imageCLASS MF753Cdw. He earns $20,000 and 2 Master of Pwn points.

SUCCESS - Synacktiv was able to execute a 3-bug chain against the Synology BC500. They earn $15,000 and 3 Master of Pwn points.

SUCCESS - Team Orca of Sea Security was able to execute a 2-bug chain using an OOB Read and UAF against the Sonos Era 100. They earn $60,000 and 6 Master of Pwn points.

SUCCESS - Team ECQ was able to execute a 3-bug chain using an SSRF and two injection vulnerabilities against the QNAP TS-464. They earn $40,000 and 4 Master of Pwn points.

BUG COLLISION - Compass Security was able to execute their stack overflow attack against the Synology BC500. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

SUCCESS - "Ben" was able to execute a stack-based buffer overflow against the Canon imageCLASS MF753Cdw. He earns $10,000 and 2 Master of Pwn points.

SUCCESS - Pentest Limited was able to execute an Improper Input Validation against the Samsung Galaxy S23. They earn $50,000 and 5 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a 2-bug chain against the QNAP TS-464. They earn $20,000 and 4 Master of Pwn points.

SUCCESS - Team PHPHooligans were able to execute a memory corruption bug leading to RCE against the Lexmark CX331adwe. They earn $20,000 and 2 Master of Pwn points.

SUCCESS - STAR Labs SG was able to execute a 2-bug chain including directory traversal and command injection against the QNAP TS-464. They earn $20,000 and 4 Master of Pwn points.

FAILURE - Interrupt Labs was unable to get their exploit of the Lexmark CX331adwe working within the time allotted.

SUCCESS - NCC Group was able to execute their attack against the Xiaomi 13 Pro. They earn $20,000 and 4 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a stack-based buffer overflow attack against the Canon imageCLASS MF753Cdw. They earn $10,000 and 2 Master of Pwn points.

SUCCESS - STAR Labs SG was able to exploit a permissive list of allowed inputs against the Samsung Galaxy S23. They earn $25,000 and 5 Master of Pwn points.

BUG COLLISION - Thales was able to execute their attack against the QNAP TS-464. However, the exploit they used was previously known. They still earn $12,500 and 2.5 Master of Pwn points.

BUG COLLISION - R-sec was able to execute their stack buffer overflow attack against the Canon imageCLASS MF753Cdw. However, the exploit they used was previously known. They still earn $2,500 and 0.5 Master of Pwn points.


That’s a wrap for Day 1 of Pwn2Own Toronto 2023 – we’ve already awarded over $400,000 in prizes! We’ll be back tomorrow with another full day of attempts, so follow along on Twitter, YouTube, Mastodon, LinkedIn, and Instagram.

Pwn2Own Toronto 2023 - Day Two Results

25 October 2023 at 13:26

Welcome to Day 2 of Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Eastern (GMT -4:00).


SUCCESS - Team Viettel was able to execute an OOB write against the Sonos Era 100. They earn $30,000 and 6 Master of Pwn points.

SUCCESS - Chris Anastasio was able to exploit a bug in the TP-Link Omada Gigabit Router and another in the Lexmark CX331adwe. He earns $100,000 and 10 Master of Pwn points.

BUG COLLISION - Bugscale was able to execute their stack-based buffer overflow attack against the Synology BC500. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

SUCCESS - A DEVCORE Intern was able to execute a stack overflow attack against the TP-Link Omada Gigabit Router and exploit two bugs in the QNAP TS-464. They earn $50,000 and 10 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a stack-based buffer overflow attack against the HP Color LaserJet Pro MFP 4301fdw. They earn $20,000 and 2 Master of Pwn points.

WITHDRAWAL - Peter Geissler withdrew his attempt to target the Wyze Cam v3.

WITHDRAWAL - Eason Liu withdrew his attempt to target the Xiaomi 13 Pro.

BUG COLLISION - Interrupt Labs was able to execute their stack-based buffer overflow attack against the Canon imageCLASS MF753Cdw. However, the exploit they used was previously known. They still earn $2,500 and 0.5 Master of Pwn points.

BUG COLLISION - SAFA ex Teamt5 was able to execute their stack-based buffer overflow attack against the Synology BC500. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

SUCCESS - Team Orca of Sea Security was able to execute their attack with one bug against the Synology RT6600ax and a three-bug chain against the QNAP TS-464 for the SOHO Smashup. They earn $50,000 and 10 Master of Pwn points.

BUG COLLISION - The VNG Security Response Center was able to execute a 2-bug chain against the QNAP TS-464. However, the exploit they used was previously known. They still earn $5,000 and 1 Master of Pwn point.

BUG COLLISION - Sina Kheirkhah was able to execute an RCE attack against the Synology BC500. However, the exploit he used was previously known. He still earns $3,750 and 0.75 Master of Pwn points.

SUCCESS - Sonar was able to execute a command injection against the Wyze Cam v3. They earn $30,000 and 3 Master of Pwn points.

BUG COLLISION - SEFCOM T0 was able to execute a command injection against the Wyze Cam v3. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

WITHDRAWAL - Peter Geissler withdrew his attempt to target the QNAP TS-464.

WITHDRAWAL - Chris Anastasio withdrew his attempt to target the Lexmark CX331adwe.

SUCCESS - Interrupt Labs was able to execute an improper input validation attack against the Samsung Galaxy S23. They earn $25,000 and 5 Master of Pwn points.

FAILURE - Nettitude was unable to get their exploit of the Canon imageCLASS MF753Cdw working within the time allotted.

SUCCESS - ToChim was able to exploit a permissive list of allowed inputs against the Samsung Galaxy S23. They earn $25,000 and 5 Master of Pwn points.

SUCCESS - ANHTUD was able to execute a stack-based buffer overflow attack against the Canon imageCLASS MF753Cdw. They earn $10,000 and 2 Master of Pwn points.


That’s a wrap for Day 2 of Pwn2Own Toronto 2023 – we’ve awarded a total of $801,250 so far this week! We’ll be back tomorrow with another full day of attempts, so follow along on Twitter, YouTube, Mastodon, LinkedIn, and Instagram.

Pwn2Own Toronto 2023 - Day Three Results

26 October 2023 at 13:17

Welcome to Day 3 of Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Eastern (GMT -4:00).


FAILURE - The DEVCORE Intern was unable to get their exploit of the Canon imageCLASS MF753Cdw working within the time allotted.

BUG COLLISION - Interrupt Labs was able to execute an RCE attack against the Synology BC500. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

FAILURE - Team Orca of Sea Security was unable to get their exploit of the Xiaomi 13 Pro working within the time allotted.

WITHDRAWAL - ToChim withdrew their attempt to target the Xiaomi 13 Pro.

BUG COLLISION - Claroty was able to execute a 4-bug chain against the TP-Link Omada Gigabit Router and Synology BC500 for the SOHO Smashup. However, one of the bugs they used was previously known. They still earn $40,750 and 8.25 Master of Pwn points.

SUCCESS - STEALIEN executed a stack-based buffer overflow attack against the Wyze Cam v3 resulting in a root shell. They earn $15,000 and 3 Master of Pwn Points.

SUCCESS - Rafal Goryl used a 2-bug chain to exploit the Wyze Cam v3 and gain a root shell. He earns $15,000 and 3 Master of Pwn Points.

BUG COLLISION - Team Orca of Sea Security was able to execute their attack against the Samsung Galaxy S23. However, the bug they used was previously known. They still earn $6,250 and 1.25 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a stack-based buffer overflow attack leading to RCE against the Lexmark CX331adwe. They earn $10,000 and 2 Master of Pwn points.

FAILURE - Interrupt Labs was unable to get their exploit of the Xiaomi 13 Pro working within the time allotted.

SUCCESS - Synacktiv was able to execute a heap-based buffer overflow in the kernel triggered via WiFi and leading to RCE against the Wyze Cam v3. They earn $15,000 and 3 Master of Pwn points.

WITHDRAWAL - ANHTUD withdrew their attempt to target the Xiaomi 13 Pro.

BUG COLLISION - Sina Kheirkhah was able to exploit a stack-based buffer overflow and a missing authentication for critical function against the TP-Link Omada Gigabit Router and the Lexmark CX331adwe for the SOHO Smashup. However, one of the bugs he used was previously known. He still earns $31,250 and 6.25 Master of Pwn points.


That’s a wrap for Day 3 of Pwn2Own Toronto 2023 – total prize payout is now $938,250! We’ll be back tomorrow with our last few attempts to see if we can break $1 million in prizes. Follow along on Twitter, YouTube, Mastodon, LinkedIn, and Instagram.

Pwn2Own Toronto 2023 - Day Four Results

27 October 2023 at 13:31

The contest has wrapped, and we awarded $1,038,500 during the event for 58 unique 0-days. These bugs have been disclosed to the vendors, who now have 90 days to produce a patch. Congratulations to Team Viettel for winning Master of Pwn with $180,000 and 30 points. Our thanks goes out to the contestants and vendors for participating, and special thanks to Google and Synology for co-sponsoring the contest.


Welcome to the final day of Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. All times are Eastern (GMT -4:00).

FAILURE - Foundry Zero was unable to get their exploit of the Lexmark CX331adwe working within the time allotted.

BUG COLLISION - ANHTUD was able to execute a 2-bug chain of stack-based buffer overflows against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. However, one of the bugs they used was previously known. They still earn $31,250 and 6.25 Master of Pwn points.

BUG COLLISION - Interrupt Labs was able to execute a 2-bug chain including a UAF and integer underflow against the Sonos Era 100. However, one of the bugs they used was previously known. They still earn $18,750 and 3.75 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a heap-based buffer overflow and a stack-based buffer overflow against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. They earn $50,000 and 10 Master of Pwn points.

The November 2023 Security Update Review

14 November 2023 at 18:36

It’s the penultimate second Tuesday of 2023, and Microsoft and Adobe have released their latest security patches into the crisp, fall air. Take a break from your scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Adobe Patches for November 2023

For November, Adobe released 14 bulletins addressing 76 CVEs in Adobe Acrobat and Reader, ColdFusion, Audition, Premiere Pro, After Effects, Media Encoder, Dimension, Animate, InCopy, InDesign, RoboHelp, FrameMaker Publishing Server, Bridge, and Photoshop. A total of 54 of these bugs came through the ZDI program, with most attributed to ZDI vulnerability researcher Mat Powell. The patch for Acrobat and Reader is the largest with 17 CVEs, and likely the most important since it is often targeted in phishing campaigns. The update for ColdFusion contains three Critical-rated CVEs and should also be at the top of your test and deployment list. The update for Audition is quite large, with nine total CVEs addressed. The After Effects update is just behind it with eight CVEs receiving fixes.

The Photoshop patch should also be prioritized. It contains six fixes and could allow code execution when opening a specially crafted file. That’s also true for the Premiere Pro update. Both of those applications often rely on Media Encoder, and it gets five patches this month as well. The patch for InDesign includes seven CVEs, but the most severe is only rated Important. The update for RoboHelp includes five CVEs – four of which are rated Critical. If you use that tool to author your technical content, definitely test and deploy the patch quickly. The fix for Adobe Bridge contains three Moderate-rated CVEs. The fixes for InCopy and the FrameMaker Publishing Server both fix a single Critical-rated CVE, while the patches for Dimension and Animate both correct a single Important-rated CVE.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for November 2023

This month, Microsoft released 63 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET and .NET Framework; Azure; Mariner; Microsoft Edge (Chromium-based); Visual Studio; and Windows Hyper-V. A total of five of these CVEs were reported through the ZDI program. In addition to the new CVEs, multiple Chromium bugs and other externally reported CVEs are being incorporated into the release, bringing the total number of CVEs to 78.

Of the new patches released today, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. This is one of the smallest monthly releases Microsoft has done this year, although the total CVEs to date are right at 2021 levels with a month more to go. It will be interesting to see what patches come out of Microsoft in December.

Three of the CVEs released today are listed as under active attack at the time of release and a total of three CVEs are listed as publicly known. It seems the “Hot 0-day Summer” lasts into the fall. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-       CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability
This bug allows a privilege escalation through the Windows Desktop Manager (DWM) and is listed as being under active attack. Microsoft doesn’t provide any indication of how widespread the attacks are at this point, but these types of exploits typically begin with small outbreaks before spreading wider. An attacker who uses this can gain SYSTEM privileges, which is why these types of bugs are often paired with some form of code execution bug to compromise a system.

-       CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
This is another privilege escalation bug under active attack, and just like the DWM bug, exploitation leads to SYSTEM privileges. This driver is used for managing and facilitating the operations of cloud-stored files. It’s loaded by default on just about every version of Windows, so it provides a broad attack surface. Again, this bug is likely being paired with a code execution bug in attacks. Definitely test and deploy this update quickly.

-       CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the final bug listed as under active attack this month, but this is a bypass rather than a privilege escalation. An attack that exploits this bug would be able to bypass Windows Defender SmartScreen checks and other prompts. That means this bug is likely being used in conjunction with an exploit that normally would be stopped by SmartScreen. I suspect this is being used by a phishing campaign to evade user prompts that would prevent – or at least warn about – opening a malicious document.

-       CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
With a CVSS of 9.8, this is the highest-rated bug for the month, and it deserves the rating. It would allow a remote, unauthenticated attacker to execute code with elevated privileges without user interaction. The good news here is that this is only true for systems where the Windows message queuing service is running in a PGM Server environment. There shouldn’t be a lot of those out there, but if you are one of them, definitely test and apply this update quickly.

Here’s the full list of CVEs released by Microsoft for November 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-36033 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 Yes Yes EoP
CVE-2023-36036 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-36025 Windows SmartScreen Security Feature Bypass Vulnerability Important 8.8 No Yes SFB
CVE-2023-36038 ASP.NET Core Denial of Service Vulnerability Important 8.2 Yes No DoS
CVE-2023-36413 Microsoft Office Security Feature Bypass Vulnerability Important 6.5 Yes No SFB
CVE-2023-36052 Azure CLI REST Command Information Disclosure Vulnerability Critical 8.6 No No Info
CVE-2023-36400 Windows HMAC Key Derivation Elevation of Privilege Vulnerability Critical 8.8 No No EoP
CVE-2023-36397 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-36049 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability Important 7.6 No No EoP
CVE-2023-36558 ASP.NET Core - Security Feature Bypass Vulnerability Important 6.2 No No SFB
CVE-2023-36560 ASP.NET Security Feature Bypass Vulnerability Important 8.8 No No SFB
CVE-2023-36437 Azure DevOps Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36392 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36031 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2023-36410 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2023-36016 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 6.2 No No XSS
CVE-2023-36030 Microsoft Dynamics 365 Sales Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2023-36024 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2023-36027 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2023-36041 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36037 Microsoft Excel Security Feature Bypass Vulnerability Important 7.8 No No SFB
CVE-2023-36439 † Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36035 Microsoft Exchange Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2023-36039 Microsoft Exchange Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2023-36050 Microsoft Exchange Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2023-38151 Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36428 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36045 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36021 Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2023-36028 Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2023-36401 Microsoft Remote Registry Service Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36423 Microsoft Remote Registry Service Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36007 Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2023-38177 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 6.1 No No RCE
CVE-2023-36719 Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2023-36402 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36422 Microsoft Windows Defender Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-24023 * Mitre: CVE-2023-24023 Bluetooth Vulnerability Important Unknown No No Spoofing
CVE-2023-36043 † Open Management Infrastructure Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36018 Visual Studio Code Jupyter Extension Spoofing Vulnerability Important 7.8 No No Spoofing
CVE-2023-36042 Visual Studio Denial of Service Vulnerability Important 6.2 No No DoS
CVE-2023-36046 Windows Authentication Denial of Service Vulnerability Important 7.1 No No DoS
CVE-2023-36047 Windows Authentication Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36424 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36396 Windows Compressed Folder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36395 Windows Deployment Services Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36425 Windows Distributed File System (DFS) Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36407 Windows Hyper-V Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36408 Windows Hyper-V Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36427 Windows Hyper-V Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36406 Windows Hyper-V Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36705 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36403 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36405 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36404 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36398 Windows NTFS Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36017 Windows Scripting Engine Memory Corruption Vulnerability Important 8.8 No No RCE
CVE-2023-36394 Windows Search Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36399 Windows Storage Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2023-36393 Windows User Interface Application Core Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36014 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate 7.3 No No RCE
CVE-2023-36034 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate 7.3 No No RCE
CVE-2023-36022 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate 6.6 No No RCE
CVE-2023-36029 Microsoft Edge (Chromium-based) Spoofing Vulnerability Moderate 4.3 No No Spoofing
CVE-2023-5480 * Chromium: CVE-2023-5480 Inappropriate implementation in Payments High N/A No No RCE
CVE-2023-5482 * Chromium: CVE-2023-5482 Insufficient data validation in USB High N/A No No RCE
CVE-2023-5849 * Chromium: CVE-2023-5849 Integer overflow in USB High N/A No No RCE
CVE-2023-5996 * Chromium: CVE-2023-5996 Use after free in WebAudio High N/A No No RCE
CVE-2023-5850 * Chromium: CVE-2023-5850 Incorrect security UI in Downloads Medium N/A No No SFB
CVE-2023-5851 * Chromium: CVE-2023-5851 Inappropriate implementation in Downloads Medium N/A No No RCE
CVE-2023-5852 * Chromium: CVE-2023-5852 Use after free in Printing Medium N/A No No RCE
CVE-2023-5853 * Chromium: CVE-2023-5853 Incorrect security UI in Downloads Medium N/A No No SFB
CVE-2023-5854 * Chromium: CVE-2023-5854 Use after free in Profiles Medium N/A No No RCE
CVE-2023-5855 * Chromium: CVE-2023-5855 Use after free in Reading Mode Medium N/A No No RCE
CVE-2023-5856 * Chromium: CVE-2023-5856 Use after free in Side Panel Medium N/A No No RCE
CVE-2023-5857 * Chromium: CVE-2023-5857 Inappropriate implementation in Downloads Medium N/A No No RCE
CVE-2023-5858 * Chromium: CVE-2023-5858 Inappropriate implementation in WebApp Provider Low N/A No No SFB
CVE-2023-5859 * Chromium: CVE-2023-5859 Incorrect security UI in Picture In Picture Low N/A No No SFB

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates post-installation actions are required to fully address the vulnerability.

There are only two other Critical-rated bugs to discuss, and the first is an information disclosure in the Azure Command-Line Interface (CLI). Info disclosure vulnerabilities rarely get a Critical rating, but this one could reveal plaintext passwords and usernames from log files, so it seems appropriate. The other Critical-rated patch is a privilege escalation in the Windows Hash-based Message Authentication Code (HMAC) that could allow a guest on Hyper-V to execute code on the underlying host OS. Fortunately, this is a local-only attack. However, if one guest can take over the host, they could do anything they wanted to other guest OSes on that server.

Looking at the remaining code execution bugs, the glaring one we all dread is sitting right there – a patch for Exchange Server. The good news here is that an attacker would need to be network adjacent and authenticated. The bad news is that simply installing the patch isn’t enough to be protected from this vulnerability. You will need to follow the post-install steps listed here to enable the Serialized Data Signing feature to be fully protected. Most of the remaining RCE bugs are mostly the typical open-and-own sort in Office and other Windows components. The bug in Azure DevOps reads more like an EoP since it requires an attacker to be authenticated. That’s also the same for the Registry Service, DFS, and SharePoint bugs. The bugs in the Host Integration Server and WDAC require connecting to a malicious database. The bug in Protected Extensible Authentication Protocol (PEAP) is nearly as bad as the PGM bug, but again, it requires a non-default setting. Fortunately, PEAP isn’t used too much these days, but if you have a legacy enterprise, you should not skip this patch.

Moving on to the privilege escalation bugs, most require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. This is even true for the bugs in Hyper-V, although it’s not entirely clear they could all be launched from a guest OS.

There are several spoofing bugs getting addressed this month, and for obvious reasons, the Exchange bugs stand out the most. These were reported by ZDI vulnerability researcher Piotr Bazydlo and act as NTLM relay bugs. One (CVE-2023-36035) results from a failed patch. These bugs do require authentication, but an insider could exploit these to relay NTLM credentials and gain further access. The bugs in Dynamics 365 both occur in the webserver. However, they allow malicious scripts to execute in the victim’s browser. The final spoofing bug in Visual Studio reads more like a privilege escalation as Microsoft states it could allow an attacker to gain high privileges, which include read, write, and delete functionality.

In addition to the one under active attack, there are five other security feature bypass (SFB) bugs getting patches this month. The bug in ASP.NET Core allows attackers to bypass validations on Blazor Server forms. There’s another bug in ASP.NET that would allow the bypass of certain checks designed to prevent an attacker from accessing internal applications on a website. The SFB in Office allows attackers to evade the Office Protected View, while the one in Excel could bypass the Microsoft Office Trust Center external links check. The final SFB for November is in the On-Prem Data Gateway. An attacker could exploit this bug to bypass certificate validation mechanisms and provide arbitrary certificates that do not have proper signatures.

There are just a few information disclosure bugs to discuss, and the majority of these merely result in info leaks consisting of unspecified memory contents. There are two exceptions to this. The bug in Open Management Infrastructure could allow an attacker to access the credentials of privileged accounts stored in trace logs on the machine being monitored by SCOM. Microsoft recommends resetting the passwords of privileged accounts after applying the update. The kernel information disclosure bug would allow attackers to view registry keys they would normally be able to access.

This month’s release includes a handful of fixes for denial-of-service (DoS) bugs. The most intriguing is the bug in the DHCP Server. This could certainly cause quite a disruption to most enterprises. Unfortunately, Microsoft provides no additional information about the bug. The Windows Authentication could also cause a disruption as it would prevent normal authentication actions from occurring. No substantial information regarding the other DoS bugs is provided by Microsoft.

Lastly, the November release is rounded out by three cross-site scripting (XSS) bugs in Dynamics 365.

No new advisories were released this month.

Looking Ahead

The final Patch Tuesday of 2023 will be on December 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The December 2023 Security Update Review

12 December 2023 at 18:27

It’s the final patch Tuesday of 2023, and Apple, Adobe, and Microsoft have released their latest security offerings. Take a break from your holiday hustle and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Apple Patches for December 2023

Apple kicked off the December release cycle with patches for iOS and iPadOS with eight CVEs. Two of these CVEs in Webkit are reported as being under active attack on iOS versions 16.7.1 and older. If you’re using an older iPhone or iPad, you should definitely update your device immediately. If you’re using a device running iOS 17 and later, you should still update when possible.

Adobe Patches for December 2023

For December, Adobe released nine patches covering a whopping 212 CVEs in Adobe Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, Substance3D After Effects, and Substance3D Designer. Ten of these bugs came through the ZDI program. A total of 186 of these CVEs are in Experience Manager and are all Important-rated cross-site scripting (XSS) bugs. That definitely skews the numbers a bit for this month. Looking beyond that, the patch for After Effects stands out as it is Critical rated and could allow arbitrary code execution. The patches for Illustrator and Substance 3D Sampler are also rated Critical and could result in arbitrary code execution.

The remaining patches are rated Important or Moderate. The fix for InDesign addressed a denial of service and a memory leak. The Dimension update corrects four memory leaks, all reported by ZDI’s Mat Powell. The patch for Substance 3D Stager fixes two different out-of-bounds (OOB) Read bugs. The Substance 3D Designer update addresses a single Critical-rated OOB Write and three OOB Read bugs. The final Adobe patch for December is a fix for Prelude that corrects a single memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for December 2023

This month, Microsoft released a scant 33 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; Microsoft Edge (Chromium-based); Windows Defender; Windows DNS and DHCP server; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 42.

Of the new patches released today, four are rated Critical and 29 are rated Important in severity. The December release is typically small, and this month is no exception. In fact, this is the lightest release since December 2017. Still, with over 900 CVEs addressed this year, 2023 has been one of the busiest years for Microsoft patches.

None of the CVEs released today are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with an impactful bug in the MSHTML engine:

-       CVE-2023-35628 – Windows MSHTML Platform Remote Code Execution Vulnerability
This patch corrects a bug that could allow a remote, unauthenticated attacker to execute arbitrary code on affected systems just by sending a specially crafted e-mail to the target. This usually means the Preview Pane is an attack vector, but that’s not the case here. Instead, the code execution occurs when Outlook retrieves and processes the mail, which occurs BEFORE the Preview Pane. No doubt ransomware gangs will attempt to create a reliable exploit for this vulnerability. They may run into some problems as exploitation does require memory-shaping techniques.

-       CVE-2023-36019 – Microsoft Power Platform Connector Spoofing Vulnerability
This is the highest-rated CVSS this month at 9.6 and acts more like a code execution bug than a spoofing bug. The vulnerability exists on the web server. However, if an affected system follows a specially crafted link, a malicious script will execute on the client’s browser. Microsoft also notified affected users of this bug via the Microsoft 365 Admin Center. If you’re running the Admin Center, be sure to read the bulletin for full details.

-       CVE-2023-35636 – Microsoft Outlook Information Disclosure Vulnerability
This Outlook bug does not have a Preview Pane attack vector. However, if exploited, the vulnerability allows the disclosure of NTLM hashes. These hashes could be used to spoof other users and gain further access within an enterprise. Earlier this year, Microsoft called a similar bug Elevation of Privilege (EoP) rather than Info Disclosure. Regardless of how you categorize it, threat actors find these types of bugs enticing and use them frequently.  

Here’s the full list of CVEs released by Microsoft for December 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-35641 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-35630 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-36019 † Microsoft Power Platform Connector Spoofing Vulnerability Critical 9.6 No No Spoofing
CVE-2023-35628 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-35624 Azure Connected Machine Agent Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2023-35625 Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability Important 2.5 No No Info
CVE-2023-35638 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-35643 DHCP Server Service Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36012 DHCP Server Service Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2023-35642 Internet Connection Sharing (ICS) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-36391 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36010 Microsoft Defender Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36020 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2023-35621 Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-35639 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-35619 Microsoft Outlook for Mac Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2023-35636 Microsoft Outlook Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-35629 Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2023-36006 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36009 Microsoft Word Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36011 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35631 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35632 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35634 Windows Bluetooth Driver Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36696 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-35622 Windows DNS Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2023-36004 Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2023-35635 Windows Kernel Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2023-35633 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-21740 Windows Media Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-35644 Windows Sysmain Service Elevation of Privilege Important 7.8 No No EoP
CVE-2023-36005 Windows Telephony Server Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2023-36003 XAML Diagnostics Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2023-20588 * AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice Important N/A Yes No Info
CVE-2023-6508 * Chromium: CVE-2023-6508 Use after free in Media Stream High N/A No No RCE
CVE-2023-6509 * Chromium: CVE-2023-6509 Use after free in Side Panel Search High N/A No No RCE
CVE-2023-6510 * Chromium: CVE-2023-6510 Use after free in Media Capture Medium N/A No No RCE
CVE-2023-6511 * Chromium: CVE-2023-6511 Inappropriate implementation in Autofill Low N/A No No SFB
CVE-2023-6512 * Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI Low N/A No No SFB
CVE-2023-35618 * Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Moderate 9.6 No No EoP
CVE-2023-36880 * Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Low 6.5 No No Info
CVE-2023-38174 * Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Low 4.3 No No Info

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.


There are only two other Critical-rated bugs to discuss, and both deal with the Internet Connection Sharing (ICS) service. This isn’t enabled by default and is rarely used, but if you are using it, code execution could occur when a network-adjacent attacker sends a specially crafted packet to an affected server.

Moving on to the other code execution bugs, two require connecting to a malicious SQL server to gain code execution. Two of the other RCE bugs are much more interesting. The bug in the USBHUB requires physical access, even though Microsoft lists this as a Remote Code Execution bug. It reads like plugging in a specially crafted USB driver could result in code execution. The vulnerability in the Bluetooth driver requires the attacker to be in close physical proximity but only requires the attacker to send and receive radio transmissions to exploit.

There are 10 EoP patches in this month’s release, and all but two of them require an attacker to run a specially crafted program on an affected system and lead to executing code at SYSTEM level. The bug in the Telephony server is only slightly different as it results in code execution at “NT AUTHORITY\Network Service” level. The vulnerability in the Azure Connected Machine Agent requires several preconditions – mainly a non-admin local user with the privileges to create symlinks. An attacker who exploits this bug could add symlinks and cause arbitrary file deletions as SYSTEM.

Looking at the information disclosure bugs in this release, the majority of these merely result in info leaks consisting of unspecified memory contents. The bug in the Azure Machine Learning Compute Instance is an exception as it discloses Azure Machine Learning (ML) training data associated with user accounts. The final information disclosure bug resides in Word and could allow an attacker to read data from the file system.

This month also brings three fixes for Spoofing bugs. The fix for Outlook for Mac addresses a bug that could allow a user to mistakenly trust a signed e-mail message as if it came from a legitimate user. The vulnerability in Windows DPAPI requires a machine-in-the-middle (MitM) between a domain controller and the target, but Microsoft doesn’t detail what sort of spoofing an attacker could do if they are in the correct position to intercept the transmission. Microsoft also provides no details about the spoofing vulnerability in the Windows DNS server, but considering the importance of DNS, I certainly wouldn’t ignore this fix.

There are only five DoS bugs in the release, and Microsoft provides no additional details about four of them. The DoS vulnerability in the Windows kernel will crash the OS if an authenticated user opens a specially crafted file or browses to that file on a network share while on an affected system.

Finally, the December release is rounded out by a single cross-site scripting (XSS) bug in Dynamics 365.

No new advisories were released this month.

Looking Ahead

The first Patch Tuesday of 2024 will be on January 9, and I’ll return with details and patch analysis then. Until then, merry christmahanakwanzika, stay safe, happy patching, and may all your reboots be smooth and clean!

Looking Back at the ZDI Activities from 2023

4 January 2024 at 17:14

We’ve successfully orbited our star once more and are full throttle into the new year. Before we roll too fast into 2024, let’s pause for a moment and look back at some of the highlights of the past year.

A Year of Pwn2Own Competitions

Back in January, we announced our first-ever Pwn2Own Automotive competition in Tokyo, and now we’re just a couple of weeks from that event. We already have several registrations, so I can’t wait to see what exploits researchers put on display.

In February, we held Pwn2Own Miami, which focuses on industrial control systems (ICS) and SCADA targets. During that event, we saw the debut of ChatGPT in the competition. We also awarded over $150,000 for 27 unique 0-day vulnerabilities.

In March, we returned to Vancouver for the original edition of Pwn2Own. The highlight of the event saw the team from Synacktiv exploit the Tesla Model 3 head unit on their way to winning $350,000 (and the Tesla Model 3 itself). We used the head unit instead of the car itself because we were concerned the exploits may cause the vehicle to move uncontrollably. Safety first.  In total, we awarded $1,035,000 during the three-day contest.

In October, Pwn2Own Toronto turned its attention to devices commonly found in homes and small offices. We added wired and Wi-Fi cameras to the event this year to see what security problems they may have, and our contestants did not disappoint our curiosity. One team hacked a camera by showing it a QR code. Another was able to exploit any camera provided he knew the MAC address. Probably most impressively, the Synacktiv team returned to target the cameras with a remote attack over Wi-Fi that exploited a kernel buffer overflow. They just needed to be within range of a vulnerable camera to completely control it. We awarded $938,250 in total during the event.

Combine those events, and you’ll find we paid out $2,126,750 for Pwn2Own competitions during 2023. With the Automotive event looking like it will be an exciting show, we’ll likely pay out even more in 2024.

A Few Bugs of Renown

There were so many good bugs in 2023 that it’s hard to narrow it down to just a few. I would be remiss if I didn’t mention the Activation Context Cache Poisoning privilege escalation discovered by ZDI researcher Simon Zuckerbraun. It won a Pwnie Award for Most Under-Hyped Research. There was also ZDI-23-233/CVE-2023-27350. That PaperCut exploit showed why patch management is so important as it caused quite a bit of damage – after the patch was available. But perhaps my favorite bug of the year was found in the Schneider Electric APC Easy UPS Online. ZDI-23-444/CVE-2023-29411 is an authentication bypass. The “system” RMI interface exposes the method `updateManagerPassword(String managerPassword)` which allows an unauthenticated user to update the administrative password without requiring a password. Neat!
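To show the shape of that authentication bypass and what the fix looks like, here is an added, hypothetical Java RMI service (not code from Schneider Electric, APC or the ZDI advisory): the first interface exposes a password update that takes no credential, as the advisory describes, and the hardened variant only honours the update from a session obtained by proving the current password. Every class and method name except updateManagerPassword is invented; it assumes a Java 11+ JDK and that the file is saved as RmiAuthDemo.java.

```java
import java.nio.charset.StandardCharsets;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/** Checked exception so an auth failure crosses the RMI boundary as a declared error. */
class AuthenticationException extends Exception {
    AuthenticationException(String msg) { super(msg); }
}

/** Hypothetical interface shaped like the bug description: no credential parameter at all. */
interface VulnerableSystem extends Remote {
    void updateManagerPassword(String managerPassword) throws RemoteException;
}

/** Hardened shape: a session token, issued only after the current password is proven, is required. */
interface HardenedSystem extends Remote {
    byte[] login(String currentPassword) throws RemoteException, AuthenticationException;
    void updateManagerPassword(byte[] sessionToken, String newPassword)
            throws RemoteException, AuthenticationException;
}

class VulnerableSystemImpl implements VulnerableSystem {
    String managerPassword = "initial";
    public void updateManagerPassword(String managerPassword) {
        this.managerPassword = managerPassword; // nothing checks who is calling
    }
}

class HardenedSystemImpl implements HardenedSystem {
    private byte[] passwordHash;
    private byte[] activeToken;          // single-session demo; real code would track expiry
    private final SecureRandom rng = new SecureRandom();

    HardenedSystemImpl(String initialPassword) { passwordHash = hash(initialPassword); }

    // Unsalted SHA-256 keeps the demo short; a real service would use a password KDF.
    static byte[] hash(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public synchronized byte[] login(String currentPassword) throws AuthenticationException {
        // MessageDigest.isEqual compares in constant time, so the check does not leak via timing
        if (!MessageDigest.isEqual(passwordHash, hash(currentPassword)))
            throw new AuthenticationException("bad password");
        activeToken = new byte[32];
        rng.nextBytes(activeToken);
        return activeToken.clone();
    }

    public synchronized void updateManagerPassword(byte[] sessionToken, String newPassword)
            throws AuthenticationException {
        if (activeToken == null || !MessageDigest.isEqual(activeToken, sessionToken))
            throw new AuthenticationException("not authenticated");
        passwordHash = hash(newPassword);
        activeToken = null; // a password change ends the session that performed it
    }
}

public class RmiAuthDemo {
    public static void main(String[] args) throws Exception {
        VulnerableSystemImpl vulnImpl = new VulnerableSystemImpl();
        HardenedSystemImpl hardImpl = new HardenedSystemImpl("initial");
        // Export both objects on anonymous ports; calls through the returned stubs go over RMI.
        VulnerableSystem vuln = (VulnerableSystem) UnicastRemoteObject.exportObject(vulnImpl, 0);
        HardenedSystem hard = (HardenedSystem) UnicastRemoteObject.exportObject(hardImpl, 0);

        // Vulnerable shape: any caller that can reach the endpoint sets the password.
        vuln.updateManagerPassword("caller-chosen");
        System.out.println("vulnerable: password is now '" + vulnImpl.managerPassword + "', no credential needed");

        // Hardened shape: a guessed token is rejected; a real login is required first.
        try {
            hard.updateManagerPassword(new byte[32], "caller-chosen");
        } catch (AuthenticationException e) {
            System.out.println("hardened: unauthenticated update rejected (" + e.getMessage() + ")");
        }
        byte[] token = hard.login("initial");
        hard.updateManagerPassword(token, "rotated-by-admin");
        System.out.println("hardened: update accepted only after login");

        UnicastRemoteObject.unexportObject(vulnImpl, true);
        UnicastRemoteObject.unexportObject(hardImpl, true);
    }
}
```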

By the Numbers

In 2023, the ZDI published 1,913 advisories – the most ever in the history of the program. This is the fourth year in a row that eclipsed our previous record. While it’s unlikely we’ll keep up a record-breaking pace for a fifth year in a row, it does speak to the overall health of the program. Of course, I said that last year as well. While we do work with people from around the world, our own researchers had their busiest year ever, too. Just over 49.4% of all published advisories were reported by ZDI vulnerability analysts. Here’s how those numbers of advisories stack up year-over-year. 

Coordinated disclosure of vulnerabilities continues to be a priority for our program, and it continues to be a success as well. While 2020 saw our largest percentage of 0-day disclosures, the number declined over the next two years. However, this year saw an increase to 198 cases – just over 10% of the total disclosures.

Here’s a breakdown of advisories by vendor. The top vendors should not surprise many, but it is interesting to see Adobe that far ahead of everyone else. If you exclude the XSS bugs patched in December, our program is responsible for over 78% of Adobe bugs fixed last year. Not too shabby. Of course, Microsoft remains a popular target for our researchers as well. Just over 20% of the bugs patched by the Redmond giant came through the ZDI. D-Link stormed up the charts in 2023 with 176 advisories. And PDF parsing remains a security challenge for vendors beyond just Adobe. Foxit, Kofax, and PDF-XChange all had a significant number of file parsing bugs reported by ZDI.

We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2023, we did just that. A total of 73% of these vulnerabilities were rated Critical or High severity.

When it comes to the types of bugs we’re buying, here’s a look at the top 10 Common Weakness Enumerations (CWEs) from 2023:

It’s interesting to see deserialization bugs crack the top 10. It’s also interesting to see stack-based buffer overflows rank above OOB Write bugs.

Looking Ahead

Moving into the new year, we anticipate staying just as busy – especially in the first quarter. We currently have more than 500 bugs reported to vendors awaiting disclosure. We have Pwn2Own Automotive and Pwn2Own Vancouver just on the horizon. Don’t worry if you can’t attend in person. We’ll be streaming and posting videos of the event to just about every brand of social media available.

We’re also looking to update our website and blog at some point this year. I know – I said that last year as well. When that occurs, I promise you’ll be able to choose between a light and dark theme. We’re aware our website doesn’t look the best on certain platforms. We’ll also be expanding our video offerings, too. I’ll continue offering the Patch Report on Patch Tuesdays and hope to tweak the format a bit in the coming year.

As always, we look forward to refining our outreach and acquisition efforts by further aligning with the risks our customers are facing to ensure the bugs we squash have the biggest impact on our customers and the broader ecosystem. In other words, 2024 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter, Mastodon, LinkedIn, or Instagram for the latest updates from the ZDI.

The January 2024 Security Update Review

9 January 2024 at 18:32

Welcome to the first patch Tuesday of 2024. As expected, Microsoft and Adobe have released their latest security patches. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Adobe Patches for January 2024

For January, Adobe released a single patch addressing six CVEs in Substance 3D Stager. All six bugs are rated Important with the most severe allowing arbitrary code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for January 2024

This month, Microsoft released 49 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; and Internet Explorer. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 53.

Of the new patches released today, two are rated Critical and 47 are rated Important in severity. This release is coincidentally the same number of CVEs addressed in both the January 2019 and January 2020 releases.

None of the CVEs released today are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a security feature bypass in Kerberos:

-       CVE-2024-20674 – Windows Kerberos Security Feature Bypass Vulnerability
This is the highest-rated CVSS for this month and one of the two Critical-rated patches. The bug would allow an unauthenticated attacker to perform a machine-in-the-middle (MitM) that spoofs a Kerberos server. An affected client would receive what they believe to be authentic messages from the Kerberos authentication server. While this would certainly take some setting up, Microsoft does give the bug its highest exploitability index rating (1), which means they expect to see public exploit code within 30 days. Make sure to test and deploy this update quickly.

-       CVE-2024-20700 – Windows Hyper-V Remote Code Execution Vulnerability
This is the other Critical-rated patch for January, although “remote” in this case actually means network adjacent. Microsoft doesn’t provide much of a description beyond that, so it’s not clear how the code execution would occur. However, they do note that neither authentication nor user interaction is required, which makes this vulnerability quite juicy to exploit writers. Although winning a race condition is required for successful exploitation, we’ve seen plenty of Pwn2Own winners use race conditions in their exploits.

-       CVE-2024-0056 – Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
Besides being a mouthful of a title, this SFB bug could allow an MITM attacker to decrypt, read, or modify TLS traffic between an affected client and server. If you happen to be using these data providers, you’ll also need to take additional steps to be fully protected. The bulletin lists the additional NuGet packages you’ll need to load to completely resolve this vulnerability. Microsoft links to an article that claims to provide further information on the steps admins need to take to be protected, but as of now, that link leads nowhere. I’ll update the blog once they update the link to something relevant. Note: Microsoft has updated the link to point to the article here.

CVE Title Severity CVSS Public Exploited Type
CVE-2024-20700 Windows Hyper-V Remote Code Execution Vulnerability Critical 7.5 No No RCE
CVE-2024-20674 Windows Kerberos Security Feature Bypass Vulnerability Critical 9 No No SFB
CVE-2024-0057 .NET and Visual Studio Framework Security Feature Bypass Vulnerability Important 8.4 No No SFB
CVE-2024-20672 .NET Core and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21312 .NET Framework Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21319 Microsoft Identity Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2024-20676 Azure Storage Mover Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2024-20666 BitLocker Security Feature Bypass Vulnerability Important 6.6 No No SFB
CVE-2024-21305 Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2024-20652 Internet Explorer Security Feature Bypass Vulnerability Important 7.5 No No SFB
CVE-2024-20687 Microsoft AllJoyn API Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-21306 Microsoft Bluetooth Driver Spoofing Vulnerability Important 5.7 No No Spoofing
CVE-2024-20653 Microsoft Common Log File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20692 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2024-20661 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2024-20660 Microsoft Message Queuing Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-20664 Microsoft Message Queuing Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-21314 Microsoft Message Queuing Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2024-20654 Microsoft ODBC Driver Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2024-20677 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-20655 Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2024-21318 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-20658 Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-0056 † Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability Important 8.7 No No SFB
CVE-2022-35737 * MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow Important 7.5 No No RCE
CVE-2024-21307 Remote Desktop Client Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2024-20656 Visual Studio Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20683 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20686 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21310 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20694 Windows CoreMessaging Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-21311 Windows Cryptographic Services Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-20682 Windows Cryptographic Services Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-20657 Windows Group Policy Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-20699 Windows Hyper-V Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2024-20698 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21309 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-20696 Windows Libarchive Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2024-20697 Windows Libarchive Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2024-20680 Windows Message Queuing Client (MSMQC) Information Disclosure Important 6.5 No No Info
CVE-2024-20663 Windows Message Queuing Client (MSMQC) Information Disclosure Important 6.5 No No Info
CVE-2024-20690 Windows Nearby Sharing Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2024-20662 Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability Important 4.9 No No Info
CVE-2024-21316 Windows Server Key Distribution Service Security Feature Bypass Important 6.1 No No SFB
CVE-2024-20681 Windows Subsystem for Linux Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21313 Windows TCP/IP Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2024-20691 Windows Themes Information Disclosure Vulnerability Important 4.7 No No Info
CVE-2024-21325 Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2024-21320 Windows Themes Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2024-0222 * Chromium: CVE-2024-0222 Use after free in ANGLE High N/A No No RCE
CVE-2024-0223 * Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE High N/A No No RCE
CVE-2024-0224 * Chromium: CVE-2024-0224 Use after free in WebAudio High N/A No No RCE
CVE-2024-0225 * Chromium: CVE-2024-0225 Use after free in WebGPU High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

 

Moving on to the other code execution bugs, most are of the “open and own” variety, where an attacker must convince a user to open a malicious file or browse to a specially crafted site to get arbitrary code execution. However, a couple of fixes stand out. The first is an RCE in Office through FBX files. Microsoft is taking the unusual step of disabling that file type from being embedded within Office documents. However, they note “3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time.” Here are some additional details about this change. According to Microsoft, you may not need the fix for the Printer Metadata Troubleshooter if you’ve already installed the tool listed in KB5034510. I would still apply the update to ensure the problem is fully addressed. There’s a fix for an RCE in RDP, but it’s in the client, not the server, so that greatly reduces the threat of exploitation. The one Azure-related code execution bug requires specific privileges to be exploited. The SharePoint bug requires authentication, but anyone on the SharePoint site has the privileges needed to exploit it and take over the system. The bug in ODBC requires connecting to a malicious database. The bugs in Libarchive require the attacker to be authenticated as a guest user on the target system. The final RCE fix is in OCSP. This bug requires an authenticated user who has been assigned the “manage online responder” permission, which is typically reserved for privileged users. Still, now may be a good time to audit your domain to confirm which users have this permission.

There are only ten elevation of privilege (EoP) patches in this month’s release, and all but one of them require an attacker to run a specially crafted program on an affected system and lead to executing code at SYSTEM level. These types of bugs are usually paired with a code execution bug in the wild to take over a system. The lone exception is the bug in the Virtual Hard Disk driver, which could allow an attacker to escalate privileges when the kernel processes “.vhdx” files.

Looking at the 11 different information disclosure bugs in this release, the majority merely result in info leaks consisting of unspecified memory contents. There are only two notable exceptions. The first is in the Local Security Authority Subsystem Service (LSASS) and could allow an attacker to gain network secrets when an affected client connects to an AD Domain Controller. Microsoft notes this could be done either by sniffing traffic on a network or by running a malicious script. I don’t expect to see a lot of exploitation of this vulnerability, but it would be an interesting method of lateral movement after an initial compromise. The bug in TCP/IP requires a MitM attacker, but successful exploitation could reveal the unencrypted contents of IPsec packets from other sessions on a server.

In addition to the two I’ve already mentioned, there are five additional SFB patches released this month. The patch for .NET Framework and Visual Studio fixes a bug that could allow an attacker to bypass X.509 certificate validation. That’s similar to the bug in the Windows Server Key Distribution Service. The bug in Hypervisor-Protected Code Integrity (HVCI) is specific to certain Microsoft Surface devices. The vulnerability incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with HVCI enabled. As you would expect, the BitLocker bug allows an attacker to bypass BitLocker’s protections. And you may have thought it was completely gone, but there’s a patch for Internet Explorer that addresses a bug that could allow bypassing zone restrictions.

The January release includes six fixes for denial-of-service (DoS) bugs, but Microsoft does not provide any real information for most of them. The bug in Hyper-V could allow a guest OS to somehow impact other guest OSes on the same hypervisor. 

Lastly, there are four spoofing bugs receiving fixes this month. The bug in the Nearby Sharing feature could be triggered by an attacker with a similarly named machine. I would love to see additional details on this one and find out how close the machine names need to be. The bug in Azure Stack requires clicking a specially crafted URL. User interaction is also required for the Themes bug, but Microsoft notes you can disable NTLM as a mitigation. You’re not actually using NTLM, are you? You can also add a group policy to restrict outgoing NTLM traffic to remote servers. The bug in Bluetooth requires the attacker both to be in close proximity to a target and to have a paired Bluetooth device.
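The outgoing-NTLM restriction mentioned above is a registry-backed security option, so its state can be checked and staged from PowerShell. The script below is an added example, not code from the ZDI post or from Microsoft: it reads the current value of the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” setting, optionally moves it to Audit or Deny, and lists the NTLM client audit events (Event ID 8001) that show what Deny would break. The registry path and the meaning of the values are the documented ones for that policy; the parameter names and the script structure are this example’s own assumptions. Run it elevated. On a domain-joined machine, set the same option through Group Policy instead, because a GPO refresh will overwrite whatever the local registry says.

```powershell
# Added example (not from the ZDI post): inspect and stage the
# "Restrict NTLM: Outgoing NTLM traffic to remote servers" mitigation.
# -Mode and -AllowedServers are this script's own names, not a Microsoft API.
param(
    [ValidateSet('Report', 'Audit', 'Deny')]
    [string]$Mode = 'Report',
    [string[]]$AllowedServers = @()   # hosts that may still receive NTLM in Deny mode
)

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name = 'RestrictSendingNTLMTraffic'
$Meaning = @{
    0 = 'Allow all  (default: the weak setting)'
    1 = 'Audit all  (nothing blocked, Event ID 8001 logged)'
    2 = 'Deny all   (the actual mitigation)'
}

function Get-OutgoingNtlmPolicy {
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $v = 0 }   # value absent == policy "Not Defined" == allow
    [pscustomobject]@{ Value = [int]$v; Meaning = $Meaning[[int]$v] }
}

function Set-OutgoingNtlmPolicy([int]$Value) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
    if ($AllowedServers.Count -gt 0) {
        # Exception list: outbound NTLM is still permitted to these names.
        Set-ItemProperty -Path $Key -Name 'ClientAllowedNTLMServers' `
            -Value $AllowedServers -Type MultiString
    }
}

$before = Get-OutgoingNtlmPolicy
"Before: {0} = {1}" -f $before.Value, $before.Meaning

switch ($Mode) {
    'Audit' { Set-OutgoingNtlmPolicy 1 }
    'Deny'  { Set-OutgoingNtlmPolicy 2 }
}

if ($Mode -ne 'Report') {
    $after = Get-OutgoingNtlmPolicy
    "After:  {0} = {1}" -f $after.Value, $after.Meaning
}

# What Deny would have blocked: outgoing NTLM attempts recorded while in Audit mode.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it with `-Mode Audit` first and leave it for a while; review the 8001 events for legitimate targets, pass those to `-AllowedServers`, and only then switch to `-Mode Deny`. Audit mode records what would be blocked but stops nothing, so it is not a mitigation on its own.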

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2024 will be on February 13, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Pwn2Own Vancouver 2024: Bringing Cloud-Native/Container Security to Pwn2Own

16 January 2024 at 14:52

If you just want to read the contest rules, click here. These rules have been updated as of March 1, 2024, to clarify the registration process and to further define the guest operating systems available in the Virtualization category.

Even though we’re a week out from our first ever Pwn2Own Automotive, it’s time to start thinking ahead to the original Pwn2Own event, which takes place at CanSecWest in Vancouver on March 20-22, 2024. We’re always excited to return to Vancouver for the event, but we are cognizant of the evolution of the event as well. The contest began with a single MacBook, but over the years, it grew to include web browsers, enterprise applications, virtualization solutions, and an automotive category. Last year, we awarded over $1,000,000 in cash and prizes – including a Tesla Model 3. This year, we evolved again by simplifying the Automotive category and adding a Cloud-Native/Container category.

We introduced the Virtualization category back in 2016 because we wanted to see what the state-of-the-art in exploits targeting hypervisors looked like. Many cloud services rely on virtualization, and that was the beginning of bringing “The Cloud™” into Pwn2Own. Since that time, the industry has adopted other cloud-native technologies and made containers a central part of enterprise deployments. Of course, that just makes them a great choice to include in Pwn2Own, and we’re excited to see what exploits contestants bring for these targets.

Of course, we’re also thrilled to have Tesla return as a partner for this year’s event. They continue to innovate and increase the security of their vehicles, and I’m sure they will take the learnings from Pwn2Own Automotive forward to the Vancouver event. We simplified the Automotive category by eliminating the multiple tiers. For this event, we’re focused simply on impact and getting code execution in a target component on the vehicle. For some targets, that may mean you need to get code execution in multiple systems on the way. And no, the awards aren’t cumulative. For example, you may need to exploit the infotainment system on the way to the Autopilot, but you’ll only get the award for the Autopilot.

In addition to the new categories, we’ve added Slack as a target within the Enterprise Communications category. This, along with all the other returning categories, means that we’ll again be offering more than $1,000,000 USD in cash and prizes at this year’s event. All-in-all, it should be a wonderful event with some cutting-edge exploitation on display. Here is a full list of the categories for this year’s event:

-- Web Browser Category
-- Cloud-Native/Container Category
-- Virtualization Category
-- Enterprise Applications Category
-- Server Category
-- Local Escalation of Privilege Category
-- Enterprise Communications Category
-- Automotive Category

Of course, no Pwn2Own competition would be complete without us crowning a Master of Pwn. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could still demonstrate fantastic research but receive less money since subsequent rounds go down in value. However, the points awarded for each unique, successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (instant Platinum status), a killer trophy, and a pretty snazzy jacket to boot.

Let's look at the details of the rules for this year's event.

Web Browser Category

While browsers are the “traditional” Pwn2Own target, we’re continuously tweaking the targets in this category to ensure they remain relevant. We re-introduced renderer-only exploits a couple of years ago, and their reward remains at $60,000. However, if you have that Windows kernel privilege escalation or sandbox escape, that will earn you up to $100,000 or $150,000 respectively. If your exploit works on both Chrome and Edge, it will qualify for the “Double Tap” add-on of $25,000. The Windows-based targets will be running in a VMware Workstation virtual machine. Consequently, all browsers (except Safari) are eligible for a VMware escape add-on. If a contestant can compromise the browser in such a way that also executes code on the host operating system by escaping the VMware Workstation virtual machine, they will earn themselves an additional $80,000 and 8 more Master of Pwn points. Full exploits are still required for Apple Safari and Mozilla Firefox. Here’s a detailed look at the targets and available payouts:

Cloud-Native/Container Category

We’re excited to have this new category for the contest, and we are hopeful our contestants bring their usual stellar research to the event. Of course, you can’t talk containers without mentioning Docker Desktop, and it’s the first target on the list. However, it isn’t alone. The containerd runtime is an industry standard and always popular. Firecracker is our third target, as it is a common choice for creating and managing secure, multi-tenant container and function-based services.

For an attempt to be ruled a success against these three, the exploit must be launched from within the guest container/microVM and execute arbitrary code on the host operating system. The final target in this category is gRPC – a modern open-source high-performance Remote Procedure Call (RPC) framework that can run in any environment.  A success here must leverage a vulnerability in the gRPC code base to obtain arbitrary code execution. Here are the payouts for this category:

Virtualization Category

Some of the highlights for each contest can be found in the Virtualization Category, and we’re thrilled to see what this year’s event could bring with it. As usual, VMware is the main highlight of this category as we’ll have VMware ESXi alongside VMware Workstation as a target with awards of $150,000 and $80,000 respectively. Microsoft also returns as a target and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. Oracle VirtualBox rounds out this category with a prize of $40,000.

There’s an add-on bonus in this category as well. If a contestant can escape the guest OS, then escalate privileges on the host OS through a Windows kernel vulnerability (excluding VMware ESXi), they can earn an additional $50,000 and 5 more Master of Pwn points. That could push the payout on a Hyper-V bug to $300,000. Here’s a detailed look at the targets and available payouts in the Virtualization category:

Enterprise Applications Category

Enterprise applications also return as targets with Adobe Reader and various Office components on the target list once again. This year, we’re also allowing these applications to be run on an M-series MacBook. Prizes in this category run from $50,000 for a Reader exploit with a sandbox escape or a Reader exploit with a kernel privilege escalation to $100,000 for an Office 365 application. Word, Excel, and PowerPoint are all valid targets. Microsoft Office-based targets will have Protected View enabled where applicable. Adobe Reader will have Protected Mode enabled where applicable. Here’s a detailed view of the targets and payouts in the Enterprise Application category:

Server Category

The Server Category for 2024 is trimmed down a bit to focus on the server components we’re most interested in. These servers are often targeted by everyone from ransomware crews to nation-state actors, so we know there are exploits out there for them. The only question is whether we’ll see any of the competitors bring one of those exploits to Pwn2Own. SharePoint was recently exploited in the wild, and part of that exploit chain was demonstrated at last year’s event. Microsoft Exchange has been a popular target for some time, and it returns as a target this year as well with a payout of $200,000. This category is rounded out by Microsoft Windows RDP/RDS, which also has a payout of $200,000. Here’s a detailed look at the targets and payouts in the Server category:

Local Escalation of Privilege Category

This category is a classic for Pwn2Own and focuses on attacks that originate from a standard user and result in executing code as a high-privileged user. A successful entry in this category must leverage a kernel vulnerability to escalate privileges. Ubuntu Desktop, Apple macOS, and Microsoft Windows 11 are the OSes available as targets in this category. 

Enterprise Communications Category

We introduced this category in 2021 to reflect the importance of these tools in our modern, remote workforce, and we were thrilled to see both targets compromised during the contest. This year, we’re expanding the category to include the ever-popular Slack productivity platform with a $25,000 payout. A successful attempt in this category must compromise the target application by communicating with the contestant. Some example communication requests could be audio calls, video conferences, or messages. Both Zoom and Microsoft Teams have a $60,000 award available, so we’re hoping to see more great research in this category.

Automotive Category

Since adding the Automotive Category in 2019, we’ve seen some amazing and creative research displayed – so much so that we expanded to holding a Pwn2Own Automotive event. Still, Vancouver is where this category began, and we’re happy to have Tesla return as a target. As previously mentioned, we’ve streamlined the rules for this category this year, but that doesn’t mean it’s any easier to win. We’ll have both the Tesla Model 3 (Ryzen-based) and Tesla Model S (Ryzen-based) as targets, and we’ll also have the equivalent bench-top unit ready should it be needed. Last year, we conducted all tests on the bench-top unit, as attempting the exploits on the actual vehicle could prove hazardous to bystanders and other vehicles in the area. Here are this year’s awards for the Automotive Category:

Conclusion

The complete rules for Pwn2Own 2024 are found here. They were updated as of March 1, 2024. As always, we encourage entrants to read the rules thoroughly if they choose to participate. If you are thinking about participating but have specific configuration or rule-related questions, email us. Questions asked over X (née Twitter) or other means will not be answered. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. Registration for onsite participation closes at 5 p.m. Pacific Time on March 14, 2024. If you plan on participating remotely, the registration deadline is 5 p.m. Pacific Time on March 12, 2024.

Be sure to stay tuned to this blog and follow us on Twitter, Mastodon, LinkedIn, or Instagram for the latest information and updates about the contest. We look forward to seeing everyone wherever they may be, and we hope someone has a new car to drive home from this year’s Pwn2Own competition.

With special thanks to our Pwn2Own 2024 Partner Tesla

 

©2024 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.

Pwn2Own Automotive 2024 - The Full Schedule

23 January 2024 at 09:20

Welcome to our very first Pwn2Own Automotive – coming to you live from Tokyo and the Automotive World conference. The number of entries has surpassed our expectations, so we expect to award more than $1,000,000 USD for the over 45 entries we have across all categories. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here.

The complete schedule for the contest is below (all times Japan Standard Time [GMT + 9:00]).

Note: All times subject to change

Wednesday, January 24 – 1100

Sina Kheirkhah (@SinSinology) targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

 Rob Blakely from Cromulence (@CromulenceLLC) targeting Automotive Grade Linux in the Operating System category

Wednesday, January 24 – 1130

 The PCAutomotive Team (@PC_Automotive) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1200

 Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1300

 The Synacktiv Team (@synacktiv) targeting the Tesla Modem in the Tesla category

Wednesday, January 24 – 1330

 Katsuhiko Sato (@goroh_kun) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1400

 Sina Kheirkhah (@SinSinology) targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

 NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) targeting the Pioneer DMH-WT7600NEX in the In-Vehicle Infotainment (IVI) category   

Wednesday, January 24 – 1500

 The Synacktiv Team (@synacktiv) targeting the Ubiquiti Connect EV Station in the Electric Vehicle Chargers category

RET2 Systems (@ret2systems) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Wednesday, January 24 – 1530

 Vudq16 (@vudq16) and Q5CA (@_q5ca) from u0K++ (@u0Kplusplus) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category 

Wednesday, January 24 – 1600

 The Midnight Blue (@midnightbluelab) / PHP Hooligans team targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category                 

 Wednesday, January 24 – 1700

 The Synacktiv Team (@synacktiv) targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

 Sina Kheirkhah (@SinSinology) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Wednesday, January 24 – Pwn2Own After Dark

The following attempts will occur after the Automotive World venue has closed. Results will be posted online as they occur.

The Synacktiv Team (@synacktiv) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Gary Li Wang targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Connor Ford (@ByteInsight) of Nettitude targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category  

NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category    

Sina Kheirkhah (@SinSinology) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category      

The Synacktiv Team (@synacktiv) targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Chris Anastasio (@mufinnnnnnn) and Fabius Watson of Team Cluck targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Sina Kheirkhah (@SinSinology) targeting the Pioneer DMH-WT7600NEX in the In-Vehicle Infotainment (IVI) category

 

Thursday, January 25 – 1100

Team Tortuga targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

The Midnight Blue (@midnightbluelab) / PHP Hooligans team targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category 

Thursday, January 25 – 1200

Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps) and Khaled Nassar (@notkmhn) from Computest Sector 7 (@sector7_nl) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Sina Kheirkhah (@SinSinology) targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Thursday, January 25 – 1300

 The Synacktiv Team (@synacktiv) targeting the Tesla Infotainment system with a Sandbox Escape in the Tesla category

Thursday, January 25 – 1330

 NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1400

 The PCAutomotive Team (@PC_Automotive) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Katsuhiko Sato (@goroh_kun) targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1500

 Sina Kheirkhah (@SinSinology) targeting the EMPORIA EV Charger Level 2 in the Electric Vehicle Chargers category

 The Synacktiv Team (@synacktiv) targeting Automotive Grade Linux in the Operating System category

 Thursday, January 25 – 1530

 Le Tran Hai Tung (@tacbliw) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1600

RET2 Systems (@ret2systems) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps) and Khaled Nassar (@notkmhn) from Computest Sector 7 (@sector7_nl) targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Thursday, January 25 – 1700

 Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Alex Olson (Ghada) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Thursday, January 25 – Pwn2Own After Dark

The following attempts will occur after the Automotive World venue has closed. Results will be posted online as they occur.

Sina Kheirkhah (@SinSinology) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

The Midnight Blue (@midnightbluelab) / PHP Hooligans team targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Chris Anastasio (@mufinnnnnnn) and Fabius Watson of Team Cluck targeting Automotive Grade Linux in the Operating System category

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Friday, January 26 – 1100

Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps) and Khaled Nassar (@notkmhn) from Computest Sector 7 (@sector7_nl) targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Connor Ford (@ByteInsight) of Nettitude targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category         

Friday, January 26 – 1200

Katsuhiko Sato (@goroh_kun) targeting the Pioneer DMH-WT7600NEX in the In-Vehicle Infotainment (IVI) category

The Synacktiv Team (@synacktiv) targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Friday, January 26 – 1300

Sina Kheirkhah (@SinSinology) targeting the Ubiquiti Connect EV Station in the Electric Vehicle Chargers category

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category 

Friday, January 26 – 1400

Connor Ford (@ByteInsight) of Nettitude targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category 

Friday, January 26 – 1500

 Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the EMPORIA EV Charger Level 2 in the Electric Vehicle Chargers category

Chris Anastasio (@mufinnnnnnn) and Fabius Watson of Team Cluck targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Friday, January 26 – 1600

Final ceremony and Awarding the Master of Pwn Trophy

Pwn2Own Automotive 2024 - Day One Results

24 January 2024 at 03:00

Welcome to the first ever Pwn2Own Automotive: live from Tokyo January 24-26, 2024! We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Japan Standard Time (GMT +9:00).


SUCCESS - Sina Kheirkhah was able to execute his attack against the ChargePoint Home Flex for $60,000 and 6 Master of Pwn Points.

COLLISION - Rob Blakely from Cromulence successfully executed his attack on Automotive Grade Linux. However, an n-day exploit was used in the attack. He still earns $47,500 and 3.75 Master of Pwn Points.

SUCCESS - The PCAutomotive Team successfully targeted the Alpine Halo9 iLX-F509 with a UAF exploit for $40,000 and 4 Master of Pwn Points.

SUCCESS - Tobias Scharnowski and Felix Buchmann of fuzzware.io executed their attack against the Sony XAV-AX5500 for $40,000 and 4 Master of Pwn Points.

SUCCESS - The Synacktiv Team successfully executed their 3-bug chain against the Tesla Modem. They win $100,000 and 10 Master of Pwn Points.

SUCCESS - Katsuhiko Sato executed his command injection attack against the Alpine Halo9 iLX-F509. As this was a second round win, he wins $20,000 and 4 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Sony XAV-AX5500 working in the time allotted.

SUCCESS - NCC Group EDG executed a 3-bug chain against the Pioneer DMH-WT7600NEX. They earn $40,000 and 4 Master of Pwn Points.

SUCCESS - The Synacktiv Team used a 2-bug chain against the Ubiquiti Connect EV Station. They earn $60,000 and 6 Master of Pwn Points.

SUCCESS - RET2 Systems executed a 2-bug chain against the Phoenix Contact CHARX SEC-3100. They earn $60,000 and 6 Master of Pwn Points.

SUCCESS - The Midnight Blue / PHP Hooligans team executed a stack-based buffer overflow against the Sony XAV-AX5500. They win $20,000 and 4 Master of Pwn Points.

SUCCESS - Vudq16 and Q5CA from u0K++ successfully executed a stack-based buffer overflow against the Alpine Halo9 iLX-F509. They earn $20,000 and 4 Master of Pwn Points.

BUG COLLISION - The Synacktiv Team used a two-bug chain against the ChargePoint Home Flex. However, the exploit they used was previously known. They still earn $16,000 and 3 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.

SUCCESS - Gary Li Wang used a stack-based buffer overflow against the Sony XAV-AX5500. He wins $20,000 and 4 Master of Pwn Points.

SUCCESS - Synacktiv executed a 2-bug chain against the JuiceBox 40 Smart EV Charging Station. They earn $60,000 and 6 Master of Pwn Points.

BUG COLLISION - Connor Ford of Nettitude executed his attack against the ChargePoint Home Flex. However, his 2-bug chain was previously known. He still earns $16,000 and 3 Master of Pwn Points.

BUG COLLISION - Chris Anastasio and Fabius Watson of Team Cluck successfully attacked the ChargePoint Home Flex. However, the bug they used was previously known. They still earn $16,000 and 3 Master of Pwn Points.

SUCCESS - NCC Group EDG exploited an improper input validation bug in the Phoenix Contact CHARX SEC-3100. They earn $30,000 and 6 Master of Pwn Points.

SUCCESS - The Synacktiv team used a 2-bug chain to successfully exploit the Autel MaxiCharger AC Wallbox Commercial. In doing so, they earn $60,000 and 6 Master of Pwn points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the JuiceBox 40 Smart EV Charging Station working in the time allotted.

FAILURE - Unfortunately, Sina Kheirkhah was not able to get his exploit of the Pioneer DMH-WT7600NEX working in the time allotted.


That concludes Day 1 of Pwn2Own Automotive 2024. Check back here and across social media tomorrow for our second day of attempts!

Pwn2Own Automotive 2024 - Day Two Results

25 January 2024 at 02:48

Welcome to Day Two of the first ever Pwn2Own Automotive. We awarded $722,500 yesterday for 24 unique 0-days. Today’s attempts promise to be just as exciting, with another Tesla attempt at 1300 Japan Standard Time (GMT +9). As always, we’ll be updating this blog with results as we have them.


BUG COLLISION - Team Tortuga successfully used a 2-bug chain against the ChargePoint Home Flex. However, the exploit used was previously known. They still earn $15,000 and 3 Master of Pwn Points.

SUCCESS - The Midnight Blue / PHP Hooligans team used a 3-bug chain to exploit the Phoenix Contact CHARX SEC-3100. They earn $30,000 and 6 Master of Pwn Points.

BUG COLLISION - Computest Sector 7 successfully executed their attack against the JuiceBox 40 Smart EV Charging Station. However, the bug they used was previously known. They still earn $15,000 and 3 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Autel MaxiCharger AC Wallbox Commercial working in the time allotted.

SUCCESS - The Synacktiv team used a 2-bug chain to attack the Tesla Infotainment System. They earn $100,000 and 10 Master of Pwn Points.

SUCCESS - NCC Group EDG successfully used a 2-bug chain against the Alpine Halo9 iLX-F509. They earn $20,000 and 4 Master of Pwn Points.

FAILURE - PCAutomotive’s attempt to exploit the JuiceBox 40 Smart EV Charging Station was unsuccessful.

BUG COLLISION - Katsuhiko Sato successfully executed his attack against the Sony XAV-AX5500. However, the bug he used was previously known. He still earns $10,000 and 2 Master of Pwn Points.

SUCCESS - Synacktiv used a 3-bug chain to exploit Automotive Grade Linux. They earn $35,000 and 5 Master of Pwn Points.

SUCCESS - Le Tran Hai Tung used a 2-bug chain against the Alpine Halo9 iLX-F509. He earns $20,000 and 4 Master of Pwn Points.

WITHDRAWN - Sina Kheirkhah withdrew his entry against the EMPORIA EV Charger Level 2. Penalty: -3 Master of Pwn Points.

WITHDRAWN - Team Cluck withdrew their entry against Automotive Grade Linux. Penalty: -2.5 Master of Pwn Points.

SUCCESS / BUG COLLISION - Computest Sector 7’s 2-bug chain against the Autel MaxiCharger AC Wallbox Commercial was a success. However, one of the bugs used was previously known. They still earn $22,500 and 4.5 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Alpine Halo9 iLX-F509 working in the time allotted.

FAILURE - Alex Olson was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.

SUCCESS - fuzzware.io used a 2-bug chain to exploit the ChargePoint Home Flex. They earn $30,000 and 6 Master of Pwn Points.

SUCCESS - The Midnight Blue / PHP Hooligans team used a stack-based buffer overflow to exploit the Autel MaxiCharger AC Wallbox Commercial. They earn $30,000 and 6 Master of Pwn Points.

BUG COLLISION - fuzzware.io used a 2-bug chain to successfully exploit the Alpine Halo9 iLX-F509. However, the exploits used were previously known. They still earn $10,000 and 2 Master of Pwn Points.

SUCCESS - RET2 Systems used a stack-based buffer overflow to exploit the JuiceBox 40 Smart EV Charging Station. They earn $30,000 and 6 Master of Pwn Points.

BUG COLLISION - fuzzware.io used a 2-bug chain to attack the Autel MaxiCharger AC Wallbox Commercial. However, both bugs were previously known. They still earn $15,000 and 3 Master of Pwn Points.


That’s a wrap for Day 2 of Pwn2Own Automotive. We’ve already awarded over $1,000,000 in prizes this week (¥150 million!) Tune back in tomorrow here or across social media for the final day of the contest!

Pwn2Own Automotive 2024 - Day Three Results

26 January 2024 at 02:08

Welcome to the final day of the first ever Pwn2Own Automotive! We’re already over $1 million in prizes awarded, and today’s attempts will keep the wins going. We’ll be updating this blog as well as social media with results in real time. All times are in Japan Standard Time (GMT +9).

SUCCESS - Computest Sector 7 used a 2-bug chain to exploit the ChargePoint Home Flex. They earn $30,000 and 6 Master of Pwn Points.

FAILURE - Connor Ford was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.

SUCCESS - Synacktiv exploited the Sony XAV-AX5500. They earn $20,000 and 4 Master of Pwn Points.

FAILURE - Katsuhiko Sato was not able to get his exploit of the Pioneer DMH-WT7600NEX working in the time allotted.

SUCCESS - Sina Kheirkhah used a 2-bug chain to exploit the Ubiquiti Connect EV. He earns $30,000 and 6 Master of Pwn Points.

SUCCESS / BUG COLLISION - fuzzware.io used a 2-bug chain to exploit the Phoenix Contact CHARX SEC-3100. However, one of the bugs was previously known. They still earn $22,500 and 4.5 Master of Pwn Points.

SUCCESS - Connor Ford of Nettitude used a stack-based buffer overflow in his exploit of the JuiceBox 40 Smart EV Charging Station. He earns $30,000 and 6 Master of Pwn Points.

SUCCESS / BUG COLLISION - Team Cluck used a 4-bug chain to exploit the Phoenix Contact CHARX SEC-3100. However, one of the bugs was previously known. They still earn $26,250 and 5.25 Master of Pwn Points.

SUCCESS - fuzzware.io used a buffer overflow to exploit the EMPORIA EV Charger Level 2. They earn $60,000 and 6 Master of Pwn Points.


The first ever Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to Synacktiv, the Masters of Pwn! Stay with us here and across social media as we prepare for Pwn2Own Vancouver in March!

The February 2024 Security Update Review

12 February 2024 at 15:16

It’s the second patch Tuesday of the year, and Adobe and Microsoft have released a fresh crop of security updates just in time to be our Valentine. Take a break from your other activities and join us as we review the details of their latest advisories. For those interested in the Microsoft 0-day discovered by the ZDI Threat Hunting Team, you can watch this special edition of the Patch Report:

If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for February 2024

For February, Adobe released six patches addressing 29 CVEs in Adobe Acrobat and Reader, Commerce, Substance 3D Painter, FrameMaker Publishing Server, Audition, and Substance 3D Designer. A total of four of these bugs were reported through the ZDI program. If you need to prioritize, I would suggest starting with the update for Acrobat and Reader. The patch fixes five Critical-rated arbitrary code execution bugs that are often used in phishing and ransomware campaigns. The fix for Commerce also has a couple of Critical-rated code execution bugs being addressed. Considering this is an aptly named commerce platform, rolling patches quickly here also makes sense.

The updates for Substance 3D Painter and Substance 3D Designer address nine and one bug respectively. The most severe of these would result in arbitrary code execution, but they also require user interaction – something like opening a specially crafted file or browsing to a malicious URL. The patch for the FrameMaker Publishing Server (not to be confused with FrameMaker itself) fixes a security feature bypass (SFB) that’s rated at a CVSS 9.8. Although not specifically stated, that reads like either a complete authentication bypass or hard-coded credentials. The final patch for Adobe Audition corrects a single heap-based buffer overflow that could lead to arbitrary code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for February 2024

This month, Microsoft released 72 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 78. Two of these bugs were reported through the ZDI program, including one of the bugs under active attack.

Of the new patches released today, five are rated Critical, 65 are rated Important, and two are rated Moderate in severity. This is a relatively typical volume of fixes for a February release, and so far, the number of fixes from Adobe and Microsoft is lower than last year over the same time. It will be interesting to see if this trend continues throughout 2024.

Two of these CVEs are listed as under active attack at the time of release, although neither is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the discovery made by the ZDI Threat Hunting team:

-       CVE-2024-21412 – Internet Shortcut Files Security Feature Bypass Vulnerability
This is the bug found by Peter Girnus and the rest of the ZDI Threat Hunting team. I won’t go into great detail about the technical aspects of the bug because my colleagues at Trend Micro Research have already done that here. The video above also provides some context and a demonstration of the vulnerability. This bug is currently targeting forex traders with a remote access trojan through forum posts and responses, but we expect it to spread now that it is publicly known. Trend Micro customers are already protected by various filters and virtual patches, but everyone else should test and deploy this fix as soon as possible.

-       CVE-2024-21351 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the other actively exploited bug being patched this month, and it appears to be very similar to the previous ITW exploit. Windows uses Mark-of-the-Web (MotW) to distinguish files that originate from an untrusted location. SmartScreen bypasses in Windows Defender allow attackers to evade this inspection and run code in the background. Microsoft does not indicate how widespread these attacks may be but you should expect exploits to increase as threat actors add this to their toolkits. Again, test and deploy this update quickly.

-       CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability
*Note: On February 14, Microsoft updated their advisory to indicate this bug is being actively exploited in the wild.
It’s been a minute since we’ve had an Exchange Server patch, and this vulnerability doesn’t disappoint with a CVSS rating of 9.8. A remote, unauthenticated attacker could use this bug to relay NTLM credentials and impersonate other users on the Exchange server. Patching won’t be straightforward either – if there is such a thing as a straightforward patch for Exchange Server. You’ll need to make sure to install the Exchange Server 2019 Cumulative Update 14 (CU14) update and ensure the Extended Protection for Authentication (EPA) feature is enabled. Microsoft has provided this article with additional information for Exchange administrators.

-       CVE-2024-21413 – Microsoft Outlook Remote Code Execution Vulnerability
*Note: On February 14, Microsoft updated their advisory to indicate this bug is being actively exploited in the wild, then they changed the bulletin again and said it wasn’t.

This is an intriguing bug that allows an attacker to bypass the Office Protected View and open a file in editing mode rather than protected mode. Not only does this somehow allow code execution to occur, but it could also occur in the Preview Pane. This vulnerability also rates a CVSS of 9.8, so the severity isn’t being overstated. Also, users of the 32- and 64-bit versions of Office 2016 will need to install multiple updates to fully address this vulnerability. Be sure to close all running Office apps when installing these fixes to help avoid a reboot, which is listed as a “Maybe” for the Office 2016 patches.
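The Mark-of-the-Web mentioned under CVE-2024-21351 is carried by an NTFS alternate data stream named Zone.Identifier, which SmartScreen and Office Protected View consult before opening a downloaded file. The following parser is an added example, not code from ZDI or Microsoft; the sample stream content and the example.invalid URLs are constructed, and the function names are this example's own.

```python
"""Added example (not from the ZDI post): read and interpret the
Zone.Identifier stream that carries Mark-of-the-Web (MotW) on NTFS.
A file without this stream, or with an unparseable one, is treated as
local, which is exactly why MotW removal or bypass matters to SmartScreen."""
from dataclasses import dataclass
from typing import Dict, Optional

# URLZONE values Windows writes into the ZoneId field.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def is_untrusted(self) -> bool:
        # Internet (3) and Restricted Sites (4) are the zones that trigger
        # SmartScreen inspection and Office Protected View.
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style text of a Zone.Identifier stream.

    Returns None when there is no usable [ZoneTransfer] section or the
    ZoneId is not numeric; callers treat None the same as "no MotW".
    """
    in_section = False
    fields: Dict[str, str] = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone_raw = fields.get("zoneid")
    if zone_raw is None or not zone_raw.isdigit():
        return None
    return MarkOfTheWeb(
        zone_id=int(zone_raw),
        referrer_url=fields.get("referrerurl") or None,
        host_url=fields.get("hosturl") or None,
    )


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read the stream via the 'path:Zone.Identifier' syntax on NTFS.

    Any failure to open it (non-NTFS volume, non-Windows OS, missing
    stream, missing file) is reported as None: no Mark-of-the-Web.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def describe(path: str) -> str:
    """One-line verdict a download-triage script could log per file."""
    motw = read_mark_of_the_web(path)
    if motw is None:
        return f"{path}: no Mark-of-the-Web (treated as local)"
    flag = "untrusted" if motw.is_untrusted else "trusted"
    return f"{path}: zone {motw.zone_id} ({motw.zone_name}), {flag}"


# Constructed sample of what a browser download leaves in the stream.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/report.url\r\n"
)

if __name__ == "__main__":
    sample = parse_zone_identifier(SAMPLE_STREAM)
    print(sample, sample.zone_name if sample else None)
    print(describe("report.url"))
```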

Here’s the full list of CVEs released by Microsoft for February 2024:

CVE | Title | Severity | CVSS | Public | Exploited | Type
CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability | Important | 8.1 | No | Yes | SFB
CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate | 7.6 | No | Yes | SFB
CVE-2024-21410 † | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 9.8 | No | Yes | EoP
CVE-2024-21413 † | Microsoft Outlook Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | Critical | 8 | No | No | Info
CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability | Critical | 6.5 | No | No | DoS
CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE
CVE-2024-21386 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-21404 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-21329 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2024-20667 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE
CVE-2024-20679 | Azure Stack Hub Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing
CVE-2024-21394 | Dynamics 365 Field Service Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing
CVE-2024-21396 | Dynamics 365 Sales Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing
CVE-2024-21328 | Dynamics 365 Sales Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing
CVE-2024-21348 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-21349 | Microsoft ActiveX Data Objects Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21381 † | Microsoft Azure Active Directory B2C Spoofing Vulnerability | Important | 6.8 | No | No | Spoofing
CVE-2024-21397 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Important | 5.3 | No | No | EoP
CVE-2024-21403 † | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | Important | 9 | No | No | EoP
CVE-2024-21376 † | Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability | Important | 9 | No | No | RCE
CVE-2024-21315 | Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21395 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 8.2 | No | No | XSS
CVE-2024-21389 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2024-21393 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2024-21327 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2024-21401 † | Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability | Important | 9.8 | No | No | EoP
CVE-2024-21354 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21355 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2024-21405 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2024-21363 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2024-21347 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE
CVE-2024-21384 | Microsoft Office OneNote Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2024-20673 † | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2024-21402 | Microsoft Outlook Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2024-21378 | Microsoft Outlook Remote Code Execution Vulnerability | Important | 8 | No | No | RCE
CVE-2024-21374 | Microsoft Teams for Android Information Disclosure | Important | 5 | No | No | Info
CVE-2024-21353 | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21350 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21352 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21358 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21360 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21361 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21366 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21369 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21375 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21420 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21359 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21365 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21367 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21368 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21370 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21391 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21379 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-50387 * | MITRE: CVE-2023-50387 DNS RRSIGs and DNSKEYs validation can be abused to remotely consume DNS server resources | Important | N/A | No | No | DoS
CVE-2024-20695 | Skype for Business Information Disclosure Vulnerability | Important | 5.7 | No | No | Info
CVE-2024-21304 | Trusted Compute Base Security Feature Bypass Vulnerability | Important | 4.1 | No | No | SFB
CVE-2024-21346 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21406 | Windows Device Metadata Retrieval Client (DMRC) Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing
CVE-2024-21342 | Windows DNS Client Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-21377 | Windows DNS Information Disclosure Vulnerability | Important | 7.1 | No | No | Info
CVE-2024-21345 | Windows Kernel Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2024-21338 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21371 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2024-21340 | Windows Kernel Information Disclosure Vulnerability | Important | 4.6 | No | No | Info
CVE-2024-21341 | Windows Kernel Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE
CVE-2024-21362 | Windows Kernel Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB
CVE-2024-21356 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2024-21343 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS
CVE-2024-21344 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS
CVE-2024-21372 | Windows OLE Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21339 | Windows USB Generic Parent Driver Remote Code Execution Vulnerability | Important | 6.4 | No | No | RCE
CVE-2024-21364 | Microsoft Azure Site Recovery Elevation of Privilege Vulnerability | Moderate | 9.3 | No | No | EoP
CVE-2024-21399 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 8.3 | No | No | RCE
CVE-2024-1059 * | Chromium: CVE-2024-1059 Use after free in WebRTC | High | N/A | No | No | RCE
CVE-2024-1060 * | Chromium: CVE-2024-1060 Use after free in Canvas | High | N/A | No | No | RCE
CVE-2024-1077 * | Chromium: CVE-2024-1077 Use after free in Network | High | N/A | No | No | RCE
CVE-2024-1283 * | Chromium: CVE-2024-1283: Heap buffer overflow in Skia | High | N/A | No | No | RCE
CVE-2024-1284 * | Chromium: CVE-2024-1284: Use after free in Mojo | High | N/A | No | No | RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

Looking at the remaining Critical-rated bugs, the fix for Dynamics Business Central stands out as it could lead to a threat actor accessing other tenants’ applications and content. The attacker must be authenticated, but successful exploitation would grant them read, write, and delete functionality. You don’t see Critical-rated DoS bugs often, but the patch for Hyper-V deserves the rating as a guest OS could impact the Hyper-V host. The vulnerability in Pragmatic General Multicast (PGM) is serious but less likely to be exploited as it requires the attacker to be network adjacent. Multicast messages aren’t routable beyond a single network segment.

Moving on to the other code execution bugs, SQL clients are having a moment with 18 different patches. Thankfully, each of these bugs requires an affected client to connect to a malicious SQL Server, so practical exploitation is unlikely without significant social engineering. It’s the same scenario for the bug in ActiveX, too. The more concerning bugs are in Word and Outlook and have the Preview Pane as an attack vector. Word bugs are typically open-and-own, but having one that hits in the Preview Pane is definitely a rarity. The other RCEs in Office components are more traditional, but CVE-2024-20673 also requires users of the 32- and 64-bit versions of Office 2016 to install multiple updates to be protected. Speaking of extra steps, there are additional actions required to address the bug in the Azure Kubernetes Service. As stated by Microsoft in the bulletin:


Customers who do not have az confcom installed can install the latest version by executing az extension add -n confcom. Customers who are running versions prior to 0.3.3 need to update by executing az extension update -n confcom. For more information, see https://learn.microsoft.com/en-us/cli/azure/extension?view=azure-cli-latest#az-extension-update and Confidential computing plugin for Confidential VMs.


The bug in Azure DevOps requires attackers to have Queue Build permissions. The bug in Microsoft Message Queuing (MSMQ) is written as an “open and own” style bug. This could mean opening an application that uses MSMQ could trigger the bug, but it’s not clear. It’s also not clear how an attacker would get RCE through the USB driver or Windows kernel. One can assume plugging in a malicious USB drive for the former, but the latter is definitely more opaque. Kernel bugs tend to either be privilege escalations or info disclosures. Maybe this is something through SMB?

There are a total of 14 different elevation of privilege (EoP) patches in this month’s release, and most simply result in an authenticated attacker executing code at SYSTEM on a target. There are some notable exceptions, starting with the CVSS 9.8 bug in Entra Jira SSO plugin. A remote, unauthenticated attacker could fully update Entra ID SAML metadata and info for the plugin. The attacker could then change the authentication of the application to their tenant as needed. Patching this requires the admin to download and install version 1.1.2 of the plugin either from the Microsoft Download Center or from Atlassian Marketplace. You also need to take the same steps to address the bug in the Azure Kubernetes Service as are listed above. The escalation in Azure File Sync allows attackers to create files in directories where they shouldn’t have access. They wouldn’t be able to modify or delete existing files. The Moderate-rated (yet somehow CVSS 9.3) bug in Azure Site Recovery could allow an attacker to obtain the MySQL root password – allowing even further compromise. Not sure how that ended up as “Moderate”, but I would treat it as critical if you are running Azure Site Recovery. Finally, the privilege escalation in Outlook simply yields code execution at the level of the user running the application.

There are only a few information disclosure bugs receiving fixes in this month’s release. The bugs in the Windows kernel and DNS server only result in info leaks consisting of unspecified memory contents. The vulnerability in Skype for Business (remember it?) would allow an attacker to view file contents. Microsoft doesn’t specify what information can be disclosed by the bug in Teams for Android, but they do note user interaction is required. You’ll also need to get the update directly from the Android Play Store to be protected from this vulnerability.

In addition to the two I’ve already mentioned, there are two additional SFB patches released this month. The SFB in the kernel allows attackers to bypass the Windows Code Integrity Guard (CIG). The final SFB in Trusted Compute Base could allow an attacker to bypass – you guessed it – Secure Boot.

In addition to those already documented, the February release includes fixes for just over a half dozen denial-of-service (DoS) bugs. However, Microsoft provides no real information or details for them. If I were to guess, I would put the DNS and LDAP bugs at the top of my severity rankings due to their role in the enterprise.

This month’s release also includes six fixes for spoofing bugs. Three of these are in Dynamics 365 and would allow an attacker to modify the content of a link on an affected system to redirect the victim to a malicious site. There’s a fix for the Device Metadata Retrieval Client (DMRC) that addresses a vulnerability triggered when a remote attacker sends a specially crafted packet to an affected system. The final two spoofing bugs are both in Azure. The bug in Azure Stack Hub requires a user to click on a link. The bug in Azure Active Directory requires an attacker to intercept traffic (MitM), but servicing goes beyond just installing a patch. Microsoft rolled out a fix already that includes Proof Key for Code Exchange (PKCE) as outlined here. However, not all customers may have received the update. If you were notified directly via Azure Service Health Alerts under Tracking ID: XXXXXX, you will need to take additional actions.

Finally, there are four cross-site scripting (XSS) bugs in Microsoft Dynamics receiving patches. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2024 will be on March 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The March 2024 Security Update Review

12 March 2024 at 17:29

It’s the second Tuesday of the month, and Adobe and Microsoft have released a fresh crop of security updates. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for March 2024

For March, Adobe released six patches addressing 56 vulnerabilities in Adobe Experience Manager, Premiere Pro, ColdFusion, Adobe Bridge, Lightroom, and Adobe Animate. Two of these bugs were submitted through the ZDI Program. The largest is the update for Experience Manager, which addresses 44 CVEs. However, all but two of these are simple cross-site scripting (XSS) bugs. The fix for Adobe Animate corrects four CVEs. Only one of these CVEs is rated Critical and could lead to arbitrary code execution if a user opens a specially crafted file on an affected system. The other three bugs are all memory leaks resulting from Out-of-Bounds (OOB) Read bugs. The patch for Premiere Pro fixes two Critical-rated bugs that also require user interaction to gain code execution.

For those still running ColdFusion, there’s a single Critical-rated arbitrary file system read bug getting fixed. Adobe also recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. The fix for Adobe Bridge addresses three Critical-rated and one Important-severity bug. The worst could lead to code execution when opening a specially crafted file. The final patch fixes a single code execution bug in Lightroom. Adobe also made the odd decision to stop tweeting when its patches become available and to limit communication to just email subscriptions. Let’s hope they reverse that decision, as many people (myself included) rely on the Twitter feed for notifications.

And with this release, anyone targeting Adobe Reader at next week’s Pwn2Own Vancouver event can breathe a sigh of relief. It seems your exploits won’t be patched before the event.  

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for March 2024

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; Skype; Microsoft Components for Android; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 64. One of these bugs was reported through the ZDI program.

Of the new patches released today, two are rated Critical, and 57 are rated Important in severity. This is a relatively low volume for March, especially considering this is the last patch cycle before the Pwn2Own contest next week. Vendors usually try to patch as much as possible knowing we update all targets to the latest release. Considering Microsoft has several targets in the contest, it’s interesting to see such a small release.

None of the CVEs released today are listed as publicly known or under active attack, but that could change. After the February release, Microsoft revised multiple updates to indicate they were being actively exploited. For now, nothing is listed as in the wild. I’ll update this blog should that change.

Let’s take a closer look at some of the more interesting updates for this month, starting with a Critical-rated Hyper-V bug:

-       CVE-2024-21407 – Windows Hyper-V Remote Code Execution Vulnerability
This is one of the two Critical-rated bugs for this month, and this is the only one that could result in code execution. This vulnerability would allow a user on a guest OS to execute arbitrary code on the host OS. This is often referred to as a guest-to-host escape and could be used to impact other guest OSes on the server. It’s a shame we won’t see this bug get exploited at Pwn2Own next week, where it could have won $250,000. Maybe next year.

-       CVE-2024-26198 – Microsoft Exchange Server Remote Code Execution Vulnerability
It seems there are Exchange patches almost every month now, and March is no different. This bug is a classic DLL loading vulnerability. An attacker places a specially crafted file in a location they control. They then entice a user to open the file, which loads the crafted DLL and leads to code execution. Last month, Microsoft stated the Exchange bug was being actively exploited only after the release. This bug is currently NOT listed as exploited in the wild, but I’ll update this blog should Microsoft change its mind (again).

-       CVE-2024-21334 – Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
This bug rates the highest CVSS rating for this release with a 9.8. It would allow a remote, unauthenticated attacker to execute code on OMI instances on the Internet. It’s not clear how many of these systems are reachable through the Internet, but it’s likely a significant number. Microsoft gives this an “Exploitation less likely” rating, but considering this is a simple Use After Free (UAF) bug on a juicy target, I would expect to see scanning for TCP port 5986 on the uptick soon.

-       CVE-2024-21400 – Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
This bug allows an unauthenticated attacker to access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers. Successful exploitation would allow the attacker to steal credentials and affect other resources. While that’s bad enough, patching won’t be straightforward. Customers must ensure they are running the latest version of “az confcom” and Kata Image. The bulletin contains additional information on the commands needed. Be sure to check it out.

Here’s the full list of CVEs released by Microsoft for March 2024:

CVE | Title | Severity | CVSS | Public | Exploited | Type
CVE-2024-21408 | Windows Hyper-V Denial of Service Vulnerability | Critical | 5.5 | No | No | DoS
CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2024-21392 | .NET and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-26203 | Azure Data Studio Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2024-21421 † | Azure SDK Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing
CVE-2024-21431 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | Important | 7.8 | No | No | SFB
CVE-2023-28746 * | Intel: CVE-2023-28746 Register File Data Sampling (RFDS) | Important | N/A | No | No | Info
CVE-2024-21438 | Microsoft AllJoyn API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-21390 | Microsoft Authenticator Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2024-21400 † | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | Important | 9 | No | No | EoP
CVE-2024-20671 | Microsoft Defender Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB
CVE-2024-26164 | Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21419 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2024-26198 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26201 | Microsoft Intune Linux Agent Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP
CVE-2024-21451 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26159 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21440 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26162 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26199 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-26190 | Microsoft QUIC Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-21426 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2024-21448 † | Microsoft Teams for Android Information Disclosure Vulnerability | Important | 5 | No | No | Info
CVE-2024-21441 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21444 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21450 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26161 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-26166 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21434 Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21446 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21330 Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2024-26204 Outlook for Android Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2024-21411 † Skype for Consumer Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21418 Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26165 Visual Studio Code Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2024-26160 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-26170 Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26185 Windows Compressed Folder Tampering Vulnerability Important 6.5 No No Tampering
CVE-2024-26169 Windows Error Reporting Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21437 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21436 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability Important 7.5 No No SFB
CVE-2024-26181 Windows Kernel Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2024-26182 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26173 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26176 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-26178 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21443 Windows Kernel Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2024-26174 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-26177 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2024-21435 Windows OLE Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2024-21433 Windows Print Spooler Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-26197 Windows Standards-Based Storage Management Service Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2024-21439 Windows Telephony Server Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21432 Windows Update Stack Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-21430 Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability Important 5.7 No No RCE
CVE-2024-21429 Windows USB Hub Driver Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2024-21442 Windows USB Print Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2024-21445 Windows USB Print Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2024-26167 Microsoft Edge for Android Spoofing Vulnerability Unknown 4.3 No No Spoofing
CVE-2024-2173 * Chromium: CVE-2024-2173 Out of bounds memory access in V8 High N/A No No RCE
CVE-2024-2174 * Chromium: CVE-2024-2174 Inappropriate implementation in V8 High N/A No No RCE
CVE-2024-2176 * Chromium: CVE-2024-2176 Use after free in FedCM High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.
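As an added example (not ZDI's or Microsoft's code), the script below parses rows in the whitespace-separated layout of the table above, including the * and † markers and N/A scores, and orders them the way a patch-management team usually triages a release: exploited and public bugs first, then vendor severity, then CVSS, with the † rows that need extra administrative steps called out separately. The sample rows are copied from the table; everything else uses only the Python standard library.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the header and six rows copied from the
# release table above, in its whitespace-separated layout (CVE, optional
# * or † marker, multi-word title, Severity, CVSS, Public, Exploited, Type).
SAMPLE_ROWS = """\
CVE Title Severity CVSS Public Exploited Type
CVE-2024-21407 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2024-21421 † Azure SDK Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2023-28746 * Intel: CVE-2023-28746 Register File Data Sampling (RFDS) Important N/A No No Info
CVE-2024-21400 † Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability Important 9 No No EoP
CVE-2024-21334 Open Management Infrastructure (OMI) Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2024-2173 * Chromium: CVE-2024-2173 Out of bounds memory access in V8 High N/A No No RCE
"""


@dataclass
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]   # None when Microsoft lists the score as N/A
    public: bool
    exploited: bool
    vtype: str
    third_party: bool       # "*": released by a third party, now in MS releases
    admin_action: bool      # "†": further administrative action required


def parse_row(line: str) -> Entry:
    """Split one table row; the title is everything between the CVE
    (plus optional marker) and the five fixed right-hand columns."""
    tokens = line.split()
    cve, rest = tokens[0], tokens[1:]
    third_party = admin_action = False
    if rest and rest[0] == "*":
        third_party, rest = True, rest[1:]
    elif rest and rest[0] == "†":
        admin_action, rest = True, rest[1:]
    severity, cvss_s, public_s, exploited_s, vtype = rest[-5:]
    title = " ".join(rest[:-5])
    cvss = None if cvss_s == "N/A" else float(cvss_s)
    return Entry(cve, title, severity, cvss, public_s == "Yes",
                 exploited_s == "Yes", vtype, third_party, admin_action)


def parse_table(text: str) -> list[Entry]:
    # The header line starts with "CVE " rather than "CVE-", so it is skipped.
    return [parse_row(l) for l in text.splitlines() if l.startswith("CVE-")]


SEVERITY_RANK = {"Critical": 0, "High": 1, "Important": 2,
                 "Moderate": 3, "Low": 4, "Unknown": 5}


def priority_key(e: Entry) -> tuple:
    # Ascending sort: exploited first, then publicly known, then vendor
    # severity, then CVSS descending (N/A scores sort last in their tier).
    cvss = e.cvss if e.cvss is not None else -1.0
    return (not e.exploited, not e.public,
            SEVERITY_RANK.get(e.severity, 9), -cvss)


def triage(text: str) -> list[Entry]:
    """Return the table's entries in patch-priority order."""
    return sorted(parse_table(text), key=priority_key)


def needs_admin_action(entries: list[Entry]) -> list[str]:
    """CVEs where applying the update alone is not enough († rows)."""
    return [e.cve for e in entries if e.admin_action]


if __name__ == "__main__":
    for e in triage(SAMPLE_ROWS):
        flag = "  [admin action required]" if e.admin_action else ""
        print(f"{e.cve:15} {e.severity:9} {str(e.cvss):>4} {e.vtype:8} {e.title}{flag}")
```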

The only other Critical-rated bug is a Denial-of-Service (DoS) vulnerability in Hyper-V Server. Microsoft does not indicate how extensive the DoS is or if the system automatically recovers, but considering its rating, the bug likely shuts down the entire system.

Moving on to the other remote code execution bugs, as we saw last month, there are many impacting SQL clients that would require connecting to a malicious SQL server. Practical exploitation is unlikely without significant social engineering. That’s not the case for the bug in Django Backend for SQL Server. This vulnerability is a classic SQL injection via unsanitized parameters. There’s also a DLL loading bug for Windows OLE. The RCE bug in SharePoint requires user interaction in that the threat actor needs to convince the user to open a specially crafted file. Social engineering will also be required for the Skype for Consumer vulnerability. You’ll also need to manually download the latest version of Skype here as there doesn’t seem to be an automated upgrade option. The final two RCE bugs are a bit rare in that they require physical access to the target system. Both vulnerabilities rely on the attacker plugging a device into an open USB port. It’s uncommon to see patches for bugs with this physical attack vector, but it’s good to see Microsoft is willing to make updates for these types of issues.

Speaking of rarities, there is a single patch for a Tampering bug in the Windows compressed folder component. Microsoft doesn’t give any indication of how the vulnerability would manifest other than to say it requires a user to open a specially crafted file. After that, it’s not clear what is actually being tampered with, although the inclination is to believe an attacker could change file contents with this bug.

There are more than 20 elevation of privilege (EoP) patches in this month’s release. In most cases, a local attacker would need to run specially crafted code to elevate to SYSTEM. The bug in the telephony component would lead to the similar (but distinctly different) “NT AUTHORITY\Network Service” privilege. The bug in Azure Data Studio would only elevate to the permission level of the user running the application. Another reminder not to do daily tasks with administratively privileged accounts. The bug in the Microsoft Intune Linux Agent bypasses compliance checks when using custom compliance scripts, thus altering the results. The bug in the Authenticator app sounds quite bad as it could bypass 2FA, but it requires a fair bit of user interaction to succeed. An attacker needs to be already executing code on the target and have the user close and re-open the Authenticator application. The vulnerability in the Windows Installer would allow an attacker to delete files. We recently blogged about a similar bug in the .NET framework. The bug in OMI is interesting in that an attacker could exploit it to communicate as Root with an OMI server. The final EoP patch for March affects the Software for Open Networking in the Cloud (SONiC) component. Successful exploitation would allow an attacker to escalate to Root in the Border Gateway Protocol (BGP) container and perform specific actions that enable them to escape the container.

There are three separate Security Feature Bypass (SFB) patches in this month’s release, with the most impactful affecting Windows Defender. The good news is that you’ll likely need to take no action as the Defender engine automatically updates itself. The bad news is that if you’re in an isolated environment or have Defender disabled, you’ll likely need to manually verify the Defender version. Given that this bug allows attackers to prevent Defender from starting, it’s best to make sure you have that patch applied. The bug in Hypervisor-Protected Code Integrity (HVCI) could allow an attacker to bypass code integrity protections, but it requires administrator-level permissions. Another rarity, as exploits that begin with admin permissions rarely get fixed. The final SFB update fixes a bug in Kerberos that could lead to impersonating other users.

The March release includes five information disclosure bugs, but unusually, only one leaks unspecified memory contents. The two bugs in the kernel could allow an attacker to view registry keys they would otherwise not be able to access. The bug in Teams for Android would allow the reading of files from the private directory of the app. You’ll also need to manually get this update from the Google Play Store. That’s also the case for Outlook for Android. That bug allows attackers to view the ineffable “file contents”. In addition to the one already documented, the March release includes fixes for five different denial-of-service (DoS) bugs in various components. However, Microsoft provides no real information or details for them.

There are two spoofing bugs receiving patches this month, and the one in Microsoft Edge for Android is a strange one. It was actually published earlier this month but without an actual fix. Instead, it notes, “The security update for Edge for Android is not immediately available.” It seems odd that Microsoft would choose to publish information about the bug without also pushing a fix for the bug. Perhaps it will be updated soon. The other spoofing bug is in the Azure SDK, and you may or may not need to take extra steps to be fully protected. If you are running a deployment created before October 19, 2023, you will need to manually upgrade Azure-core to Azure Core Build 1.29.5 or higher. If you have a deployment from after October 19, you should receive the patch automatically.

There is one new advisory for this month as Microsoft announces the deprecation of Oracle’s libraries within Exchange. This is a long time coming and a welcome change, as Exchange was essentially 0-day’ed every time Oracle updated their libraries.

Finally, there is a single cross-site scripting (XSS) bug in Microsoft Dynamics fixed this month.

Looking Ahead

Be sure to look out for updates from Pwn2Own Vancouver, and if you’re at the CanSecWest conference, please stop by to say hello. I like it when people say hello. The next Patch Tuesday of 2024 will be on April 9, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Pwn2Own Vancouver 2024 - The Full Schedule

20 March 2024 at 00:13

Welcome to Pwn2Own Vancouver 2024! This year’s event promises to be the largest-ever Vancouver event - both in terms of entries and potential prizes. If everything hits, we will end up paying out over $1,300,000 in cash and prizes - including a Tesla Model 3. We’ve got two full days of exciting competition ahead. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here.

The complete schedule for the contest is below (all times Pacific Daylight Time [UTC - 7:00]).

Note: All times subject to change

Day One

Wednesday, March 20 – 0930              

AbdulAziz Hariri of Haboob SA targeting Adobe Reader in the Enterprise Applications category.

Wednesday, March 20 – 1000              

DEVCORE Research Team targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Wednesday, March 20 – 1030              

STAR Labs SG targeting Microsoft SharePoint in the Server category.

Wednesday, March 20 – 1100              

Seunghyun Lee (@0x10n) of KAIST Hacking Lab targeting Google Chrome in the Web Browser category.

Wednesday, March 20 – 1200              

Theori targeting VMware Workstation with an additional Windows Kernel LPE vulnerability in the Virtualization category.

Wednesday, March 20 – 1230              

DEVCORE Research Team targeting Ubuntu Desktop in the Local Privilege Escalation category.

Wednesday, March 20 – 1300              

Bruno PUJOS and Corentin BAYET from REverse Tactics (@Reverse_Tactics) targeting Oracle VirtualBox with an additional Windows Kernel LPE vulnerability in the Virtualization category.

Wednesday, March 20 – 1430              

Synacktiv targeting Tesla ECU with Vehicle (VEH) CAN BUS Control in the Automotive category.

Wednesday, March 20 – 1500              

Kyle Zeng from ASU SEFCOM targeting Ubuntu Desktop in the Local Privilege Escalation category.

Wednesday, March 20 – 1530              

Cody Gallagher targeting Oracle VirtualBox in the Virtualization category.

Wednesday, March 20 – 1600              

Manfred Paul (@_manfp) targeting Apple Safari in the Web Browser category.

Wednesday, March 20 – 1700              

STAR Labs SG targeting VMware ESXi in the Virtualization category.

Wednesday, March 20 – 1800              

Team Viettel targeting Oracle VirtualBox in the Virtualization category.

Wednesday, March 20 – 1830              

Manfred Paul (@_manfp) targeting Google Chrome with Double Tap addon in the Web Browser category.

Day Two 

Thursday, March 21 – 0930   

Marcin Wiązowski targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Thursday, March 21 – 1000   

STAR Labs SG targeting VMware Workstation in the Virtualization category.

Thursday, March 21 – 1030   

ColdEye targeting Oracle VirtualBox in the Virtualization category.

Thursday, March 21 – 1100   

Manfred Paul (@_manfp) targeting Mozilla Firefox with Sandbox Escape in the Web Browser category.

Thursday, March 21 – 1200   

Gabriel Kirkpatrick (gabe_k of exploits.forsale) targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Thursday, March 21 – 1230   

STAR Labs SG targeting Ubuntu Desktop in the Local Privilege Escalation category.

Thursday, March 21 – 1300   

Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) from Palo Alto Networks targeting Google Chrome with Double Tap addon in the Web Browser category.

Thursday, March 21 – 1430   

HackInside targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Thursday, March 21 – 1500   

STAR Labs SG targeting Docker Desktop in the Cloud Native / Container category.

Thursday, March 21 – 1530   

Seunghyun Lee (@0x10n) of KAIST Hacking Lab targeting Microsoft Edge (Chromium) with Double Tap Addon in the Web Browser category.

Thursday, March 21 – 1630   

Valentina Palmiotti with IBM X-Force targeting Microsoft Windows 11 in the Local Privilege Escalation category.

Thursday, March 21 – 1700   

Theori targeting Ubuntu Desktop in the Local Privilege Escalation category. 

We’ll be publishing results live on the blog as the contest unfolds. We’ll also be posting brief video highlights to Twitter, YouTube, Mastodon, LinkedIn, and Instagram, so follow us on your favorite flavor of social media for the latest news from the event.

Pwn2Own Vancouver 2024 - Day One Results

20 March 2024 at 15:39

Welcome to the first day of Pwn2Own Vancouver 2024! We have two amazing days of research planned, including every browser, SharePoint, and Tesla. We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Pacific Daylight Time (GMT -7:00).


And we’re done with Day One of Pwn2Own Vancouver 2024. We awarded $732,500 USD for 19 unique 0-days. See below for the details of each event. Here are the Master of Pwn standings after the first day:

SUCCESS - AbdulAziz Hariri of Haboob SA was able to execute their code execution attack against Adobe Reader. He combined an API Restriction Bypass and a Command Injection bug. He earns himself $50,000 and 5 Master of Pwn points.

SUCCESS - The DEVCORE Research Team was able to execute their LPE attack against Windows 11. They combined a couple of bugs, including a somewhat risky TOCTOU race condition. They earn $30,000 and 3 Master of Pwn points.

FAILURE - The STAR Labs SG team was unable to get their exploit of Microsoft SharePoint working within the time allotted.

SUCCESS - Seunghyun Lee (@0x10n) of KAIST Hacking Lab was able to execute their exploit of the Google Chrome web browser using a single UAF bug. They earn $60,000 and 6 Master of Pwn points.

SUCCESS - Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) from Theori (@theori_io) combined an uninitialized variable bug, a UAF, and a heap-based buffer overflow to escape VMware Workstation and then execute code as SYSTEM on the host Windows OS. This impressive feat earns them $130,000 and 13 Master of Pwn points.

BUG COLLISION - The DEVCORE Team was able to execute their LPE attack against Ubuntu Linux. However, the bug they used was previously known. They still earn $10,000 and 1 Master of Pwn point.

SUCCESS - Bruno PUJOS and Corentin BAYET from REverse Tactics (@Reverse_Tactics) combined two Oracle VirtualBox bugs - including a buffer overflow - along with a Windows UAF to escape the guest OS and execute code as SYSTEM on the host OS. This fantastic research earns them $90,000 and 9 Master of Pwn points.

SUCCESS - The Synacktiv (@synacktiv) team used a single integer overflow to exploit the Tesla ECU with Vehicle (VEH) CAN BUS Control. They win $200,000, 20 Master of Pwn points, and a new Tesla Model 3 (their second!).

SUCCESS - Kyle Zeng from ASU SEFCOM used an ever tricky race condition to escalate privileges on Ubuntu Linux desktop. This earns him $20,000 and 20 Master of Pwn points.

SUCCESS - Cody Gallagher used a single OOB Write bug to exploit Oracle VirtualBox. His first ever Pwn2Own attempt results in him winning $20,000 (second round win) and 4 Master of Pwn points.

SUCCESS - Manfred Paul (@_manfp) gets RCE on the Apple Safari browser with an integer underflow bug plus a PAC bypass using a weakness in Apple Safari. He wins himself $60,000 and 6 Master of Pwn points.

FAILURE - STAR Labs SG could not get their exploit of VMware ESXi working within the time allotted.

SUCCESS - Dungdm (@_piers2) of Viettel Cyber Security used two bugs, including the ever-risky race condition, to exploit Oracle VirtualBox. As a round 3 winner, they receive $20,000 and 4 Master of Pwn points.

SUCCESS - Manfred Paul (@_manfp) executed a double-tap exploit on both Chrome and Edge browsers with the rare CWE-1284 Improper Validation of Specified Quantity in Input. His Round 2 win earns him $42,500 and 15 Master of Pwn points.


That’s a wrap on Day One of Pwn2Own Vancouver 2024. We awarded $732,500 for 19 unique bugs. Tune in tomorrow to see if Synacktiv can hold on to their Master of Pwn lead or if Manfred Paul is able to overtake them.

Pwn2Own Vancouver 2024 - Day Two Results

21 March 2024 at 15:58

Welcome to the second and final day of Pwn2Own Vancouver 2024! We saw some amazing research yesterday, including a Tesla exploit and a single exploit hitting both Chrome and Edge. So far, we have paid out $723,500 for the event, and we’re poised to hit $1,000,000 again. Today looks to be just as exciting with more attempts in virtualization, browser sandbox escapes, and Pwn2Own’s first-ever Docker escape, so stay tuned for all of the results!


And that’s a wrap! Pwn2Own Vancouver 2024 has come to a close. In total, we awarded $1,132,500 for 29 unique 0-days. We’re also happy to award Manfred Paul with the title of Master of Pwn. He won $202,500 and 25 points total. Combining the last three events (Toronto, Automotive, and Vancouver), we’ve awarded $3,494,750 for this year’s Pwn2Own events. Here’s how the Top 10 of this event added up:

Congratulations to all the winners. We couldn’t hold this event without the hard work of the contestants. And thanks to the vendors as well. They now have 90 days to fix these vulnerabilities. Special thanks to Tesla for their sponsorship and support. For details of each of today’s exploits, see the entries below.


SUCCESS - Marcin Wiązowski used an improper input validation bug to escalate privileges on Windows 11. He earns $15,000 and 3 Master of Pwn points.

SUCCESS - STAR Labs SG's exploit of VMware Workstation used two bugs. One is an uninitialized variable, but the other was previously known. They still win $30,000 and 6 Master of Pwn points.

SUCCESS - ColdEye used two bugs, including a UAF, to exploit Oracle VirtualBox. He even managed to leave the guest OS intact. His guest-to-host escape earns him $20,000 and 4 Master of Pwn points.

SUCCESS - Manfred Paul (@_manfp) used an OOB Write for the RCE and an exposed dangerous function bug to achieve his sandbox escape of Mozilla Firefox. He earns another $100,000 and 10 Master of Pwn points, which puts him in the lead with 25.

SUCCESS - First-time Pwn2Own contestant Gabriel Kirkpatrick (gabe_k of exploits.forsale) used an always tricky race condition to escalate privileges on Windows 11. He earns $15,000 and 3 Master of Pwn points.

SUCCESS - Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) from Palo Alto Networks used an OOB Read plus a novel technique for defeating V8 hardening to get arbitrary code execution in the renderer. They were able to exploit Chrome and Edge with the same bugs, earning $42,500 and 9 Master of Pwn points.

BUG COLLISION - STAR Labs SG successfully demonstrated their privilege escalation on Ubuntu desktop. However, they used a bug that was previously reported. They still earn $5,000 and 1 Master of Pwn point.

BUG COLLISION - Although the Hackinside Team was able to escalate privileges on Windows 11 through an integer underflow, the bug was known by the vendor. They still earn $7,500 and 1.5 Master of Pwn points.

SUCCESS - Seunghyun Lee (@0x10n) of KAIST Hacking Lab used a UAF to RCE in the renderer on both Microsoft Edge and Google Chrome. He earns $85,000 and 9 Master of Pwn points. That brings his contest total to $145,000 and 15 Master of Pwn points.

SUCCESS - The first Docker desktop escape at Pwn2Own involved two bugs, including a UAF. The team from STAR Labs SG did great work in the demonstration and earned $60,000 and 6 Master of Pwn points.

SUCCESS - Valentina Palmiotti (@chompie1337) with IBM X-Force used an Improper Update of Reference Count bug to escalate privileges on Windows 11. She nailed her first Pwn2Own event and walks away with $15,000 and 3 Master of Pwn points.

BUG COLLISION - The final entry of Pwn2Own Vancouver 2024 ends as a collision, as Theori used a bug that was previously known to escalate privileges on Ubuntu desktop. He still wins $5,000 and 1 Master of Pwn point.
