Patch Tuesday - June 2023

Last updated on Aug 29, 2024

It’s June, and it’s Patch Tuesday. The volume of fixes this month is typical compared with recent history: 94 in total (including Edge-on-Chromium). For the first time in a while, Microsoft isn’t offering patches for any zero-day vulnerabilities, but we do get fixes for four critical Remote Code Execution (RCE) vulnerabilities: one in .NET/Visual Studio, and three in Windows Pragmatic General Multicast (PGM). Also patched: a critical SharePoint Elevation of Privilege vulnerability.

SharePoint: Critical EoP via JWT spoofing

SharePoint administrators should start by looking at critical Elevation of Privilege vulnerability CVE-2023-29357, which provides attackers with a chance at Administrator privileges on the SharePoint host, provided they come prepared with spoofed JWT tokens. Microsoft isn’t aware of public disclosure or in-the-wild exploitation, but considers exploitation more likely.

The FAQ provided with Microsoft’s advisory suggests that both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable. So far so good for SharePoint 2019, but there is a lack of clarity around a patch for SharePoint 2016.

Initially, neither the advisory nor the SharePoint 2016 release history listed a relevant patch for SharePoint 2016. Microsoft has since updated the SharePoint 2016 release history to include a link to the June security update for SharePoint Enterprise Server 2016; however, the link incorrectly points to the May advisory, and should instead point to the June 2023 security update for SharePoint 2016, KB5002404.

Complicating matters further, KB5002404 does not mention CVE-2023-29357, and the advisory for CVE-2023-29357 still does not mention any patch for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow developments here closely; on present evidence, the only safe assumption is that there is no patch yet which addresses CVE-2023-29357 for SharePoint 2016.

Microsoft also mentions that there may be more than one patch listed for a particular version of SharePoint, and that every patch for a particular version of SharePoint must be installed to remediate this vulnerability (although order of patching doesn’t matter).

Windows PGM: Critical RCE

This is the third month in a row where Patch Tuesday features at least one critical RCE in Windows PGM, and June adds three to the pile. Microsoft hasn’t detected exploitation or disclosure for any of these, and considers exploitation less likely, but a trio of critical RCEs with CVSS 3.1 base score of 9.8 will deservedly attract a degree of attention.

All three PGM critical RCEs – CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 – require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; indeed, CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250.

As with previous similar vulnerabilities, Windows Message Queueing Service (MSMQ) must be enabled for an asset to be exploitable, and MSMQ isn’t enabled by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – quietly introduce MSMQ as part of their own installation routine. With several prolific researchers active in this area, we should expect further PGM vulnerabilities in the future.
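
A local check for the MSMQ precondition described above, as an added example that is not part of the original post. It assumes the standard service short name `MSMQ` and the default listener port TCP 1801, neither of which appears in the article; `Get-MsmqExposure` is a hypothetical helper name.

```powershell
# Added example: report whether this host has MSMQ installed, running and
# listening, which the article gives as the precondition for the PGM RCEs.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        # Assumption: 1801/tcp is the default MSMQ listener port.
        [int]$Port = 1801
    )

    # Assumption: the Message Queuing service uses the short name 'MSMQ'.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # TCP listeners on the MSMQ port (empty array when nothing is bound).
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)

    # Process names that own those listeners, for triage.
    $owners = @($listeners |
        ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } |
        Where-Object { $_ } | Sort-Object -Unique)

    # Services depending on MSMQ hint at which application pulled it in.
    $dependents = @()
    if ($svc) { $dependents = @($svc.DependentServices | ForEach-Object Name) }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Installed     = [bool]$svc
        Status        = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartType     = if ($svc) { [string]$svc.StartType } else { $null }
        Listening     = ($listeners.Count -gt 0)
        ListenAddress = @($listeners | ForEach-Object { $_.LocalAddress } | Sort-Object -Unique)
        OwnerProcess  = $owners
        Dependents    = $dependents
        # Exposed: the service is running and something is bound to the port.
        Exposed       = [bool]($svc -and $svc.Status -eq 'Running' -and $listeners.Count -gt 0)
    }
}

Get-MsmqExposure | Format-List
```

A host that reports `Installed = True` where nobody knowingly deployed MSMQ is the "quietly introduced" case; the `Dependents` field is the first place to look for the application responsible.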

.NET & Visual Studio: Critical RCE

Rounding out this month’s critical RCE list is CVE-2023-24897: a flaw in .NET, .NET Framework and Visual Studio. Exploitation requires an attacker to convince the victim to open a specially-crafted malicious file, typically from a website.

Although Microsoft has no knowledge of public disclosure or exploitation in the wild, and considers exploitation less likely, the long list of patches – going back as far as .NET Framework 3.5 on Windows 10 1607 – means that this vulnerability has been present for years. Somewhat unusually for this class of vulnerability, Microsoft doesn’t give any indication of filetype. However, the Arbitrary Code Execution (ACE) boilerplate qualifier is present: “remote” refers here to the location of the attacker, rather than the attack, since local user interaction is required.

Exchange: Important RCEs; Exploitation More Likely

After a brief reprieve last month, Exchange admins will want to patch a pair of RCE vulnerabilities this month. While neither CVE-2023-28310 nor CVE-2023-32031 quite manages to rank as a critical vulnerability, either via CVSSv3 base score or via Microsoft’s proprietary severity scale, they’re not far off. Only the requirement that the attacker has previously achieved an authenticated role on the Exchange server prevents these vulnerabilities from scoring higher – but that’s just the sort of issue that exploit chains are designed to overcome.

Microsoft expects to see exploitation for both of these vulnerabilities. Successful exploitation will make use of PowerShell remoting sessions to achieve remote code execution.

Azure DevOps: spoofing, information disclosure

A vulnerability in Azure DevOps server could lead to an attacker accessing detailed data such as organization/project configuration, groups, teams, projects, pipelines, boards, and wiki. CVE-2023-21565 requires an attacker to have existing valid credentials for the service, but no elevated privilege is required. The advisory lists patches for 2020.1.2, 2022 and 2022.0.1.

Summary Tables

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-33143 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 7.5 |
| CVE-2023-33145 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-29345 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 6.1 |
| CVE-2023-3079 | Chromium: CVE-2023-3079 Type Confusion in V8 | No | No | N/A |
| CVE-2023-2941 | Chromium: CVE-2023-2941 Inappropriate implementation in Extensions API | No | No | N/A |
| CVE-2023-2940 | Chromium: CVE-2023-2940 Inappropriate implementation in Downloads | No | No | N/A |
| CVE-2023-2939 | Chromium: CVE-2023-2939 Insufficient data validation in Installer | No | No | N/A |
| CVE-2023-2938 | Chromium: CVE-2023-2938 Inappropriate implementation in Picture In Picture | No | No | N/A |
| CVE-2023-2937 | Chromium: CVE-2023-2937 Inappropriate implementation in Picture In Picture | No | No | N/A |
| CVE-2023-2936 | Chromium: CVE-2023-2936 Type Confusion in V8 | No | No | N/A |
| CVE-2023-2935 | Chromium: CVE-2023-2935 Type Confusion in V8 | No | No | N/A |
| CVE-2023-2934 | Chromium: CVE-2023-2934 Out of bounds memory access in Mojo | No | No | N/A |
| CVE-2023-2933 | Chromium: CVE-2023-2933 Use after free in PDF | No | No | N/A |
| CVE-2023-2932 | Chromium: CVE-2023-2932 Use after free in PDF | No | No | N/A |
| CVE-2023-2931 | Chromium: CVE-2023-2931 Use after free in PDF | No | No | N/A |
| CVE-2023-2930 | Chromium: CVE-2023-2930 Use after free in Extensions | No | No | N/A |
| CVE-2023-2929 | Chromium: CVE-2023-2929 Out of bounds write in Swiftshader | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-24936 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | No | No | 8.1 |
| CVE-2023-24897 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-24895 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-29326 | .NET Framework Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-33141 | Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-29331 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-32030 | .NET and Visual Studio Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-33126 | .NET and Visual Studio Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-33128 | .NET and Visual Studio Remote Code Execution Vulnerability | No | No | 7.3 |
| CVE-2023-33135 | .NET and Visual Studio Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability | No | No | 7.1 |
| CVE-2023-32032 | .NET and Visual Studio Elevation of Privilege Vulnerability | No | No | 6.5 |
| CVE-2023-33139 | Visual Studio Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-29353 | Sysinternals Process Monitor for Windows Denial of Service Vulnerability | No | No | 5.5 |
| CVE-2023-33144 | Visual Studio Code Spoofing Vulnerability | No | No | 5 |
| CVE-2023-29012 | GitHub: CVE-2023-29012 Git CMD erroneously executes doskey.exe in current directory, if it exists | No | No | N/A |
| CVE-2023-29011 | GitHub: CVE-2023-29011 The config file of connect.exe is susceptible to malicious placing | No | No | N/A |
| CVE-2023-29007 | GitHub: CVE-2023-29007 Arbitrary configuration injection via git submodule deinit | No | No | N/A |
| CVE-2023-25815 | GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place | No | No | N/A |
| CVE-2023-25652 | GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write | No | No | N/A |
| CVE-2023-27911 | AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior | No | No | N/A |
| CVE-2023-27910 | AutoDesk: CVE-2023-27910 stack buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior | No | No | N/A |
| CVE-2023-27909 | AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK 2020 or prior | No | No | N/A |

Developer Tools Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-21565 | Azure DevOps Server Spoofing Vulnerability | No | No | 7.1 |
| CVE-2023-21569 | Azure DevOps Server Spoofing Vulnerability | No | No | 5.5 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-29363 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-32014 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-29372 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-29373 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-29351 | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 8.1 |
| CVE-2023-29365 | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-29358 | Windows GDI Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-29371 | Windows GDI Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-29346 | NTFS Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-32017 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-29359 | GDI Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-32011 | Windows iSCSI Discovery Service Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-29368 | Windows Filtering Platform Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-29364 | Windows Authentication Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-32016 | Windows Installer Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-32020 | Windows DNS Spoofing Vulnerability | No | No | 3.7 |

Exchange Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-28310 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 8 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-24896 | Dynamics 365 Finance Spoofing Vulnerability | No | No | 5.4 |
| CVE-2023-32024 | Microsoft Power Apps Spoofing Vulnerability | No | No | 3 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | No | No | 9.8 |
| CVE-2023-33131 | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-33146 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-32029 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-33137 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-33133 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-33130 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.3 |
| CVE-2023-33142 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | No | No | 6.5 |
| CVE-2023-33129 | Microsoft SharePoint Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-33140 | Microsoft OneNote Spoofing Vulnerability | No | No | 6.5 |
| CVE-2023-33132 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 6.3 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-32009 | Windows Collaborative Translation Framework Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2023-29367 | iSCSI Target WMI Provider Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-29360 | Windows TPM Device Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-32008 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-29370 | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-32018 | Windows Hello Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-29366 | Windows Geolocation Service Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-32022 | Windows Server Service Security Feature Bypass Vulnerability | No | No | 7.6 |
| CVE-2023-32021 | Windows SMB Witness Service Security Feature Bypass Vulnerability | No | No | 7.1 |
| CVE-2023-29361 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-32010 | Windows Bus Filter Driver Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-29352 | Windows Remote Desktop Security Feature Bypass Vulnerability | No | No | 6.5 |
| CVE-2023-32013 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-24937 | Windows CryptoAPI Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-24938 | Windows CryptoAPI Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-29369 | Remote Procedure Call Runtime Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-32012 | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 6.3 |
| CVE-2023-29355 | DHCP Server Service Information Disclosure Vulnerability | No | No | 5.3 |
| CVE-2023-32019 | Windows Kernel Information Disclosure Vulnerability | No | No | 4.7 |
