Exposure Management

Patch Tuesday - October 2023

|Last updated on Oct 13, 2023|1 min read
LinkedInFacebookX
Patch Tuesday - October 2023

Microsoft is addressing 105 vulnerabilities this October Patch Tuesday, including three zero-day vulnerabilities, as well as 12 critical remote code execution (RCE) vulnerabilities, and one republished third-party vulnerability.

WordPad: zero-day NTLM hash disclosure

Another Patch Tuesday, another zero-day vulnerability offering NTLM hash disclosure, this time in WordPad. The advisory for CVE-2023-36563 describes two possible attack vectors:

  1. enticing the user to open a specially crafted malicious file delivered via email, IM, or some other means, or;
  2. by causing a custom application to run.

The advisory itself doesn’t give much more detail, but to take full advantage, the attacker would either need prior access to the system, or some means of exfiltrating the NTLM hash as part of the attack. Microsoft has published further detail on the attack mechanism under KB5032314, as well as mitigation strategies. WordPad is vulnerable due to its use of the OleConvertOLESTREAMToIStorage and OleConvertOLESTREAMToIStorageEx Windows API functions, so the same is presumably true of other applications which make use of those functions.

It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.

Skype for Business server: zero-day info disclosure

Defenders responsible for a Skype for Business server should take note of an exploited-in-the-wild information disclosure vulnerability for which public exploit code exists. Successful exploitation of CVE-2023-41763 via a specially crafted network call could result in the disclosure of IP addresses and/or port numbers. Although Microsoft does not specify what the scope of the disclosure might be, it will presumably be limited to whatever the Skype for Business server can see; as always, appropriate network segmentation will pay defense-in-depth dividends.

ASP.NET Kestrel web server: zero-day denial of service

Rounding out this month’s trio of exploited-in-the-wild vulnerabilities: the cross-platform Kestrel web server for ASP.NET Core receives a fix for CVE-2023-44487, a denial of service vulnerability.

CVE-2023-44487 is perhaps of less concern to defenders, unless the Kestrel instance is internet-facing. Dubbed "HTTP/2 rapid reset", the vulnerability is not specific to Microsoft, but is inherent to HTTP/2. Exploitation involves abuse of the lack of bounds on HTTP/2 request cancellation to bring about severe load on the server for a very low cost to the attacker.

In the advisory, Microsoft provides essentially no information about attack vector beyond the fact that the vulnerability is specific to HTTP/2 , but does suggest two potential workarounds:

  1. Disabling the HTTP/2 protocol via a Windows Registry modification; and/or
  2. Restricting protocols offered each Kestrel endpoint to exclude HTTP/2.

Downgrading to HTTP/1.1 is likely to lead to a significant degradation in performance. Microsoft advises timely patching, whether or not workarounds are applied.

N.B. In the Microsoft advisory, a hyperlink attached to the word “workarounds” does not resolve to anything specific, and Kestrel is misspelled as “Kestral” more than once, although these issues will likely be resolved soon.

Layer 2 Tunneling Protocol: lots of critical RCEs

Twelve critical RCE vulnerabilities seems like a lot, and it is. Fully three-quarters of these are in the same Windows component — the Layer 2 Tunneling Protocol — which has already received fixes for a significant number of critical RCEs in recent months. Exploitation of each of the Layer 2 Tunneling Protocol critical RCEs this month — CVE-2023-41765 CVE-2023-41767 CVE-2023-41768 CVE-2023-41769 CVE-2023-41770 CVE-2023-41771 CVE-2023-41773 CVE-2023-41774 and CVE-2023-38166 — is via a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server.

If there is a silver lining here, it’s that the acknowledgements for almost all of these vulnerabilities cite Microsoft’s Network Security and Containers (NSC) team; a reasonable inference is that Microsoft is directing significant resources towards security research and patching in this area. Since CVEs are typically assigned sequentially, and there are gaps in the sequence, another reasonable inference here is that other similar as-yet-unpublished vulnerabilities have probably been identified and reported to MSRC.

Windows MSMQ: critical RCEs

CVE-2023-35349 describes an RCE vulnerability in the Message Queueing Service. Microsoft does not describe the attack vector, but other similar vulnerabilities require that the attacker send specially crafted malicious MSMQ packet to a MSMQ server. One mitigating factor: the Microsoft Message Queueing Service must be enabled and listening on port 1801 for an asset to be vulnerable, and the Message Queueing Service is not installed by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – may quietly introduce MSMQ as part of their own installation routine.

Another MSMQ RCE vulnerability also receives a patch this month: CVE-2023-36697 has a lower CVSS score than its sibling, both because valid domain credentials are required, and because exploitation requires that a user on the target machine connects to a malicious server. Alternatively, Microsoft suggests that an attacker could compromise a legitimate MSMQ server host and make it run as a malicious server to exploit this vulnerability, although it’s not immediately clear how the attacker could do that without already having significant control over the MSMQ host.

Microsoft vTPM: container escape

The final constituent of this month’s dozen patched critical RCE vulnerabilities is rather more exotic: CVE-2023-36718 describes a vulnerability in the Microsoft Virtual Trusted Platform Module (vTPM), which is a TPM 2.0-compliant virtualized version of a hardware TPM offered as a feature of Azure confidential VMs. Successful exploitation could lead to a container escape. The attacker would first need to access the vulnerable VM, and the advisory notes that exploitation is possible when authenticated as a guest mode user. On the bright side, Microsoft evaluates attack complexity as High, since ​​successful exploitation of this vulnerability would rely upon complex memory shaping techniques to attempt an attack.

Exchange (as is tradition): RCE

Exchange administrators should note the existence of CVE-2023-36778, a same-network RCE vulnerability in all current versions of Exchange Server. Successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell remoting session. By default, PowerShell Remoting only allows connections from members of the Administrators group, and the relevant Windows Firewall rule for connections via public networks rejects connections from outside the same subnet. Defenders may wish to review these rules to ensure that they have not been loosened beyond the default.

Office: LPE

Microsoft Office receives a patch for CVE-2023-36569, a local privilege escalation (LPE) vulnerability. Successful exploitation could lead to SYSTEM privileges, but Microsoft states that the Preview Pane is not a vector. The advisory doesn’t provide much more information; patches are available for Office 2019, 2021, and Apps for Enterprise. Office 2016 is not listed, which might signify that it isn’t vulnerable, or could mean that patches will be provided later.

Server 2012 & Server 2012 R2: end of support, unless you pay for ESU

Today is the final Patch Tuesday for Windows Server 2012, and Windows Server 2012 R2. The only way to receive security updates for these versions of Windows from now on is to subscribe to Microsoft’s last-resort Extended Security Update (ESU) program. In all cases, both Microsoft and Rapid7 recommend upgrading to a newer version of Windows as soon as possible.

Windows 11 21H2: end of support, mostly

Windows 11 21H2 Home, Pro, Pro Education, Pro for Workstations, and SE also move past the end of support. No ESU program is available for Windows 11 client OS, so Windows 11 21H2 assets for the editions listed above are insecure-by-default from now on. However, Windows 11 21H2 Enterprise and Education remain in general support until 2024-10-08. If you find this confusing, you are not alone.

Summary Charts

image.pngimage-1.pngimage-2.pngimage-3.png

Summary Table

Azure vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36415Azure Identity SDK Remote Code Execution VulnerabilityNoNo8.8
CVE-2023-36414Azure Identity SDK Remote Code Execution VulnerabilityNoNo8.8
CVE-2023-36419Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege VulnerabilityNoNo8.8
CVE-2023-36418Azure RTOS GUIX Studio Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36737Azure Network Watcher VM Agent Elevation of Privilege VulnerabilityNoNo7.8

Azure Developer Tools vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36561Azure DevOps Server Elevation of Privilege VulnerabilityNoNo7.3

Browser vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-5346Chromium: CVE-2023-5346 Type Confusion in V8NoNoN/A

ESU vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36790Windows RDP Encoder Mirror Driver Elevation of Privilege VulnerabilityNoNo7.8

Exchange Server vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36778Microsoft Exchange Server Remote Code Execution VulnerabilityNoNo8

Microsoft Dynamics vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36433Microsoft Dynamics 365 (On-Premises) Information Disclosure VulnerabilityNoNo6.5
CVE-2023-36429Microsoft Dynamics 365 (On-Premises) Information Disclosure VulnerabilityNoNo6.5
CVE-2023-36566Microsoft Common Data Model SDK Denial of Service VulnerabilityNoNo6.5
CVE-2023-36416Microsoft Dynamics 365 (on-premises) Cross-site Scripting VulnerabilityNoNo6.1

Microsoft Office vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36569Microsoft Office Elevation of Privilege VulnerabilityNoNo8.4
CVE-2023-36789Skype for Business Remote Code Execution VulnerabilityNoNo7.2
CVE-2023-36786Skype for Business Remote Code Execution VulnerabilityNoNo7.2
CVE-2023-36780Skype for Business Remote Code Execution VulnerabilityNoNo7.2
CVE-2023-36565Microsoft Office Graphics Elevation of Privilege VulnerabilityNoNo7
CVE-2023-36568Microsoft Office Click-To-Run Elevation of Privilege VulnerabilityNoNo7
CVE-2023-41763Skype for Business Elevation of Privilege VulnerabilityYesYes5.3

SQL Server vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36417Microsoft SQL ODBC Driver Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36730Microsoft ODBC Driver for SQL Server Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36785Microsoft ODBC Driver for SQL Server Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36420Microsoft ODBC Driver for SQL Server Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36728Microsoft SQL Server Denial of Service VulnerabilityNoNo5.5

Windows vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36704Windows Setup Files Cleanup Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36711Windows Runtime C++ Template Library Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36725Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36723Windows Container Manager Service Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-41772Win32k Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36557PrintHTML API Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36729Named Pipe File System Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36718Microsoft Virtual Trusted Platform Module Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36701Microsoft Resilient File System (ReFS) Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36603Windows TCP/IP Denial of Service VulnerabilityNoNo7.5
CVE-2023-36720Windows Mixed Reality Developer Tools Denial of Service VulnerabilityNoNo7.5
CVE-2023-36709Microsoft AllJoyn API Denial of Service VulnerabilityNoNo7.5
CVE-2023-36605Windows Named Pipe Filesystem Elevation of Privilege VulnerabilityNoNo7.4
CVE-2023-36902Windows Runtime Remote Code Execution VulnerabilityNoNo7
CVE-2023-38159Windows Graphics Component Elevation of Privilege VulnerabilityNoNo7
CVE-2023-36721Windows Error Reporting Service Elevation of Privilege VulnerabilityNoNo7
CVE-2023-36717Windows Virtual Trusted Platform Module Denial of Service VulnerabilityNoNo6.5
CVE-2023-36707Windows Deployment Services Denial of Service VulnerabilityNoNo6.5
CVE-2023-36596Remote Procedure Call Information Disclosure VulnerabilityNoNo6.5
CVE-2023-36576Windows Kernel Information Disclosure VulnerabilityNoNo5.5
CVE-2023-36698Windows Kernel Security Feature Bypass VulnerabilityNoNo3.6

Windows Developer Tools vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-38171Microsoft QUIC Denial of Service VulnerabilityNoNo7.5
CVE-2023-36435Microsoft QUIC Denial of Service VulnerabilityNoNo7.5
CVE-2023-44487MITRE: CVE-2023-44487 HTTP/2 Rapid Reset AttackYesNoN/A

Windows ESU vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36434Windows IIS Server Elevation of Privilege VulnerabilityNoNo9.8
CVE-2023-35349Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo9.8
CVE-2023-36577Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution VulnerabilityNoNo8.8
CVE-2023-41765Layer 2 Tunneling Protocol Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-41767Layer 2 Tunneling Protocol Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-41768Layer 2 Tunneling Protocol Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-41769Layer 2 Tunneling Protocol Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-41770Layer 2 Tunneling Protocol Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-41771Layer 2 Tunneling Protocol Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-41773Layer 2 Tunneling Protocol Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-41774Layer 2 Tunneling Protocol Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-38166Layer 2 Tunneling Protocol Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-36710Windows Media Foundation Core Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36436Windows MSHTML Platform Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36712Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36726Windows Internet Key Exchange (IKE) Extension Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36594Windows Graphics Component Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-41766Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36732Win32k Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36731Win32k Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36743Win32k Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36598Microsoft WDAC ODBC Driver Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36593Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36702Microsoft DirectMusic Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-36438Windows TCP/IP Information Disclosure VulnerabilityNoNo7.5
CVE-2023-36602Windows TCP/IP Denial of Service VulnerabilityNoNo7.5
CVE-2023-36567Windows Deployment Services Information Disclosure VulnerabilityNoNo7.5
CVE-2023-36606Microsoft Message Queuing Denial of Service VulnerabilityNoNo7.5
CVE-2023-36581Microsoft Message Queuing Denial of Service VulnerabilityNoNo7.5
CVE-2023-36579Microsoft Message Queuing Denial of Service VulnerabilityNoNo7.5
CVE-2023-36431Microsoft Message Queuing Denial of Service VulnerabilityNoNo7.5
CVE-2023-36703DHCP Server Service Denial of Service VulnerabilityNoNo7.5
CVE-2023-36585Active Template Library Denial of Service VulnerabilityNoNo7.5
CVE-2023-36592Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36591Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36590Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36589Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36583Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36582Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36578Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36575Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36574Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36573Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36572Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36571Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36570Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo7.3
CVE-2023-36776Win32k Elevation of Privilege VulnerabilityNoNo7
CVE-2023-36697Microsoft Message Queuing Remote Code Execution VulnerabilityNoNo6.8
CVE-2023-36564Windows Search Security Feature Bypass VulnerabilityNoNo6.5
CVE-2023-29348Windows Remote Desktop Gateway (RD Gateway) Information Disclosure VulnerabilityNoNo6.5
CVE-2023-36706Windows Deployment Services Information Disclosure VulnerabilityNoNo6.5
CVE-2023-36563Microsoft WordPad Information Disclosure VulnerabilityYesYes6.5
CVE-2023-36724Windows Power Management Service Information Disclosure VulnerabilityNoNo5.5
CVE-2023-36713Windows Common Log File System Driver Information Disclosure VulnerabilityNoNo5.5
CVE-2023-36584Windows Mark of the Web Security Feature Bypass VulnerabilityNoNo5.4
CVE-2023-36722Active Directory Domain Services Information Disclosure VulnerabilityNoNo4.4

Updates

  • 2023-10-11: added detail about CVE-2023-36563 vulnerability location.
  • 2023-10-11: expanded discussion of CVE-2023-44487 mechanism and risk.

Download Rapid7's 2023 Mid-Year Threat Report ▶︎

Related blog posts