WARNING: MICROSOFT PATCH TUESDAY SEPTEMBER 2023 PATCHES 61 VULNERABILITIES( 5 CRITICAL, 2 0-DAY, 2 ACTIVELY EXPLOITED)
Microsoft patched 61 CVEs in its September 2023 Patch Tuesday release, 5 rated as critical and 55 rated as important and 1 as moderate.
Number of CVE's per type
- Remote Code Execution (RCE): 27
- Elevation of Privileges (EoP): 17
- Information Disclosure: 9
- Spoofing: 5
- Denial of Service (DoS) 3
- Security Feature Bypass: 3
Microsoft indicates two vulnerabilities are actively exploited in the wild.
Sources
Microsoft - https://msrc.microsoft.com/update-guide/releaseNote/2023-Sep
Risks
This month’s Patch Tuesday includes 5 critical and 55 important vulnerabilities for a wide range of Microsoft products, impacting Microsoft Server and Workstations. Since two vulnerabilities are exploited in the wild urgent patching is advised.
Description
Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday”, and contain security fixes for Microsoft devices and software. This month’s release covers 61 vulnerabilities. 5 vulnerabilities are marked as critical and 55 as important. It includes 1 vulnerability which was made public prior to patch Tuesday. Two of the patched vulnerabilities are actively exploited. Microsoft considers 12 of these vulnerabilities are more likely to be exploited in the near future thus urgent patching is advised.
The CCB would like to point your attention to following vulnerabilities:
- CVE-2023-36761 is an important Microsoft Word information disclosure vulnerability. It received a CVSSv3.1 score of 6.2. According to Microsoft, it has been exploited in the wild as a zero-day and was publicly disclosed prior to a patch being available. Exploitation of this vulnerability requires the user to open a crafted malicious file. Microsoft indicates the Preview Pane is an attack vector. Exploiting this vulnerability could allow the disclosure of NTLM hashes. These NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to the involved account.
- CVE-2023-36802 is an important Microsoft Streaming Service Proxy Elevation of Privilege (EoP) vulnerability. It received a CVSSv3.1 score of 7.8. According to Microsoft, it has been exploited in the wild as a zero-day. An authenticated local attacker who successfully exploits this vulnerability could gain SYSTEM privileges. A security researcher has indicated full technical details including exploitation code will be published in the near future.
- CVE-2023-36792, CVE-2023-36793 and CVE-2023-36796 are three critical Remote Code Execution (RCE) vulnerabilities affecting Microsoft Visual Studio. These three vulnerabilities received a CVSSv3.1 score of 7.8. Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio. Note the word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.
- CVE-2023-29332 is a critical Elevation of Privilege (EoP) vulnerability affecting Microsoft Azure Kubernetes Service. It received a CVSSv3.1 score of 7.5. An unauthenticated remote attacker who successfully exploits this vulnerability could gain Cluster Administrator privileges. Microsoft also indicates the attacker does not require significant prior knowledge of the cluster/system and can achieve repeatable success when attempting to exploit this vulnerability.
- CVE-2023-38148 is a critical Remote Code Execution (RCE) vulnerability affecting Internet Connection Sharing (ICS). It received a CVSv3.1 score of 8.8. An unauthorized attacker on the same network segment could exploit this vulnerability by sending a specially crafted network packet to the Internet Connection Sharing (ICS) Service.
- CVE-2023-36744, CVE-2023-36745, CVE-2023-36756 are three important Remote Code Execution (RCE) vulnerabilities affecting Microsoft Exchange. These three vulnerabilities received a CVSSv3.1 score of 8.0. An authenticated attacker on the same network segment as the Exchange server could trigger malicious code in the context of the server's account through a network call.. These vulnerabilities have been reported by a security researcher but Microsoft considers exploitation of these vulnerabilities in the near future to be more likely.
Recommended Actions
The CCB recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
References
Tenable - https://www.tenable.com/blog/microsofts-september-2023-patch-tuesday-add...
SANS ISC - https://isc.sans.edu/diary/Microsoft%20September%202023%20Patch%20Tuesday/30214
Bleeping Computer - https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2023-patch-tuesday-fixes-2-zero-days-59-flaws/