Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software. This month’s release covers 70 vulnerabilities. 6 vulnerabilities are marked as critical and 62 as important. It does not include vulnerabilities which were made public prior to patch Tuesday. None of the patched vulnerabilities are actively exploited. Microsoft considers 8 of these vulnerabilities are more likely to be exploited in the near future, urgent patching is advised.

The CCB would like to point your attention to the following vulnerabilities:

• CVE-2023-29357 is a critical EoP vulnerability affecting Microsoft SharePoint Server 2019. CVE-2023-29357 has a CVSSv3.1 score of 9.8. An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user. The attacker needs no privileges nor does the user need to perform any action.
  • UPDATE 2023-12-19: A proof-of-concept exploit chain has been released for CVE-2023-29357 and CVE-2023-24955 Microsoft SharePoint Server Vulnerabilities. These vulnerabilities can be used to achieve remote code execution (RCE).
• CVE-2023-32013 is a critical DoS vulnerability affecting Windows Hyper-V. It received a CVSSv3.1 score of 6.5. Since successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability, Microsoft considers attack complexity to be high.
• CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 are three critical RCE vulnerabilities affecting the Pragmatic General Multicast (PGM) protocol. On Windows, the implementation of this protocol is referred to as reliable multicast. All three vulnerabilities received a CVSSv3.1 score of 9.8. When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. Microsoft considers exploitation less likely.
• CVE-2023-24897 is a critical RCE vulnerability affecting .NET, .NET Framework, and Visual Studio. It received a CVSSv3.1 score of 7.8. User interaction such as downloading and opening a specially crafted file from a website is required for successful exploitation.
• CVE-2023-32031 is an important RCE vulnerability affecting Microsoft Exchange Server. It received a CVSSv3.1 score of 8.8. A remote authenticated attacker could attempt to trigger malicious code in the context of the server's account through a network call.