Microsoft Patch Tuesday – July 2023

This month, Microsoft has fixed 130 vulnerabilities, including 5 zero-days and 9 criticals. That's more than in the last two months, so let's briefly review them, because the patching is waiting 🙂

CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability

We start with the most important CVE this month, at least in my opinion. Microsoft states they are aware of targeted attacks using this bug in specially crafted Office documents to get code execution on the victim's system. Even though it is rated only Important, Microsoft released the CVE without a patch, which is quite odd. They published some guidance on their blog, and the main recommendations for this specific CVE are:

  • Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit this CVE
  • In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited
  • Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications.
[Screenshot: settings for the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key to prevent exploitation of CVE-2023-36884]
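As an added example (this is not code from the original post or from Microsoft), the following PowerShell audits and, on request, applies the two host-side mitigations above: the ASR rule and the per-application registry values. It assumes that the registry path and the value names (Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe) are the ones from Microsoft's advisory for CVE-2023-36884, and that D4F940AB-401B-4EFC-AADC-AD5F3C50688A is the documented rule ID of "Block all Office applications from creating child processes"; confirm both against the advisory before rolling out. The function names are mine.

```powershell
# Added example (not from the original post): audit and apply the two host-side
# mitigations for CVE-2023-36884. Assumptions: the registry path and the
# per-application value names follow Microsoft's advisory for this CVE, and the
# GUID is the documented ID of the "Block all Office applications from creating
# child processes" ASR rule. Run elevated; -WhatIf previews the changes.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps      = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
             'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-Cve202336884Mitigation {
    # Report the state of the ASR rule and of each per-application registry value.
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $state = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) {
            # Actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
            switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { $state = 'Disabled' }
                1 { $state = 'Block' }
                2 { $state = 'Audit' }
                6 { $state = 'Warn' }
                default { $state = "Unknown($_)" }
            }
        }
    }
    [pscustomobject]@{ Item = 'ASR: Block Office child processes'; Value = $state }

    foreach ($app in $Apps) {
        $entry = Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue
        $value = 'Not set'
        if ($null -ne $entry -and $entry.$app -eq 1) { $value = 'Blocked (1)' }
        [pscustomobject]@{ Item = "Registry: $app"; Value = $value }
    }
}

function Set-Cve202336884Mitigation {
    # Enable the ASR rule in Block mode and set every listed value to 1.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Microsoft Defender', "Enable ASR rule $AsrRuleId")) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                         -AttackSurfaceReductionRules_Actions Enabled
    }
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION values')) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        foreach ($app in $Apps) {
            New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

Get-Cve202336884Mitigation | Format-Table -AutoSize
# Set-Cve202336884Mitigation -WhatIf   # preview first, then run without -WhatIf
```

Run the Get function first so you know what you are changing, and remember the caveat from the advisory: the registry values block cross-protocol file navigation for those applications, so test the workflows that depend on it. The Defender for Office 365 protection is cloud-side and cannot be checked from the endpoint this way.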

CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability

The second CVE is also exploited in the wild, but as usual Microsoft provides no information on how widespread the attacks are. We only know that an attacker can bypass the Microsoft Outlook Security Notice prompt once the user opens a specially crafted URL: Outlook should pop a warning dialog, but this vulnerability evades that prompt. As it's related to Outlook… patch ASAP.

CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability

Similar to the previous one, this bug in SmartScreen lets an attacker evade the warning dialog. Again, a user would need to click a link or otherwise open a file for an attacker to use it. Also observed in the wild.

CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability

Another bug listed as under active attack this month. To elevate to administrative privileges, an attacker needs access to a user account that can create folders and performance traces on the target system, which is not a default permission set for standard users. If you grant that to standard users, prioritise patching.

CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability

This is the last zero-day, and it's not a straightforward privilege escalation: instead of granting SYSTEM, it only elevates to the rights of the user running the affected application. It still requires a user to click a link or open a file, so stay wary of suspicious-looking attachments or messages.

CVE-2023-32057 – Microsoft Message Queuing Remote Code Execution Vulnerability

And here we have not a zero-day, but a Critical bug rated 9.8, very similar to CVE-2023-21554 from April. It could allow a remote, unauthenticated attacker to run code with elevated privileges on servers with the Message Queuing service enabled. As in April, you can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly. You can also check on which servers the Message Queuing service is enabled using the script from last month's post.

CVE-2023-35365 / CVE-2023-35366 / CVE-2023-35367 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

These 3 CVEs are also rated 9.8, and all we know is that to exploit them an attacker would need to send specially crafted packets to a server with the Routing and Remote Access Service running. RRAS is a role that is not installed by default, so if you are using it, patch ASAP.
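For both the MSMQ and the RRAS bugs the first question is which servers actually run those services. The script below is an added example (not the original post's code, and not the script from last month's post): it inventories, over WinRM, which servers have the Message Queuing service or the Remote Access role present, and includes a helper that adds the interim TCP 1801 block rule for CVE-2023-32057. It assumes PowerShell remoting is enabled and the caller is a local administrator on the targets; the server names are a constructed sample and the function names are mine.

```powershell
# Added example (not from the original post): inventory MSMQ and RRAS exposure
# across servers and optionally apply the interim TCP 1801 block rule.
# Assumptions: WinRM is enabled, the caller is a local admin on each target,
# and the server list below is constructed for illustration.

$Servers = 'srv-app01', 'srv-app02', 'srv-vpn01'   # constructed sample list

function Get-MsmqRrasExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $msmq = Get-Service -Name MSMQ         -ErrorAction SilentlyContinue
        $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
        # RRAS ships as the "Remote Access" role; Get-WindowsFeature exists only on Windows Server.
        $role = $null
        if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
            $role = Get-WindowsFeature -Name RemoteAccess -ErrorAction SilentlyContinue
        }
        # MSMQ listens on TCP 1801; a listener means the service is reachable, patched or not.
        $l1801 = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
        $msmqStatus = 'not installed'; if ($msmq) { $msmqStatus = "$($msmq.Status)" }
        $rrasStatus = 'not installed'; if ($rras) { $rrasStatus = "$($rras.Status)" }
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            MsmqService       = $msmqStatus
            Tcp1801Listening  = [bool]$l1801
            RrasRoleInstalled = [bool]($role -and $role.Installed)
            RrasService       = $rrasStatus
        }
    }
}

function Add-MsmqBlockRule {
    # Interim mitigation for CVE-2023-32057 only: block inbound TCP 1801 until the
    # update is deployed. This also breaks legitimate MSMQ clients, so scope it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $name = 'Block MSMQ TCP 1801 (interim, CVE-2023-32057)'
    foreach ($c in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($c, "Add firewall rule '$name'")) {
            Invoke-Command -ComputerName $c -ArgumentList $name -ScriptBlock {
                param($n)
                if (-not (Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue)) {
                    New-NetFirewallRule -DisplayName $n -Direction Inbound -Protocol TCP `
                                        -LocalPort 1801 -Action Block | Out-Null
                }
            }
        }
    }
}

$exposure = Get-MsmqRrasExposure -ComputerName $Servers
$exposure | Format-Table Computer, MsmqService, Tcp1801Listening, RrasRoleInstalled, RrasService -AutoSize
# Example follow-up: block 1801 only where something is actually listening.
# Add-MsmqBlockRule -WhatIf -ComputerName ($exposure |
#     Where-Object Tcp1801Listening | Select-Object -ExpandProperty Computer)
```

Hosts where MsmqService or RrasRoleInstalled comes back positive are the ones to patch first; the firewall rule is a stopgap for MSMQ only, and there is no equivalent port-level workaround for the RRAS bugs beyond not exposing the service.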

CVE-2023-33157 / CVE-2023-33160 – Microsoft SharePoint Remote Code Execution / Microsoft SharePoint Server Remote Code Execution Vulnerabilities

In both cases the attacker must be authenticated to the target site as at least a Site Member; successful exploitation could give access to the victim's information, the ability to alter it, and potentially downtime for the targeted environment. The difference: for CVE-2023-33157, an attacker with Manage List permissions could execute code remotely on the SharePoint Server, while for CVE-2023-33160 the attacker could leverage vulnerable APIs through a deserialization of unsafe data input vulnerability, which requires user access to the susceptible API on an affected version of SharePoint with specially formatted input.

CVE-2023-35315 – Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability

An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a Windows Server configured as a Layer-2 Bridge, but successful exploitation requires access to the restricted network first (the attack vector is Adjacent). It is still rated Critical.

CVE-2023-35352 – Windows Remote Desktop Security Feature Bypass Vulnerability

Despite its 7.5 score, this server-side issue is rated Critical, and Microsoft assesses that exploitation is more likely in the next 30 days. An attacker who successfully exploited it could bypass certificate or private key authentication when establishing a Remote Desktop Protocol session.

Summary

Below you can see the most important CVEs released by Microsoft in July 2023 (zero-days, criticals, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find info about bugs in the ODBC driver, the PostScript and PCL6 Class Printer Driver, RPC, the USB Audio Class System Driver, WDS, the Windows Kernel, Windows Admin Center, Dynamics 365, Visual Studio, .NET, and other SharePoint and Office vulnerabilities.

| CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability | Important (8.3) | Network | High | None | Required | Exploited & Public | Windows 10+; Windows Server 2008+; Word 2013, 2016; Office 2019; Office LTSC 2021 |
| CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability | Important (8.8) | Network | Low | None | Required | Exploited | Outlook 2013, 2016; Office 2019; Office LTSC 2021; Microsoft 365 |
| CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability | Important (8.8) | Network | Low | None | Required | Exploited | Windows 10+; Windows Server 2016+ |
| CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 10+; Windows Server 2008+ |
| CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | None | Required | Exploited | Windows 10+; Windows Server 2008+ |
| CVE-2023-32057 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-35365 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-35366 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-35367 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-33157 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | SharePoint Enterprise Server 2016; SharePoint Server 2019; SharePoint Server Subscription Edition |
| CVE-2023-33160 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | SharePoint Enterprise Server 2016; SharePoint Server 2019; SharePoint Server Subscription Edition |
| CVE-2023-35315 | Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability | Critical (8.8) | Adjacent | Low | None | None | Unproven | Windows 10+; Windows Server 2019+ |
| CVE-2023-35297 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (7.5) | Adjacent | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-35352 | Windows Remote Desktop Security Feature Bypass Vulnerability | Critical (7.5) | Network | High | None | None | Unproven | Windows Server 2012+ |
| CVE-2023-33150 | Microsoft Office Security Feature Bypass Vulnerability | Important (9.6) | Network | Low | None | Required | Unproven | Word 2013, 2016; Office 2019; Office LTSC 2021 |
| CVE-2023-32038 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-35302 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2012+ |
| CVE-2023-33134 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint Enterprise Server 2016; SharePoint Server 2019; SharePoint Server Subscription Edition |
| CVE-2023-33159 | Microsoft SharePoint Server Spoofing Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | SharePoint Enterprise Server 2016; SharePoint Server 2019; SharePoint Server Subscription Edition |
| CVE-2023-35300 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-35303 | USB Audio Class System Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-35322 | Windows Deployment Services Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows Server 2008+ |
| CVE-2023-35364 | Windows Kernel Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 10+; Windows Server 2019+ |
| CVE-2023-29347 | Windows Admin Center Spoofing Vulnerability | Important (8.7) | Network | Low | Low | Required | Unproven | Windows Admin Center |
| CVE-2023-35335 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important (8.2) | Network | Low | None | Required | Unproven | Microsoft Dynamics 365 (on-premises) version 9.0+ |
| CVE-2023-33127 | .NET and Visual Studio Elevation of Privilege Vulnerability | Important (8.1) | Network | High | None | None | PoC | .NET 6.0, 7.0; Visual Studio 2022 17.0+ |
| CVE-2023-33170 | ASP.NET Core Security Feature Bypass Vulnerability | Important (8.1) | Network | High | None | None | PoC | .NET 6.0, 7.0; Visual Studio 2022 17.0+ |
