Today’s Patch Tuesday brings us 69 new CVEs, 6 of them rated Critical. Not that bad, so let’s briefly review them!
CVE-2023-29363 / CVE-2023-32014 / CVE-2023-32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
We’re starting hard: 3 vulnerabilities in Windows Pragmatic General Multicast with CVSS = 9.8. They allow a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running. In the past months (April, May) we already noticed similar bugs, and this is starting to be quite common in Patch Tuesdays. PGM is not enabled by default, but it isn’t an uncommon configuration either. So far no exploitation has been detected, but it is better to be prepared before vacation.
Below you can find a script that can help you to find machines running the message queuing service:
```powershell
# Requires Windows PowerShell 5.1 (Get-Service -ComputerName and Get-WmiObject
# are not available in PowerShell 7) and the ActiveDirectory RSAT module
Import-Module ActiveDirectory

# Set the target OU distinguished name
$ouDN = "OU=servers,DC=domain,DC=com"

# Get all servers from the specified OU (wrapped in @() so .Count is reliable)
$servers = @(Get-ADComputer -Filter * -SearchBase $ouDN | Select-Object -ExpandProperty Name)

# Initialize an empty array to store the results
$results = @()

# Initialize counters for progress tracking
$totalServers = $servers.Count
$checkedServers = 0

# Create a progress bar
$progressBar = New-Object -TypeName System.Management.Automation.ProgressRecord -ArgumentList (1, "Checking Servers", "Checking Servers Progress")
$progressBar.PercentComplete = 0

# Iterate through each server
foreach ($server in $servers) {
    Write-Host "Checking server: $server"

    # Update the progress bar
    $checkedServers++
    $progressBar.StatusDescription = "Checked $checkedServers/$totalServers servers"
    $progressBar.PercentComplete = ($checkedServers / $totalServers) * 100
    Write-Progress -Id 1 -Activity $progressBar.Activity -Status $progressBar.StatusDescription -PercentComplete $progressBar.PercentComplete

    # Get the operating system version
    try {
        $osVersion = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server -ErrorAction Stop | Select-Object -ExpandProperty Caption
    } catch {
        $osVersion = "Cannot retrieve OS version"
    }
    Write-Host "OS version: $osVersion"

    # Try to check the service status
    try {
        # Reachability check: query a service that is always present (Netlogon).
        # If this fails, the server cannot be checked at all.
        $null = Get-Service -ComputerName $server -Name Netlogon -ErrorAction Stop

        try {
            # MSMQ is the service name of Message Queuing
            $service = Get-Service -ComputerName $server -Name MSMQ -ErrorAction Stop
            if ($service) {
                if ($service.Status -eq 'Running') {
                    $status = "Running"
                    Write-Host "Message Queuing service is running."
                } else {
                    $status = "Stopped"
                    Write-Host "Message Queuing service is NOT running."
                }
            }
        } catch {
            # Server is reachable, but the MSMQ service is not installed
            $status = "Service NOT exists"
            Write-Host "Service does not exist"
        }
    } catch {
        # If the server is not reachable, report status as "Cannot check"
        $status = "Cannot check"
        Write-Host "Cannot check"
    }

    # Create a custom object with the server name, OS, and service status
    $result = [PSCustomObject]@{
        ServerName    = $server
        OS            = $osVersion
        ServiceStatus = $status
    }

    # Add the result to the results array
    $results += $result
}

# Complete the progress bar
Write-Progress -Id 1 -Activity $progressBar.Activity -Status "Completed" -Completed

# Export the results to a CSV file
$results | Export-Csv -Path "C:\Temp\MSMQ.csv" -NoTypeInformation
```
CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability
This SharePoint bug can be used to execute a network attack that bypasses authentication (due to a flaw within the ValidateTokenIssuer method) and allows an attacker to gain the privileges of an authenticated user. Microsoft states that the AMSI integration and Microsoft Defender on SharePoint Server farm(s) protect against this vulnerability, but I would treat that more like a mitigation. The best option will be to deploy the patch as soon as possible.
CVE-2023-24897 – .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
I’m referring here to only one CVE related to .NET, but there are a number of them, and they exist in all supported versions of .NET, .NET Framework, and Visual Studio. To exploit this bug, an attacker convinces a victim to download and open a specially crafted file from a website, which leads to a local attack on their computer (most probably without any warning). Treat these bugs seriously.
CVE-2023-32013 – Windows Hyper-V Denial of Service Vulnerability
The last Critical rated CVE in June is a Denial-of-Service (DoS) bug in the Hyper-V server. A guest OS could potentially shut down the host OS, or at least cause some form of a DoS condition. If you are using Hyper-V in a production environment, definitely test and deploy the patch.
CVE-2023-32031 / CVE-2023-28310 – Microsoft Exchange Server Remote Code Execution Vulnerability
These 2 Exchange bugs are not rated as Critical, but in my opinion, they are at least “almost critical”. The first one – CVE-2023-32031 is a bypass of both CVE-2022-41082 and CVE-2023-21529, the first of which was listed as being under active exploit in November 2022.
The issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. The attacker has to have an account on the Exchange server, but successful exploitation could lead to executing code with SYSTEM privileges.
The second one – CVE-2023-28310 allows network adjacent authenticated attackers to achieve RCE via a PowerShell remoting session. As we are talking about Exchange – patch ASAP.
CVE-2023-29351 – Windows Group Policy Elevation of Privilege Vulnerability
This one might be quite interesting as well, as it could allow a standard domain user to delete arbitrary files and folders with system privileges. This could be achieved when “Folder preference – delete” is configured and the user has write access, allowing them to set a reparse point. So it could potentially allow an attacker to delete data, resulting in a service being unavailable.
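To find where the precondition described above exists, the following added example (not part of the original post) lists every GPO that contains a Group Policy Preferences folder item with the Delete action, so the target paths can be reviewed for locations that standard users can write to. It assumes the RSAT ActiveDirectory and GroupPolicy modules, read access to SYSVOL, and the standard Folders.xml layout with `action` and `path` attributes on the `Properties` element.

```powershell
# Added example: audit GPOs for Group Policy Preferences "Folder" items set to Delete.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules, read access to SYSVOL.
Import-Module ActiveDirectory, GroupPolicy

$domain     = (Get-ADDomain).DNSRoot
$policyRoot = "\\$domain\SYSVOL\$domain\Policies"

# Folder preferences are stored per GPO in
#   {GPO-GUID}\<Machine|User>\Preferences\Folders\Folders.xml
$files = Get-ChildItem -Path "$policyRoot\*\*\Preferences\Folders\Folders.xml" -ErrorAction SilentlyContinue

$findings = foreach ($file in $files) {
    # Walk up from ...\Preferences\Folders to the scope folder and the GPO GUID folder
    $scopeDir = $file.Directory.Parent.Parent
    $scope    = $scopeDir.Name
    $gpoGuid  = $scopeDir.Parent.Name.Trim('{}')

    # Resolve the GUID to a display name; a leftover SYSVOL folder may have no GPO
    try   { $gpoName = (Get-GPO -Guid $gpoGuid -ErrorAction Stop).DisplayName }
    catch { $gpoName = "Unknown GPO {$gpoGuid}" }

    try   { [xml]$xml = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
    catch { Write-Warning "Cannot parse $($file.FullName)"; continue }

    # action="D" marks a Delete item (C, R and U are Create, Replace and Update)
    foreach ($node in $xml.SelectNodes('//Folder[Properties/@action="D"]')) {
        $props = $node.SelectSingleNode('Properties')
        [PSCustomObject]@{
            GPO        = $gpoName
            Scope      = $scope
            ItemName   = $node.GetAttribute('name')
            TargetPath = $props.GetAttribute('path')
            SourceFile = $file.FullName
        }
    }
}

if ($findings) {
    $findings | Sort-Object GPO, TargetPath | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No folder-delete preference items found under $policyRoot"
}
```

Each `TargetPath` in the output is a candidate for an ACL review: the delete item only matters for this CVE where non-administrative users can write to that location.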
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
Please be aware that updates released on or after 13 June 2023 will remove the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.
Summary
Below you can see the most important CVEs released by Microsoft in June 2023 (criticals, and those with CVSS of at least 8.0). Besides the vulnerabilities already mentioned, you can also find info about bugs in the ODBC driver, WDAC OLE DB provider, Remote Desktop Client, and Collaborative Translation Framework.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2023-29363 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-32014 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Microsoft SharePoint Server 2019 |
CVE-2023-24897 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | .NET 6.0, 7.0; Visual Studio 2022 17.0, 17.2, 17.4, 17.6; Visual Studio 2019 16.11-; Visual Studio 2017 15.9-; Visual Studio 2015 U3; Visual Studio 2013 U5; .NET Framework 3.5 / 4.8 / 4.8.1 on Windows Server 2022 / Windows 11; .NET Framework 3.5 / 4.7.2 / 4.8 on Windows Server 2019; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2016; .NET Framework 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2008 R2 / 2012 / 2012 R2; .NET Framework 4.6.2 on Windows Server 2008; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 / 4.8.1 on Windows 10 |
CVE-2023-32013 | Windows Hyper-V Denial of Service Vulnerability | Critical (6.5) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2019+ |
CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Exchange Server 2016 Cumulative Update 23; Exchange Server 2019 Cumulative Update 12 / 13 |
CVE-2023-28310 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.0) | Adjacent | Low | Low | None | Unproven | Exchange Server 2016 Cumulative Update 23; Exchange Server 2019 Cumulative Update 12 / 13 |
CVE-2023-29373 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-29372 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2016+ |
CVE-2023-32009 | Windows Collaborative Translation Framework Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 10+; Windows Server 2008 R2+ |
CVE-2023-29351 | Windows Group Policy Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-24936 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | .NET 6.0, 7.0; Visual Studio 2022 17.0, 17.2, 17.4, 17.6; Visual Studio 2019 16.11-; Visual Studio 2017 15.9-; Visual Studio 2015 U3; Visual Studio 2013 U5; .NET Framework 3.5 / 4.8 / 4.8.1 on Windows Server 2022 / Windows 11; .NET Framework 3.5 / 4.7.2 / 4.8 on Windows Server 2019; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2016; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2012 / 2012 R2; .NET Framework 3.5.1 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2008 R2; .NET Framework 2.0 SP2 / 3.0 SP2 / 4.6.2 on Windows Server 2008; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 / 4.8.1 on Windows 10 |