Microsoft Patch Tuesday – June 2023

Today’s Patch Tuesday brings us 69 new CVEs, 6 of them critical. Not that bad, so let’s briefly review them!

CVE-2023-29363 / CVE-2023-32014 / CVE-2023-32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

We’re starting hard: 3 vulnerabilities in Windows Pragmatic General Multicast, each with a CVSS score of 9.8. They allow a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running. We already saw similar bugs in past months (April, May), and they are becoming quite common in Patch Tuesdays. PGM is not enabled by default, but it isn’t an uncommon configuration either. So far no exploitation has been detected, but it is better to be prepared before vacation.

Below you can find a script that can help you find machines running the message queuing service. It relies on Get-WmiObject and Get-Service -ComputerName, so run it in Windows PowerShell 5.1 with the ActiveDirectory module installed:

# Set the target OU distinguished name
$ouDN = "OU=servers,DC=domain,DC=com"

# Get all servers from the specified OU
$servers = Get-ADComputer -Filter * -SearchBase $ouDN | Select-Object -ExpandProperty Name

# Initialize an empty array to store the results
$results = @()

# Initialize counters for progress tracking
$totalServers = $servers.Count
$checkedServers = 0

# Create a progress bar
$progressBar = New-Object -TypeName System.Management.Automation.ProgressRecord -ArgumentList (1, "Checking Servers", "Checking Servers Progress")
$progressBar.PercentComplete = 0

# Iterate through each server
foreach ($server in $servers) {
    Write-Host "Checking server: $server"

    # Update the progress bar
    $checkedServers++
    $progressBar.StatusDescription = "Checked $checkedServers/$totalServers servers"
    $progressBar.PercentComplete = ($checkedServers / $totalServers) * 100
    Write-Progress -Id 1 -Activity $progressBar.Activity -Status $progressBar.StatusDescription -PercentComplete $progressBar.PercentComplete

    # Get the operating system version
    try {
        $osVersion = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server -ErrorAction Stop | Select-Object -ExpandProperty Caption
    } catch {
        $osVersion = "Cannot retrieve OS version"
    }
    Write-Host "OS version: $osVersion"    

    # Try to check the service status
    try {
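        # Reachability probe: if Netlogon's status can be read, the host answers service queries,
        # so a failure on the MSMQ lookup below means the service is not installed
        $null = Get-Service -ComputerName $server -Name Netlogon -ErrorAction Stop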
        try {
            $service = Get-Service -ComputerName $server -Name MSMQ -ErrorAction Stop
            if ($service) {
                if ($service.Status -eq 'Running') {
                    $status = "Running"
                    Write-Host "Message Queuing service is running."
                } else {
                    $status = "Stopped"
                    Write-Host "Message Queuing service is NOT running."
                }
            }
        } catch {
            $status = "Service NOT exists"
            Write-Host "Service does not exist"
        }
    } catch {
        # If the server is not reachable, report status as "Cannot check"
        $status = "Cannot check"
        Write-Host "Cannot check"
    }

    # Create a custom object with the server name, OS version, and service status
    $result = [PSCustomObject]@{
        ServerName = $server
        OS = $osVersion
        ServiceStatus = $status
    }

    # Add the result to the results array
    $results += $result
}

# Complete the progress bar
Write-Progress -Id 1 -Activity $progressBar.Activity -Status "Completed" -Completed

# Export the results to a CSV file
$results | Export-Csv -Path "C:\Temp\MSMQ.csv" -NoTypeInformation

CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability

This SharePoint bug can be used in a network attack that bypasses authentication (due to a flaw within the ValidateTokenIssuer method) and lets the attacker gain the privileges of an authenticated user. Microsoft states that the AMSI integration and Microsoft Defender on SharePoint Server farm(s) protect against this vulnerability, but I would treat that more as a mitigation. The best option is to deploy the patch as soon as possible.

CVE-2023-24897 – .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

I’m referring here to only one CVE related to .NET, but there is a bunch of them, and they exist in all supported versions of .NET, .NET Framework, and Visual Studio. Exploiting the mentioned bug requires convincing a victim to download and open a specially crafted file from a website, which leads to a local attack on their computer (most probably without any warning). Treat these bugs seriously.

CVE-2023-32013 – Windows Hyper-V Denial of Service Vulnerability

The last Critical rated CVE in June is a Denial-of-Service (DoS) bug in the Hyper-V server. A guest OS could potentially shut down the host OS, or at least cause some form of a DoS condition. If you are using Hyper-V in a production environment, definitely test and deploy the patch.

CVE-2023-32031 / CVE-2023-28310 – Microsoft Exchange Server Remote Code Execution Vulnerability

These 2 Exchange bugs are not rated as Critical, but in my opinion, they are at least “almost critical”. The first one, CVE-2023-32031, is a bypass of both CVE-2022-41082 and CVE-2023-21529, the first of which was listed as being under active exploit in November 2022.
The issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. The attacker has to have an account on the Exchange server, but successful exploitation could lead to executing code with SYSTEM privileges.

The second one, CVE-2023-28310, allows network-adjacent authenticated attackers to achieve RCE via a PowerShell remoting session. As we are talking about Exchange: patch ASAP.

CVE-2023-29351 – Windows Group Policy Elevation of Privilege Vulnerability

This one might be quite interesting as well, as it could allow a standard domain user to delete arbitrary files and folders with system privileges. This could be achieved when “Folder preference – delete” is configured and the user has write access, allowing them to set a reparse point. So an attacker could potentially delete data and make a service unavailable.

KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

Please be aware that updates released on or after 13 June 2023 will remove the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.
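To find domain controllers that still carry the setting this update stops honouring, the sketch below reads KrbtgtFullPacSignature on every DC. It is an added example, not part of the original post; the registry path under the Kdc service and the meanings of values 1 to 3 are taken from KB5020805 rather than from this page, and the script assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example, not from the original post.
# Registry location and value meanings as documented in KB5020805 (confirm against the KB).
$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'KrbtgtFullPacSignature'
$meaning   = @{
    0 = 'Disabled (cannot be set after the 13 June 2023 updates)'
    1 = 'Signatures added, not verified'
    2 = 'Audit mode'
    3 = 'Enforcement mode'
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Read the value on the DC itself; a missing value comes back as $null
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($key, $name)
            (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        } -ArgumentList $kdcKey, $valueName

        if ($null -eq $value) {
            $state = 'Not set (OS default applies)'
        } elseif ($meaning.ContainsKey([int]$value)) {
            $state = $meaning[[int]$value]
        } else {
            $state = "Unexpected value $value"
        }
    } catch {
        # Host unreachable or WinRM refused: report it instead of guessing
        $value = $null
        $state = "Cannot check: $($_.Exception.Message)"
    }

    [PSCustomObject]@{
        DomainController = $dc.HostName
        Value            = $value
        State            = $state
        NeedsReview      = ($value -eq 0)   # explicit 0 is the setting being retired
    }
}

# DCs with an explicit 0 sort to the top
$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```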

Summary

Below you can see the most important CVEs released by Microsoft in June 2023 (criticals, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find info about bugs in the ODBC driver, WDAC OLE DB provider, Remote Desktop Client, and Collaborative Translation Framework.

| CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-29363 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-32014 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Microsoft SharePoint Server 2019 |
| CVE-2023-24897 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | Critical (7.8) | Local | Low | None | Required | Unproven | .NET 6.0, 7.0; Visual Studio 2022 17.0, 17.2, 17.4, 17.6; Visual Studio 2019 16.11-; Visual Studio 2017 15.9-; Visual Studio 2015 U3; Visual Studio 2013 U5; .NET Framework 3.5 / 4.8 / 4.8.1 on Windows Server 2022 / Windows 11; .NET Framework 3.5 / 4.7.2 / 4.8 on Windows Server 2019; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2016; .NET Framework 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2008 R2 / 2012 / 2012 R2; .NET Framework 4.6.2 on Windows Server 2008; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 / 4.8.1 on Windows 10 |
| CVE-2023-32013 | Windows Hyper-V Denial of Service Vulnerability | Critical (6.5) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2019+ |
| CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Exchange Server 2016 Cumulative Update 23; Exchange Server 2019 Cumulative Update 12 / 13 |
| CVE-2023-28310 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.0) | Adjacent | Low | Low | None | Unproven | Exchange Server 2016 Cumulative Update 23; Exchange Server 2019 Cumulative Update 12 / 13 |
| CVE-2023-29373 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-29372 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2016+ |
| CVE-2023-32009 | Windows Collaborative Translation Framework Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 10+; Windows Server 2008 R2+ |
| CVE-2023-29351 | Windows Group Policy Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+; Windows Server 2008+ |
| CVE-2023-24936 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | .NET 6.0, 7.0; Visual Studio 2022 17.0, 17.2, 17.4, 17.6; Visual Studio 2019 16.11-; Visual Studio 2017 15.9-; Visual Studio 2015 U3; Visual Studio 2013 U5; .NET Framework 3.5 / 4.8 / 4.8.1 on Windows Server 2022 / Windows 11; .NET Framework 3.5 / 4.7.2 / 4.8 on Windows Server 2019; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2016; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2012 / 2012 R2; .NET Framework 3.5.1 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2008 R2; .NET Framework 2.0 SP2 / 3.0 SP2 / 4.6.2 on Windows Server 2008; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 / 4.8.1 on Windows 10 |
