This month, Microsoft released patches addressing 78 CVEs, including 3 zero-days, 2 publicly disclosed vulnerabilities and 3 Criticals. Let’s briefly review them!
CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability
The first zero-day looks more like a bypass than a privilege escalation. An attacker can bypass Windows Defender SmartScreen checks and other prompts. This bug is likely being used in conjunction with an exploit that would normally be stopped by SmartScreen, so the attack scenario might be a phishing campaign that uses it to evade the user prompts that would otherwise prevent the attack.
CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability
The second zero-day allows a privilege escalation through the Desktop Window Manager (DWM). An attacker who exploits it can gain SYSTEM privileges. No other details are known yet.
CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
The last zero-day is another privilege escalation bug, and like the previous one, exploitation leads to SYSTEM privileges. This driver is used for managing and facilitating the operations of cloud-stored files. It’s loaded by default on just about every version of Windows, so it provides a broad attack surface.
CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
This Critical bug, with a CVSS score of 9.8, would allow a remote, unauthenticated attacker to execute code with elevated privileges without user interaction. If you have the Windows Message Queuing service running in a PGM Server environment, you are affected. Test and apply ASAP.
CVE-2023-36400 – Windows HMAC Key Derivation Elevation of Privilege Vulnerability
The other Critical-rated patch is a privilege escalation in Windows Hash-based Message Authentication Code (HMAC) key derivation that could allow a guest on Hyper-V to execute code on the underlying host OS. Fortunately, this is a local-only attack. However, if one guest can take over the host, it could do anything it wanted to the other guest OSes on that server.
CVE-2023-36052 – Azure CLI REST Command Information Disclosure Vulnerability
Info disclosure vulnerabilities rarely get a Critical rating, but using this one an attacker could recover plaintext usernames and passwords from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions. If you are using the affected CLI commands, you must update the Azure CLI to version 2.53.1 or above to be protected against this vulnerability.
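As an added example (not code from the original post), a POSIX shell check a CI job can run before any step that invokes the affected commands: it reads the `azure-cli` field from `az version -o json` (a real Azure CLI command and key) and fails the job when the version is below 2.53.1. The JSON sample embedded in the block is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: gate a pipeline on the Azure CLI build in use, because
# CVE-2023-36052 is fixed in Azure CLI 2.53.1 and later.
MIN_SAFE_VERSION="2.53.1"

# Pull the "azure-cli" value out of `az version` JSON without needing jq.
# The trailing quote in the pattern keeps "azure-cli-core" from matching.
azure_cli_version_from_json() {
    printf '%s\n' "$1" \
      | sed -n 's/.*"azure-cli"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
      | head -n 1
}

# Compare dotted versions component by component, numerically, so that
# 2.53.10 ranks above 2.53.1. Prints -1, 0 or 1 for a<b, a=b, a>b.
# Non-digit suffixes such as "1b1" are cut back to their leading digits.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && { printf '%s\n' -1; return; }
        [ "$ai" -gt "$bi" ] && { printf '%s\n' 1; return; }
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# True (exit 0) when the given Azure CLI version carries the fix.
azure_cli_is_patched() {
    [ "$(version_cmp "$1" "$MIN_SAFE_VERSION")" -ge 0 ]
}

# Constructed sample of `az version -o json` output for an offline run.
SAMPLE_AZ_VERSION_JSON='{"azure-cli": "2.52.0", "azure-cli-core": "2.52.0", "extensions": {}}'

# On a real runner call: check_runner "$(az version -o json)"
check_runner() {
    v=$(azure_cli_version_from_json "${1:-$SAMPLE_AZ_VERSION_JSON}")
    if azure_cli_is_patched "$v"; then
        echo "Azure CLI $v: patched for CVE-2023-36052"
    else
        echo "Azure CLI $v: below $MIN_SAFE_VERSION, vulnerable to CVE-2023-36052" >&2
        return 1
    fi
}
```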
Summary
Below you can see the most important CVEs released by Microsoft in November 2023. Besides the vulnerabilities already mentioned, please pay particular attention to the Exchange bugs: installing the patch isn’t enough, and the post-install steps listed here to enable the Serialized Data Signing feature are also needed.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2023-36025 | Windows SmartScreen Security Feature Bypass Vulnerability | Important (8.8) | Network | Low | None | Required | Exploited | Windows 10+; Windows Server 2008+ |
CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | Required | Exploited | Windows 10+; Windows Server 2019+ |
CVE-2023-36036 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Exploited | Windows 10+; Windows Server 2008+ |
CVE-2023-36038 | ASP.NET Core Denial of Service Vulnerability | Important (8.2) | Network | Low | None | None | Publicly disclosed | ASP.NET Core 8.0 & .NET 8.0; Microsoft Visual Studio 2022 17.7- |
CVE-2023-36413 | Microsoft Office Security Feature Bypass Vulnerability | Important (6.5) | Network | Low | None | Required | Publicly disclosed | Office 2016; Office 2019; Office LTSC 2021; Microsoft 365 Apps |
CVE-2023-36397 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-36400 | Windows HMAC Key Derivation Elevation of Privilege Vulnerability | Critical (8.8) | Local | Low | Low | None | Unproven | Windows 10+; Windows Server 2016+ |
CVE-2023-36052 | Azure CLI REST Command Information Disclosure Vulnerability | Critical (8.6) | Network | Low | None | None | Unproven | Azure CLI |
CVE-2023-36028 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Important (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2016+ |
CVE-2023-36560 | ASP.NET Security Feature Bypass Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | .NET Framework 3.5 / 4.8 / 4.8.1 on Windows Server 2022 / Windows 11; .NET Framework 3.5 / 4.7.2 / 4.8 on Windows Server 2019; .NET Framework 3.5 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2012 / 2012 R2 / 2016; .NET Framework 3.5.1 / 4.6.2 / 4.7 / 4.7.1 / 4.7.2 / 4.8 on Windows Server 2008 R2; .NET Framework 2.0 SP2 / 3.0 SP2 / 4.6.2 on Windows Server 2008; .NET Framework 3.5 / 4.6 / 4.6.2 / 4.7.2 / 4.8 / 4.8.1 on Windows 10 |
CVE-2023-36437 | Azure DevOps Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Azure Pipelines Agent |
CVE-2023-38151 | Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Host Integration Server 2020; Microsoft OLE DB Provider for DB2 V7 |
CVE-2023-36402 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-36017 | Windows Scripting Engine Memory Corruption Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008 R2+ |
CVE-2023-36719 | Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability | Important (8.4) | Local | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-36425 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability | Important (8.0) | Network | High | High | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-36439 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.0) | Adjacent | Low | Low | None | Unproven | Exchange 2016 CU23; Exchange 2019 CU12+ |
CVE-2023-36035 | Microsoft Exchange Server Spoofing Vulnerability | Important (8.0) | Adjacent | Low | Low | None | Unproven | Exchange 2016 CU23; Exchange 2019 CU12+ |
CVE-2023-36039 | Microsoft Exchange Server Spoofing Vulnerability | Important (8.0) | Adjacent | Low | Low | None | Unproven | Exchange 2016 CU23; Exchange 2019 CU12+ |
CVE-2023-36050 | Microsoft Exchange Server Spoofing Vulnerability | Important (8.0) | Adjacent | Low | Low | None | Unproven | Exchange 2016 CU23; Exchange 2019 CU12+ |
CVE-2023-36021 | Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability | Important (8.0) | Network | Low | Low | Required | Unproven | On-Prem Data Gateway |
- Microsoft Patch Tuesday – November 2023 - November 15, 2023