For October, Microsoft released patches for 103 CVEs, including 3 zero-days and 13 criticals. Let’s briefly review them!
CVE-2023-44487 – HTTP/2 Rapid Reset Attack
The first zero-day was reported as being under active attack against Google systems in August 2023, but Microsoft released a patch for its products only now. This vulnerability allows attackers to abuse the Layer 7 stream cancellation feature of HTTP/2 to cause a DoS against a service. The problem is shared across many services and implementations; you can find more details in this article.
CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability
This bug looks very similar to CVE-2023-36761 described in the previous month. Successful exploitation could lead to the disclosure of NTLM hashes, but this time the Preview Pane is not an attack vector, so user interaction is required. Exploitation has been detected in the wild.
CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
The last zero-day is more like an information disclosure than an elevation of privilege. An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the server to parse an HTTP request made to an arbitrary address. This could disclose IP addresses, port numbers, or both to the attacker. Recommendation – get rid of Skype for Business as soon as possible, but patch earlier if needed.
CVE-2023-35349 / CVE-2023-36697 – Microsoft Message Queuing Remote Code Execution Vulnerability
Here we go again… This year we have already seen a lot of Message Queuing bugs, and this month Microsoft released 20 patches for it! The two mentioned in the header are rated critical; the remaining 18 are important. The first bug could allow a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. Again… you can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly. You can also check on which servers the Message Queuing service is enabled using the script from June.
CVE-2023-38166 / CVE-2023-41765 / CVE-2023-41767 / CVE-2023-41768 / CVE-2023-41769 / CVE-2023-41770 / CVE-2023-41771 / CVE-2023-41773 / CVE-2023-41774 – Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
A remote, unauthenticated attacker could send malicious packets to a Routing and Remote Access Service (RRAS) server to get arbitrary code execution. All of these bugs require winning a race condition, but if you are using RRAS in your environment, take them seriously.
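The Message Queuing and L2TP sections above both come down to the same question for a defender: on which hosts is the affected service actually installed and running? The following PowerShell script is an added example, not the script from the original post and not anything from Microsoft. It reports the install state, start mode and current state of the Message Queuing (MSMQ) and Routing and Remote Access (RemoteAccess) services for a list of hosts, and checks locally whether an inbound block rule for TCP 1801 (the mitigation mentioned in the MSMQ section) already exists. The host list, the rule display name and the -BlockMsmqPort switch are assumptions; remote queries go over WinRM, so they need CIM access to the target hosts.

```powershell
# Added audit script (not from the original post). Reports whether the services
# affected by the October 2023 MSMQ and L2TP/RRAS bugs are present and running,
# and whether inbound TCP 1801 is already blocked on the local machine.
param(
    # Assumption: replace with your own server inventory (constructed default).
    [string[]]$ComputerName = @('localhost'),
    # Assumption: opt-in local mitigation from the post (block TCP 1801 inbound).
    [switch]$BlockMsmqPort
)

# Service name -> human-readable label. Both names are the real Windows service names.
$services = [ordered]@{
    'MSMQ'         = 'Message Queuing'
    'RemoteAccess' = 'Routing and Remote Access (RRAS, L2TP)'
}

foreach ($computer in $ComputerName) {
    foreach ($name in $services.Keys) {
        # Win32_Service exposes StartMode, which Get-Service alone does not show in PS 5.1.
        $cimArgs = @{ ClassName = 'Win32_Service'; Filter = "Name='$name'"; ErrorAction = 'Stop' }
        if ($computer -ne 'localhost') { $cimArgs.ComputerName = $computer }   # remote = WinRM/CIM
        try {
            $svc = Get-CimInstance @cimArgs
        } catch {
            Write-Warning ("{0}: could not query {1} ({2})" -f $computer, $name, $_.Exception.Message)
            continue
        }
        # One row per host/service; an absent service means the feature is not installed.
        [pscustomobject]@{
            Computer  = $computer
            Service   = $services[$name]
            Installed = [bool]$svc
            State     = if ($svc) { $svc.State } else { 'not installed' }
            StartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
        }
    }
}

# Local firewall check: is there an enabled inbound block rule covering TCP 1801?
# Get-NetFirewallPortFilter / Get-NetFirewallRule exist on Windows 8 / Server 2012 and later.
$blockRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '1801' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }

if ($blockRules) {
    Write-Output ("Inbound TCP 1801 is already blocked by: {0}" -f (($blockRules.DisplayName) -join ', '))
} elseif ($BlockMsmqPort) {
    # Assumed rule name; adjust to your naming convention. Only the local host is changed.
    New-NetFirewallRule -DisplayName 'Block inbound MSMQ TCP 1801 (CVE-2023-35349 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block | Out-Null
    Write-Output 'Created inbound block rule for TCP 1801.'
} else {
    Write-Output 'No inbound block rule for TCP 1801 found (run with -BlockMsmqPort to add one).'
}
```

Run it as `.\Audit-OctoberServices.ps1 -ComputerName srv01,srv02` from an elevated Windows PowerShell 5.1 session; the firewall part only inspects and, with the switch, modifies the machine the script runs on. A block rule is a stopgap for hosts that legitimately need MSMQ for internal clients only; the service rows tell you where the update must be deployed first.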
CVE-2023-36718 – Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability
This one is related to the virtual TPM on VMs and could lead to an escape from the contained execution environment.
Summary
Below you can see the most important CVEs released by Microsoft in October 2023. Besides the vulnerabilities already mentioned, you can also find info about bugs in Microsoft Common Data Model SDK, Azure Identity SDK, IIS Server, Azure HDInsight Apache Oozie Workflow Scheduler, WDAC OLE DB provider for SQL Server, Microsoft Office, and Microsoft Exchange Server.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2023-44487 | HTTP/2 Rapid Reset Attack | Important (8.8) | Adjacent | Low | None | None | Exploited | Windows 10+; Windows Server 2016+; ASP.NET Core 6.0 & .NET 6.0; ASP.NET Core 7.0 & .NET 7.0; Microsoft Visual Studio 2022 17.7- |
CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability | Important (6.5) | Network | Low | None | Required | Exploited | Windows 10+; Windows Server 2008+ |
CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability | Important (5.3) | Network | Low | None | None | Exploited | Skype for Business Server 2015 CU13; Skype for Business Server 2019 CU7 |
CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical (6.8) | Network | Low | High | Required | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-36718 | Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability | Critical (7.8) | Local | High | Low | None | Unproven | Windows 10+; Windows Server 2016+ |
CVE-2023-36566 | Microsoft Common Data Model SDK Denial of Service Vulnerability | Critical (6.5) | Network | Low | Low | None | Unproven | Microsoft Common Data Model SDK for C#; Microsoft Common Data Model SDK for Java; Microsoft Common Data Model SDK for Python; Microsoft Common Data Model SDK for TypeScript |
CVE-2023-36434 | Windows IIS Server Elevation of Privilege Vulnerability | Important (9.8) | Network | Low | None | None | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-36414 | Azure Identity SDK Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Azure Identity SDK for .NET |
CVE-2023-36415 | Azure Identity SDK Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Azure Identity SDK for .NET; Azure Identity SDK for Java; Azure Identity SDK for JavaScript; Azure Identity SDK for Python |
CVE-2023-36419 | Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Azure HDInsight |
CVE-2023-36577 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+; Windows Server 2008+ |
CVE-2023-36569 | Microsoft Office Elevation of Privilege Vulnerability | Important (8.4) | Local | Low | None | None | Unproven | Office 2019; Office LTSC 2021; Microsoft 365 Apps |
CVE-2023-36778 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important (8.0) | Adjacent | Low | Low | None | Unproven | Exchange 2016 CU23; Exchange 2019 CU12+ |