The October 2023 Security Update Review

Twenty years ago this month, Microsoft introduced the concept of “Patch Tuesday” – although the marketing folks wanted it called “Update Tuesday” (they didn’t like the word “patch”). Over the years, more companies joined the Patch Tuesday bandwagon. Here we are 20 years later, still talking about the latest security releases from Adobe and Microsoft. Pop some champagne to celebrate and join us as we review the details of the latest advisories from Adobe and Microsoft. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for October 2023

For October, Adobe released three bulletins addressing 13 CVEs in Adobe Photoshop, Bridge, and Adobe Commerce. A total of three of these CVEs came through the ZDI program. The patch for Commerce is the largest this month, with a mix of 10 Critical and Important CVEs being addressed. The most severe of these could allow arbitrary code execution through a SQL injection. The update for Photoshop fixes a single code execution bug. An attacker would need to convince a user to open a specially crafted file with Photoshop to exploit affected systems. The final patch for Adobe Bridge fixes two Important severity bugs discovered by ZDI researcher Mat Powell.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for October 2023

This month, Microsoft released 103 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET Core and Visual Studio; Azure; Microsoft Dynamics; and Skype for Business, which is apparently still a thing. A total of three of these CVEs were reported through the ZDI program, and many others are waiting in the wings. In addition to the new CVEs, one external bug and one Chromium bug are being incorporated into the release, bringing the total number of CVEs to 103.

Of the new patches released today, 13 are rated Critical and 90 are rated Important in severity. That puts this as the second largest month this year, although the huge number of Message Queuing fixes skew that number (see below).  That puts Microsoft just 127 CVEs shy of its 2022 total, which would make 2023 one of its busiest years ever.

Two of the CVEs released today are listed as being publicly known and under active attack at the time of release. That’s in addition to one external CVE listed as under active attack.  Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-       CVE-2023-36563 - Microsoft WordPad Information Disclosure Vulnerability
This bug is one of the two being exploited in the wild. Successful exploitation could lead to the disclosure of NTLM hashes. Microsoft doesn’t list any Preview Pane vector, so user interaction is required. In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn’t received much attention, but it could significantly hamper NTLM-relay exploits.

-       CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
This is the other bug under active attack this month, and it acts more like an information disclosure than a privilege escalation. An attacker could make a malicious call to an affected Skype for Business server that results in the server parsing an HTTP request to an arbitrary address. This could result in disclosing information, which could include sensitive information that provides access to internal networks.

-       CVE-2023-35349 - Microsoft Message Queuing Remote Code Execution Vulnerability
This is one of 20(!) Message Queuing patches this month and the highest CVSS (9.8) of the bunch. A remote, unauthenticated attacker could execute arbitrary code at the level of the service without user interaction. That makes this bug wormable – at least on systems where Message Queuing is enabled. You should definitely check your systems to see if it’s installed and also consider blocking TCP port 1801 at your perimeter.

-       CVE-2023-36434 - Windows IIS Server Elevation of Privilege Vulnerability
Although labeled Important by Microsoft, it receives a CVSS 9.8 rating. An attacker who successfully exploits this bug could log on to an affected IIS server as another user. Microsoft doesn’t rate this as Critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated. If you’re running IIS, you should treat this as a critical update and patch quickly.

Here’s the full list of CVEs released by Microsoft for October 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability Important 6.5 Yes Yes Info
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability Important 5.3 Yes Yes EoP
CVE-2023-44487 * MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack Important 8.8 No Yes DoS
CVE-2023-38166 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41767 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41768 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41769 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41770 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41771 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41773 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41774 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability Critical 6.5 No No DoS
CVE-2023-35349 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-36697 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2023-36718 Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2023-36722 Active Directory Domain Services Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2023-36585 Active Template Library Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36414

Azure Identity SDK Remote Code
Execution Vulnerability

Important 8.8 No No RCE
CVE-2023-36415

Azure Identity SDK Remote Code
Execution Vulnerability

Important 8.8 No No RCE
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36703 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36709 Microsoft AllJoyn API Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36702 Microsoft DirectMusic Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2023-36429 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36431 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36579 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36581 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36606 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36570 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36571 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36572 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36573 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36574 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36575 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36578 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36582 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36583 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36589 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36590 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36591 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36592 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36593 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36701 Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36420 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36730 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36785 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36417 Microsoft SQL OLE DB Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2023-36598 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36577 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36729 Named Pipe File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36557 PrintHTML API Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36789 Skype for Business Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability Important Unknown No No EoP
CVE-2023-41766 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36723 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36707 Windows Deployment Services Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-36567 Windows Deployment Services Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36706 Windows Deployment Services Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36721 Windows Error Reporting Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36434 Windows IIS Server Elevation of Privilege Vulnerability Important 9.8 No No EoP
CVE-2023-36726 Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36712 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36725 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36576 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability Important 3.6 No No SFB
CVE-2023-36584 Windows Mark of the Web Security Feature Bypass Vulnerability Important 5.4 No No SFB
CVE-2023-36710 Windows Media Foundation Core Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36720 Windows Mixed Reality Developer Tools Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36436 Windows MSHTML Platform Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36605 Windows Named Pipe Filesystem Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2023-36724 Windows Power Management Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36711 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36902 Windows Runtime Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2023-36564 Windows Search Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2023-36704 Windows Setup Files Cleanup Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36602 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36603 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36438 Windows TCP/IP Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36717 Windows Virtual Trusted Platform Module Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-5346 * Chromium: CVE-2023-5346 Type Confusion in V8 High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

 

A quick note about CVE-2023-44487 – this was reported as being under active attack across Google systems in August. They have provided a thorough write-up of the exploit, but at a high level, attackers can abuse the Layer 7 stream cancellation feature within HTTP/2 to create a DoS across a service. The problem is shared across many services, and this Microsoft patch addresses any affected Microsoft products.

As I already mentioned, about 20% of this entire release impacts the Message Queuing service with a variety of remote code execution and DoS bugs. Unlike the previously mentioned bug, the other RCEs do require user interaction – typically by clicking a link on an affected system. The DoS bugs do not require user interaction. Microsoft doesn’t state if successful exploitation would simply stop the service or blue screen the entire system. They also don’t note if the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure.

And yes, there is another Exchange bug being patched this month. It could allow an authenticated attacker on the same LAN to execute code through a PowerShell remoting connection. Last month’s “patch” ended up just being more CVEs being publicly documented in the August patch. We’ll what the Exchange team does with this one.

Moving on to the other Critical-rated patches, nine are for the Layer 2 Tunneling Protocol – all of which could lead to RCE. A remote, unauthenticated attacker could send malicious packets to an affected server to get arbitrary code execution. Microsoft rates this a bit lower since the attack involves exploiting a race condition, but I’d still take these seriously. The patch for the Virtual Trusted Platform Model addresses a container escape.

Looking at the other RCE fixes in this release, only a few really stand out. There are additional fixes for Skype for Business similar to the one under active attack. There are several patches for bugs that involve connecting to a malicious SQL server. The bugs in MSHTML and PrintHTML require user interaction – essentially open-and-own type attacks. There are also two updates for Azure Identity SDK that result from integer overflows. An attacker could use these to run arbitrary code with elevated privileges.

There are nearly 30 EoP bugs receiving patches this month, and the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. There are a couple of exceptions. The EoP in Azure DevOps server could reveal to secrets of the user of the affected application, which sounds like information disclosure to me. The bug in Azure HDInsight Apache Oozie Workflow Scheduler could lead to an attacker gaining cluster administrative privileges. And who names something “Oozie”? The bug in Azure Network Watcher seems intriguing. According to Microsoft, “An attacker who successfully exploited this vulnerability could route Packet Captures to a location in their control and perform file deletions that would limit the victim's troubleshooting and diagnostic capabilities.” Neat. The Office Click-to-Run vulnerability could allow an attacker to gain administrative privileges. The bug in Windows Runtime C++ Template Library could allow an attacker to delete arbitrary files. This has been known to lead to privilege escalation as explained in this blog by Simon Zuckerbraun.

There are just a few security feature bypass (SFB) vulnerabilities to discuss this month. The SFB in the kernel could allow an attacker to evade the Arbitrary Code Guard exploit protection feature. That would certainly help make other exploits more reliable. The bug in Mark-of-the-Web (MotW) could allow attackers to evade MotW detection. The bug in Search allows attackers to plant files without the MotW on affected systems.

Information disclosure bugs account for 12 fixes this month, including the one under active attack. As usual, the majority of these merely result in info leaks consisting of unspecified memory contents. There are also a few of these that disclose the ever enigmatic “sensitive information”. There’s a rare kernel info disclosure that isn’t random memory. It instead discloses device information such as resource IDs, SAS tokens, user properties, and other sensitive information. The bug in TCP/IP stack could allow an attacker to view the unencrypted contents of IPsec packets from other sessions on a server.

The October release contains fixes for around a dozen DoS bugs. Unfortunately, Microsoft doesn’t provide much information regarding these vulnerabilities. It would be nice to know if the DoS affected just the impacted component or the whole system. If you need to prioritize your testing, I suggest focusing on the TCP/IP and DHCP bugs as they have potentially the biggest impact on your enterprise.

Wrapping up this release, there is one cross-site scripting (XSS) bug fixed in Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The penultimate Patch Tuesday of 2023 will be on November 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Article Link: Zero Day Initiative — The October 2023 Security Update Review