Patch Tuesday July 2023 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Protect your systems from potential cyber threats and ensure the smooth functioning of your endpoints. For even more information, please watch the recorded July 2023 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
  - Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884)
  - Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2023-35311)
  - Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2023-36874)
  - Windows MSHTML Platform Elevation of Privilege Vulnerability (CVE-2023-32046)
  - Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerabilities (CVE-2023-35366, CVE-2023-35367, and CVE-2023-35365)
- Third-party application vulnerabilities:
Welcome to the July 2023 Vulnerability Digest, a comprehensive review of the latest Patch Tuesday updates and third-party releases to enhance the security of your systems and workstations against cyber attacks.
This Patch Tuesday, Microsoft has released a significant number of updates, addressing a total of 142 vulnerabilities. This includes 132 new fixes and updates for 10 previously addressed issues, resulting in a record-breaking number of fixes for the year. Among these, there are nine critical vulnerabilities that have been resolved, along with an update for an older critical vulnerability. This month’s updates also cover six zero-day vulnerabilities, with one of them publicly disclosed, and an update for a previously patched zero-day. Additionally, one older vulnerability now has a Proof of Concept (PoC) available.
Now, let’s dive into the details of the most noteworthy critical updates.
Office and Windows HTML Remote Code Execution Vulnerability
Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) is an important zero-day vulnerability that impacts Office and Windows HTML. It has a network attack vector with high attack complexity, requiring user interaction but not elevated privileges. With a CVSS rating of 8.3, it is categorized as important; the rating would have been higher if exploitation did not require user interaction and were less complex. The vulnerability affects all versions of Windows Server from 2008 onwards, Windows 10, as well as Microsoft Word and Microsoft Office versions 2013 and later.
Exploiting this vulnerability entails an attacker creating a specially crafted Microsoft Office document capable of executing remote code in the victim’s context. However, it is important to note that convincing the victim to open the malicious file is a prerequisite for a successful attack.
Microsoft has outlined certain mitigation steps to address this issue. Within existing attack chains, implementing the “Block all Office applications from creating child processes” attack surface reduction rule can thwart the exploitation of this vulnerability. For organizations unable to leverage this protection, an alternative approach involves configuring the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to prevent exploitation. It is worth noting that while these registry settings can mitigate the vulnerability’s exploitation, they may impact normal functionality in certain use cases associated with these applications. To implement this approach, add the application names listed as values of type REG_DWORD with data 1 to the registry key.
It is crucial to note that there is currently no fix available in the latest Patch Tuesday release, making mitigation steps the primary means of protection against the attack. We hope that Microsoft will address this vulnerability in the upcoming month’s release. However, considering Microsoft’s confirmation of active exploitation and the lack of an immediate patch, it becomes imperative to implement effective mitigation measures. Additionally, it is essential to prepare your employees to recognize and defend against potential phishing attacks associated with this vulnerability.
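The two interim mitigations described above, scripted for a Windows endpoint running Microsoft Defender; this is an added example, not Action1's or Microsoft's code. It assumes the ASR rule GUID, the full registry path under HKLM and the list of Office executables from Microsoft's public guidance for CVE-2023-36884 (none of these appear in this digest), so verify them against the current advisory before deployment.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the two interim mitigations for CVE-2023-36884.
# ASSUMPTIONS (taken from Microsoft's public guidance, not from this digest):
#   - ASR rule GUID for "Block all Office applications from creating child processes"
#   - full registry path of FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
#   - the Office executables that receive a REG_DWORD value of 1
# Caveat from the advisory: these settings can break some Office workflows, so
# test on a pilot group first.

# 1. Attack surface reduction rule (Defender must be the active AV for this to apply).
$asrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # assumption: GUID per Microsoft ASR docs
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# 2. FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION: one REG_DWORD = 1 per Office executable.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$officeApps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe',
                'PowerPoint.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
foreach ($app in $officeApps) {
    # -Force overwrites an existing value so re-running the script is idempotent.
    New-ItemProperty -Path $keyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Verification, so the change can be audited rather than assumed.
$state   = Get-ItemProperty -Path $keyPath
$missing = $officeApps | Where-Object { $state.$_ -ne 1 }
if ($missing) {
    Write-Warning "Registry mitigation incomplete, values not set: $($missing -join ', ')"
} else {
    Write-Output 'Registry mitigation values present for all listed Office executables.'
}

$prefs = Get-MpPreference
if ($prefs.AttackSurfaceReductionRules_Ids -contains $asrRuleId) {
    Write-Output 'ASR rule is configured (check the matching action is Enabled, i.e. 1, in AttackSurfaceReductionRules_Actions).'
} else {
    Write-Warning 'ASR rule not present in Defender preferences.'
}
```

Both checks are worth re-running after the eventual Microsoft fix ships, since the registry values remain in place until removed and may still affect Office behaviour.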
Microsoft Outlook Security Feature Bypass Vulnerability
Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2023-35311) is another important zero-day vulnerability impacting Microsoft Outlook. It utilizes a network attack vector with low attack complexity, requiring user interaction but not elevated privileges. With a CVSS rating of 8.8, it is considered a significant vulnerability, although its severity could have been higher if user interaction was not required. It’s important to note that this vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation. Therefore, attackers are likely to combine it with other exploits for a comprehensive attack. The vulnerability affects all versions of Microsoft Outlook from 2013 onwards.
To compromise a user, the attacker would need the user to click on a specially crafted URL. Notably, the attacker can bypass the Microsoft Outlook security prompt even in preview mode.
Given that this vulnerability is already being exploited and can be used in conjunction with other exploits, it is strongly recommended to apply the available update promptly.
Windows Error Reporting Service Elevation of Privilege Vulnerability
Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2023-36874) is an important zero-day vulnerability that impacts the Windows Error Reporting Service. It can be exploited locally with low complexity and without requiring elevated privileges or user interaction. The vulnerability has a CVSS rating of 7.8, indicating its severity. However, it should be noted that this rating would be even higher if the vulnerability allowed remote attacks without requiring elevated privileges.
To exploit this vulnerability, an attacker needs to gain access to the system using other exploits or harvested credentials. The compromised user account must have the ability to create folders and performance traces on the computer, which is typically available to normal users by default. This vulnerability affects all versions of Microsoft Windows Server from 2008 onwards, as well as Windows 10 and later versions.
Successful exploitation of this vulnerability could grant the attacker administrative privileges, enabling them to escalate their privileges and perform various malicious actions.
Due to the ongoing exploitation of this vulnerability and its potential combination with other exploits, it is highly recommended to apply the available update as soon as possible.
Windows MSHTML Platform Elevation of Privilege Vulnerability
Windows MSHTML Platform Elevation of Privilege Vulnerability (CVE-2023-32046) is a critical zero-day security concern affecting the MSHTML platform in Windows. This vulnerability possesses a local attack vector with a low complexity of attack and does not require elevated privileges. However, user interaction is necessary for exploitation. It has received a CVSS rating of 7.8, indicating its severity. Note that the rating would have been higher if the vulnerability allowed remote attacks without requiring user interaction.
To exploit this vulnerability, a user must open a specifically crafted file. In an email attack scenario, an attacker may send the manipulated file to the user and deceive them into opening it. Similarly, in a web-based attack scenario, the attacker may host a website containing the specially crafted file intended to exploit the vulnerability.
It is crucial to understand that the attacker cannot compel users to visit the malicious website. Instead, they must convince users to click on a link, typically through enticing email messages or instant messages, and then persuade them to open the specifically crafted file.
It is important to note that the attacker would only acquire the rights of the user running the affected application. Therefore, if a user does not possess administrative rights on the computer, neither does the attacker.
Considering that this vulnerability is actively being exploited and has the potential to be combined with other exploits, it is strongly advised to promptly apply the available update.
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerabilities
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerabilities (CVE-2023-35366, CVE-2023-35367, and CVE-2023-35365) have been identified as critical security risks and have been addressed by Microsoft. These vulnerabilities share similar characteristics, including a network attack vector, low complexity of attack, no privileges required, and no user interaction.
The vulnerabilities have received a high CVSS rating of 9.8, indicating their severity. However, it is important to note that these vulnerabilities would only pose a significant threat if Windows Routing and Remote Access Service role was installed on a Windows Server. Fortunately, this role is not installed and configured by default.
Exploiting these vulnerabilities requires an attacker to send specifically crafted packets to a server that has the Routing and Remote Access Service running. It is worth reiterating that the Windows Server must have the Routing and Remote Access Service (RRAS) role installed and configured, which is not the default configuration.
Although Microsoft states that these vulnerabilities are unlikely to be exploited in the wild, it is imperative to apply the update if you have the RRAS role installed on your server. These vulnerabilities affect all Windows servers from 2008 onwards and Windows 10.
Therefore, it is strongly recommended to update your system if you have the RRAS role configured, despite the low likelihood of active exploitation in real-world scenarios.
The recent cyber-attack on US agencies is extremely concerning due to its reliance on dangerous zero-day vulnerabilities that attackers exploited before developers were aware of them. It is alarming to note that the developers only disclosed critical SQL injection vulnerabilities affecting all versions of MOVEit Transfer after numerous Progress Software customers had already fallen victim to the Clop ransomware, which was made possible by the 0-day vulnerability (CVE-2023-34362) in MOVEit Transfer for Managed File Transfer (MFT). These vulnerabilities allow unauthenticated attackers to infiltrate servers that are accessible on the Internet. The incident occurred on May 31.
In response, MOVEit Transfer customers were advised to promptly install the patch, which was released on June 9.
Horizon3 researchers have recently released a Proof of Concept (PoC) for the dangerous Remote Code Execution (RCE) bug that the ransomware gang is exploiting in data theft attacks. According to the researchers, the PoC exploits SQL injection to gain token access to the system administrator’s API and then utilizes that access to exploit a deserialization call, allowing for remote code execution.
On June 15, a new zero-day vulnerability (CVE-2023-35708 with CVSS Base Score 9.8) was discovered in MOVEit Transfer. Customers of MOVEit Transfer should take immediate action to restrict all HTTP access to their environments.
The newly discovered SQL injection vulnerability in MOVEit Transfer has the potential to result in privilege escalation and unauthorized access to the environment. Progress Software has not yet provided specific details. However, it is known that this vulnerability is distinct from any previous ones and has its own unique attack vector.
Although a patch is not currently available, the developer is actively testing one and intends to release it as soon as possible. In the meantime, Progress Software recommends implementing a temporary workaround by modifying firewall rules to deny HTTPS and HTTP traffic for MOVEit Transfer on ports 80 and 443.
While the developer is actively searching for and addressing new vulnerabilities in its solution, the ransomware gang, having successfully exploited one of the vulnerabilities, has begun extorting victims who use MOVEit by disclosing the names of companies on their data leak site (DLS). If the ransom demand is not met, the attackers will start leaking the stolen data on June 21.
It is crucial for any company utilizing MOVEit to install the latest patches provided by the vendor, temporarily restrict or whitelist HTTP/HTTPS traffic on the affected servers using firewall ACLs, and await further security patches. Failure to take these precautions poses a high risk of compromise and encryption of all files.
If you’re struggling to identify vulnerable endpoints in your network, Action1 has recently released a free tool to assist you. Leverage it to easily identify compromised instances of MOVEit, gain complete visibility into vulnerable MOVEit installations within your network, and seamlessly remove compromised files while applying necessary patches across affected servers using automated scripts.
Mozilla has recently released Firefox 115, which addresses a dozen vulnerabilities, including two significant ones.
The first high-severity issue, identified as CVE-2023-37201, involves a use-after-free bug affecting WebRTC. WebRTC facilitates real-time communication in browsers and mobile applications through APIs. An attacker could exploit this vulnerability when establishing a WebRTC connection over HTTPS.
The second critical vulnerability, CVE-2023-37202, also relates to a use-after-free flaw and impacts the SpiderMonkey WebAssembly engine. Additionally, memory vulnerabilities in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13 (CVE-2023-37211 and CVE-2023-37212) that could result in remote code execution (RCE) have also been resolved.
Furthermore, Firefox 115 includes fixes for eight moderate vulnerabilities that could allow RCE, spoofing, tracker placement, URL spoofing, unauthorized sending of sensitive data to malicious sites, and downloading files containing malicious code. The updated versions of Firefox ESR 102.13 and Thunderbird 102.13 address five vulnerabilities, including a high-risk use-after-free exploit and memory vulnerabilities.
Google has recently rolled out the July security update for Android, introducing patches for a total of 46 vulnerabilities. Notably, three of these vulnerabilities, namely CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136, are actively being exploited in targeted attacks.
CVE-2023-26083 is a medium severity memory leak vulnerability in the Arm Mali driver for Bifrost, Avalon, and Valhall chips. It was exploited in a spyware campaign against Samsung devices back in December 2022.
On the other hand, CVE-2021-29256 is a high severity vulnerability, scoring 8.8 out of 10 in the CVSS rating. This vulnerability affects certain versions of the Bifrost and Midgard Arm Mali GPU kernel drivers and allows for information disclosure and root elevation.
The third vulnerability, tracked as CVE-2023-2136, holds a critical threat level of 9.6 out of 10. It is an integer overflow issue in Skia, Google’s open-source multiplatform 2D graphics library, which is also utilized in Chrome.
One of the most critical vulnerabilities addressed in this update is CVE-2023-21250, which affects an OS system component and carries a critical severity rating. This vulnerability impacts Android versions 11, 12, and 13, and its exploitation can lead to remote code execution (RCE) without user interaction or additional run-time privileges.
The update follows the standard release system, featuring two patch levels: one (2023-07-01) for core Android components (framework) and another (2023-07-05) for kernel and closed-source components.
While the Android security update is applicable to Android 11, 12, and 13, it’s important to note that depending on the scope of the fixes, vulnerabilities may also impact older versions of the OS that are no longer supported. In such cases, manufacturers recommend either upgrading to a newer device model or installing a third-party Android distribution that implements security updates for older devices, albeit with some delay.
Cisco has issued a warning to its customers regarding a significant vulnerability that poses a threat to traffic encryption. Tracked as CVE-2023-20185, this vulnerability was discovered in the ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series data center switches.
It is important to note that this vulnerability specifically affects Cisco Nexus 9332C, 9364C, and 9500 switches operating in ACI mode within a multi-site topology, with CloudSec encryption enabled, and firmware version 14.0 or later installed.
The vulnerability stems from the flawed implementation of ciphers utilized by the CloudSec encryption feature on these vulnerable switches. If successfully exploited, unauthenticated attackers can remotely read or modify encrypted traffic exchanged between sites. There is currently no evidence that the vulnerability has been targeted or exploited: Cisco’s Product Security Incident Response Team (PSIRT) has found neither a proof of concept (PoC) targeting the bug nor evidence of attacks exploiting it.
Regrettably, Cisco has not yet released a software update to address CVE-2023-20185. Consequently, customers using the affected switches are strongly advised to disable the vulnerable feature and reach out to Cisco’s support for alternative solutions. However, given the current environment, this recommendation may not provide immediate assistance.
Researchers Max Corbridge and Tom Ellson from Jumpsec have discovered an attack method that enables the delivery of malware via Microsoft Teams using an account external to the target organization, despite the application’s restrictions on files from external sources. Microsoft Teams, a widely used collaboration platform with over 280 million active users, is part of the Microsoft 365 cloud services.
The attack leverages the default configuration of Microsoft Teams, which allows communication with accounts outside the organization. In addition to its broad social engineering and phishing capabilities, this method is particularly potent as it enables the direct delivery of malicious payloads to the target’s mailbox. To bypass the client-side protection in Microsoft Teams, which blocks file delivery from external client accounts, the Jumpsec Red Team modified the internal and external recipient ID in the message POST request, tricking the system into perceiving the external user as an internal user.
When such a payload is sent, it is actually hosted in the SharePoint domain, and the target unwittingly downloads it from there. However, it appears in the inbox as a file rather than a link. This attack circumvents existing security measures, making it relatively straightforward for attackers to infect organizations utilizing Microsoft Teams with the default configuration. Furthermore, if the attacker registers a domain similar to the target organization, their messages can appear as though they originate from within the organization, further increasing the likelihood of the target downloading the file.
Microsoft confirmed the researchers’ findings but has not publicly acknowledged them, and the company does not consider the vulnerability significant enough to warrant immediate attention, seeing little urgency in addressing it.
Nevertheless, the researchers recommend that Microsoft Teams users disable the external access feature if it is not required, or alternatively, assign separate domains in the permissions list to mitigate the risk of exploitation. By taking these precautions, organizations can enhance their security posture and reduce the potential impact of this vulnerability.
A critical kernel configuration vulnerability has been disclosed in Linux versions 6.1 through 6.4, identified as CVE-2023-3269 and named StackRot. This vulnerability has the potential to compromise the kernel and allow for privilege escalation with minimal effort.
The discovery of this vulnerability is credited to researcher Ruihan Li, who outlined its impact on the kernel’s memory management subsystem. This subsystem is responsible for implementing virtual memory and on-demand swapping.
On June 15, a security advisory was issued to developers, and a patch addressing the vulnerability was made available on July 1.
StackRot is categorized as a use-after-free (UAF) issue and arises due to the way the Linux kernel handles stack expansion within its memory management subsystem, specifically in relation to virtual memory area management (VMA). The vulnerability is found in maple trees, which are part of the new data structure system for VMA introduced in the Linux kernel 6.1. Maple trees replaced red-black trees and relied on the RCU (Read-Copy Update) mechanism.
While exploiting StackRot presents challenges, it may be the first instance of a practically exploitable use-after-free-by-RCU (UAFBR) vulnerability. The researcher, Ruihan Li, has announced intentions to release full technical details and a proof-of-concept (PoC) by the end of July. As a result, users are advised to verify the kernel version running on their Linux distribution and upgrade to a version that is unaffected by StackRot or to an updated version that incorporates the necessary fix.
OpenAI, the creator of the ChatGPT chatbot, has taken the decision to temporarily disable the bot’s web search function. This action was prompted by the discovery that the service was bypassing paywalls, granting free access to content from news outlets and bloggers that would typically require a subscription.
The feature in question, called “Browse with Bing” and available to ChatGPT Plus subscribers, allowed the bot to connect to the Internet via the Bing search engine. However, users noticed that the bot not only retrieved publicly accessible content but also obtained private content from Bing. Specifically, if a user requested the full text of a particular URL, the bot would retrieve it, even if the page contained paid content. OpenAI deemed this behavior, which circumvented the subscription systems of information services, to be unacceptable.
As a result, OpenAI has temporarily disabled the “Browse with Bing” feature until the issue can be resolved. This action ensures that the rights of content owners are protected and appropriate measures are put in place to prevent unauthorized access to paid content.
Despite Fortinet releasing an update nearly a month ago, it has been discovered that at least 330,000 FortiGate firewalls remain unpatched and vulnerable to CVE-2023-27997, a critical vulnerability that is actively being exploited in the wild.
These concerning numbers have been highlighted in a report by Bishop Fox researchers. Their analysis revealed the existence of approximately 490,000 open Fortinet SSL VPN interfaces on the Internet, with a staggering 69% of them found to be vulnerable.
The vulnerability, known as XORtigate and assigned CVE-2023-27997, carries a CVSS rating of 9.8. It stems from a heap buffer overflow issue within the FortiOS operating system, which serves to integrate Fortinet’s network components into their Security Fabric platform.
Exploiting CVE-2023-27997 allows an unauthenticated attacker to remotely execute code on susceptible devices that have an SSL VPN interface exposed to the Internet. Fortinet addressed this vulnerability on June 11, prior to its public disclosure, by releasing patched versions of FortiOS firmware (6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5). The company acknowledged that targeted attacks exploiting the vulnerability have already impacted the public sector, manufacturing, and critical infrastructure sectors.
Research indicates that out of the identified devices, only 153,414 have been updated to a patched version of FortiOS. Unfortunately, many of the publicly accessible Fortinet devices have not been updated in the past eight years, still running outdated FortiOS versions 5 and 6. As a result, these devices are not only susceptible to multiple critical vulnerabilities with publicly available proof-of-concepts (PoCs), but their support has also long expired, leaving them even more exposed.
VMware has taken measures to address several critical security vulnerabilities in vCenter Server that could potentially lead to code execution and authentication bypass on vulnerable systems. These vulnerabilities were identified in the implementation of the DCE/RPC protocol, which enables the seamless collaboration of multiple systems in creating a unified virtual computing environment.
The identified vulnerabilities include a heap overflow (CVE-2023-20892), use-after-free (CVE-2023-20893), out-of-bounds read (CVE-2023-20895), and out-of-bounds write (CVE-2023-20894). The first two vulnerabilities (CVE-2023-20892 and CVE-2023-20893) can be leveraged by unauthenticated attackers with network access to execute code. These attacks can be highly complex and do not require user interaction. Exploiting CVE-2023-20895 enables an attacker to trigger out-of-bounds reads and memory corruption in order to bypass authentication on vCenter Server without valid credentials.
Additionally, there is a fifth vulnerability, CVE-2023-20896, which is an out-of-bounds read issue in vCenter Server. This vulnerability can be remotely exploited in Denial-of-Service (DoS) attacks, targeting multiple VMware services on the host, such as vmcad, vmdird, and vmafdd.
Apple has recently released a series of updates for its iOS, iPadOS, macOS, watchOS, and Safari browser, addressing a range of issues that are actively being exploited in the wild. The primary focus of these updates revolves around two critical zero-day vulnerabilities that have been associated with a spyware campaign discovered by researchers at Kaspersky Lab.
The first vulnerability, known as CVE-2023-32434, is an integer overflow flaw in the kernel. It can be exploited by a malicious application to execute code with kernel privileges, enabling remote code execution (RCE). The second vulnerability, identified as CVE-2023-32435, resides in WebKit and leads to memory corruption and RCE when processing specially crafted web content. Additionally, Apple has also patched a zero-day WebKit vulnerability (CVE-2023-32439) reported by an anonymous researcher, which could allow attackers to execute arbitrary code through a type confusion issue on unpatched devices.
In total, the list of affected devices is quite extensive, including both older and newer models. Apple has released updates for various operating systems, including macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, iOS 16.5.1, iPadOS 16.5.1, iOS 15.7.7, iPadOS 15.7.7, watchOS 9.5.2, and watchOS 8.8.1. These updates include improvements in verification, input validation, and status management to address the identified vulnerabilities. In total, Apple has resolved nine zero-day vulnerabilities that have been exploited to compromise iPhones, Macs, and iPads since the beginning of the year.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.