Patch Tuesday June 2023 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Protect your systems from potential cyber threats and ensure the smooth functioning of your endpoints. For even more information, please attend the June 2023 Vulnerability Digest webinar on June 14 at 12 PM EST / 9 AM PST and visit our Patch Tuesday Watch page.
In this issue, you will learn about patches for:
- Microsoft vulnerabilities from Patch Tuesday:
- Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerabilities (CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363)
- Microsoft SharePoint Server Elevation of Privilege Vulnerability (CVE-2023-29357)
- Remote Desktop Client Remote Code Execution Vulnerability (CVE-2023-29362)
- Microsoft Exchange Server Remote Code Execution Vulnerabilities (CVE-2023-32031 and CVE-2023-28310)
- Windows Protected Process Light
- Third-party application vulnerabilities:
- Google Chrome 113 and 114 (CVE-2023-2721 and CVE-2023-3079)
- Mozilla Firefox 114 (CVE-2023-34416, CVE-2023-34417 and CVE-2023-34414)
- GitLab path traversal (CVE-2023-2825)
- MikroTik RouterOS (CVE-2023-32154)
- Mobile devices fingerprint vulnerability (BrutePrint)
- Barracuda Email Security Gateway (CVE-2023-2868)
- LibreOffice (CVE-2023-0950 and CVE-2023-2255)
- Linux kernel Netfilter and OverlayFS (CVE-2023-32233 and CVE-2023-0386)
- Apple WebKit (CVE-2023-32409, CVE-2023-28204 and CVE-2023-32373)
Welcome to the June 2023 Vulnerability Digest, a comprehensive review of the latest Patch Tuesday updates and third-party releases to enhance the security of your systems and workstations against cyber attacks.
This Patch Tuesday, Microsoft has resolved a total of 78 new vulnerabilities and provided eight updates for previous fixes, resulting in a total of 86 fixes. This is a significant increase compared to May. Among them, there are six critical vulnerabilities that have been fixed, along with an update for an old critical vulnerability. This exceeds the number of critical updates from the previous month. Moreover, this month brings updates for two previously fixed zero-day vulnerabilities that were publicly disclosed.
Now, let’s dive into the details of the most noteworthy critical updates.
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerabilities
Microsoft has recently addressed critical vulnerabilities in Windows Pragmatic General Multicast (PGM) – CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363. PGM is a protocol used for reliable multicast data delivery in Windows operating systems, commonly used for applications like video streaming and online gaming.
These vulnerabilities have a high CVSS rating of 9.8 and pose a serious risk. They can be exploited over the network without requiring privileges or user interaction. Affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later.
If the Windows Message Queuing Service is running in a PGM Server environment, an attacker could send a specially crafted file to achieve remote code execution.
To mitigate this vulnerability, check whether the Message Queuing service is running and listening on TCP port 1801, and disable it if it is not needed. Be cautious, however, as this may affect applications that depend on the service. Installing the available patch is generally preferable to relying solely on mitigation.
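The check described above is easy to script against the output of `netstat -ano`. The following is an added example written for this digest (not Action1's or Microsoft's tooling): it parses netstat output for TCP sockets in LISTENING state on port 1801, which is the condition under which the PGM/MSMQ flaw is reachable. The netstat sample embedded in the block is constructed for the demonstration and was not captured from a real host.

```python
import subprocess
from typing import List, Tuple

MSMQ_TCP_PORT = 1801

# Constructed sample of `netstat -ano` output for illustration only.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       4120
  TCP    [::]:1801              [::]:0                 LISTENING       4120
  TCP    192.168.1.10:49700     192.168.1.20:1801      ESTABLISHED     4120
  UDP    0.0.0.0:3527           *:*                                    4120
"""


def find_tcp_listeners(netstat_text: str, port: int = MSMQ_TCP_PORT) -> List[Tuple[str, int]]:
    """Return (local_address, pid) for each TCP socket in LISTENING state on `port`.

    Only the local side is inspected: an outbound connection *to* port 1801 on
    another host (the ESTABLISHED line in the sample) is not a local listener.
    """
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Listening TCP lines have exactly five columns; UDP lines have four.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        # IPv6 addresses look like [::]:1801, so split on the last colon only.
        host, _, local_port = parts[1].rpartition(":")
        if local_port == str(port):
            hits.append((host, int(parts[4])))
    return hits


def msmq_exposed(netstat_text: str) -> bool:
    """True when anything is listening on the Message Queuing TCP port."""
    return bool(find_tcp_listeners(netstat_text, MSMQ_TCP_PORT))


def audit_local_host() -> List[Tuple[str, int]]:
    """Run netstat on the current Windows host and report live 1801 listeners."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    return find_tcp_listeners(out)


if __name__ == "__main__":
    for host, pid in find_tcp_listeners(SAMPLE_NETSTAT):
        print(f"TCP {host}:{MSMQ_TCP_PORT} is LISTENING (PID {pid})")
    # On a real Windows host call audit_local_host(). If the MSMQ service is
    # not needed, stop and disable it; otherwise install the June update.
```

The PID column lets you confirm that the listener really is the Message Queuing service before disabling anything; a non-empty result on a host that does not need MSMQ is the case the mitigation in the advisory is aimed at.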
Microsoft SharePoint Server Elevation of Privilege Vulnerability
Microsoft SharePoint Server Elevation of Privilege Vulnerability (CVE-2023-29357) is a critical vulnerability affecting Microsoft SharePoint 2019. This vulnerability has a high CVSS rating of 9.8, indicating its severity. Exploitation of this vulnerability requires a network attack, with low complexity and no user interaction or privileges required.
An attacker who can present spoofed JWT authentication tokens can use them to bypass authentication and obtain the privileges of an authenticated user; no existing privileges and no user interaction are required.
Customers using Microsoft Defender and the AMSI integration feature in their SharePoint Server farm(s) are protected against this vulnerability. While there are no confirmed cases of exploitation yet, Microsoft warns that the likelihood of exploitation is high. It is essential for organizations using SharePoint 2019 to apply the patch to mitigate this serious vulnerability.
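The spoofed-token scenario above comes down to a server trusting what a token says about itself. The verifier below is an added example, not SharePoint's or Microsoft's code, showing what a defensive JWT check looks like: the signing algorithm is pinned by the server rather than read from the token header, the signature is compared in constant time, and expiry is enforced. The key, the claims and the helper names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment keeps this in a key store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (issuer side)."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if `token` is genuine and unexpired, otherwise None.

    The algorithm is pinned by the verifier, not read from the token: a header
    claiming "none" (or any other alg) is rejected before the signature is even
    looked at, and an empty or mismatched signature fails compare_digest.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or ("exp" in claims and claims["exp"] <= now):
        return None
    return claims


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "exp": 2000000000}, DEMO_KEY)
    print("genuine token ->", verify_hs256(token, DEMO_KEY))
    print("wrong key     ->", verify_hs256(token, b"some-other-key"))
```

The important design choice is that `verify_hs256` never consults the token's `alg` field to decide how to verify; it only checks that the field matches the one algorithm the server issues. A verifier that dispatches on the token's own header is the pattern that lets forged tokens through.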
Remote Desktop Client Remote Code Execution Vulnerability
The Remote Desktop Client Remote Code Execution Vulnerability, identified as CVE-2023-29362, is an interesting and significant vulnerability. It has a network attack vector, low complexity of attack, and requires user interaction. With a CVSS rating of 8.8, it poses a considerable risk, although the likelihood of exploitation is currently low.
This vulnerability can be exploited when a victim connects to a remote desktop server controlled by an attacker using a vulnerable remote desktop client. It has the potential to enable remote code execution (RCE) and could be used in phishing attacks to compromise the victim’s system. It is crucial to install the patch to mitigate this risk.
Microsoft Exchange Server Remote Code Execution Vulnerabilities
Microsoft has addressed two remote code execution (RCE) vulnerabilities in Microsoft Exchange Server, known as CVE-2023-32031 and CVE-2023-28310. These vulnerabilities have distinct characteristics.
CVE-2023-32031 has a network attack vector, low complexity of attack, low privileges required, and no user interaction. Although it has a high CVSS rating of 8.8, the attacker needs to be authenticated on the system to exploit this vulnerability. By targeting server accounts, an authenticated user could attempt arbitrary or remote code execution through a network call.
CVE-2023-28310, on the other hand, has an adjacent attack vector, low complexity of attack, low privilege requirements, and no user interaction. With a CVSS rating of 8.0, the attacker must be authenticated to the system and on the same intranet as the Exchange server. Through a PowerShell remoting session, an authenticated attacker within the intranet can achieve remote code execution.
Although no exploitation has been reported so far, Microsoft rates exploitation of both vulnerabilities as highly likely. Note that all Microsoft Exchange Server versions from 2016 onwards are affected.
Exchange administrators are strongly advised to treat these vulnerabilities seriously and promptly update their servers to mitigate potential risks.
Windows Protected Process Light
Elastic researcher Gabriel Landau has recently disclosed new details about two attacks, known as PPLFault and GoldFault, which exploit a vulnerability found in Windows Protected Process Light (PPL).
PPL is a protective mechanism that safeguards antivirus software and critical Windows services from unauthorized access. This mechanism is established through Windows Code Integrity (CI), ensuring that PPL processes only execute code with special signatures from Microsoft or trusted vendors. PPLFault and GoldFault are regarded as successors to PPLDump, a previously exposed vulnerability that Microsoft addressed only last year.
It is worth noting that Microsoft considers PPL to be a defense-in-depth measure rather than a formal security boundary. As a result, these vulnerabilities are deemed unpatchable, making them especially intriguing for attackers seeking to bypass security measures. PPLFault can be employed to reset PPL process data, while GoldFault enables attackers to acquire administrator rights on Windows systems. Although Landau reported these attacks to Microsoft last year, the developer declined to address them.
Consequently, the researcher decided to share their findings, allowing security vendors to implement measures for mitigating such attacks. Additionally, Landau presented two tools: a user-mode PPL process dumper, similar to PPLDump, and a second tool that demonstrates how this vulnerability effectively provides complete read and write access to physical memory.
Microsoft has not issued a fix for the Windows PPL vulnerability.
Google Chrome 113
Google has recently released an update for Chrome 113, addressing a total of 12 vulnerabilities, including a critical use-after-free vulnerability. One of the issues, identified as CVE-2023-2721, involves a use-after-free bug in navigation. Exploiting this vulnerability requires a remote attacker to create a specially crafted HTML page that can lead to heap corruption when accessed by a user. Successful exploitation could result in memory corruption, potentially allowing arbitrary code execution, denial of service, data corruption, or even bypassing the browser sandbox.
Additionally, the latest Chrome update addresses three other high-severity use-after-free bugs affecting the browser’s autocomplete interface, DevTools, and guest browsing components.
Google Chrome 114
Google has released the 114th version of its browser, which addresses seven vulnerabilities. These include buffer overflows in the rewrite_1d_image_coordinate and set_stream_out_varyings functions, use-after-free memory access in the vrend_draw_bind_abo_shader and sampler_state functions, a race condition in the amdgpu_ttm_tt_get_user_pages function, a bypass of wireless debugging restrictions in the adb utility, and the ability to run unverified digitally signed code by downloading a modified version of the RMA shim.
In addition, Google has issued a separate patch for a zero-day vulnerability, CVE-2023-3079, the third Chrome zero-day fixed this year. CVE-2023-3079 is a type confusion vulnerability; bugs of this class allow attackers to execute arbitrary code by exploiting weaknesses in how memory objects are handled. Because of its severity, Google has withheld specific details about the vulnerability and its exploitation and intends to share more information once most browsers worldwide have been updated. The limited information available itself points to the seriousness of the issue, so users are strongly advised to update their browsers promptly. The release also includes fixes for several minor bugs found through internal auditing, fuzzing, and other proactive initiatives.
Mozilla Firefox 114
Alongside introducing new features, Firefox 114 also addresses 15 vulnerabilities. Among these, 14 are classified as dangerous; 13 of them (grouped as CVE-2023-34416 and CVE-2023-34417) stem from memory handling issues, including buffer overflows and access to freed memory regions, and exploiting them could result in code execution when specially crafted pages are accessed. The remaining dangerous vulnerability, CVE-2023-34414, enables clickjacking of pages with malformed TLS certificates.
It is crucial to update endpoints using Firefox browser promptly to mitigate these vulnerabilities and ensure the security of your browsing experience.
GitLab
GitLab has issued an emergency update to address a severe path traversal vulnerability (CVSS v3.1 score: 10.0), identified as CVE-2023-2825. This vulnerability affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0 but not older versions. Due to the critical nature of the issue and the timing of its discovery, the vendor has not disclosed specific details.
Exploiting this flaw allows an unauthenticated attacker to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. Successful exploitation of CVE-2023-2825 could expose sensitive data, including proprietary source code, user credentials, tokens, files, and other personal information.
GitLab emphasizes the immediate application of the latest security update and provides instructions on the project update page.
It is important to note that the vulnerability can only be triggered under certain conditions, which may not apply to many GitLab projects on GitHub. Nevertheless, all users of GitLab 16.0.0 are strongly advised to upgrade to version 16.0.1 as soon as possible to mitigate the associated risks. Currently, no workarounds are available.
MikroTik RouterOS
After a significant delay and multiple notifications from the contest organizer ZDI (Zero Day Initiative), MikroTik has reportedly addressed the RouterOS vulnerability that was discovered during the Pwn2Own hacking contest in Toronto.
The vendor took more than five months to rectify this critical vulnerability, which only received attention after researchers publicly disclosed technical details.
According to MikroTik’s bulletin, the vulnerability, identified as CVE-2023-32154, impacts devices running RouterOS versions v6.xx and v7.xx with enabled IPv6 advertising reception. Exploiting this vulnerability allows an attacker on a nearby network to execute arbitrary code on vulnerable MikroTik RouterOS installations. Notably, no authentication is required to exploit the vulnerability.
Mobile Devices Fingerprint Vulnerability
Chinese researchers have demonstrated a concerning vulnerability affecting fingerprint-protected smartphones, showing that both Android and iOS devices are susceptible. The vulnerability stems from poor protection of biometric data, particularly on the Serial Peripheral Interface (SPI) that carries it.
The attack, known as BrutePrint, exploits zero-day vulnerabilities to intercept fingerprint images. Malware then submits fingerprints one after another until the device accepts one, while a CAMF vulnerability is leveraged to bypass the limit on the number of authentication attempts.
The attack duration depends on the number of fingerprints registered on the device. If only one fingerprint is registered, the intrusion time can range from 3 to 14 hours. However, if multiple fingerprints are registered, the attack time is significantly reduced to approximately 40 minutes to 3 hours.
A fix for this vulnerability has not yet been provided.
Barracuda Email Gateway
According to network and email security firm Barracuda, a recently patched zero-day vulnerability was exploited for a period of seven months to distribute malware and extract data from Email Security Gateway (ESG) client devices.
Collaborating with Mandiant experts, an investigation led to the identification of CVE-2023-2868. This vulnerability was first exploited in October 2022 to gain unauthorized access to ESG devices and establish backdoors, giving the attackers persistent control over compromised systems. The vulnerability affects Email Security Gateway devices running versions 5.1.3.001 through 9.2.0.006 and is attributed to incomplete input validation of user-supplied .tar files, allowing remote command injection.
By formatting filenames in a specific manner, remote attackers could execute system commands via a Perl qx statement with the privileges of the Email Security Gateway product.
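The Barracuda flaw is a textbook case of a filename taken from untrusted input reaching a shell. The example below is added here; it is not Barracuda's code and does not reproduce the ESG logic. It shows the two controls that close this class of bug in any archive-processing pipeline: allow-listing archive member names before they are used anywhere, and handing names to external tools as separate argv entries rather than as part of a shell string (which is what a `qx` statement is). The archive contents, the member names and the tool name are constructed for the demonstration.

```python
import io
import re
import tarfile
from typing import List

# Conservative allow-list for one path segment: letters, digits, dot, dash, underscore.
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_member_name(name: str) -> bool:
    """Accept only relative paths built from plain segments.

    Rejects absolute paths, '.' and '..' components, NUL bytes and anything
    outside the allow-list, so a name can never carry shell metacharacters,
    directory traversal or a quoting trick into later processing.
    """
    if not name or name.startswith(("/", "\\")) or "\x00" in name:
        return False
    segments = name.split("/")
    return all(seg not in ("", ".", "..") and _SAFE_SEGMENT.match(seg) for seg in segments)


def unsafe_members(tar_bytes: bytes) -> List[str]:
    """List every member name in the archive that fails the allow-list."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return [m.name for m in tf.getmembers() if not is_safe_member_name(m.name)]


def build_command(tool: str, name: str) -> List[str]:
    """Build the argv for an external tool that should inspect `name`.

    The result is meant for subprocess.run(argv) with no shell: each element
    is one argument, so nothing in `name` can be re-parsed as a command. The
    '--' terminator keeps a name starting with '-' from being read as an option.
    """
    if not is_safe_member_name(name):
        raise ValueError(f"unsafe member name: {name!r}")
    return [tool, "--", name]


def build_tar(names: List[str]) -> bytes:
    """Constructed test archive containing one empty regular file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archive: two ordinary names, one traversal, one metacharacter smuggle.
    sample = build_tar(["report.txt", "logs/2023-06/mail.log", "../escape.txt", "a;$(id).txt"])
    print("rejected member names:", unsafe_members(sample))
    print("argv for a safe member:", build_command("scanner", "report.txt"))
```

The allow-list approach is deliberately stricter than trying to escape a handful of dangerous characters: an escaping function has to be right for every shell and every quoting context, whereas a name that only ever contains letters, digits and a few punctuation marks has nothing to escape.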
Barracuda became aware of the attacks on May 18 and promptly confirmed the presence of the new vulnerability the following day. A patch for ESG devices was released on May 20, and an additional script was provided by the vendor on May 21 to detect and address potential unauthorized access. Barracuda has committed to providing new virtual or hardware devices to all affected users.
LibreOffice
Two vulnerabilities have been discovered in the free office suite LibreOffice, the more critical of which can allow code execution when a specially formatted document is opened. The first vulnerability was publicly disclosed with the March 7.4.6 and 7.5.1 releases, while the second was fixed in the May 7.4.7 and 7.5.3 updates of LibreOffice.
The first vulnerability, CVE-2023-0950, enables the execution of malicious code when a spreadsheet containing specially modified formulas is opened, for example an AGGREGATE call that passes fewer parameters than expected. The issue is an array index underflow in the formula interpreter (ScInterpreter) used for spreadsheet processing. The second vulnerability, CVE-2023-2255, allows an attacker to craft a document that, when opened, loads external links without any warning or notification, contrary to LibreOffice's intended behavior of warning the user before linked content is loaded. The flaw stems from a weakness in the credential request code of the floating frames mechanism, which, like iframes in HTML, allows content from external files to be dynamically included in a document.
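The AGGREGATE bug described above is an arity problem: an interpreter that assumes a function always receives at least its minimum number of parameters will index below its parameter stack when a formula supplies fewer. The following is an added example written for this digest, not LibreOffice's ScInterpreter code, showing the check a formula parser should make before any parameter is accessed. The arity table and the formula strings are constructed for the demonstration and are not LibreOffice's real function signatures.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed (min, max) arity table; None means no upper bound. A real
# interpreter would carry this in its function registry.
ARITY: Dict[str, Tuple[int, Optional[int]]] = {
    "AGGREGATE": (3, None),  # function_num; options; ref1 [; ref2 ...]
    "SUM": (1, None),
    "IF": (2, 3),
}

_CALL = re.compile(r"^\s*=?\s*([A-Z][A-Z0-9.]*)\s*\((.*)\)\s*$", re.S)


def split_args(arg_text: str, sep: str = ";") -> List[str]:
    """Split an argument list on top-level separators only, leaving nested
    calls and quoted strings intact. An empty argument list yields []."""
    args, depth, in_str, cur = [], 0, False, []
    for ch in arg_text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                args.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail or args:
        args.append(tail)
    return args


def check_call(formula: str) -> Tuple[str, int, str]:
    """Parse `=NAME(args)` and return (name, argc, verdict), where verdict is
    'ok', 'too few', 'too many' or 'unknown function'.

    A 'too few' verdict is the case that must stop evaluation: popping the
    declared minimum number of parameters off a shorter stack is exactly the
    index underflow the advisory describes.
    """
    m = _CALL.match(formula)
    if not m:
        raise ValueError(f"not a function call: {formula!r}")
    name, argc = m.group(1), len(split_args(m.group(2)))
    if name not in ARITY:
        return name, argc, "unknown function"
    lo, hi = ARITY[name]
    if argc < lo:
        return name, argc, "too few"
    if hi is not None and argc > hi:
        return name, argc, "too many"
    return name, argc, "ok"


if __name__ == "__main__":
    for f in ("=AGGREGATE(9;0;A1:A5)", "=AGGREGATE(9)", '=IF(A1>0;"pos";SUM(A1;A2))'):
        print(f, "->", check_call(f))
```

Validating arity at parse time, against a table the interpreter owns, means the evaluator can rely on its parameter count later without re-checking at every access; the alternative, trusting the document to supply enough parameters, is what turned a malformed formula into memory corruption here.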
It is highly recommended to promptly update your endpoints with LibreOffice installations in order to mitigate these vulnerabilities.
Linux Kernel
A new vulnerability in the Linux kernel's Netfilter subsystem has been discovered that enables unprivileged local users to gain superuser privileges. Tracked as CVE-2023-32233, it arises because netfilter nf_tables accepts invalid updates to its configuration, which can corrupt the subsystem's internal state. A severity rating for this vulnerability has not yet been assigned.
Netfilter is the packet filtering and network address translation (NAT) framework built into the Linux kernel; it is managed through front-end utilities such as iptables and UFW.
The flaw is a use-after-free that gives an attacker arbitrary read and write access to kernel memory. A proof of concept (PoC) exploiting CVE-2023-32233 is publicly available and lets an unprivileged local user obtain a root shell on affected systems.
The bug affects multiple Linux kernel versions, including the current v6.3.1. However, exploiting the vulnerability requires local access to the device.
Furthermore, another vulnerability (CVE-2023-0386) has been identified in the OverlayFS subsystem of the Linux kernel, and a PoC exploit for it already exists.
Separately, researchers have uncovered a previously undocumented strain of Linux malware named BPFdoor. This passive backdoor is designed to persist in compromised networks and environments for extended periods. The malware takes its name from its use of the Berkeley Packet Filter, an unusual technique that evades detection and bypasses firewall restrictions on incoming traffic. Researchers believe that a sophisticated Advanced Persistent Threat (APT) group, possibly the Chinese Red Menshen (also known as Red Dev 18), is responsible for this malware.
As fixes for these vulnerabilities are pending, they are considered true zero-days.
Apple
Apple has recently released patches to address three zero-day attacks that were utilized in hacks targeting iPhone, Mac, and iPad devices. These vulnerabilities were identified in the multi-platform WebKit browser engine and are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, as mentioned in the security bulletin.
The first vulnerability enables remote attackers to break out of the sandbox while browsing web content. The second vulnerability involves an out-of-bounds reading issue that could potentially grant an attacker access to sensitive information. The third vulnerability is a post-exploitation flaw that allows remote code execution on compromised devices.
Exploiting these vulnerabilities requires the victim to unwittingly download malicious web content.
The list of affected devices is extensive, encompassing both old and new models of iPhone, iPad, Mac, Apple Watch, and Apple TV.
Apple has acknowledged that the fixed zero-day vulnerabilities are already being actively exploited, but has not provided specific details about the attacks.
Owners of Apple devices are strongly advised to update to the latest versions, including macOS Ventura 13.4, iOS and iPadOS 16.5, tvOS 16.5, watchOS 9.5, and Safari 16.5 to protect against these vulnerabilities.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.