Microsoft Patch Tuesday, October 2023 Security Update Review

Qualys Security Blog 

Microsoft released its October edition of Patch Tuesday! In this month’s updates, Microsoft has addressed 105 vulnerabilities in different products, features, and roles. Let’s take a look at the updates in detail. 

Microsoft Patch Tuesday for October 2023 

Microsoft has addressed three zero-day vulnerabilities in this month’s updates. 13 of these 105 vulnerabilities are rated as Critical and 91 as Important. Microsoft has released patches to address one vulnerability related to Microsoft Edge (Chromium-based) in this month’s Patch Tuesday Edition.

Microsoft Patch Tuesday, October edition includes updates for vulnerabilities in Microsoft Office and Components, Windows RDP, Windows Message Queuing, Azure SDK, Microsoft Dynamics, SQL Server, Azure Real Time Operating System, Azure, Windows IKE Extension, Windows Win32K, Microsoft Exchange Server, Skype for Business, Windows Client/Server Runtime Subsystem, and more.

Microsoft has fixed several flaws in multiple software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.

The October 2023 Microsoft vulnerabilities are classified as follows:

| Vulnerability Category                | Quantity | Severities                 |
|---------------------------------------|----------|----------------------------|
| Spoofing Vulnerability                | 1        | Important: 1               |
| Denial of Service Vulnerability       | 17       | Critical: 1, Important: 16 |
| Elevation of Privilege Vulnerability  | 26       | Important: 26              |
| Information Disclosure Vulnerability  | 12       | Important: 12              |
| Security Feature Bypass Vulnerability | 3        | Important: 4               |
| Remote Code Execution Vulnerability   | 45       | Critical: 12, Important: 33 |

Zero-day Vulnerability Patched in October Patch Tuesday Edition

MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack

Microsoft has addressed the new “HTTP/2 Rapid Reset” zero-day DDoS attack method, which has been extensively exploited since August. The vulnerability exists in HTTP/2’s stream cancellation feature: a client may open a stream with a request and immediately cancel it, and the server must do the work of accepting the stream before the cancellation arrives. An attacker may exploit this by repeatedly sending and cancelling requests, resulting in a DDoS condition.

There is no “fix” for the method other than rate limiting or blocking the protocol, as the feature is part of the HTTP/2 standard. In the advisory, Microsoft has given a workaround to mitigate the vulnerability.
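Since the advisory leaves rate limiting as the practical control, the following added example (not code from the Qualys post or from Microsoft’s advisory) shows the detection side of that control: it reads per-connection HTTP/2 frame telemetry and flags connections whose RST_STREAM rate within a sliding window exceeds a threshold while cancelling nearly every stream they open. The telemetry format, the `detect_rapid_reset` function and the sample events are all assumptions constructed for this example; a real deployment would feed the same logic from the server’s or proxy’s frame-level logs.

```python
"""Flag HTTP/2 Rapid Reset behaviour from frame telemetry (added example).

Assumed input: one record per received HTTP/2 frame as a tuple
(timestamp_seconds, connection_id, frame_type, stream_id). The sample
below is constructed for the demonstration and is not captured traffic.
"""
from collections import defaultdict, deque


def build_sample_events():
    """Constructed telemetry: one normal client and one Rapid Reset client."""
    events = []
    # c1: five requests on odd (client-initiated) streams, one cancelled,
    # e.g. a browser whose user navigated away. Normal behaviour.
    for i in range(5):
        events.append((0.1 * i, "c1", "HEADERS", 2 * i + 1))
    events.append((0.25, "c1", "RST_STREAM", 3))
    # c2: 200 requests, each cancelled half a millisecond after it is sent,
    # all within 0.4 s. This is the open-then-cancel pattern of Rapid Reset.
    for i in range(200):
        t = 0.002 * i
        events.append((t, "c2", "HEADERS", 2 * i + 1))
        events.append((t + 0.0005, "c2", "RST_STREAM", 2 * i + 1))
    return events


def detect_rapid_reset(events, window=1.0, max_resets=50, min_ratio=0.8):
    """Return {connection_id: peak_resets_in_window} for abusive connections.

    A connection is flagged when more than `max_resets` RST_STREAM frames
    arrive within any `window` seconds AND the connection has cancelled at
    least `min_ratio` of the streams it opened. The ratio check keeps a busy
    but legitimate client (many requests, few cancellations) from being
    flagged on volume alone.
    """
    recent_resets = defaultdict(deque)  # conn -> RST_STREAM timestamps in window
    opened = defaultdict(int)           # conn -> client-initiated streams seen
    cancelled = defaultdict(int)        # conn -> RST_STREAM frames seen
    flagged = {}
    for ts, conn, ftype, stream_id in sorted(events):
        if ftype == "HEADERS" and stream_id % 2 == 1:
            opened[conn] += 1
        elif ftype == "RST_STREAM":
            cancelled[conn] += 1
            q = recent_resets[conn]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            ratio = cancelled[conn] / max(opened[conn], 1)
            if len(q) > max_resets and ratio >= min_ratio:
                flagged[conn] = max(flagged.get(conn, 0), len(q))
    return flagged


if __name__ == "__main__":
    for conn, peak in detect_rapid_reset(build_sample_events()).items():
        print(f"{conn}: {peak} RST_STREAM frames inside the window, "
              f"candidate for GOAWAY / rate limiting")
```

The thresholds are deliberately parameters: the right `max_resets` depends on the server’s normal cancellation rate, so tune it from a baseline of the frame logs before acting on the output. The action on a flagged connection belongs to the server or proxy (close it with GOAWAY, or lower the per-connection stream limit), not to this detector.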

CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before October 31, 2023.

CVE-2023-41763: Skype for Business Elevation of Privilege Vulnerability

Skype for Business is an enterprise software application that is used for instant messaging and video calling. The software can be used with the on-premises Skype for Business Server software and a software-as-a-service version offered as part of the 365 suite.

An attacker could exploit this vulnerability by making a specially crafted network call to the target server. Successful exploitation of the vulnerability may allow an attacker to parse an HTTP request to an arbitrary address that may disclose IP addresses, port numbers, or both to the attacker. In some cases, successful exploitation may expose sensitive information that could provide access to internal networks.

CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before October 31, 2023.

CVE-2023-36563: Microsoft WordPad Information Disclosure Vulnerability

Microsoft WordPad is a basic text-editing app used to create and edit files, insert pictures, and add links to other files. The word processor has been included with every version of Windows from Windows 95 through Windows 11.

An attacker must log on to the system and run a specially crafted application to exploit the vulnerability. An attacker must also convince a user to click a malicious link and open the specially crafted file.

Successful exploitation of this vulnerability could allow an attacker to disclose NTLM hashes. The NTLM hashes are encoded by converting the user’s password into a 16-byte key using an MD4 hash function. The key is divided into two halves of 8 bytes. The key is used as input to three rounds of DES encryption that generate a 16-byte output representing the NTLM hash.

CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before October 31, 2023.

Other Critical Severity Vulnerabilities Patched in October Patch Tuesday Edition 

CVE-2023-35349: Microsoft Message Queuing Remote Code Execution Vulnerability

Message Queuing (MSMQ) is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages).

Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target server.

CVE-2023-36697: Microsoft Message Queuing Remote Code Execution Vulnerability

To exploit this vulnerability, an attacker must convince a user on the target machine to connect to a malicious server or compromise a legitimate MSMQ server host and make it run as a malicious server. Successful exploitation of this vulnerability could allow an authenticated domain user to execute code on the target server remotely.

CVE-2023-36718: Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability

The Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto processor that is intended to carry out cryptographic operations.

An attacker must perform complex memory-shaping techniques to attempt an attack. To escape the virtual machine, the attacker must be authenticated as a guest mode user. Successful exploitation of the vulnerability could lead to a contained execution environment escape.

CVE-2023-36566: Microsoft Common Data Model SDK Denial of Service Vulnerability

Microsoft Common Data Model is built upon a rich, extensible metadata definition system that allows users to describe and share semantically enhanced data types and structured tags. The tool also helps capture valuable business insight, which can be integrated with heterogeneous data to deliver actionable intelligence.

An authenticated attacker may trigger this vulnerability without requiring admin or other elevated privileges.

CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, CVE-2023-41774, CVE-2023-38166 – Layer 2 Tunneling Protocol Remote Code Execution Vulnerability

Layer 2 Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used mainly by Internet Service Providers and Virtual Private Networks (VPNs). L2TP is one of the protocols that help ensure security and privacy by enabling a tunnel for Layer 2 traffic over a Layer 3 network.

To exploit these vulnerabilities, an attacker is required to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server and perform remote code execution on the RAS server machine.

Other Microsoft Vulnerability Highlights

CVE-2023-36780 is a remote code execution vulnerability in Skype for Business. The vulnerability exists in PowerShell when exposed through Microsoft Exchange or Skype. To exploit this vulnerability, an attacker must be granted an administrative role in the Skype for Business Control Panel. Successful exploitation of the vulnerability would allow an attacker to perform remote code execution on the Skype for Business Server backend.

CVE-2023-36778 is a remote code execution vulnerability in Microsoft Exchange Server. An attacker must have LAN access and credentials for a valid Exchange user to exploit this vulnerability. An authenticated attacker who is on the same intranet as the Exchange server may perform remote code execution via a PowerShell remoting session.

CVE-2023-36713 is an information disclosure vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability would potentially allow an attacker to read small portions of heap memory.

CVE-2023-36594 and CVE-2023-38159 are elevation of privilege vulnerabilities in the Microsoft Graphics Component. Successful exploitation of these vulnerabilities may allow an attacker to gain SYSTEM privileges.

CVE-2023-36731, CVE-2023-36732, CVE-2023-36743, CVE-2023-36776, and CVE-2023-41772 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of these vulnerabilities may allow an attacker to gain SYSTEM privileges.

Microsoft Release Summary

This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows IIS, Microsoft QUIC, Windows HTML Platform, Windows TCP/IP, Azure DevOps, Microsoft WordPad, Microsoft Windows Search Component, Microsoft Common Data Model SDK, Windows Deployment Services, Windows Kernel, Microsoft WDAC OLE DB provider for SQL, Windows Mark of the Web (MOTW), Windows Active Template Library, Microsoft Graphics Component, Windows Remote Procedure Call, Windows Named Pipe File System, Windows Resilient File System (ReFS), Windows Microsoft DirectMusic, Windows DHCP Server, Windows Setup Files Cleanup, Windows AllJoyn API, Microsoft Windows Media Foundation, Windows Runtime C++ Template Library, Windows Common Log File System Driver, Windows TPM, Windows Virtual Trusted Platform Module, Windows Mixed Reality Developer Tools, Windows Error Reporting, Active Directory Domain Services, Windows Container Manager Service, Windows Power Management Service, Windows NT OS Kernel, Windows Layer 2 Tunneling Protocol, and Client Server Run-time Subsystem (CSRSS).

EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)

Qualys Policy Compliance’s Out-of-the-Box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited when remediation (a fix or patch) cannot be applied immediately; these security controls are not ones recommended by industry standards such as CIS or DISA-STIG.

The Qualys Policy Compliance team releases these exclusive controls based on vendor-suggested mitigations and workarounds.

Mitigation refers to a setting, common configuration, or general best-practice existing in a default state that could reduce the severity of exploitation of a vulnerability.

A workaround is sometimes used temporarily for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.

EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)

Qualys Custom Assessment and Remediation (CAR) can be leveraged to execute mitigation steps provided by MSRC on vulnerable assets.

The next Patch Tuesday falls on November 14, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are a part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.

Join the webinar

This Month in Vulnerabilities & Patches

