Greetings from hacker summer camp! Black Hat and DEFCON start this week, but let’s kick everything off with Patch Tuesday and the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for August 2023
For August, Adobe released four patches addressing 37 CVEs in Adobe Acrobat and Reader, Commerce, Dimension, and the Adobe XMP Toolkit SDK. A total of 28 of these CVEs came through the ZDI program. The update for Reader is the largest, clocking in with 30 CVEs. The most severe of these are rated Critical and would allow code execution when opening a specially crafted PDF. The update for Commerce fixes three CVEs, including an OS command injection bug rated at a CVSS 9.1. The update for Dimension also fixes three CVEs. Similar to reader, and attacker could gain code execution if an affected system opened a specially crafted file. The final patch for the Adobe XMP Toolkit SDK corrects a single Denial-of-Service (DoS) bug.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for August 2023
This month, Microsoft released 74 new patches and two new advisories addressing CVES in Microsoft Windows and Windows Components; Edge (Chromium-Based); Exchange Server; Office and Office Components; .NET and Visual Studio; ASP.NET; Azure DevOps and HDInsights; Teams; and Windows Defender. Three of these CVEs were reported through the ZDI program and based on our upcoming page, many others are coming in the near future. Once you include the 11 fixes from the Chromium group for Edge (Chromium-Based) and the fix for AMD, it brings the total number of CVEs to 86.
Of the new patches released today, six are rated Critical and 67 are rated Important in severity. This is on the lower side for an August release, but perhaps Microsoft was distracted by other security problems.
This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference. It will be interesting to see if the August release, which comes the day before the Black Hat briefings, will also be a large release.
None of the CVEs released today are listed as being publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the fix that’s not a fix:
- ADV230003 - Microsoft Office Defense in Depth Update
This advisory does not provide a fix for CVE-2023-36884, but it does (allegedly) break the exploit chain currently being used in active attacks. Microsoft released an advisory last month providing some details about this bug, but not a patch to fix it. Surprisingly, there still isn’t a patch – just this mitigation. Hopefully, a full patch to thoroughly address this bug under exploit will be released soon.
[UPDATE] Microsoft has now revised CVE-2023-36844 to include patches for all 33 affected products. You should apply the patch and consider this advisory as a temporary fix only.
- CVE-2023-38181 - Microsoft Exchange Server Spoofing Vulnerability
This is a patch bypass of CVE-2023-32031, which itself was a bypass of CVE-2023-21529, which was a bypass of CVE-2022-41082, which was under active attack. This exploit does require authentication, but if exploited, an attacker could use this to perform an NTLM relay attack to authenticate as another user. It could also allow an attacker to get a PowerShell remoting session to the server. This is one of six CVEs fixed in Exchange this month, and each seems more severe than the next. Definitely take the time to test and deploy the cumulative update quickly.
- CVE-2023-35385/36910/36911 - Microsoft Message Queuing Remote Code Execution Vulnerability
All three of these are rated at a CVSS of 9.8 and could allow a remote anonymous attacker to execute their code on an affected server at the level of the Message Queuing service. There are 11 total bugs impacting Message Queuing getting fixed this month, and it’s clear that the research community is paying close attention to this service. While we haven’t detected active exploits targeting Message Queuing yet, it’s like just a matter of time as example PoCs exist. You can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly.
- CVE-2023-29328/29330 - Microsoft Teams Remote Code Execution Vulnerability
These bugs allow an attacker to gain code execution on a target system by convincing someone to a malicious Teams meeting set up by the attacker. Microsoft doesn’t specifically state what level the code execution occurs, but they do note the attacker could provide “access to the victim's information and the ability to alter information,” so that implies at the logged-on user level. We’ve seen similar exploits demonstrated at Pwn2Own, so don’t skip this update.
- CVE-2023-21709 - Microsoft Exchange Server Elevation of Privilege Vulnerability
I know I already brought up Exchange, but I couldn’t let this CVE pass without a mention. This vulnerability allows a remote, unauthenticated attacker to log in as another user. In this case, you’re elevating from no permissions to being able to authenticate to the server, which makes all of those post-authentication exploits (see above) viable. Although rated Important, I would consider this bug rated Critical and act accordingly.
Here’s the full list of CVEs released by Microsoft for August 2023:
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
There are only other Critical-rated patches being released today deals with Outlook. This is a bit odd since these types of open-and-own bugs are typically rated Important due to the needed user interaction. The exception is when the Preview Pane is an attack vector, but that’s not documented here. There’s clearly something that makes this bug stand out, but Microsoft offers no clues as to what that may be. Also note that if you use Outlook for Mac, you’ll have to wait for your update as Microsoft didn’t release it today.
Looking at the other remote code execution patches, many are the expected Important-rated Office bugs. There are additional Exchange RCEs as well, although they require the attacker to be network adjacent – meaning on the same LAN as the target. The concerning one is CVE-2023-38185, which does require authentication, but could allow an attacker to run elevated code through a network call. There are two separate bugs that require connecting to a malicious database. Also note that if you have installed Microsoft SQL Server 2022 for x64-based Systems (GDR) or Microsoft SQL Server 2019 for x64-based Systems (GDR), you are still vulnerable and need to apply this update. There’s a patch for LDAP that would allow an attacker to run code with the service’s permissions through a specially crafted LDAP call. The final RCE this month is a fix for Dynamics 365 that could be exploited by clicking a link in e-mail.
Moving on to the Elevation of Privilege (EoP) bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to attackers running code at SYSTEM level. The bug in Azure Arc-Enabled servers is somewhat interesting in that it affects both Linux and Windows servers. An attacker could elevate to root or administrator respectively. The bug in Windows Defender would allow an attacker to delete arbitrary files on a system. The Task Scheduler vulnerability also allows for the creation and deletion of files, but you wouldn’t be able to overwrite existing files – just delete them. The bug in .NET Framework would only yield the privileges on the application targeted. Lastly, the bug in Bluetooth would yield SYSTEM access, but only after you pair a Bluetooth device.
There are only four security feature bypass (SFB) fixes in this month’s release, and the most severe is likely the bug in the Windows Smart Card Resource Management Server. This flaw could allow an attacker to bypass the Fast Identity Online (FIDO) secure authentication feature, which effectively removes two-factor authentication. The SFB in HTML Platforms is similar to other bugs that have been exploited in the wild. An attacker could use this bug to have URLs map to the incorrect Security Zone. The SFB for Edge-Chromium is confusing as Microsoft states physical access and user interaction are required, but they don’t elaborate on either point. The bug in Group Policy would allow an attacker to read specific Group Policy configurations but not alter them.
In addition to the Exchange spoofing bug previously mentioned, there are 11 other spoofing fixes in the August release. The bugs in SharePoint act like cross-site scripting (XSS) bugs and require multiple patches to address. Be sure you install all applicable updates. The bug in Outlook could allow the disclosure of NetNTLMv2 hashes, which would allow an attacker to potentially authenticate as another user. Little information is available about the other fixes, although Microsoft notes user interaction is required for all of the other bugs. The Azure Apache cases (yes – that sounds odd to me too) require an administrator to open a malicious file.
The August release contains 10 total information disclosure fixes. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. One of the bugs in SharePoint could disclose the cryptically-named “sensitive information”. Thanks for narrowing that down. The other SharePoint bug could leak private property values. The bug in ASP.NET is interesting as it could be used to listen to any group or user with a specially crafted group/username. By exploiting this vulnerability, the attacker can now receive messages for group(s) that they are unauthorized to view. The Hyper-V bug could allow a guest to disclose info from the Hyper-V host, but no details on what information is available. Finally, the AMD return address predictor fix is also included in this release.
Wrapping things up, there are eight fixes for Denial-of-Service (DoS) bugs, with six of these being for the Message Queuing service. Microsoft notes user interaction is required for some of these bugs in that the bug is triggered “when a user on the target machine accesses message queuing.” However, users may not be aware which application use message queuing and unintentionally create a DoS condition on the system. No further information is available regarding the two ASP.NET DoS bugs.
The other new advisory (ADV230004) is a defense-in-depth update for the Memory Integrity System Readiness scan tool. Also known as the hypervisor-protected code integrity (HVCI), this tool for ARM64 and AMD64 processors checks for compatibility issues with memory integrity. The release update takes care of a publicly known bug. The latest servicing stack updates can be found in the revised ADV990001.
Looking Ahead
The next Patch Tuesday will be on September 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!