No zero-days for June Patch Tuesday, but plenty to chew over
On the face of it, Microsoft’s monthly round of updates is a lighter-than-usual load for security teams, with no zero-days in evidence, but there are still plenty of issues needing attention
Microsoft has released its monthly Patch Tuesday update but, in a departure from recent form, does not appear to have uncovered any new zero-days, no doubt bringing relief to security teams preoccupied with other matters.
However, this is not to say that there are no issues worthy of attention, with the June update containing fixes for a total of 85 vulnerabilities – of which several are updates from previous go-rounds, which seems to be a notable trend in the latest drop, as Ivanti security products vice president Chris Goettl explained.
Of particular note to security teams this month, said Goettl, is an ongoing series of security updates relating to Windows Kerberos and Netlogon, which are being released in a phased process.
The Windows Kerberos update relates to a security bypass vulnerability, CVE-2022-37967, which was disclosed in November 2022. Since then, there have been two updates, the first to add privileged attribute certificate (PAC) signatures to the Kerberos PAC buffer, and the second to put all devices into Audit mode by default but still allowing authentication. The latest update removes the ability to disable PAC signature addition, and more policy changes are expected in July and October.
The Netlogon update relates to CVE-2022-38023, an elevation of privilege (EoP) flaw also from November 2022. The first patch for this vulnerability implemented a default compatibility mode that removed the ability to disable remote procedure call (RPC) sealing. The latest moves to enforce this by default unless an admin has explicitly configured it otherwise. Another policy change is due in July.
“Microsoft is advancing phases for the changes to Kerberos and Netlogon that will require some additional research and testing to ensure you avoid near and long-term operational impacts,” said Goettl.
Goettl also flagged changes to documentation for two other vulnerabilities. The first, to CVE-2023-24880, a security bypass flaw in Windows SmartScreen dating from March 2023, confirms exploitation and updates its CVSS score, which defenders should consider in their prioritisation.
The second change, which is to CVE-2021-34527, merely updates the list of vulnerable Windows editions, but will be of interest to some. “CVE-2021-34527 is a vulnerability in Windows Print Spooler that could allow remote code execution. Yes, this is a blast from the past known as PrintNightmare,” said Goettl.
Exchange vulnerabilities: Always a popular choice
Elsewhere, two RCE vulns in Microsoft Exchange Server – CVE-2023-32031 and CVE-2023-28310 – also warrant close attention.
The first of these vulnerabilities enables a malicious actor to trigger code in the context of the Exchange Server account via a network call. The second enables them to execute code via PowerShell. In both cases, the attack complexity is considered low and no user interaction is needed.
Although neither of these flaws has been publicly disclosed or is known to be exploited in the wild, Exchange Server bugs attract a particularly “sophisticated” type of cyber criminal, so they should not be left to linger too long.
“This pair of vulnerabilities…are standouts, as they closely mirror the vulnerabilities identified as part of ProxyNotShell exploits,” said Kev Breen, Immersive Labs director of cyber threat research.
Breen said that these vulnerabilities will likely be exploited via social engineering attacks with spear-phishing to gain access to a host.
“If an attacker were able to gain this level of access to an Exchange Server [they] could do a lot of damage to an organisation,” he said.
“With the ability to gain access to read every email that has been sent and received, or even to impersonate any given user, this could be advantageous for financially motivated criminals where business email compromise (BEC) attacks are no longer from spoofed accounts but from the legitimate email holder.”
Critical bugs could still sting
The June Patch Tuesday update contains a total of six critical vulnerabilities, which are, in CVE number order:
- CVE-2023-24897, a remote code execution (RCE) vulnerability in .NET, .NET Framework and Visual Studio;
- CVE-2023-29357, an EoP vulnerability in Microsoft SharePoint Server;
- CVE-2023-29363, an RCE vulnerability in Windows Pragmatic General Multicast (PGM);
- CVE-2023-32013, a denial of service (DoS) vulnerability in Windows Hyper-V;
- CVE-2023-32014, a second RCE vulnerability in Windows PGM;
- CVE-2023-32015, a third RCE vulnerability in Windows PGM.
Adam Barnett, Rapid7 lead software engineer, noted that this is the third month on the trot in which Microsoft has fixed RCE vulnerabilities in Windows PGM. While Microsoft has not detected exploitation or disclosure for any of these yet, their high CVSS base scores will likely attract the wrong kind of attention in short order.
“All three PGM critical RCEs require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset,” said Barnett.
“Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250,” he said.
“As with previous similar vulnerabilities, only systems where Windows Message Queueing Service (MSMQ) is enabled are exploitable, and it isn’t enabled by default.”
However, as Rapid7 researchers have previously noted, a good number of applications, Microsoft Exchange among them, introduce MSMQ during their installation routine. With several prolific researchers active in this area, said Barnett, more PGM vulnerabilities will almost certainly be heading down the pipe in future.
Meanwhile, the EoP flaw in SharePoint, which gives attackers a shot at gaining admin rights on the SharePoint host provided they have spoofed the right tokens, should also be addressed quickly, said Barnett, particularly if running SharePoint 2016.
“At time of writing, the FAQ provided with Microsoft’s advisory suggests that both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable, but neither the advisory nor the SharePoint 2016 Release history list any related patches for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow up on this one as a matter of some urgency,” he said.
Finally, the RCE vulnerability in .NET, etc, which requires an attacker to convince the victim to open a specially-crafted malicious file, typically from a website, should also raise eyebrows.
“Although Microsoft has no knowledge of public disclosure or exploitation in the wild, and considers exploitation less likely, the long list of patches – going back as far as .NET Framework 3.5 on Windows 10 1607 – means that this vulnerability has been present for years,” said Barnett.