15 November 2023

Microsoft has issued fixes for a total of five zero-day vulnerabilities on the penultimate Patch Tuesday of 2023, three of them known to have already been exploited in the wild.

With a total of just over 60 issues resolved this month, the November Patch Tuesday drop is by no means the largest of recent months and ranges across a smaller number of products than is typically seen.

The three exploited zero-days are tracked as CVE-2023-36025, a security feature bypass in Windows SmartScreen; CVE-2023-36033, an elevation of privilege (EoP) vulnerability in Windows DWM Core Library; and CVE-2023-36036, an EoP vulnerability in Windows Cloud Files Mini Filter Driver. Out of these, an exploit has been publicly disclosed for the second, and all three have already made it into the CISA Known Exploited Vulnerabilities hall of fame.

The two other zero-days – which have been made public but not yet exploited – are CVE-2023-36038, a denial of service vulnerability in ASP.NET Core, and CVE-2023-36413, a security feature bypass in Microsoft Office.

Four out of the five carry CVSS scores of over 7, making them of high severity by that metric, while the Microsoft Office issue carries a lower score of 6.5, meaning it is considered of medium severity.

There are also three critical bugs, although none of them has been disclosed or exploited yet. These are tracked as CVE-2023-36052, an information disclosure vulnerability in Azure CLI Rest Command; CVE-2023-36397, a remote code execution (RCE) vulnerability in Windows Pragmatic General Multicast; and CVE-2023-36400, an EoP vulnerability in Windows HMAC Key Derivation.

Running his eyes over the exploited zero-days, Adam Barnett, lead software engineer at Rapid7, said: “CVE-2023-36025 describes a Windows SmartScreen security feature bypass. An attacker who convinces a user to open a specially crafted malicious internet Shortcut file could bypass the anti-phishing and anti-malware protection provided by Windows SmartScreen. This could be abused as an early stage in a more complex attack chain.

“Originally introduced in Windows Vista, the Windows Dynamic Window Manager (DWM) enables many of the modern UI features which users have come to expect from a Windows OS. This month, the DWM Core Library receives a patch for CVE-2023-36033 … Exploitation leads to system privileges, but Microsoft does not provide any further guidance on the attack mechanism.”

Fewer details of the third exploited vulnerability, CVE-2023-36036, are known at this stage, although it too grants an attacker system-level privileges, a frequent step along the route taken by attackers as they seek to disable security tools or run credential dumping tools – such as mimikatz – in the service of lateral movement.

Looking to the other zero-days, Mike Walters, Action1 co-founder and president, commented: “CVE-2023-36038 represents a significant vulnerability in ASP.NET Core, capable of causing denial of service. This vulnerability is noteworthy for its network attack vector, low attack complexity, and the fact that it doesn’t require any privileges or user interaction for exploitation.

“The vulnerability can be triggered when HTTP requests to .NET 8 RC 1, running on the IIS InProcess hosting model, are cancelled. This can lead to an increase in the number of threads and potentially cause an OutOfMemoryException. Successful exploitation of this vulnerability could lead to a complete loss of service availability.”

Walters said this issue should be high on the list because of the risk of downtime for websites running the vulnerable library, which could easily become subject to a distributed denial-of-service (DDoS) attack as a result.
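A defender-side inventory check for the two preconditions Walters describes (an IIS site using the ASP.NET Core InProcess hosting model on a host that still has a .NET 8 RC 1 ASP.NET Core runtime installed), added here as an example and not taken from the article, Microsoft or Action1. It assumes `dotnet` is on PATH, the IIS WebAdministration module is available, and sites use the standard `<aspNetCore hostingModel="...">` element in web.config.

```powershell
# Added example: find IIS sites that match the CVE-2023-36038 preconditions quoted above.
# Assumptions: 'dotnet' on PATH; WebAdministration module present; standard web.config layout.

Import-Module WebAdministration -ErrorAction Stop

# 1. Which ASP.NET Core shared runtimes are installed? Flag any 8.0.0-rc.1 build.
$rcRuntimes = & dotnet --list-runtimes 2>$null |
    Where-Object { $_ -match '^Microsoft\.AspNetCore\.App\s+8\.0\.0-rc\.1' }

# 2. Which IIS sites declare the in-process hosting model in their web.config?
$inProcSites = foreach ($site in Get-Website) {
    $root = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
    $cfg  = Join-Path $root 'web.config'
    if (-not (Test-Path $cfg)) { continue }
    try { [xml]$doc = Get-Content -Path $cfg -Raw } catch { continue }
    $node = $doc.SelectSingleNode('//aspNetCore')
    if (-not $node) { continue }                      # not an ASP.NET Core site
    $model = if ($node.hostingModel) { $node.hostingModel } else { 'unspecified' }
    # Report explicit in-process sites; 'unspecified' is listed for manual review.
    if ($model -ieq 'inprocess' -or $model -eq 'unspecified') {
        [pscustomobject]@{ Site = $site.Name; Path = $root; HostingModel = $model }
    }
}

if ($rcRuntimes) {
    Write-Warning ("Pre-release ASP.NET Core runtime(s) present:`n" + ($rcRuntimes -join "`n"))
}
$inProcSites | Format-Table -AutoSize
if ($rcRuntimes -and $inProcSites) {
    Write-Warning 'In-process ASP.NET Core sites on a host with .NET 8 RC 1: update the runtime and redeploy.'
}
```

Self-contained deployments bundle their own runtime and will not show up in `dotnet --list-runtimes`, so those sites need their published runtime version checked separately.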

CVE-2023-36413, he explained, could become a big problem in short order due to its high potential for exploitation: “It has a network attack vector and is characterised by low attack complexity. While it does not require high-level privileges, user interaction is necessary for exploitation.

“A key aspect of this vulnerability is that it allows attackers to circumvent Office’s protected view, causing documents to open in edit mode instead of the more secure protected mode. Although Microsoft has confirmed the existence of a proof of concept, there is currently no concrete evidence of this vulnerability being exploited in the wild. This nuanced understanding of the vulnerability’s potential impact is essential for prioritising security measures,” said Walters.