Akamai’s Perspective on December’s Patch Tuesday 2023
This is the last Patch Tuesday of the year, everyone — and it seems like Microsoft took off for the holidays as there are only 33 patched CVEs this month. Akamai, however, did not take off — a CVE from one of our own colleagues, Ben Barnea, is part of the patch.
As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. Of the 33 CVEs patched this month, four are critical, but only three of those allow remote code execution (RCE); the highest CVSS score is 9.6. No CVE was reported as publicly disclosed or exploited in the wild this month.
In this report, we’ll assess how critical the vulnerabilities really are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an updating report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
Windows MSHTML platform
This is an RCE vulnerability in the MSHTML component, found by Akamai researcher Ben Barnea.
MSHTML is a web page renderer for the Windows operating system. It exposes a Component Object Model (COM) interface to allow programs to add web-rendering capabilities. It is used by Internet Explorer, Microsoft Edge’s Internet Explorer mode, Microsoft Outlook, and various other programs.
As Microsoft's advisory notes, this vulnerability can be used against Outlook clients: a crafted email triggers it when Outlook retrieves and processes the message, before the user views it. The underlying memory corruption is easy to trigger, but turning it into reliable code execution is complex.
In the upcoming weeks, we will share more technical details, including an additional vector (other than email) that triggers this vulnerability.
Microsoft Edge (Chromium-based)
Microsoft Edge is a proprietary cross-platform web browser. The original Edge used Microsoft's own EdgeHTML rendering engine; in 2020 Microsoft replaced it with a browser built on Google's open source Chromium project.
There are three CVEs related to Microsoft Edge this month — two low-severity information disclosure vulnerabilities, CVE-2023-38174 and CVE-2023-36880, and a moderate-severity elevation of privilege (EoP) vulnerability, CVE-2023-35618. All vulnerabilities require the attacker to trick the user into visiting a web site or opening a link; i.e., to fall for phishing attacks.
Curiously, while the EoP vulnerability is ranked as moderate severity, its CVSS score is very high: 9.6. The reason for this disparity is the complexity required to trigger the vulnerability. According to Microsoft: "To trigger the vulnerability, the attacker must trick the user into opening a web page or server that is hosting specially crafted content, and then trick them into opening a specially crafted file." This multistep process downgraded the severity, per Microsoft's Bounty Program guidelines.
Microsoft Edge comes by default with the Windows operating system. From our observations, it is the most used browser in enterprise networks — used by 52% of machines that are running a browser.
Microsoft Power Platform connector
Microsoft Power Platform is a set of tools and products that help with business intelligence and app development. A connector is a proxy or an API wrapper that allows an underlying service to communicate with Power Platform products.
There is a single critical CVE this month, CVE-2023-36019, a spoofing vulnerability with a base score of 9.6. It allows attackers to manipulate links, applications, or files so that users believe they are interacting with a legitimate application. Since the patch notes mention custom connectors (connectors you build yourself when Microsoft offers none for your service), we assume that is where the vulnerability lies. The patch notes also state that custom connectors must be updated to receive a per-connector redirect URI.
Our hypothesis is that connectors were able to share their redirect URIs, which allowed attackers to spoof connectors or targets to trick users into connecting to the wrong place.
Microsoft said it reached out to affected customers via the Microsoft 365 Admin Center or via Service Health in the Azure Portal.
Internet Connection Sharing
Internet Connection Sharing (ICS) is a Windows service that enables an internet-connected computer to share its internet connection with other computers on the local network. The computer running the ICS service will provide Dynamic Host Configuration Protocol (DHCP) and network address translation (NAT) services for adjacent computers that use it.
ICS has three CVEs this month: two critical RCE vulnerabilities, CVE-2023-35630 and CVE-2023-35641, both with a CVSS score of 8.8, and a denial-of-service vulnerability, CVE-2023-35642, with a CVSS score of 6.5 and important severity.
Both critical vulnerabilities are in the DHCP part of the ICS service. CVE-2023-35641 requires the attacker to send a specially crafted DHCP packet. CVE-2023-35630 requires the attacker to modify an option length field in a DHCPv6 input message of type DHCPV6_MESSAGE_INFORMATION_REQUEST. Both yield RCE on the computer running the ICS service. Note that 8.8 corresponds to an adjacent-network attack vector: the attacker must be on a network segment the ICS host serves (for example, as a client of the shared connection), not anywhere on the internet.
ICS is available by default on modern Windows installations (workstations and servers) and is usually configured as trigger start, meaning the service stays stopped until an RPC connection to the IP NAT Helper RPC server interface starts it on demand. A service inventory that shows the service as stopped therefore does not mean it cannot be started.
You can use the following query (osquery syntax) in Akamai Guardicore Segmentation's Insight feature to look for the ICS service and its status:
SELECT status, start_type FROM services WHERE name='SharedAccess'
In our observations, 27% of environments had the ICS service running on at least some machines; within a single network, usually fewer than 1% of machines were running it.
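For hosts where the Insight query is not available, the following PowerShell script is an added example (not part of the original post and not an Akamai tool) that performs the same check locally and adds two things the service status alone does not show: whether the service is trigger-started, and whether sharing is actually enabled on any connection. It assumes an elevated prompt on a supported Windows build; the SharedAccess service name (as in the query above), the TriggerInfo registry key, and the HNetCfg.HNetShare COM interface are Microsoft's, and the trigger type and action codes are the documented SERVICE_TRIGGER constants.

```powershell
# Added example (not from the Akamai post): inventory Internet Connection Sharing on the local host.
# Assumptions: runs elevated on Windows 10/11 or Windows Server; 'SharedAccess' is the ICS service
# name; the TriggerInfo key and the HNetCfg.HNetShare COM object are Microsoft's.

# 1. Service status and start type. A trigger-started service reports StartMode 'Manual' here,
#    so 'Stopped' does not mean it cannot be started on demand.
$svc = Get-CimInstance Win32_Service -Filter "Name='SharedAccess'"
if (-not $svc) { Write-Warning 'SharedAccess service not found'; return }
[pscustomobject]@{
    Name      = $svc.Name
    State     = $svc.State
    StartMode = $svc.StartMode
    Path      = $svc.PathName
}

# 2. Trigger definitions. Type 6 (SERVICE_TRIGGER_TYPE_NETWORK_ENDPOINT) with Action 1 (start)
#    is the "start on an RPC interface event" case described in the post.
$triggerTypes = @{ 1 = 'DeviceInterfaceArrival'; 2 = 'IpAddressAvailability'; 4 = 'FirewallPortEvent'; 6 = 'NetworkEndpoint'; 20 = 'Custom' }
$triggerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\TriggerInfo'
if (Test-Path $triggerKey) {
    Get-ChildItem $triggerKey | ForEach-Object {
        $t = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Trigger = $_.PSChildName
            Type    = if ($triggerTypes.ContainsKey([int]$t.Type)) { $triggerTypes[[int]$t.Type] } else { $t.Type }
            Action  = if ($t.Action -eq 1) { 'Start' } elseif ($t.Action -eq 2) { 'Stop' } else { $t.Action }
        }
    }
} else {
    'No TriggerInfo key: SharedAccess is not trigger-started on this host.'
}

# 3. Whether sharing is enabled on any connection. The DHCP/NAT functions serve the private side
#    of a shared connection, so this is the better exposure indicator than service status alone.
try {
    $mgr = New-Object -ComObject HNetCfg.HNetShare
    $shared = foreach ($conn in $mgr.EnumEveryConnection) {
        $cfg = $mgr.INetSharingConfigurationForINetConnection($conn)
        if ($cfg.SharingEnabled) {
            $props = $mgr.NetConnectionProps($conn)
            [pscustomobject]@{
                Connection = $props.Name
                Device     = $props.DeviceName
                # ICSSHARINGTYPE_PUBLIC = 0 (upstream link), ICSSHARINGTYPE_PRIVATE = 1 (side the clients use)
                Role       = if ($cfg.SharingConnectionType -eq 0) { 'Public' } else { 'Private' }
            }
        }
    }
    if ($shared) { $shared } else { 'No connection has sharing enabled.' }
} catch {
    Write-Warning "Could not query sharing configuration: $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell prompt. A host with a NetworkEndpoint start trigger and no connection marked Private has the vulnerable code installed and startable but is not currently serving DHCP to anyone; a host with a Private connection is the one to patch first, since that is the segment from which the crafted DHCP traffic would arrive.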
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
Service | CVE number | Effect | Required access
---|---|---|---
 | | Denial of service | Network
 | | Denial of service | Network
 | | Information disclosure | 
 | | Remote code execution | Network
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.