Akamai’s Perspective on November’s Patch Tuesday 2023
As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched.
We’re past Halloween but not that close to Hanukkah or Christmas, so what shall we do to entertain ourselves? Read patch notes, of course! Of the 57 CVEs patched this month, only three of them are critical. The highest CVE rating is 9.8, and there are two of those. There are also three vulnerabilities reported as exploited in the wild.
In this report, we’ll assess how critical the vulnerabilities really are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an updating report and we’ll add more information to it as our research progresses — stay tuned!
This month, we’re focusing on the following areas in which bugs were patched:
Vulnerabilities exploited in the wild
CVE-2023-36025 — Windows SmartScreen (CVSS 8.8)
This is a security feature bypass vulnerability: a specially crafted internet shortcut file (.URL), or a hyperlink pointing to one, can be opened without the SmartScreen security warning being shown. This is not the first time SmartScreen bypass vulnerabilities have been actively exploited by threat actors. Google’s Threat Analysis Group (Google TAG) detected and reported that Magniber ransomware used a Windows SmartScreen bypass vulnerability in the past.
CVE-2023-36036 — Windows Cloud Files Mini Filter Driver (CVSS 7.8)
This is a privilege escalation vulnerability that allows attackers to gain SYSTEM privileges. The Cloud Files mini filter is part of the cloud sync engine support in Windows, which provides WinAPI access for syncing and working with cloud-based file systems. The filter driver is implemented in the cldflt.sys file.
CVE-2023-36033 — Windows DWM Core Library (CVSS 7.8)
This is another privilege escalation vulnerability, this time in the Windows Desktop Window Manager (DWM), which is responsible for managing the visible windows on the screen. The DWM has been part of Windows since Windows Vista and is implemented in the dwm.exe process. This vulnerability is specifically in the core library dwmcore.dll, which is loaded into that process.
Windows Pragmatic General Multicast
Windows Pragmatic General Multicast (PGM) is a protocol designed to deliver packets to multiple network members in a reliable manner. On Windows, the implementation of this protocol is referred to as reliable multicast programming. A critical remote code execution vulnerability in this protocol, with a CVSS score of 9.8, was fixed this Patch Tuesday.
Since Windows Server 2003, PGM has relied on Windows sockets. In user space, it is implemented in a library called wshrm.dll (Windows Sockets Helper DLL for PGM, where the “rm” stands for remote multicast). In kernel space, PGM is implemented through the driver rmcast.sys.
According to the mitigations Microsoft lists for the CVE, the Message Queuing service must be running for the vulnerability to be exploitable. The service is not installed by default; it must be added via the Windows Features screen in the Control Panel.
In our observations, we noticed that approximately 50% of environments had servers with the Message Queuing service installed and running, and 25% had servers with PGM installed. Although in most data centers only a few machines had Message Queuing enabled, we noticed some environments in which multiple servers were running the service.
Since the attack complexity for all vulnerabilities is low, we recommend patching relevant servers as soon as possible. If patching is not possible — because of operational continuity or some other reason — then we recommend restricting access to the service by using network segmentation policies, at the very least.
Since the Message Queuing service is accessible over port 1801, but isn’t likely to be accessed by very many clients (as it’s mostly used by the enterprise application itself), we recommend restricting arbitrary network access to that port and service. Try to segment it using allowlist policies, granting access only to the machines that actually need it.
Microsoft Protected Extensible Authentication Protocol
The Protected Extensible Authentication Protocol (PEAP) is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within a TLS session. EAP is used to authenticate devices and connections to networks, and is also used in Wi-Fi network authentication.
Windows servers can be configured with an optional role called Network Policy Server (NPS), and the NPS can be used to authenticate and allow network connection requests with EAP and PEAP. This isn’t enabled by default — the NPS role must be manually installed and configured. From our observations, only 21% of networks had NPS servers.
Since the NPS is meant to be central to the network and to process authentication requests from across it, applying segmentation policies to it may be problematic. Instead, Microsoft says that a possible mitigation is to block PEAP in protocol negotiations, and points to two sources describing how to do so.
This month, a critical remote code execution vulnerability (CVE-2023-36028) with a score of 9.8 was patched.
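Both the Message Queuing/PGM and the NPS sections above boil down to two questions a defender needs answered per server: is the optional component installed and running, and who can reach it? The following PowerShell is an added example, not part of the Akamai post or of any Microsoft tooling. It assumes Windows Server with the NetSecurity module, an elevated session, that the NPS role runs as the `IAS` service, and that the allow rules created when Message Queuing is installed sit in the "Message Queuing" firewall display group (both service and group names are assumptions to verify on your build).

```powershell
# Added example (not from the Akamai post): inventory the optional components the post
# discusses and, optionally, restrict TCP 1801 (Message Queuing) to an allowlist of clients.

function Get-PatchTuesdayExposure {
    # rmcast.sys is the kernel-mode PGM driver named in the post
    $pgmDriver = Join-Path $env:SystemRoot 'System32\drivers\rmcast.sys'
    $msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue   # Message Queuing service
    $nps  = Get-Service -Name IAS  -ErrorAction SilentlyContinue   # NPS service name (assumption)
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        MSMQInstalled     = [bool]$msmq
        MSMQRunning       = [bool]($msmq -and $msmq.Status -eq 'Running')
        PGMDriverPresent  = Test-Path $pgmDriver
        NPSInstalled      = [bool]$nps
        NPSRunning        = [bool]($nps -and $nps.Status -eq 'Running')
        # Is anything actually listening on the Message Queuing port right now?
        Port1801Listening = [bool](Get-NetTCPConnection -LocalPort 1801 -State Listen `
                                -ErrorAction SilentlyContinue)
    }
}

function Restrict-MsmqPort {
    # $AllowedClients: IPs or CIDR ranges of the machines that legitimately talk to MSMQ
    param([Parameter(Mandatory)][string[]]$AllowedClients)

    # 1. Disable the broad inbound allow rules the Message Queuing feature installs.
    #    (Display group name is an assumption; inspect Get-NetFirewallRule on your host.)
    Get-NetFirewallRule -DisplayGroup 'Message Queuing' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    # 2. Add one narrowly scoped allow rule. Traffic from any other source falls through to the
    #    profile's default inbound action, which must be Block for this to be effective.
    New-NetFirewallRule -DisplayName 'MSMQ 1801 allowlist' -Direction Inbound -Protocol TCP `
        -LocalPort 1801 -RemoteAddress $AllowedClients -Action Allow -Profile Any | Out-Null

    # Return the profile defaults so the caller can confirm unmatched inbound traffic is blocked
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

Get-PatchTuesdayExposure | Format-List
# Constructed sample subnet; uncomment to apply the allowlist on an MSMQ host:
# Restrict-MsmqPort -AllowedClients '10.0.5.0/24'
```

Run `Get-PatchTuesdayExposure` across your server estate (for example via `Invoke-Command`) to find the hosts where the Message Queuing or NPS findings above apply before deciding between patching and segmentation.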
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
Service | CVE number | Effect | Required access
---|---|---|---
 |  | Remote code execution | LAN access, authentication
 |  | Remote code execution | LAN access, authentication
 |  | Spoofing | 
 |  | Denial of service | Network
 |  | Remote code execution | Network, requires user to connect to malicious server
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.