Akamai’s Perspective on August’s Patch Tuesday 2023
As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched.
This month, 73 CVEs were released, as well as 3 advisories. That is a little more than half of last month's count, which is just as well, because hacker summer camp is upon us, and who has time for patches, right? There are six critical CVEs, in Microsoft Teams, Microsoft Message Queuing, and Microsoft Outlook. There is also a denial-of-service (DoS) vulnerability, CVE-2023-38180, in .NET Core and Visual Studio that Microsoft reports as exploited in the wild, as well as a CVE reported by our very own Ben Barnea.
In this report, we’re focusing on the following areas in which bugs were patched:
Windows HTML platforms (reported by Akamai)
.NET Core and Visual Studio (exploited in the wild)
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are to provide a realistic perspective on the bugs that were fixed. You can also see a quick summary of the patch on our Twitter account. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an updating report and we may add more information to it as our research progresses — stay tuned!
Vulnerability reported by an Akamai researcher
CVE-2023-35384 — Windows HTML platforms (CVSS 5.4)
Despite its modest CVSS score, this vulnerability has an interesting background and consequences. Ben Barnea found it during his analysis of the May Patch Tuesday, and Microsoft fixed it this month.
Initially, Microsoft patched CVE-2023-23397, a critical elevation of privilege (EoP) vulnerability in Outlook that had been exploited in the wild. This vulnerability allowed an attacker to send the victim an email that triggered an SMB connection to an attacker-controlled server and, as a result, capture (and possibly crack or relay) the victim's NTLM credentials. It was a zero-click vulnerability that could be exploited by an unauthenticated attacker from anywhere on the internet.
The fix for CVE-2023-23397 added a check that classifies a path as local, intranet, internet, and so on. This check could be bypassed by supplying a specially crafted path, as we explained and demonstrated in a previous blog post.
This month’s CVE-2023-35384 is yet another bypass of Microsoft’s fix. Confused? Let’s put things in order:
CVE number | Description | Reported by
---|---|---
CVE-2023-23397 | Original critical EoP vulnerability in Microsoft Outlook | Ukrainian Computer Emergency Response Team (CERT)
 | Bypass of the fix for CVE-2023-23397, patched in May | Akamai researcher Ben Barnea
CVE-2023-35384 | Another bypass of the fix for CVE-2023-23397, patched this month (August) | Akamai researcher Ben Barnea
We are planning to share the details of CVE-2023-35384 and demonstrate its exploitation in a surprising way, so make sure to keep an eye out for the publication.
Vulnerability exploited in the wild
CVE-2023-38180 — .NET Core and Visual Studio (CVSS 7.5)
This is a DoS vulnerability, but Microsoft released no notes, FAQ, or acknowledgments with it, so its root cause is hard to determine. The fact that its attack vector is Network does give us a clue, however. Disclaimer: the following paragraph is purely speculative.
In our tests on locally installed instances of Visual Studio, the Visual Studio process did not listen for incoming connections (although we did observe outbound connections from it). It is therefore more likely that the attack is not an attacker reaching the process directly over the network, but rather a maliciously crafted file sent to the victim, which then crashes their Visual Studio instance and the .NET Core runtime.
Microsoft Message Queuing
There were 11 vulnerabilities in the Microsoft Message Queuing (MSMQ) service patched this month: three critical (CVSS 9.8) remote code execution (RCE) vulnerabilities, six DoS vulnerabilities, and two information disclosure vulnerabilities.
The MSMQ service is an optional feature in Windows that is used to deliver messages between different applications. Despite being optional, it is used behind the scenes by many enterprise applications for Windows, such as Microsoft Exchange Server. In our observations, we found the service installed in nearly 69% of environments, usually on more than one machine.
Since the MSMQ service is accessible over TCP port 1801 but should be reached by very few clients (it is mostly used by the enterprise application itself), we recommend restricting arbitrary network access to that port and service. Segment it using allowlist policies, granting access only to the machines that actually need it. For help with segmentation, you can refer to our blog post (Micro)Segmentation from a Practical Perspective (and specifically to the application ringfencing and microsegmentation sections).
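As an added illustration of that recommendation (this is not code from the original post or from Microsoft), the following PowerShell script checks whether MSMQ is installed and listening on a host, disables any inbound firewall rule that opens port 1801 broadly, and replaces it with a single rule scoped to an allowlist. The `$AllowedPeers` addresses are a constructed placeholder; substitute the machines that genuinely need to talk to the queue. It assumes an elevated session on a Windows host with the NetSecurity module (Windows 8/2012 or later).

```powershell
# Added example: inventory MSMQ exposure on this host and restrict inbound
# TCP 1801 to an allowlist of peers. Run elevated.
# $AllowedPeers is a constructed sample allowlist, not a real deployment value.
$AllowedPeers = @('10.0.10.5', '10.0.10.6')

# 1. Is the MSMQ service present at all? If not, there is nothing to segment.
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'MSMQ service is not installed on this host; nothing to do.'
    return
}
Write-Output "MSMQ service status: $($svc.Status)"

# 2. Is it actually listening on 1801, and on which addresses?
Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 3. Windows Firewall lets explicit Block rules override Allow rules, so an
#    allowlist only works if the profile's default inbound action is Block.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.DefaultInboundAction -ne 'Block') {
        Write-Warning "Profile $($_.Name) default inbound action is $($_.DefaultInboundAction); the allowlist below will not be effective there."
    }
}

# 4. Disable any enabled inbound rule that opens 1801 without an address scope
#    (for example the rules MSMQ setup creates), so only our scoped rule remains.
Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        $addrs = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        ($ports -contains '1801') -and ($addrs -contains 'Any')
    } |
    ForEach-Object {
        Write-Output "Disabling broad rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 5. Allow TCP 1801 only from the allowlisted peers; everything else falls
#    through to the profile default (Block).
New-NetFirewallRule -DisplayName 'MSMQ TCP 1801 - allowlisted peers only' `
    -Direction Inbound -Protocol TCP -LocalPort 1801 `
    -RemoteAddress $AllowedPeers -Action Allow -Profile Any | Out-Null

# 6. Show what is now in force for 1801.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '1801' } |
    Select-Object DisplayName, Action, @{n='RemoteAddress'; e={ ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' }}
```

Run it on each host where MSMQ is found, not only on the application server you know about; as noted above, the service tends to show up on more than one machine per environment. The script deliberately does not add an explicit Block rule for 1801, because in Windows Firewall a Block rule would override the allowlist Allow rule.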
CVE number | Effect | Required access
---|---|---
 | Remote code execution | Network
 | Denial of service | 
 | Information disclosure | 
Microsoft Exchange Server
This month, there were six CVEs in Microsoft Exchange Server: four of them allow remote code execution, and the other two are an EoP and a spoofing vulnerability. In our observations, approximately 28% of environments had on-premises Microsoft Exchange Servers.
The EoP CVE, CVE-2023-21709, actually has the highest CVSS score of the month (9.8) despite being rated "Important" rather than "Critical." According to Microsoft, the vulnerability could allow an attacker to brute-force an Exchange user's password and log in as that user. The Important rating reflects the fact that brute force attacks shouldn't succeed against users with complex passwords.
For this CVE, merely patching is not enough. Microsoft provides an additional script, CVE-2023-21709.ps1, which administrators need to run after installing the patch. Alternatively, the following command, run in an elevated PowerShell session on the Exchange server, removes the affected TokenCacheModule from the IIS global modules list:

```powershell
Clear-WebConfiguration -Filter "/system.webServer/globalModules/add[@name='TokenCacheModule']" -PSPath "IIS:\"
```
Microsoft also mentions that running the script (or the command above) can address the vulnerability in lieu of patching, but they (and we) strongly recommend patching as soon as possible.
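Because the mitigation is a configuration change rather than a binary update, it is worth verifying that it actually took effect on every Exchange server. The following PowerShell script is an added example (it is not Microsoft's CVE-2023-21709.ps1 and not code from the original post): it checks whether TokenCacheModule is still registered in IIS, removes it with the same command given above if it is, backs up the IIS configuration first, and re-checks afterwards. It assumes an elevated session on the Exchange server with the IIS WebAdministration module available.

```powershell
# Added example: verify (and, if needed, apply) the CVE-2023-21709 mitigation
# by checking IIS global modules for TokenCacheModule. Run elevated on each
# Exchange server. Uses only the WebAdministration module that ships with IIS.
Import-Module WebAdministration

$filter = "/system.webServer/globalModules/add[@name='TokenCacheModule']"

function Test-TokenCacheModulePresent {
    # Returns $true if the module is still registered in applicationHost.config
    $null -ne (Get-WebConfiguration -Filter $filter -PSPath 'IIS:\')
}

if (Test-TokenCacheModulePresent) {
    $entry = Get-WebConfiguration -Filter $filter -PSPath 'IIS:\'
    Write-Warning "TokenCacheModule is still registered (image: $($entry.image)); mitigation NOT in place."

    # Keep a restorable copy of applicationHost.config before changing it.
    $backupName = "pre-CVE-2023-21709-$(Get-Date -Format 'yyyyMMddHHmmss')"
    Backup-WebConfiguration -Name $backupName | Out-Null
    Write-Output "IIS configuration backed up as '$backupName'."

    # Same removal command as in the post above.
    Clear-WebConfiguration -Filter $filter -PSPath 'IIS:\'

    if (Test-TokenCacheModulePresent) {
        throw 'TokenCacheModule removal failed; inspect applicationHost.config manually.'
    }
    Write-Output 'TokenCacheModule removed; mitigation now in place.'
} else {
    Write-Output 'TokenCacheModule is not registered; mitigation already in place.'
}

# A global module can also be enabled per site/application under <modules>;
# list any such references so they can be reviewed too.
$siteRefs = Get-WebConfiguration -Filter "/system.webServer/modules/add[@name='TokenCacheModule']" -PSPath 'IIS:\' -Recurse
if ($siteRefs) {
    Write-Warning 'TokenCacheModule is still referenced at these locations:'
    $siteRefs | Select-Object PSPath, Location | Format-Table -AutoSize
}
```

Running the check is cheap, so it fits naturally into the post-patch validation step for every Exchange server, and the backup name gives you a straightforward `Restore-WebConfiguration` path if something else in IIS depended on the module.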
CVE number | Effect | Required access
---|---|---
 | Remote code execution | Network
 | Remote code execution | Adjacent network
CVE-2023-21709 | Elevation of privilege | Network
 | Spoofing | 
Microsoft Teams
Microsoft Teams is Microsoft's proprietary communication, messaging, and video conferencing platform, and is part of Microsoft 365. This month, there are two critical remote code execution CVEs in Teams. Both require the victim to actively join a malicious meeting set up by the threat actor, who could then run code remotely in the context of the victim user.
In our observations, 44% of environments had Microsoft Teams running.
CVE number | Effect | Required access
---|---|---
 | Remote code execution | Network
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
Service | CVE number | Effect | Required access
---|---|---|---
 | | Spoofing | Network
 | | Information disclosure | 
 | | Remote code execution | Network
 | | Arbitrary code execution | Local
 | | Information disclosure | Local