Akamai’s Perspective on July’s Patch Tuesday 2023
As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched.
There are 130 CVEs this time, 9 of them critical. This is almost double last month’s number. Four of the critical CVEs (in RRAS and MSMQ) have a high CVSS score of 9.8. There are also four vulnerabilities reported as exploited in the wild.
In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are to provide a realistic perspective on the bugs that were fixed. You can also see a quick summary of the patch on our Twitter account. Be on the lookout for these insights in the days after every Patch Tuesday.
This is an updating report and we’ll add more information to it as our research progresses — stay tuned!
In this report, we’re focusing on the following areas in which bugs were patched:
Vulnerabilities exploited in the wild
CVE-2023-32046 — Windows MSHTML Platform (CVSS 7.8)
This vulnerability in the MSHTML platform can allow attackers to gain the privileges of the user who is the victim of the attack. MSHTML is Microsoft’s browser engine, and the patch notes mention that a user has to open a specifically crafted file, or browse to a malicious website that is hosting that file, so it’s probably some sort of web resource — an HTML or a JavaScript file. Regardless, the vulnerability requires users to respond to some sort of social engineering and open a malicious file. There are two more patched CVEs in MSHTML this month (that are not known to be exploited in the wild); you can read more about them later in this post.
CVE-2023-32049 — Windows SmartScreen (CVSS 8.8)
This is a security bypass vulnerability, which skips the SmartScreen security warning when opening files that were downloaded from the internet, or are otherwise unsafe. It is not the first time SmartScreen bypass vulnerabilities have been actively exploited by threat actors: Google’s Threat Analysis Group (Google TAG) detected and reported that the Magniber ransomware used a similar vulnerability in the past.
CVE-2023-36874 — Windows Error Reporting Service (CVSS 7.8)
This is a privilege elevation vulnerability that requires attackers to already have local access to the machine. According to the notes, the attackers need to be able to create folders and performance traces on the local machine, which requires privileges that restricted users do not usually have. This CVE was also reported by Google TAG.
CVE-2023-35311 — Microsoft Outlook (CVSS 8.8)
This is another security bypass vulnerability, this time in Outlook. The vulnerability allows attackers to bypass Outlook’s security notice when clicking hyperlinks.
CVE-2023-36884 — Office and Windows HTML (CVSS 8.3)
On July 11, Microsoft released an advisory regarding a remote code execution vulnerability that is being actively exploited in the wild. The vulnerability affects multiple Microsoft products and is based on luring victims into opening malicious documents.
The vulnerability is being exploited by the RomCom threat actor in phishing campaigns — including one targeting attendees of the recent NATO Summit in Lithuania. The vulnerability has no fix at the moment, but several mitigations for it exist.
Windows Layer 2 bridge network driver
The Layer 2 Bridge network driver is part of the Windows container ecosystem. The driver is responsible for L2bridge networking, which allows containers to connect directly to the physical network of the host. There are two vulnerabilities in this driver this month: a CVSS 6.5 information disclosure vulnerability (CVE-2023-32037) and a critical CVSS 8.8 remote code execution vulnerability (CVE-2023-35315). According to the CVE notes, the critical vulnerability allows for a guest-to-host escape. Since the L2bridge allows containers or virtual machines to write directly to the physical hardware that is shared with the host operating system, a vulnerability in the driver allows malicious code to cross the guest-host boundary.
The Windows container ecosystem comes as an optional feature called Containers. It is not available out of the box and requires purposeful installation. We’ve seen that approximately 35% of monitored environments have Windows machines with the Containers optional feature enabled.
Windows MSHTML platform
MSHTML is a web page renderer for the Windows operating system. It exposes a COM interface to allow programs to add web rendering capabilities. It is also used by Internet Explorer and Microsoft Edge’s Internet Explorer mode. Besides the privilege escalation vulnerability found in the wild (see the in-the-wild section), there are two more security bypass vulnerabilities: CVE-2023-35336 and CVE-2023-35308. From the notes about the two vulnerabilities, it appears that MSHTML fails to validate the Security Zone correctly for specific URLs; for example, it can mistake an external URL for a local one. We’re no strangers to security zones, as our own Ben Barnea found a similar vulnerability in MapUrlToZone, which is the function that is often used to determine whether a URL is an internet path, local path (to the machine/network), etc.
Windows Routing and Remote Access Service (RRAS)
The Routing and Remote Access service (RRAS) is a Windows service that allows the operating system to behave as a router, allowing for site-to-site connections using VPNs or dial-ups. There are three critical vulnerabilities in the service this month, all with the high CVSS score of 9.8. The patch notes don’t tell us much, except that specifically crafted packets sent to the server can trigger remote code execution.
RRAS isn’t available on all Windows servers; it comes as part of the Remote Access role and has to be specifically installed. In our observations, we’ve seen that approximately 15% of monitored environments have Windows servers with the Remote Access role installed.
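Because the Containers feature, the Remote Access role and MSMQ are all optional components, the practical first step for a defender is to find out which hosts actually have them installed before prioritising this month's patches. The following inventory script is an added example and not part of the Akamai post; it assumes it is run elevated on each host, uses the documented Windows feature and service names (Containers, RemoteAccess, MSMQ, MSMQ-Server), and falls back to the DISM optional-feature view on client SKUs where Get-WindowsFeature does not exist.

```powershell
# Added example (not from the Akamai post): report whether the optional
# components targeted by this month's critical CVEs are present on this host.
function Get-PatchTuesdayExposure {
    [CmdletBinding()]
    param()

    # Feature/role/service names are the Windows component names; the Area text
    # and the Note column summarise the post and are our own wording.
    $items = @(
        [pscustomobject]@{ Area='Windows containers (L2 bridge driver)'; Role='Containers';   Feature='Containers';  Service=$null;          Note='Guest-to-host escape, CVE-2023-35315' }
        [pscustomobject]@{ Area='Routing and Remote Access (RRAS)';     Role='RemoteAccess'; Feature=$null;         Service='RemoteAccess'; Note='Remote code execution, CVSS 9.8' }
        [pscustomobject]@{ Area='Message Queuing (MSMQ)';              Role='MSMQ';         Feature='MSMQ-Server'; Service='MSMQ';         Note='Remote code execution, CVSS 9.8' }
    )

    # Get-WindowsFeature (ServerManager module) only exists on Windows Server;
    # on client SKUs we fall back to Get-WindowsOptionalFeature (DISM module).
    $isServer = [bool](Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $installed = $false
        if ($isServer -and $item.Role) {
            $f = Get-WindowsFeature -Name $item.Role -ErrorAction SilentlyContinue
            $installed = [bool]($f -and $f.Installed)
        } elseif ($item.Feature) {
            $f = Get-WindowsOptionalFeature -Online -FeatureName $item.Feature -ErrorAction SilentlyContinue
            $installed = [bool]($f -and $f.State -eq 'Enabled')
        }

        # A present-but-stopped service is still installed code; report both facts.
        $svcState = 'n/a'
        if ($item.Service) {
            $svc = Get-Service -Name $item.Service -ErrorAction SilentlyContinue
            $svcState = if ($svc) { $svc.Status.ToString() } else { 'not present' }
        }

        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Area      = $item.Area
            Installed = $installed
            Service   = $svcState
            Note      = if ($installed) { $item.Note } else { 'component not installed' }
        }
    }
}

Get-PatchTuesdayExposure | Format-Table -AutoSize
```

Run it through Invoke-Command across a server list (or export with Export-Csv) to get the same per-environment prevalence view the post describes, rather than patching blind.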
Remote procedure call runtime
There are 14 different RPC runtime CVEs patched this month, most of them for denial-of-service attacks. Only one CVE (CVE-2023-35300) allows remote code execution, and the patch notes don’t tell us much else. By reversing the patch, we see that the Microsoft Offensive Research & Security Engineering (MORSE) team seems to have done an extensive amount of work on the NDR unmarshaling engine. We have written in-depth about MS-RPC, so if you’d like to know more about it, you can find many useful article links and tools in our RPC toolkit.
Previously covered services
Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.
| Service | CVE number | Effect | Required access |
|---|---|---|---|
| | | Security feature bypass | Network |
| | | Spoofing | |
| | | Remote code execution | |
| | | Denial of service | Network |
| | | Elevation of privilege | Local |
| | | Security feature bypass | Network |
| | | Security feature bypass | Network |
| | | Remote code execution | Network |
| | | Denial of service | |
| | | Remote code execution | Adjacent network |
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit our Twitter account for real-time updates.