
Akamai’s Perspective on June’s Patch Tuesday 2023


As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. 

We’re especially PROUD to work on the Patch Tuesday this month. 

There are 69 CVEs this time, six of them critical. Four of the critical CVEs (in PGM and SharePoint) have a high CVSS score of 9.8.

In this report, we’ll assess how critical the vulnerabilities really are and how commonplace the affected applications and services are to provide a realistic perspective on the bugs that were fixed. You can also see a quick summary of the patch on our Twitter account. Be on the lookout for these insights in the days after every Patch Tuesday.

This is an updating report and we’ll add more information to it as our research progresses — stay tuned!

In this report, we’re focusing on the following areas in which bugs were patched:

- Windows Pragmatic General Multicast (PGM)
- Microsoft SharePoint Server
- Windows Remote Desktop
- Microsoft Exchange Server
- Previously covered services

Windows Pragmatic General Multicast (PGM)

Windows Pragmatic General Multicast (PGM) is a protocol designed to deliver packets among multiple network members in a reliable manner. On Windows, the implementation of this protocol is referred to as reliable multicast. This Patch Tuesday fixed three critical remote code execution vulnerabilities in this protocol, all of them with a CVSS score of 9.8.

Since Windows Server 2003, PGM has relied on Windows sockets. In user space, it is implemented in a library called wshrm.dll (Windows Sockets Helper DLL for PGM, where the “rm” stands for remote multicast). In kernel space, PGM is implemented through the driver rmcast.sys.

According to Microsoft’s mitigations on the CVEs, the Message Queuing service must be running for the vulnerability to be exploitable. The service is not installed by default and must be added via the Features screen in the control panel (Figure 1). 

[Figure: the Windows Features dialog box, showing both the Microsoft Message Queue Server feature and Multicasting support]

Fig. 1: Enabling Message Queuing and multicasting through the Windows Features dialog box

In our observations, we noticed that approximately 50% of environments had servers with the Message Queuing service installed and running, and 25% with PGM installed. Although in most data centers only a few machines had this capability enabled, we noticed some environments in which multiple servers were running the service.

Since the attack complexity for all three vulnerabilities is low, we recommend patching relevant servers as soon as possible. If patching is not possible, whether because of operational continuity or for some other reason, we recommend at the very least restricting access to the service using network segmentation policies.

Since the Message Queuing service is accessible over port 1801, but isn’t likely to be accessed by that many clients (as it’s mostly used by the enterprise application itself), we recommend restricting arbitrary network access to that port and service. Try to segment it using allowlist policies, allowing access only to the machines that actually need it.
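To turn the observations above into a check you can run on your own estate, here is an added PowerShell audit script (it is not from the Akamai post). It reports whether the Message Queuing service is installed and running, whether anything listens on TCP 1801, whether the wshrm.dll and rmcast.sys binaries named above are present, and whether the PGM driver is currently loaded. The optional-feature names MSMQ-Multicasting (Server) and MSMQ-Multicast (client SKUs) are assumptions about how the feature is named on your build; the rest uses standard cmdlets.

```powershell
# Added example (not from the Akamai post): audit whether this host exposes the
# Message Queuing service and the PGM (reliable multicast) components.
# Run in an elevated PowerShell session.

$result = [ordered]@{}

# 1. Is the Message Queuing service present, and is it running?
$msmq = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$result['MSMQ service'] = if ($msmq) { $msmq.Status } else { 'not installed' }

# 2. Is anything listening on TCP 1801 (the Message Queuing port)?
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
$result['TCP 1801 listening'] = [bool]$listener

# 3. Are the user-space and kernel-space PGM binaries on disk?
$result['wshrm.dll present']  = Test-Path "$env:SystemRoot\System32\wshrm.dll"
$result['rmcast.sys present'] = Test-Path "$env:SystemRoot\System32\drivers\rmcast.sys"

# 4. Is the multicast feature enabled? Feature names are ASSUMED; Server SKUs
#    expose Get-WindowsFeature, client SKUs expose Get-WindowsOptionalFeature.
$pgmFeature = 'unknown'
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $f = Get-WindowsFeature -Name 'MSMQ-Multicasting' -ErrorAction SilentlyContinue
    if ($f) { $pgmFeature = $f.InstallState }
} elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Multicast' -ErrorAction SilentlyContinue
    if ($f) { $pgmFeature = $f.State }
}
$result['PGM feature'] = $pgmFeature

# 5. Is the rmcast.sys driver currently loaded in the kernel?
$driver = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like '*rmcast.sys' }
$result['rmcast.sys loaded'] = [bool]($driver -and $driver.State -eq 'Running')

[pscustomobject]$result | Format-List

# Exposure verdict: a running Message Queuing service with the PGM driver loaded
# matches the precondition Microsoft lists for the three PGM CVEs.
if ($msmq -and $msmq.Status -eq 'Running' -and $result['rmcast.sys loaded']) {
    Write-Warning 'Message Queuing is running and the PGM driver is loaded: prioritise patching and restrict TCP 1801.'
}
```

Run it across the servers in a data center (for example through Invoke-Command) to get the same "how many machines actually have this enabled" picture the figures above describe, rather than assuming the feature is absent because it is not installed by default.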

| CVE number | Effect | Required access |
|---|---|---|
| CVE-2023-29363 | Remote code execution | Network |
| CVE-2023-32014 | Remote code execution | Network |
| CVE-2023-32015 | Remote code execution | Network |

Microsoft SharePoint Server

Microsoft SharePoint is a web-based document management and storage system that integrates with other Microsoft Office products. There are four CVEs this month, but only one is for a critical elevation of privilege vulnerability with a 9.8 CVSS score (CVE-2023-29357). The vulnerability allows attackers to spoof JWT tokens to bypass authentication and gain the privileges of an authenticated user.

In our observations, we’ve seen that approximately 50% of environments had at least one machine with a SharePoint server installed on it.

| CVE number | Effect | Required access |
|---|---|---|
| CVE-2023-29357 | Elevation of privilege | Network |
| CVE-2023-33142 | Elevation of privilege | Network |
| CVE-2023-33130 | Spoofing | Network |
| CVE-2023-29357 | Spoofing | Network |

Since SharePoint servers are usually meant to be used for document sharing, it might be difficult to segment or limit user access to them without harming normal operations. Therefore, we recommend that you patch your server as soon as possible. 

However, for the elevation of privilege vulnerabilities, it might be possible to mitigate some of the risks by hardening user access, or by increasing alert sensitivity on suspicious user activity or log-ons.

Windows Remote Desktop

Windows Remote Desktop is used for remote desktop connection between Windows machines, over the Remote Desktop Protocol (RDP). There are two vulnerabilities this month — both affect the RDP client rather than the server.

CVE-2023-29352 allows attackers to bypass the server certificate validation during a remote desktop connection by using a specially crafted .RDP file. Attackers, however, will have to trick a user into using their .RDP file for the vulnerability to be impactful. This can work in tandem with the other vulnerability patched, CVE-2023-29362, which allows attackers to trigger remote code execution on the client, when they connect to attacker-controlled RDP servers.

Since RDP can be used for lateral movement, we recommend creating policy rules around it anyway. Restricting RDP access among user machines, or only to pre-authorized servers (like jump boxes), can greatly reduce the risk these vulnerabilities present. Nonetheless, we recommend you patch as soon as possible.

| CVE number | Effect | Required access |
|---|---|---|
| CVE-2023-29352 | Security feature bypass | Network |
| CVE-2023-29362 | Remote code execution | Network |

Microsoft Exchange Server

Microsoft Exchange Server is the mail server developed by Microsoft. This month, there were only two CVEs, both allowing remote code execution on the remote server. In our observations, we’ve seen that approximately 35% of environments had on-premises Exchange Servers.

Since the two vulnerabilities require that the attacker be authenticated, it might be possible to reduce the risk of a potential exploit by having increased sensitivity over anomalous user log-ons. In addition, since CVE-2023-28310 works over a PowerShell remoting session, it might be possible to mitigate the risk by employing segmentation. 
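Both the SharePoint and the Exchange recommendations above come down to the same control: watching authenticated log-ons more closely. The following is an added PowerShell script (not from the Akamai post) that summarises successful network and remote-interactive log-ons recorded in the Security log of a SharePoint or Exchange server over the last 24 hours, counts distinct source addresses per account, and flags accounts that exceed a threshold or arrive from outside an expected address prefix. The threshold and the prefix 10.0. are constructed values to tune per environment; the event property indices follow the documented 4624 event schema.

```powershell
# Added example (not from the Akamai post): review successful log-ons (event 4624)
# on a SharePoint or Exchange server so that an account appearing from an
# unexpected number of sources, or from an unexpected network, stands out.
# Save as Review-Logons.ps1 and run with rights to read the Security log.
param(
    [int]$Hours = 24,
    [int]$MaxSourcesPerAccount = 3,                   # assumed threshold
    [string[]]$ExpectedSourcePrefixes = @('10.0.')    # constructed example value
)

# 4624 property indices: 5 = TargetUserName, 6 = TargetDomainName,
# 8 = LogonType, 18 = IpAddress.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    $p = $e.Properties
    $type = [int]$p[8].Value
    # 3 = Network (web front ends, EWS, WinRM), 10 = RemoteInteractive (RDP)
    if ($type -notin 3, 10) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = '{0}\{1}' -f $p[6].Value, $p[5].Value
        Type    = $type
        Source  = [string]$p[18].Value
    }
}

# Group by account, count distinct sources, and flag what falls outside expectations.
$report = $logons |
    Where-Object { $_.Source -and $_.Source -notin '-', '::1', '127.0.0.1' } |
    Group-Object Account | ForEach-Object {
        $sources = @($_.Group.Source | Sort-Object -Unique)
        $unexpected = @($sources | Where-Object {
            $ip = $_
            -not ($ExpectedSourcePrefixes | Where-Object { $ip.StartsWith($_) })
        })
        [pscustomobject]@{
            Account         = $_.Name
            Logons          = $_.Count
            DistinctSources = $sources.Count
            Unexpected      = ($unexpected -join ', ')
            Flag            = ($sources.Count -gt $MaxSourcesPerAccount) -or ($unexpected.Count -gt 0)
        }
    }

$report | Sort-Object Flag, DistinctSources -Descending | Format-Table -AutoSize
```

The same grouping logic is what you would encode as a scheduled search or a SIEM rule; running it ad hoc on the server is a quick way to establish a baseline before lowering alert thresholds, so that the "increased sensitivity" recommended above does not simply produce noise.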

A PowerShell remoting session is carried over Windows Remote Management (WinRM), which uses TCP ports 5985 and 5986. Since remote management capabilities aren’t required by most users, it should be possible to restrict traffic over WinRM to only authorized users or user machines, thus reducing the attack surface.
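The segmentation advice in this post applies to three services: Message Queuing on TCP 1801, RDP on TCP 3389 (restricted to jump boxes), and WinRM on TCP 5985 and 5986. The following is an added PowerShell script (not from the Akamai post) that implements that scoping on the host itself with Windows Defender Firewall: it disables any broad inbound allow rule for the given TCP ports and creates, or re-scopes, an allow rule limited to an allowlist of sources. The function name, rule names, and the address ranges are assumptions and constructed values; the cmdlets are the standard NetSecurity module.

```powershell
# Added example (not from the Akamai post): scope inbound access to the ports the
# post recommends segmenting (MSMQ/PGM 1801, RDP 3389, WinRM 5985/5986) to an
# allowlist of source addresses. Run in an elevated PowerShell session.

function Limit-InboundPort {
    param(
        [Parameter(Mandatory)][int[]]$Port,
        [Parameter(Mandatory)][string[]]$AllowedSources,   # IPs or CIDR ranges
        [Parameter(Mandatory)][string]$Label
    )
    # Windows Firewall evaluates block rules before allow rules, so adding a block
    # rule for the port would also defeat the scoped allow rule below. Instead,
    # disable the broad allow rules and rely on the profile's default inbound Block.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -in $Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                       $_.DisplayName -notlike "Scoped-$Label*" } |
        Disable-NetFirewallRule

    $name = "Scoped-$Label-TCP-$($Port -join '-')"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null
    } else {
        # Rule already exists: just replace its remote-address scope.
        Get-NetFirewallRule -DisplayName $name |
            Get-NetFirewallAddressFilter |
            Set-NetFirewallAddressFilter -RemoteAddress $AllowedSources
    }
}

# Scoping only works if unsolicited inbound traffic is blocked by default.
Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block' |
    ForEach-Object { Write-Warning "Profile $($_.Name) does not block inbound traffic by default" }

# Constructed allowlists: replace with the machines that actually need access.
Limit-InboundPort -Port 1801       -AllowedSources '10.0.10.0/24'           -Label 'MSMQ'
Limit-InboundPort -Port 3389       -AllowedSources '10.0.1.10', '10.0.1.11' -Label 'RDP-JumpBoxes'
Limit-InboundPort -Port 5985, 5986 -AllowedSources '10.0.1.10', '10.0.1.11' -Label 'WinRM-Admin'

# Show what is now in force.
Get-NetFirewallRule -DisplayName 'Scoped-*' | Select-Object DisplayName, Enabled, Action
```

Host firewall rules complement, rather than replace, the network-level segmentation policies the post recommends: an allowlist enforced on the host still holds when the machine is moved between network segments, while a rule whose port filter is "Any" rather than an explicit port (which this script deliberately does not touch) should be reviewed by hand.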

| CVE number | Effect | Required access |
|---|---|---|
| CVE-2023-28310 | Elevation of privilege | Adjacent network |
| CVE-2023-32031 | Elevation of privilege | Network |

Previously covered services

Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.

| Service | CVE number | Effect | Required access |
|---|---|---|---|
| Microsoft Dynamics CRM | CVE-2023-24896 | Spoofing | Network |
| Windows CryptoAPI | CVE-2023-24937 | Denial of service | Network |
| Windows CryptoAPI | CVE-2023-24938 | Denial of service | Network |
| Microsoft Office | CVE-2023-33146 | Remote code execution | Local |
| DHCP Server Service | CVE-2023-29355 | Information disclosure | Network |
| Remote Procedure Call Runtime | CVE-2023-29369 | Denial of service | Network |
| OLE DB and ODBC | CVE-2023-29373 | Remote code execution | Network |
| OLE DB and ODBC | CVE-2023-29372 | Remote code execution | Network |
| iSCSI | CVE-2023-32011 | Denial of service | Network |
| iSCSI | CVE-2023-29367 | Remote code execution | Local |

This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit our Twitter account for real-time updates.