Akamai’s Perspective on October’s Patch Tuesday 2023
As we do every month, the Akamai Security Intelligence Group examined the more intriguing vulnerabilities that were patched. Of the 105 CVEs patched this month, 12 are critical. The highest CVE rating is 9.8. There are also three vulnerabilities reported as exploited in the wild.
This month’s report is shorter than usual and focuses on the vulnerabilities that were exploited in the wild.
Vulnerabilities exploited in the wild
CVE-2023-44487 — HTTP/2 Rapid Reset Attack (CVSS 7.5)
This is a denial-of-service (DoS) vulnerability that was discovered and reported by Google, Cloudflare, and Amazon. The vulnerability enabled the largest distributed denial-of-service (DDoS) attack in history to date, and relies on a technique called “Rapid Reset” in HTTP/2, which in turn leverages stream multiplexing.
Mitigation
This attack, while novel, is at the protocol level and would be mitigated by Akamai on behalf of its customers in the same manner as any other Layer 7 DDoS attack using security product capabilities like rate controls, web application firewall, Bot Manager Premier, or Client Reputation.
Web servers using HTTP/2 that are not protected by Akamai should install vendor patches, or disable HTTP/2 altogether, to prevent exploitation of this CVE.
Microsoft suggests a workaround to disable HTTP/2 via two registry values, EnableHttp2Tls and EnableHttp2Cleartext, under the HTTP service's Parameters key. Here’s an osquery query that Akamai Guardicore Segmentation customers can use to read these values across servers in the network:
SELECT name, data FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Tls'
   OR path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Cleartext';
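As an added illustration in the spirit of the rate controls mentioned above (example code, not from the Akamai post or any Akamai product), a small Python heuristic that counts client stream cancellations per HTTP/2 connection (a HEADERS frame opening a stream, followed by a client RST_STREAM on that stream) inside a sliding window and flags connections that exceed a threshold. The window, the threshold and the frame events are constructed assumptions.

```python
from collections import defaultdict, deque

# Each event is (time_seconds, connection_id, frame_type, stream_id) as seen
# from the client side of a connection. Only HEADERS and RST_STREAM matter here.
def rapid_reset_offenders(events, window=1.0, max_cancels=100):
    """Return the set of connection ids whose number of stream cancellations
    (HEADERS then RST_STREAM on the same stream) within any `window`-second
    span exceeds `max_cancels`. Thresholds are assumed values, not Akamai's."""
    open_streams = defaultdict(set)    # conn -> stream ids opened by HEADERS
    cancels = defaultdict(deque)       # conn -> timestamps of cancellations
    offenders = set()
    for t, conn, frame, sid in sorted(events, key=lambda e: e[0]):
        if frame == "HEADERS":
            open_streams[conn].add(sid)
        elif frame == "RST_STREAM" and sid in open_streams[conn]:
            open_streams[conn].discard(sid)
            q = cancels[conn]
            q.append(t)
            while q and t - q[0] > window:   # drop cancellations outside the window
                q.popleft()
            if len(q) > max_cancels:
                offenders.add(conn)
    return offenders

def constructed_events():
    """Constructed sample: connection A makes ten ordinary requests and cancels
    one; connection B opens and immediately resets 500 streams in half a second."""
    ev = []
    for i in range(10):
        ev.append((i * 0.1, "A", "HEADERS", 2 * i + 1))
    ev.append((0.15, "A", "RST_STREAM", 1))
    for i in range(500):
        sid = 2 * i + 1
        ev.append((i * 0.001, "B", "HEADERS", sid))
        ev.append((i * 0.001 + 0.0002, "B", "RST_STREAM", sid))
    return ev

if __name__ == "__main__":
    print(rapid_reset_offenders(constructed_events()))   # prints {'B'}
```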
CVE-2023-36563 — Microsoft WordPad Information Disclosure Vulnerability (CVSS 6.5)
This vulnerability allows an attacker to leak a victim’s NTLM hash. Exploitation is done by running a specially crafted application, which can also be achieved by convincing the victim to open a malicious file. We do not have full details about how these credentials can be disclosed, but it is likely that the attack involves leaking them over SMB.
Microsoft WordPad is installed on every Windows endpoint.
Mitigation
Aside from patching, we recommend the following:
Use microsegmentation to block SMB traffic (TCP port 445) from the WordPad process (wordpad.exe) to internet destinations.
On Windows 11, it is possible to disable the automatic sending of NTLM hashes to remote locations via Group Policies: Administrative templates > Network > Lanman Workstation > Block NTLM.
CVE-2023-41763 — Skype for Business Elevation of Privilege Vulnerability (CVSS 5.3)
The last vulnerability that was exploited in the wild is in Skype for Business. An attacker could make a special call to the target Skype for Business server, which would then make a request to an arbitrary (attacker-controlled) address and disclose IP addresses and/or port numbers. Such information can sometimes provide access to internal networks, which gives this vulnerability its class of Elevation of Privilege.
Mitigation
We advise customers to patch their Skype for Business servers as instructed by Microsoft.
This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit our Twitter account for real-time updates.