Indiscriminate, opportunistic targeting.
Microsoft November 2023 Patch Tuesday: Five zero-day flaws and one critical remote code execution (RCE) vulnerability were addressed as part of 58 total security vulnerabilities addressed by Microsoft. A summary of the highlighted vulnerabilities has been outlined below.
CVE-2023-36025 (CVSSv3.1 score: 8.8) has been designated as a Windows SmartScreen security feature bypass flaw that can be exploited by a victim opening a specially crafted malicious Internet Shortcut file and can be leveraged as a component of a more complex attack chain.
The first zero-day is being tracked as CVE-2023-36033 (CVSSv3.1 score: 7.8), which is an elevation of privilege (EoP) vulnerability within the Windows Dynamic Window Manager (DWM) library, which intelligence indicates has already been exploited in the wild. The second zero-day, tracked as CVE-2023-36036 (CVSSv3.1 score: 7.8), is also an EoP vulnerability, but this time in the Windows Cloud Files Mini Filter Driver.
The third zero-day, tracked as CVE-2023-36413 (CVSSv3.1 score: 6.5), pertains to a publicly disclosed Microsoft Office security feature bypass that results in a document opening in Editing mode as opposed to Protected View upon interaction with a specially crafted malicious file.
The fourth zero-day allows for the implementation of a denial-of-service (DoS) attack. Tracked as CVE-2023-36038 (CVSSv3.1 score: 8.2), it relates to an ASP.NET Core DoS condition impacting only .NET 8 RC 1 running on the IIS InProcess hosting model.
Only three patches this month relate to critical vulnerabilities in accordance with Microsoft’s proprietary severity ranking scale. The first of these is being tracked as CVE-2023-36397 (CVSSv3.1 score: 9.8) and is an RCE flaw in Windows Pragmatic General Multicast (PGM). Only systems where the Windows Message Queuing Service (MSMQ) is enabled are impacted. Next on the critical list is a VM escape security issue, tracked as CVE-2023-36400 (CVSSv3.1 score: 8.8), successful exploitation of which would almost certainly allow a threat actor to escape from a low-privilege Hyper-V guest OS and execute code as SYSTEM on the Hyper-V host. The final critical vulnerability to receive a patch this month is being tracked as CVE-2023-36052 (CVSSv3.1 score: 8.6) and allows for the recovery of plaintext usernames and password credentials, resulting from the Azure CLI tool not sufficiently redacting data published to log files under specific conditions.
The trend of Exchange RCE flaws receiving patches continues this month with CVE-2023-36439 (CVSSv3.1 score: 8.0), which grants execution capabilities as NT AUTHORITY\SYSTEM on Exchange server hosts provided that a network-based threat actor has already attained valid credentials for an Exchange user. Three Exchange server spoofing flaws (CVE-2023-36035, CVE-2023-36039 and CVE-2023-36050) also received patches this month, successful exploitation of which would almost certainly result in the exposure of credentials or NTLM hashes to a network-based threat actor.
A final noteworthy mention is that a much-anticipated patch for last month’s cURL SOCKS5 vulnerability, tracked as CVE-2023-38545, has been released.
Finally, it should be noted that three of the vulnerabilities (CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036) within the November disclosure already exist on the US’s Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list.
Successful exploitation of CVE-2023-36025 would almost certainly result in a threat actor being able to bypass the anti-phishing and anti-malware protection provided by Windows SmartScreen.
Successful exploitation of CVE-2023-36033, CVE-2023-36036 or CVE-2023-36400 would almost certainly provide a threat actor with SYSTEM privileges.
Successful exploitation of CVE-2023-36413 would almost certainly allow a threat actor to bypass the Office Protected View and open in editing mode rather than protected mode.
Successful exploitation of CVE-2023-36038 would likely allow a threat actor to implement a DoS attack, resulting in a total loss of availability.
Successful exploitation of CVE-2023-36397 would almost certainly provide a threat actor with the opportunity to attempt RCE on a target asset subsequent to sending a specially crafted file over the network.
Successful exploitation of CVE-2023-36052 would almost certainly allow a threat actor to recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions.
Successful exploitation of CVE-2023-36439 would almost certainly allow an authenticated threat actor to gain RCE capabilities on the server mailbox backend as NT AUTHORITY\SYSTEM.
In summary, it is likely that the exploitation of the vulnerabilities outlined above would lead to a total loss of confidentiality, availability, and integrity of data.
Security patches for the vulnerabilities reported on have been released by Microsoft. Previous product versions therefore remain vulnerable to potential exploitation.
A full list of the affected products pertaining to the November 2023 Patch Tuesday can be found on the Microsoft November 2023 Security Update page.
Containment, Mitigations & Remediations
It is strongly recommended that the relevant security patches are applied to the respective Microsoft products as soon as possible. The patches can be found directly at the Microsoft Patch Tuesday November 2023 Security Guide.
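As an added example (not part of the original advisory), the following PowerShell snippet gives a defender a quick exposure check against the points raised above: whether the host runs the MSMQ service that CVE-2023-36397 depends on, whether it is a Hyper-V host relevant to CVE-2023-36400, and whether any update has landed since the 14 November 2023 release date. It assumes an elevated session on a Windows host; it deliberately hard-codes no KB numbers, since those are not given on this page.

```powershell
# Added exposure check (not part of the original advisory). Run in an elevated
# PowerShell session on a Windows host. It reports whether the host exposes the
# attack surface for CVE-2023-36397 (MSMQ) and CVE-2023-36400 (Hyper-V), and
# whether any update has been installed since the 14 November 2023 release date.
# Update KB numbers are intentionally not hard-coded; consult the Microsoft
# Security Update Guide for the exact package that applies to your build.

$patchTuesday = Get-Date -Year 2023 -Month 11 -Day 14

# CVE-2023-36397 only affects hosts with the Message Queuing service enabled.
$msmq = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if ($msmq) {
    "MSMQ service present: Status=$($msmq.Status) StartType=$($msmq.StartType)"
    # MSMQ listens on TCP 1801; a listener means the surface is reachable over the network.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        "WARNING: TCP/1801 is listening - CVE-2023-36397 surface is network reachable"
    }
} else {
    "MSMQ service not installed - CVE-2023-36397 does not apply to this host"
}

# CVE-2023-36400 is a guest-to-host escape; only Hyper-V hosts need the check.
$vmms = Get-Service -Name 'vmms' -ErrorAction SilentlyContinue
if ($vmms) {
    "Hyper-V host detected (vmms $($vmms.Status)) - CVE-2023-36400 applies"
}

# Has anything been installed since the November 2023 release?
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    "Updates installed on or after $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "WARNING: no updates installed since $($patchTuesday.ToShortDateString()) - verify November 2023 patch status"
}
```

A listing of recent hotfixes is only a hint; confirm the specific November 2023 package for the host's build against the Security Update Guide before treating it as patched.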
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Last month, Microsoft published remediations for 104 security flaws in the October 2023 Patch Tuesday release, including three actively exploited zero-day flaws. Moving into the November disclosure, privilege elevation vulnerabilities surpassed RCE issues for the top spot, accounting for 27.5% of the discovered security issues, a trend that has continued from last month. Although RCE fell to second in the rankings, it still accounted for 25.8% of patched vulnerabilities. Overall, the November 2023 Patch Tuesday disclosure resulted in the release of fewer vulnerabilities pertaining to a lower number of products compared to recent months.
No attribution to specific threat actors or groups has been identified at the time of writing.
TA0002 – Execution
TA0004 – Privilege Escalation