Patch Tuesday - July 2023

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Microsoft's Patch Tuesday release for July 2023 addresses 130 security vulnerabilities in total, including five zero-day flaws and eight critical remote code execution (RCE) vulnerabilities.

Of note, an Office zero-day flaw has been disclosed and is tracked as CVE-2023-36884 (CVSSv3 score: 8.8). Active exploitation of this vulnerability has been attributed to the threat actor group tracked as Storm-0978 (also known as RomCom) against entities associated with the current NATO Summit.

The other noteworthy high-severity zero-day vulnerabilities are:

  • CVE-2023-32046 (CVSSv3 Score – 7.8): Windows MSHTML Platform Elevation of Privilege Vulnerability
  • CVE-2023-36874 (CVSSv3 Score – 7.8): Windows Error Reporting Service Elevation of Privilege Vulnerability
  • CVE-2023-32049 (CVSSv3 Score – 8.8): Windows Error Reporting Service Elevation of Privilege Vulnerability
  • CVE-2023-35311 (CVSSv3 Score – 8.8): Microsoft Outlook Security Feature Bypass Vulnerability.

Of the eight disclosed critical RCE vulnerabilities, three affect the Windows Routing and Remote Access Service (RRAS), and all three carry a CVSSv3 base score of 9.8. These are:

  • CVE-2023-35365 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • CVE-2023-35366 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
  • CVE-2023-35367 – Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability.

Two further critical RCE vulnerabilities (CVSSv3 score: 9.8), CVE-2023-33157 and CVE-2023-33160, affect SharePoint; both could allow an attacker to read and modify information and to reduce the availability of the targeted environment.

The remaining critical RCE vulnerabilities involve the Layer-2 Bridge Network Driver, Windows Message Queuing and Windows PGM:

  • CVE-2023-35315 – Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability
  • CVE-2023-32057 – Microsoft Message Queuing Remote Code Execution Vulnerability
  • CVE-2023-35297 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability.

A complete list of the disclosed security vulnerabilities can be found in the Microsoft Advisory.

Impact

  • Successful exploitation of CVE-2023-36884 could allow threat actors to access sensitive information and deny access to the targeted system
  • Successful exploitation of CVE-2023-32046 could allow a threat actor to gain the rights of the user that is running the affected application
  • Successful exploitation of CVE-2023-36874 could allow a threat actor to gain administrator privileges
  • Successful exploitation of CVE-2023-32049 and CVE-2023-35311 could allow a threat actor to bypass the Open File – Security Warning prompt
  • Successful exploitation of CVE-2023-35365, CVE-2023-35366 and CVE-2023-35367 could allow a threat actor to send specially crafted packets to vulnerable assets and achieve remote code execution
  • Successful exploitation of CVE-2023-35315 could allow a threat actor to send a specially crafted request to a Windows Server configured as a Layer-2 Bridge and achieve remote code execution
  • Successful exploitation of CVE-2023-32057 and CVE-2023-35297 could allow a threat actor to attain RCE capabilities on the respective affected products.

In summary, exploitation of the vulnerabilities outlined above could lead to a total loss of confidentiality, availability, and integrity of data.

Vulnerability Detection

Security patches for these vulnerabilities have been released by Microsoft. Product versions that have not received these patches therefore remain vulnerable to exploitation.

Affected Products

A full list of the affected products pertaining to the July 2023 Patch Tuesday can be found on the Microsoft Update page.

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the respective Microsoft products as soon as possible. The patches can be found directly at the Microsoft Patch Tuesday July 2023 Security Guide.
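The following PowerShell check is an added example and is not part of the original bulletin. It reports whether a given set of July 2023 update KBs is installed on the local host, and whether the optional RRAS and Message Queuing components discussed above are present at all, since a host without them is not exposed to the RRAS, MSMQ or PGM RCEs. The KB identifiers are placeholders (the bulletin does not list them; take the real ones from the Microsoft Security Update Guide for the relevant product build). The service names RemoteAccess and MSMQ are the standard Windows service names, and PGM (Reliable Multicast Protocol) is installed as part of the Message Queuing feature.

```powershell
# Added example (not from the bulletin): local patch-state and exposure check for the
# July 2023 Patch Tuesday items discussed above. Run in an elevated PowerShell session.

# Placeholders: the bulletin does not list KB numbers. Replace these with the KB
# identifiers for your OS/Office build from the Microsoft Security Update Guide.
$RequiredKBs = @('KB<PLACEHOLDER-OS-CU>', 'KB<PLACEHOLDER-OFFICE-UPDATE>')

function Get-PatchStatus {
    param([string[]]$KBs)
    # Get-HotFix reads Win32_QuickFixEngineering; the HotFixID column holds values like KBnnnnnnn.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-ExposedServices {
    # Optional Windows components whose presence puts the host in scope for the
    # RRAS (CVE-2023-35365/35366/35367), MSMQ (CVE-2023-32057) and PGM (CVE-2023-35297) RCEs.
    # If the service is not installed, that attack surface does not exist on this host.
    $watch = @{
        'RemoteAccess' = 'Routing and Remote Access: CVE-2023-35365, CVE-2023-35366, CVE-2023-35367'
        'MSMQ'         = 'Message Queuing: CVE-2023-32057; PGM ships with MSMQ: CVE-2023-35297'
    }
    foreach ($name in $watch.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Present = [bool]$svc
            Status  = if ($svc) { $svc.Status } else { 'not installed' }
            Note    = $watch[$name]
        }
    }
}

Write-Host "Patch status for $env:COMPUTERNAME"
Get-PatchStatus -KBs $RequiredKBs | Format-Table -AutoSize

Write-Host "Optional components in scope for the July 2023 RCEs"
Get-ExposedServices | Format-Table -AutoSize
```

A host that shows Installed = False for any required KB, or Present = True for RemoteAccess or MSMQ while still unpatched, should be prioritised for remediation. Note that Get-HotFix only lists updates that register with Win32_QuickFixEngineering, so treat a missing KB as a prompt to verify through Windows Update or your patch-management tooling rather than as a definitive negative.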

Threat Landscape

Last month, Microsoft published remediations for 78 security flaws in the June 2023 Patch Tuesday release, including 38 RCE vulnerabilities. In the July release, RCE and privilege escalation remain the leading vulnerability classes, together accounting for 53% of the patched vulnerabilities. Information disclosure, denial of service and spoofing vulnerabilities continue to make up a proportion of the reported flaws similar to that seen in June 2023.

Threat Group

Exploitation of CVE-2023-36884 has been attributed to the threat actor group tracked as Storm-0978. The group has a known connection with Russia, and it is highly likely that it is acting in alignment with Russian intelligence operations. The group has used CVE-2023-36884 against entities associated with the NATO Summit and, as such, these attacks are almost certainly an attempt to degrade the reputation of Western nations affiliated with NATO in support of Ukraine.

MITRE Methodologies

Tactics:

TA0002 – Execution

TA0004 – Privilege Escalation

Figure: Intelligence Terminology Yardstick showing the likelihood of events