Patch Tuesday - October 2023

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Microsoft's October 2023 Patch Tuesday release addresses 104 security vulnerabilities, including three zero-day flaws and 12 critical remote code execution (RCE) vulnerabilities. The highlighted vulnerabilities are summarised below:

As with last month's Word zero-day, the first zero-day vulnerability is an NTLM hash disclosure flaw, this time in WordPad. The flaw, tracked as CVE-2023-36563 (CVSSv3 score: 6.5), has two attack vectors: convincing the target to open a specially crafted malicious file, or a locally authenticated attacker running a specially crafted application. In either case the victim's NTLM hash can be leaked to an attacker-controlled server for offline cracking or relay.

The second zero-day, tracked as CVE-2023-41763 (CVSSv3 score: 5.3), is classified by Microsoft as an elevation of privilege vulnerability in Skype for Business, although its practical impact is information disclosure. It was already under active exploitation when the patch was released.

The final zero-day, tracked as CVE-2023-44487, is the HTTP/2 denial-of-service vulnerability publicly known as HTTP/2 Rapid Reset. It is a protocol-level weakness that affects many HTTP/2 server implementations, including the cross-platform Kestrel web server for ASP.NET Core, and was already being exploited in the wild at the time of release.

The first of the critical RCE flaws is tracked as CVE-2023-35349 (CVSSv3 score: 9.8) and affects the Message Queuing Service (MSMQ). A second RCE flaw also affects MSMQ (CVE-2023-36697) but carries a lower CVSSv3 score of 6.8, because exploitation requires valid domain credentials and a user on the target machine connecting to a malicious server.

The third critical RCE is more niche: CVE-2023-36718 (CVSSv3 score: 7.8) is a bug in the Microsoft Virtual Trusted Platform Module (vTPM).

The remaining 75% of the critical RCE flaws (CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, CVE-2023-41774 and CVE-2023-38166) affect the Layer 2 Tunneling Protocol (L2TP) and can be exploited by sending a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server. Only hosts with the RRAS role installed and L2TP exposed are affected; the role is not present on a default Windows Server installation.
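Because MSMQ and RRAS are optional components, the first question for a fleet is which hosts actually run them. The following exposure triage script is an added example written for this bulletin, not Microsoft's or the bulletin author's code. It reports the service state of MSMQ (TCP 1801) and RRAS (L2TP on UDP 1701) on the local host so the MSMQ and L2TP CVEs above can be prioritised; the service names, ports and the Get-ServiceExposure function name are assumptions made for the example.

```powershell
# Added example, not part of the bulletin: exposure triage for the network-reachable
# services behind this month's critical RCEs. Neither MSMQ nor the RRAS role is
# installed on Windows by default, so a host running neither is not reachable via
# CVE-2023-35349, CVE-2023-36697 or the L2TP bugs regardless of patch state.
# Run from an elevated PowerShell session on the host being assessed.

function Get-ServiceExposure {
    param(
        [string]$ServiceName,                         # Windows service name, e.g. 'MSMQ'
        [string]$Label,                               # human-readable component name
        [int]$Port,                                   # port the service listens on
        [ValidateSet('TCP', 'UDP')][string]$Protocol,
        [string]$RelatedCves
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # A listening socket is the only reliable sign the component is reachable:
    # the RemoteAccess service entry exists on Windows Server even without the
    # RRAS role, but stays Disabled until the role has been added.
    if ($Protocol -eq 'TCP') {
        $listening = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    } else {
        $listening = [bool](Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue)
    }

    $startType = 'n/a'
    $status    = 'n/a'
    if ($svc) {
        $startType = $svc.StartType
        $status    = $svc.Status
    }

    [pscustomobject]@{
        Component   = $Label
        ServiceSeen = [bool]$svc
        StartType   = $startType
        Status      = $status
        Listening   = $listening              # reachable over the network right now
        Endpoint    = "$Protocol/$Port"
        RelatedCves = $RelatedCves
    }
}

# MSMQ accepts unauthenticated connections on TCP 1801 (CVE-2023-35349).
# RRAS terminates L2TP on UDP 1701; when L2TP/IPsec is used the traffic arrives
# inside IPsec on UDP 500/4500, but the L2TP endpoint is still bound locally.
$checks = @(
    Get-ServiceExposure -ServiceName 'MSMQ' -Label 'Message Queuing' `
        -Port 1801 -Protocol TCP -RelatedCves 'CVE-2023-35349, CVE-2023-36697'
    Get-ServiceExposure -ServiceName 'RemoteAccess' -Label 'Routing and Remote Access (L2TP)' `
        -Port 1701 -Protocol UDP -RelatedCves 'L2TP RCEs listed in this bulletin'
)

$checks | Format-Table -AutoSize

# Hosts where Listening is True should be patched first (or have the service
# stopped and the port firewalled until the update can be applied).
$checks | Where-Object Listening | ForEach-Object {
    Write-Warning "$($_.Component) is reachable on $($_.Endpoint): prioritise patching for $($_.RelatedCves)"
}
```

The script deliberately reports the listening socket rather than trusting the installed-feature list: a host can have the RRAS role present but the service disabled, in which case the L2TP parser is not reachable and the CVEs are a lower priority than the fleet-wide inventory would suggest.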

Microsoft has patched one security issue in Exchange, down from five in the September release. Tracked as CVE-2023-36778 (CVSSv3 score: 8.0), the vulnerability could allow a threat actor who is on the same network as the Exchange Server host and holds valid credentials for an Exchange user to execute code via a PowerShell remoting session.

The final patch of note is for CVE-2023-36569 (CVSSv3 score: 8.4), a local privilege escalation (LPE) vulnerability in Microsoft Office, for which patches are available for Office 2019, Office 2021 and Microsoft 365 Apps for Enterprise.

Impact

  • Successful exploitation of CVE-2023-36563 could allow a threat actor to obtain the target's NTLM hash, either by having the user open a specially crafted file or by executing a specially crafted application on the host.
  • Successful exploitation of CVE-2023-41763 could result in the disclosure of IP addresses and/or port numbers.
  • Successful exploitation of CVE-2023-35349 could allow an unauthenticated threat actor to remotely execute code on the target MSMQ server; CVE-2023-36697 has the same outcome but requires valid domain credentials and user interaction.
  • Successful exploitation of CVE-2023-36718 could allow a threat actor to escape from a contained execution environment.
  • Successful exploitation of CVE-2023-36778 could allow an authenticated threat actor on the same intranet as the Exchange server to achieve RCE capabilities via a PowerShell remoting session.
  • Successful exploitation of CVE-2023-36569 could allow a threat actor to gain SYSTEM privileges on target systems.

In summary, it is likely that exploitation of the vulnerabilities outlined above would lead to a loss of confidentiality, integrity and availability of data on affected systems.

Vulnerability Detection

Security patches for these vulnerabilities have been released by Microsoft. Systems that have not yet installed the October 2023 updates remain vulnerable to potential exploitation.
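A practitioner verifying that the October 2023 updates have actually landed on a host can use the following check. It is an added example written for this bulletin, not Microsoft's or the bulletin author's code, and it is a heuristic: it looks for operating-system Security Updates installed on or after Patch Tuesday (10 October 2023) and flags a pending reboot, since a staged update leaves the vulnerable binaries loaded until restart. Get-HotFix does not report Office or Exchange updates, so CVE-2023-36569 and CVE-2023-36778 need separate checks; the function name Get-PatchTuesdayStatus and the release date default are assumptions made for the example.

```powershell
# Added example, not part of the bulletin: report whether the local Windows host
# has taken the October 2023 operating-system security updates. Heuristic only:
# it treats any Security Update installed on or after the release date as the
# October release, so adjust -ReleaseDate when checking a later month.

function Get-PatchTuesdayStatus {
    param(
        [datetime]$ReleaseDate = [datetime]'2023-10-10'   # October 2023 Patch Tuesday
    )
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Only OS-level hotfixes are visible here; Office/Exchange updates are not.
    $security = Get-HotFix |
        Where-Object {
            $_.Description -eq 'Security Update' -and
            $_.InstalledOn -and
            $_.InstalledOn -ge $ReleaseDate
        } |
        Sort-Object InstalledOn -Descending

    # Windows Update sets this key when an installed update still needs a reboot.
    # Until the reboot, the old binaries remain loaded, so treat the host as unpatched.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OperatingSystem    = $os.Caption
        Build              = $os.BuildNumber
        LastBoot           = $os.LastBootUpTime
        PostReleaseUpdates = ($security | ForEach-Object {
                                 "$($_.HotFixID) ($($_.InstalledOn.ToString('yyyy-MM-dd')))"
                             }) -join '; '
        RebootPending      = $rebootPending
        LikelyPatched      = ([bool]$security -and -not $rebootPending)
    }
}

Get-PatchTuesdayStatus | Format-List
```

Run the function across a fleet via Invoke-Command and collect the objects; any host reporting LikelyPatched as False, or RebootPending as True, should be treated as still exposed to the vulnerabilities in this bulletin.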

Affected Products

A full list of the affected products pertaining to the October 2023 Patch Tuesday can be found on the Microsoft October 2023 Security Update page.

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the respective Microsoft products as soon as possible. The patches can be found directly at the Microsoft Patch Tuesday October 2023 Security Guide.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Last month, Microsoft published remediations for 59 security flaws in the September 2023 Patch Tuesday release, including two actively exploited zero-day flaws. Moving into the October disclosure, the leading vulnerability class continues to be RCE, accounting for 43.2% of patched vulnerabilities. Of note this month, the number of privilege elevation vulnerabilities and denial-of-service issues increased dramatically to 26 and 17 respectively (compared with zero and three respectively in September).

Given the wide range of attack vectors covered by this disclosure, and the ubiquity of Microsoft products across every industry sector worldwide, it is almost certain that threat actors will attempt to exploit the flaws listed in this security bulletin.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactics:

TA0002 – Execution

TA0004 – Privilege Escalation

Further Information

Microsoft October 2023 Patch Tuesday Security Update


An Intelligence Terminology Yardstick showing the likelihood of events (the probability terms used above, such as "likely" and "almost certain", follow this scale).