Indiscriminate, opportunistic targeting.
Microsoft September 2023 Patch Tuesday: Two zero-day flaws and four critical remote code execution (RCE) vulnerabilities were among the 59 security issues addressed by Microsoft. A summary of the highlighted vulnerabilities is below.
The first zero-day vulnerability is a New Technology LAN Manager (NTLM) hash disclosure flaw that enables the “Pass the Hash” technique. The security issue, tracked as CVE-2023-36761 (CVSSv3 score: 6.2), has reportedly been exploited in the wild. The second zero-day flaw is tracked as CVE-2023-36802 (CVSSv3 score: 7.8), an elevation of privilege vulnerability in Microsoft Streaming Service Proxy.
The first of the RCE flaws is being tracked as CVE-2023-38148 (CVSSv3 score: 8.8) and is associated with the Windows Internet Connection Sharing (ICS) functionality.
The three remaining critical RCE flaws have common attributes and pertain to Visual Studio and .NET. They are tracked as CVE-2023-36792, CVE-2023-36793 and CVE-2023-36796, all of which have received a CVSSv3 score of 7.8. All three depend upon a user opening a malicious package file and have therefore been classified as arbitrary code execution rather than RCE, which does not require user interaction.
Microsoft has patched five security issues in Exchange. Three of these are RCE vulnerabilities with a CVSSv3 base score of 8.0 and are tracked as CVE-2023-36744, CVE-2023-36745 and CVE-2023-36756.
A SharePoint elevation of privilege patch has been released and is being tracked as CVE-2023-36764.
- Successful exploitation of CVE-2023-36761 results in disclosure of NTLM hashes, which could allow a threat actor to perform a “Pass the Hash” attack and authenticate remotely to a target system without needing to brute-force the hash.
- Successful exploitation of CVE-2023-36802 could grant SYSTEM privileges to a threat actor via the compromise of a kernel driver.
- Successful exploitation of CVE-2023-38148 would likely allow a threat actor to perform arbitrary code execution on the ICS host at SYSTEM level.
- Successful exploitation of CVE-2023-36792, CVE-2023-36793 and CVE-2023-36796 would likely allow a threat actor to perform arbitrary code execution upon a user opening a malicious package file.
- Successful exploitation of CVE-2023-36744, CVE-2023-36745 and CVE-2023-36756 would likely allow a threat actor to perform RCE upon a user opening a malicious package file. However, they must be present on the same local area network (LAN) as the Exchange server and must already possess valid credentials for an Exchange user.
- Successful exploitation of CVE-2023-36764 could allow a threat actor to attain administrator privileges via a specially-crafted ASP.NET page.
- Successful exploitation of CVE-2023-38155 could allow a threat actor to attain administrator privileges, following significant reconnaissance activity.
- Successful exploitation of CVE-2023-33136 could allow a threat actor with Queue Build permissions to modify an overridable input variable to achieve RCE.
In summary, it is likely that the exploitation of these vulnerabilities would lead to a total loss of confidentiality, availability, and integrity of data.
Security patches for these vulnerabilities have been released by Microsoft. Unpatched product versions therefore remain vulnerable to potential exploitation.
A full list of the affected products pertaining to the September 2023 Patch Tuesday can be found on the Microsoft September 2023 Security Update page.
Containment, Mitigations & Remediations
It is strongly recommended that the relevant security patches are applied to the respective Microsoft products as soon as possible. The patches can be found directly at the Microsoft Patch Tuesday September 2023 Security Guide.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Last month, Microsoft published remediations for 87 security flaws in the August 2023 Patch Tuesday release, including 25 RCE vulnerabilities. Moving into the September disclosure, the leading attack vector continues to be RCE (accounting for 40.6% of patched vulnerabilities). Furthermore, information disclosure, denial of service and spoofing vulnerabilities continue to account for a proportion of reported security flaws similar to that seen in August 2023.
No attribution to specific threat actors or groups has been identified at the time of writing.
TA0002 – Execution
TA0004 – Privilege Escalation