Microsoft’s July 2023 Patch Tuesday Addresses 130 CVEs (CVE-2023-36884)

CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability

CVE-2023-36884 is a RCE vulnerability in Microsoft Windows and Office that was assigned a CVSSv3 score of 8.3 and has been exploited in the wild as a zero-day. At the time this blog post was published and this advisory was made public, Microsoft had not released any patches for this vulnerability. However, Microsoft has provided mitigation guidance that can be used to avoid exploitation.

According to researchers at Microsoft, exploitation of CVE-2023-36884 has been attributed to a threat actor known as Storm-0978, also known as DEV-0978 and RomCom, a reference to the backdoor used by the group as part of its attacks. The threat actor is reportedly based out of Russia and is known for conducting ransomware attacks, including extortion-only campaigns, using a ransomware known as Underground. Additionally, the group also conducts intelligence gathering operations that rely on credential theft. Exploitation of CVE-2023-36884 began in June 2023. Targeted regions include Ukraine, North America and Europe while targeted industries include telecommunications and finance. For more information, please refer to Microsoft’s blog post.

Tenable has released Plugin ID 178275: Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) Mitigation which can be used to identify a Windows host that is potentially missing a mitigation for CVE-2023-36884. In order for the plugin to execute, users are required to enable the "Show potential false alarms" setting, also known as paranoid mode.

We recommend enabling only this specific plugin in a paranoid scan. Scan policies configured to have all plugins enabled will see an increase in the number of triggers, as it will include all paranoid plugins during the scan.

CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability

CVE-2023-35311 is a security feature bypass vulnerability in Microsoft Outlook. It was assigned a CVSSv3 score of 8.8 and was exploited in the wild as a zero-day. Exploitation of this flaw requires an attacker to convince a potential victim to click on a malicious URL. Successful exploitation would result in the bypassing of the Microsoft Outlook Security Notice prompt, a feature designed to protect users. Microsoft says that while its Outlook Preview pane feature is an attack vector, user interaction is still required.

CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability

CVE-2023-32046 is an EoP vulnerability in Microsoft’s MSHTML (Trident) engine that was exploited in the wild as a zero-day. It was assigned a CVSSv3 score of 7.8 and patches are available for all supported versions of Windows. To exploit this vulnerability, an attacker would need to create a specially crafted file and use social engineering techniques to convince their target to open the document. Microsoft’s advisory also includes a note suggesting that users who install Security Only updates should also install the Internet Explorer Cumulative update to fully address this vulnerability.

The discovery of CVE-2023-32046 follows CVE-2021-40444, another zero-day flaw in Microsoft’s MSHTML that was exploited in the wild and patched as part of Microsoft’s September 2021’s Patch Tuesday release. It was used by a variety of threat actors, from advanced persistent threat actors and ransomware groups. While CVE-2021-40444 didn’t make our top 5 list in the 2021 Threat Landscape Retrospective, the vulnerability was part of a group of noteworthy vulnerabilities that nearly made our list.

CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability

CVE-2023-36874 is an EoP vulnerability in the Microsoft Windows Error Reporting Service. It was assigned a CVSSv3 score of 7.8 and was exploited in the wild as a zero-day. To exploit this flaw, an attacker would need to have already gained local access to a target system and have certain basic user privileges. Successful exploitation would allow an attacker to obtain administrative privileges on the target system. Discovery of this flaw is credited to Vlad Stolyarov and Maddie Stone, researchers at Google’s Threat Analysis Group (TAG). At the time this blog post was published, no specific details about its exploitation were available.

CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2023-32049 is a security feature bypass vulnerability impacting Windows SmartScreen, an early warning system designed to protect against malicious websites used for phishing attacks or malware distribution. In order to exploit this vulnerability, an attacker would need to convince a user into opening a specially crafted URL. Exploitation would allow the attacker to bypass the “Open File” warning prompt and compromise the victim's machine. This vulnerability was exploited in the wild as a zero-day and was assigned a CVSSv3 score of 8.8.

This vulnerability is similar to other mark of the web (MOTW) vulnerabilities patched by Microsoft in which malicious files could evade MOTW defenses. CVE-2022-44698 is a recent example of another zero-day vulnerability that was exploited in the wild and patched in the December 2022 Patch Tuesday release.

CVE-2023-29347 | Windows Admin Center Spoofing Vulnerability

CVE-2023-29347 is a spoofing vulnerability in Windows Admin Center (WAC) assigned a CVSSv3 score of 8.7 and a max severity rating of important. The vulnerability lies in the web server component of WAC, however malicious scripts would execute on a victims browser, so Microsoft’s CVSS scoring reflects this as a scope change. There are several ways a remote, authenticated attacker can exploit the vulnerability: through a malicious script imported into the WAC HTML form, through a.csv file imported to the user interface or through the WAC API. Successful exploitation allows the attacker to perform operations on the WAC server using the privileges of the victim.

CVE-2023-35365, CVE-2023-35366 and CVE-2023-35367 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

CVE-2023-35365, CVE-2023-35366, CVE-2023-35367 are RCE vulnerabilities in the Windows Routing and Remote Access Service (RRAS) of Windows operating systems, each of which were assigned a CVSSv3 score of 9.8. RRAS is a service in Windows that can be used as a VPN gateway or router. Exploitation requires an attacker to send crafted packets to an impacted server. RRAS is not installed or configured in Windows by default and those users who have not enabled the feature are not impacted by these vulnerabilities. Microsoft has given these vulnerabilities a rating of “Exploitation less likely” using the Microsoft Exploitability Index

CVE-2023-32057 | Microsoft Message Queuing Remote Code Execution Vulnerability

CVE-2023-32057 is a RCE vulnerability in the Microsoft Message Queuing (MSMQ) component of Windows operating systems that was given a CVSSv3 score of 9.8 and a rating of critical. A remote unauthenticated attacker can exploit this vulnerability by sending malicious MSMQ packets to a vulnerable MSMQ server leading to arbitrary code execution. For successful exploitation, the Message Queuing service needs to be enabled on the vulnerable server. Microsoft says if the service is enabled, that it runs under the service name “Message Queuing” and is listening on TCP port 1801. Microsoft rated this vulnerability as “Exploitation less likely” using the Microsoft Exploitability Index.