For June 2023 Patch Tuesday, Microsoft has delivered 70 new patches but, for once, none of the fixed vulnerabilities are currently exploited by attackers nor were publicly known before today!
Vulnerabilities of note
Dustin Childs, head of threat awareness at Trend Micro Inc.’s Zero Day Initiative, has singled out CVE-2023-29357, a critical elevation of privilege (EoP) vulnerability in Microsoft SharePoint Server 2019, as deserving express patching.
“This bug was one of the bugs chained together during the Pwn2Own Vancouver contest held back in March. This particular bug was used to bypass authentication due to a flaw within the ValidateTokenIssuer method,” he noted.
Jason Kikta, CIO/CISO at Automox, explained further: “An attacker who gains access to spoofed JWT authentication tokens can then use them to execute a network attack, which bypasses authentication and allows them to gain access to the privileges of an authenticated user. The attacker needs no privileges nor does the user need to perform any action.”
Exfiltration of sensitive information is a priority for both criminal and state espionage actors. Therefore, mass exploitation against public-facing SharePoint instances in the near future is likely. Further, an actor is likely to exploit this vulnerability shortly after gaining access to a given internal corporate system, which reduces the potential response time before data is stolen. On-prem customers who have enabled the AMSI feature are protected from this vulnerability, but all others should patch within 24 hours to avoid exploitation.”
Three distinct vulnerabilities (CVE-2023-29363, CVE-2023-32014, CVE-2023-32015) affecting the Windows Pragmatic General Multicast (PGM) protocol installed with the message queuing (MSMQ) service could allow a remote, unauthenticated attacker to execute code on an affected system and should be also patched quickly.
“While not enabled by default, PGM isn’t an uncommon configuration. Let’s hope these bugs get fixed before any active exploitation starts,” Childs pointed out.
Then there’s CVE-2023-32031 – a RCE in Microsoft Exchange Server (2016 and 2109).
The attacker must be authenticated to exploit it, but if that requirement is fulfilled, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call.
“With low attack complexity and privileges and no user interaction required, we recommend patching this one and CVE-2023-28310 within 24 hours to avoid exploitation,” Kitka advised.
“Both flaws are rated as important but are considered more likely to be exploited compared to some of the other vulnerabilities patched this month,” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security.
“Unlike past Microsoft Exchange Server flaws that were rated higher and did not require authentication, these vulnerabilities require an attacker to be authenticated. That said, attackers can still potentially exploit these flaws if they’re able to obtain valid credentials, which is not as difficult as you’d expect.”