August 2023 Patch Tuesday: Microsoft fixes critical bugs in Teams, MSMQ
August 2023 Patch Tuesday is here; among the 76 CVE-numbered issues fixed by Microsoft this time around is a DoS vulnerability in .NET and Visual Studio (CVE-2023-38180) for which proof-of-exploit code exists.
Other than the fact that a patch is available, practically no other information has been shared by the company about CVE-2023-38180.
Vulnerabilities in Microsoft Office and Exchange Server
There is a Microsoft Office “Defense in Depth Update” available that, according to Microsoft, stops the attack chain leading to CVE-2023-36884, a Windows Search RCE vulnerability that has been previously exploited by Russian hackers in targeted attacks.
“Microsoft recommends installing the Office updates discussed in this advisory as well as installing the Windows updates from August 2023,” the company says. (Though, at the time of writing, the advisory for CVE-2023-36884 still points to the July cumulative Windows updates.)
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, says that although it has been rated Important, CVE-2023-21709 – an elevation of privilege in Microsoft Exchange – should be considered Critical.
“This vulnerability allows a remote, unauthenticated attacker to log in as another user. In this case, you’re elevating from no permissions to being able to authenticate to the server, which makes all of those post-authentication exploits (…) viable,” he noted.
“To address CVE-2023-21709, administrators must perform additional actions and can run the CVE-2023-21709.ps1 script that we have released,” says the Microsoft Exchange team says.
“We have validated the script and CVE resolution on supported versions of Exchange Server only. We recommend updating to August [security updates] first and then running the script.”
Vulnerabilities in Microsoft Teams and Message Queuing
On this August 2023 Patch Tuesday, Childs also flagged CVE-2023-29328 and CVE-2023-29330, two flaws affecting Microsoft Teams that could be exploited by an attacker after they convince the victim to join a Microsoft Teams meeting.
Microsoft (naturally) doesn’t say how the bugs can be exploited, but says that they may allow an unprivileged attacker to perform remote code execution in the context of the victim user, access the victim’s information and alter it, and potentially cause downtime for the client machine.
Other critical vulnerabilities fixed this time around are three RCE flaws in Microsoft Message Queuing (MSMQ) and an Outlook RCE (CVE-2023-36895).
“There are 11 total bugs impacting Message Queuing getting fixed this month, and it’s clear that the research community is paying close attention to this service. While we haven’t detected active exploits targeting Message Queuing yet, it’s like just a matter of time as example PoCs exist. You can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly,” Childs advised.
“While MSMQ is not enabled by default and is less common today, any device with it enabled is at critical risk,” noted Automox CISO Jason Kikta, and pointed users towards a Worklet that can help users check to see if the service is enabled and listening on TCP port 1801, stop the service and disable it from starting, and create an inbound firewall block rule for TCP port 1801 to prevent exploitation attacks over the network.