Rawpixel.com - stock.adobe.com

November Patch Tuesday heralds five new MS zero-days

Microsoft pushes fixes for five new zero-days in its latest monthly update

Microsoft has issued fixes for a total of five zero-day vulnerabilities on the penultimate Patch Tuesday of 2023, three of them known to have already been exploited in the wild.

With a total of just over 60 issues resolved this month, the November Patch Tuesday drop is by no means the largest of recent months and ranges across a smaller number of products than is typically seen.

The three exploited zero-days are tracked as CVE-2023-36025, a security feature bypass in Windows SmartScreen; CVE-2023-36033, an elevation of privilege (EoP) vulnerability in Windows DWM Core Library; and CVE-2023-36036, an EoP vulnerability in Windows Cloud Files Mini Filter Driver. Out of these, an exploit has been publicly disclosed for the second, and all three have already made it into the CISA Known Exploited Vulnerabilities hall of fame.

The two other zero-days – which have been made public but not yet exploited – are CVE-2023-36038, a denial of service vulnerability in ASP.NET Core, and CVE-2023-36413, a security feature bypass in Microsoft Office.

Four out of the five carry CVSS scores of over 7, making them of high severity by that metric, while the Microsoft Office issue carries a lower score of 6.5, meaning it is considered of high severity.

There are also three critical bugs, although none of them disclosed or exploited yet. These are tracked as CVE-2023-36052, an information disclosure vulnerability in Azure CLI Rest Command; CVE-2023-36397 a remote code execution (RCE) vulnerability in Windows Pragmatic General Multicast; and CVE-2023-36400, an EoP vulnerability in Windows HMAC Key Derivation.

Running his eyes over the exploited zero-days, Adam Barnett, lead software engineer at Rapid7, said: “CVE-2023-36025 describes a Windows SmartScreen security feature bypass. An attacker who convinces a user to open a specially crafted malicious internet Shortcut file could bypass the anti-phishing and anti-malware protection provided by Windows SmartScreen. This could be abused as an early stage in a more complex attack chain.

“Originally introduced in Windows Vista, the Windows Dynamic Window Manager (DWM) enables many of the modern UI features which users have come to expect from a Windows OS. This month, the DWM Core Library receives a patch for CVE-2023-36033…Exploitation leads to system privileges, but Microsoft does not provide any further guidance on the attack mechanism.”

Fewer details of the third exploited vulnerability, CVE-2023-36035, are known at this stage, although it too grants an attacker system level privileges, a frequent step along the route taken by attackers as they seek to disable security tools or run credential dumping tools – such as mimikatz – in the service of lateral movement.

Looking to the other zero-days, Mike Walters, Action1 co-founder and president, commented: “CVE-2023-36038 represents a significant vulnerability in ASP.NET Core, capable of causing denial of service. This vulnerability is noteworthy for its network attack vector, low attack complexity, and the fact that it doesn’t require any privileges or user interaction for exploitation.

“The vulnerability can be triggered when HTTP requests to .NET 8 RC 1, running on the IIS InProcess hosting model, are cancelled. This can lead to an increase in the number of threads and potentially cause an OutOfMemoryException. Successful exploitation of this vulnerability could lead to a complete loss of service availability.

Waters said this issue should be high on the list due to the risk of downtime for websites running the vulnerable library, which could easily become subject to a distributed denial-of-service (DDoS) attack as a result of it.

CVE-2023-36413, he explained could become a big problem in short order due to its high potential for exploitation: “It has a network attack vector and is characterised by low attack complexity. While it does not require high-level privileges, user interaction is necessary for exploitation.

“A key aspect of this vulnerability is that it allows attackers to circumvent Office’s protected view, causing documents to open in edit mode instead of the more secure protected mode. Although Microsoft has confirmed the existence of a proof of concept, there is currently no concrete evidence of this vulnerability being exploited in the wild. This nuanced understanding of the vulnerability’s potential impact is essential for prioritising security measures,” said Walters.

Peep the PEAP problem

Elsewhere, other observers have been drawing attention to some of the other more dangerous issues patched this month which don’t necessarily meet the all-important criteria to become a zero-day.

Catching the eye of Natalia Silva, lead cyber security content engineer at Immersive Labs, was CVE-2023-36028, an RCE flaw in Microsoft Protected Extensible Authentication Protocol (PEAP), which is used as a secure authentication framework in wireless networks. This carries a CVSS score of 9.8, making it about as critical as they come.

“This vulnerability could be exploited by an unauthenticated attacker targeting a Microsoft PEAP Server by transmitting specially crafted malicious PEAP packets across the network. This means the attacker does not need any credentials or authentication before launching this attack,” explained Silva.

“If the exploitation by the attacker is successful, the attacker can execute code onto the targeted PEAP server. The secondary effect could be unauthorised access to data, manipulation of data, or any other malicious actions.  

“CVE-2023-36028 has been assigned a high CVSS score of 9.8. However, Microsoft’s exploitation assessment is that exploitation is less likely. This could be due to a combination of the complexity of the exploitation and the frequency of finding PEAP being deployed,” she added.

Historically, Patch Tuesday also sees at least one RCE flaw in Exchange surface, and November 2023 is no exception to this trend. Step forward CVE-2023-36439, which grants system level execution privileges on the Exchange server host.

“The patch notes indicate that an attacker must be authenticated and local to the network, meaning that an attacker must already have gained access to a host in the network,” said Immersive’s senior threat research director Kev Breen.

“This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other vulnerable internal targets – just because your Exchange Server doesn't have internet-facing authentication doesn’t mean it’s protected.  

“If an attacker gained this level of access to an exchange server, they could do a lot of damage to an organisation,” he observed.

The Exchange platform is also beset by three server spoofing vulnerabilities tracked as CVE-2023-36035, CVE-2023-36039, and CVE-2023-36050, all of which require an attacker to have already accessed the local network and to hold valid credentials, but can ultimately lead to credentials or NTLM hashes for other users becoming exposed. Taken hand-in-hand with the RCE bug, said Breen, these should be high on the priority list for anybody running Exchange Server in-house.

Read more about Patch Tuesday

Read more on Application security and coding requirements