A smorgasbord for June’s Patch Tuesday
Credit to Author: Angela Gunn| Date: Tue, 13 Jun 2023 21:05:13 +0000
Microsoft on Tuesday released patches for 69 vulnerabilities, including four critical-severity issues in Windows and one each in SharePoint and Visual Studio / .NET. As usual, the largest number of addressed vulnerabilities affect Windows, with 38 CVEs. Patches applicable to both .NET and Visual Studio account for nine of the remainder. Office takes six patches; SharePoint, five. Azure, Exchange, .NET (without Visual Studio), and Visual Studio (without .NET) each get two. Dynamics 365, PowerApps, and YARP (Yet Another Reverse Proxy, related to both .NET and NuGet) each get one.
In a heavier-than-usual month for announcements concerning patches not directly handled by Microsoft, the company is also providing information on 25 patches from Chromium (Google), GitHub, Autodesk, and… Microsoft. The situation around those 25 information-only announcements is a bit tangled. Not only are there far more than usual (and this with no Adobe patches flagged, though Adobe did release updates on its own today) but the 17 Chromium patches affecting the Edge browser hail from both Google and Microsoft itself. One of the 17, CVE-2023-3079, a V8 type-confusion issue patched by Google on June 5, is known to be under exploit in the wild. (V8 is a JavaScript engine developed by the Chromium Project and used in a variety of applications, Edge among them.)
At patch time, none of the issues this month have been publicly disclosed (aside from the information published about the info-only patches released prior to June 13). However, Microsoft cautions that eight of the issues addressed are more likely to be exploited in either the latest or earlier versions of the affected product soon (that is, within the next 30 days). Microsoft once again this month offered no guidance overview on exploitation likelihood in earlier versions versus latest versions for any of their patches.
Elsewhere on the patching scene, Fortinet this week published a security advisory for a critical-class SSL-VPN vulnerability under active exploit in the wild. CVE-2023-27997 affects FortiOS and FortiProxy SSL-VPN. A remote-code execution issue, it affects multiple versions of the software and was discovered by Fortinet’s own researchers, along with external researchers engaged in responsible disclosure. during a code audit after a previous incident. Fortinet customers are urged to review the available information and patch their devices soon; the Sophos MDR team is monitoring the situation as it unfolds.
We are including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft’s guidance we’ll treat the three Edge patches (CVE-2023-29345, CVE-2023-33143, CVE-2023-33145) with Microsoft-assigned CVE numbers as information-only; they are not included in any of the totals or charts that follow.
By the Numbers
- Total Microsoft CVEs: 69
- Total advisories shipping in update: 0
- Publicly disclosed: 0
- Known-exploited: 0
- Severity
- Critical: 6
- Important: 62
- Moderate: 1
- Impact
- Remote Code Execution: 26
- Elevation of Privilege: 17
- Denial of Service: 10
- Spoofing: 9
- Information Disclosure: 4
- Security Feature Bypass: 3
Figure 1: Remote code execution issues once again top the charts in June
Products
- Windows: 38
- .NET and Visual Studio: 9
- Office: 6
- SharePoint: 5
- Azure: 2
- Exchange: 2
- .NET (no Visual Studio): 2
- Visual Studio (no .NET): 2
- Dynamics 365: 1
- Power Apps: 1
- YARP: 1
In addition to the 17 Chromium / Edge patches discussed above, Microsoft also acknowledged three Autodesk-related CVEs and five GitHub-related CVEs in this month patch-release announcements. All eight of these issues were patched on Tuesday, and Microsoft mentions them in their own Patch Tuesday release to state that the latest version of Visual Stupid is hereby protected. It’s less clear, though that older versions of Visual Studio are likewise protected; system administrators tending older systems should proceed with caution.
Figure 2: Windows accounts for more than half of June’s patches, but there are plenty to go around
Notable June updates
CVE-2023-29357 — Microsoft SharePoint Server Elevation of Privilege Vulnerability
The only update this month with the dubious distinction of being both critical-class and more likely to be exploited in the next 30 days, this issue also sports a 9.8 CVSS base score, making it the month’s leading item of concern. According to the information available, an attacker who has gained access to spoofed JWT (JSON Web Token) authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user — no privileges nor user action required. The bulletin takes pains to let sysadmins know they too must take pains: The fix includes multiple patches for SharePoint Foundation Server 2013, SharePoint Enterprise Server 2016, or SharePoint Server 2019, and all applicable patches have to be applied. There’s a slight silver lining for on-premises customers: If ASMI (the Advanced System Management Interface) is enabled, you’re okay.
CVE-2023-29363 — Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-32014 — Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-32015 — Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Less likely to be exploited in the next 30 days but still concerning, these three critical-class RCEs share a name and a focus on Pragmatic General Multicast, and are described similarly by the company: When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. Exploitation of any of these requires that the target system have the Windows message queuing service enabled, which may prove a mitigation for some systems.
CVE-2023-29353 – Sysinternals Process Monitor for Windows Denial of Service Vulnerability
While not particularly exciting in itself, this Important-class denial of service issue is the only one delivering its patches via the Microsoft Store this month. According to Microsoft, successful exploitation of this vulnerability requires an attacker to create the ProcMon exploit file, which is complicated. In addition, there are several aspects left to pure luck regarding how memory within ProcMon is laid out.
CVE-2023-33146 — Microsoft Office Remote Code Execution Vulnerability
This important-class RCE involves SketchUp graphics, and Microsoft has published information on how to disable the ability to insert those in Office files while things get sorted out. Admins of Mac systems should take that advice seriously, since although the vulnerability appears to affect that platform as well as Windows, there’s not a patch yet for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021. Microsoft hasn’t given a date yet for those fixes, but says they’ll update the CVE information when it’s ready.
Figure 3: As we near the halfway point of the year, the overall patch count is below that of 2022 for every type of vulnerability
Sophos protections
As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.
Appendix A: Vulnerability Impact and Severity
This is a list of June’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.
Remote Code Execution (26 CVEs)
Critical severity | |
CVE-2023-24897 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability |
CVE-2023-29363 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
CVE-2023-32014 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
Important severity | |
CVE-2023-24895 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability |
CVE-2023-28310 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-29326 | .NET Framework Remote Code Execution Vulnerability |
CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability |
CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability |
CVE-2023-29365 | Windows Media Remote Code Execution Vulnerability |
CVE-2023-29366 | Windows Geolocation Service Remote Code Execution Vulnerability |
CVE-2023-29367 | iSCSI Target WMI Provider Remote Code Execution Vulnerability |
CVE-2023-29370 | Windows Media Remote Code Execution Vulnerability |
CVE-2023-29372 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
CVE-2023-29373 | Microsoft ODBC Driver Remote Code Execution Vulnerability |
CVE-2023-32008 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability |
CVE-2023-32017 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability |
CVE-2023-32018 | Windows Hello Remote Code Execution Vulnerability |
CVE-2023-32029 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-33126 | .NET and Visual Studio Remote Code Execution Vulnerability |
CVE-2023-33128 | .NET and Visual Studio Remote Code Execution Vulnerability |
CVE-2023-33131 | Microsoft Outlook Remote Code Execution Vulnerability |
CVE-2023-33133 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2023-33137 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2023-33146 | Microsoft Office Remote Code Execution Vulnerability |
Elevation of Privilege (17 CVEs)
Critical severity | |
CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
Important severity | |
CVE-2023-29346 | NTFS Elevation of Privilege Vulnerability |
CVE-2023-29351 | Windows Group Policy Elevation of Privilege Vulnerability |
CVE-2023-29358 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-29359 | GDI Elevation of Privilege Vulnerability |
CVE-2023-29360 | Windows TPM Device Driver Elevation of Privilege Vulnerability |
CVE-2023-29361 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
CVE-2023-29364 | Windows Authentication Elevation of Privilege Vulnerability |
CVE-2023-29368 | Windows Filtering Platform Elevation of Privilege Vulnerability |
CVE-2023-29371 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-32009 | Windows Collaborative Translation Framework Elevation of Privilege Vulnerability |
CVE-2023-32010 | Windows Bus Filter Driver Elevation of Privilege Vulnerability |
CVE-2023-32012 | Windows Container Manager Service Elevation of Privilege Vulnerability |
CVE-2023-32032 | .NET and Visual Studio Elevation of Privilege Vulnerability |
CVE-2023-33135 | .NET and Visual Studio Elevation of Privilege Vulnerability |
CVE-2023-33142 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
Moderate severity | |
CVE-2023-24936 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability |
Denial of Service (10 CVEs)
Critical severity | |
CVE-2023-32013 | Windows Hyper-V Denial of Service Vulnerability |
Important severity | |
CVE-2023-24937 | Windows CryptoAPI Denial of Service Vulnerability |
CVE-2023-24938 | Windows CryptoAPI Denial of Service Vulnerability |
CVE-2023-29331 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability |
CVE-2023-29353 | Sysinternals Process Monitor for Windows Denial of Service Vulnerability |
CVE-2023-29369 | Remote Procedure Call Runtime Denial of Service Vulnerability |
CVE-2023-32011 | Windows iSCSI Discovery Service Denial of Service Vulnerability |
CVE-2023-32030 | .NET and Visual Studio Denial of Service Vulnerability |
CVE-2023-33129 | Microsoft SharePoint Denial of Service Vulnerability |
CVE-2023-33141 | Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability |
Spoofing (9 CVEs)
Important severity | |
CVE-2023-21565 | Azure DevOps Server Spoofing Vulnerability |
CVE-2023-21569 | Azure DevOps Server Spoofing Vulnerability |
CVE-2023-24896 | Dynamics Finance and Operations Cross-site Scripting Vulnerability |
CVE-2023-32020 | Windows DNS Spoofing Vulnerability |
CVE-2023-32024 | Microsoft Power Apps Spoofing Vulnerability |
CVE-2023-33130 | Microsoft SharePoint Server Spoofing Vulnerability |
CVE-2023-33132 | Microsoft SharePoint Server Spoofing Vulnerability |
CVE-2023-33140 | Microsoft OneNote Spoofing Vulnerability |
CVE-2023-33144 | Visual Studio Code Spoofing Vulnerability |
Information Disclosure (4 CVEs)
Important severity | |
CVE-2023-29355 | DHCP Server Service Information Disclosure Vulnerability |
CVE-2023-32016 | Windows Installer Information Disclosure Vulnerability |
CVE-2023-32019 | Windows Kernel Information Disclosure Vulnerability |
CVE-2023-33139 | Visual Studio Information Disclosure Vulnerability |
Security Feature Bypass (3 CVEs)
Important severity | |
CVE-2023-29352 | Windows Remote Desktop Security Feature Bypass Vulnerability |
CVE-2023-32021 | Windows SMB Witness Service Security Feature Bypass Vulnerability |
CVE-2023-32022 | Windows Server Service Security Feature Bypass Vulnerability |
Appendix B: Exploitability
This is a list of the June CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE.
Exploitation more likely | |
CVE-2023-28310 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
CVE-2023-29358 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-29359 | GDI Elevation of Privilege Vulnerability |
CVE-2023-29360 | Windows TPM Device Driver Elevation of Privilege Vulnerability |
CVE-2023-29361 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
CVE-2023-29371 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability |
Appendix C: Products Affected
This is a list of June’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE.
Windows (38 CVEs)
Critical severity | |
CVE-2023-29363 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
CVE-2023-32013 | Windows Hyper-V Denial of Service Vulnerability |
CVE-2023-32014 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
Important severity | |
CVE-2023-24937 | Windows CryptoAPI Denial of Service Vulnerability |
CVE-2023-24938 | Windows CryptoAPI Denial of Service Vulnerability |
CVE-2023-29346 | NTFS Elevation of Privilege Vulnerability |
CVE-2023-29351 | Windows Group Policy Elevation of Privilege Vulnerability |
CVE-2023-29352 | Windows Remote Desktop Security Feature Bypass Vulnerability |
CVE-2023-29353 | Sysinternals Process Monitor for Windows Denial of Service Vulnerability |
CVE-2023-29355 | DHCP Server Service Information Disclosure Vulnerability |
CVE-2023-29358 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-29359 | GDI Elevation of Privilege Vulnerability |
CVE-2023-29360 | Windows TPM Device Driver Elevation of Privilege Vulnerability |
CVE-2023-29361 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability |
CVE-2023-29364 | Windows Authentication Elevation of Privilege Vulnerability |
CVE-2023-29365 | Windows Media Remote Code Execution Vulnerability |
CVE-2023-29366 | Windows Geolocation Service Remote Code Execution Vulnerability |
CVE-2023-29367 | iSCSI Target WMI Provider Remote Code Execution Vulnerability |
CVE-2023-29368 | Windows Filtering Platform Elevation of Privilege Vulnerability |
CVE-2023-29369 | Remote Procedure Call Runtime Denial of Service Vulnerability |
CVE-2023-29370 | Windows Media Remote Code Execution Vulnerability |
CVE-2023-29371 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-29372 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
CVE-2023-29373 | Microsoft ODBC Driver Remote Code Execution Vulnerability |
CVE-2023-32008 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability |
CVE-2023-32009 | Windows Collaborative Translation Framework Elevation of Privilege Vulnerability |
CVE-2023-32010 | Windows Bus Filter Driver Elevation of Privilege Vulnerability |
CVE-2023-32011 | Windows iSCSI Discovery Service Denial of Service Vulnerability |
CVE-2023-32012 | Windows Container Manager Service Elevation of Privilege Vulnerability |
CVE-2023-32016 | Windows Installer Information Disclosure Vulnerability |
CVE-2023-32017 | Microsoft PostScript Printer Driver Remote Code Execution Vulnerability |
CVE-2023-32018 | Windows Hello Remote Code Execution Vulnerability |
CVE-2023-32019 | Windows Kernel Information Disclosure Vulnerability |
CVE-2023-32020 | Windows DNS Spoofing Vulnerability |
CVE-2023-32021 | Windows SMB Witness Service Security Feature Bypass Vulnerability |
CVE-2023-32022 | Windows Server Service Security Feature Bypass Vulnerability |
NET and Visual Studio (9 CVEs)
Critical severity | |
CVE-2023-24897 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability |
Important severity | |
CVE-2023-24895 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability |
CVE-2023-29331 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability |
CVE-2023-32030 | .NET and Visual Studio Denial of Service Vulnerability |
CVE-2023-32032 | .NET and Visual Studio Elevation of Privilege Vulnerability |
CVE-2023-33126 | .NET and Visual Studio Remote Code Execution Vulnerability |
CVE-2023-33128 | .NET and Visual Studio Remote Code Execution Vulnerability |
CVE-2023-33135 | .NET and Visual Studio Elevation of Privilege Vulnerability |
Moderate severity | |
CVE-2023-24936 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability |
Office (6 CVEs)
Important severity | |
CVE-2023-32029 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2023-33131 | Microsoft Outlook Remote Code Execution Vulnerability |
CVE-2023-33133 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2023-33137 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2023-33140 | Microsoft OneNote Spoofing Vulnerability |
CVE-2023-33146 | Microsoft Office Remote Code Execution Vulnerability |
SharePoint (5 CVEs)
Critical severity | |
CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
Important severity | |
CVE-2023-33129 | Microsoft SharePoint Denial of Service Vulnerability |
CVE-2023-33130 | Microsoft SharePoint Server Spoofing Vulnerability |
CVE-2023-33132 | Microsoft SharePoint Server Spoofing Vulnerability |
CVE-2023-33142 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
Azure (2 CVEs)
Important severity | |
CVE-2023-21565 | Azure DevOps Server Spoofing Vulnerability |
CVE-2023-21569 | Azure DevOps Server Spoofing Vulnerability |
Exchange (2 CVEs)
Important severity | |
CVE-2023-28310 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability |
.NET (no Visual Studio) (2 CVEs)
Important severity | |
CVE-2023-29326 | .NET Framework Remote Code Execution Vulnerability |
CVE-2023-29337 | NuGet Client Remote Code Execution Vulnerability |
Visual Studio (no .NET) (2 CVEs)
Important severity | |
CVE-2023-33139 | Visual Studio Information Disclosure Vulnerability |
CVE-2023-33144 | Visual Studio Code Spoofing Vulnerability |
Dynamics 365 (1 CVE)
Important severity | |
CVE-2023-24896 | Dynamics Finance and Operations Cross-site Scripting Vulnerability |
Power Apps (1 CVE)
Important severity | |
CVE-2023-32024 | Microsoft Power Apps Spoofing Vulnerability |
YARP (1 CVE)
Important severity | |
CVE-2023-33141 | Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability |