Executive Summary
In an effort to provide additional value to our customers RedLegg will be releasing monthly security bulletins for critical vulnerabilities as they are released from major software vendors. RedLegg will provide as much context and information as is available at the time the bulletin is released.
RedLegg will include a brief description of the vulnerability, whether or not an active exploit or POC exists, and then a link to an update if any exists. If no update exists there will be remediation or mitigation suggestions in order to limit the risk that each vulnerability represents.
*Important note: These vulnerabilities are specific to Microsoft’s Patch Tuesday Monthly Security Updates. The included vulnerabilities are not the only vulnerabilities that were recently released; however, these are the vulnerabilities RedLegg has identified as critical and require immediate attention. Vulnerabilities are indexed in order according to evidence of active exploitation and level of severity.
VULNERABILITIES
Windows SmartScreen Security Feature Bypass Vulnerability
Identifier: CVE-2023-360025
Exploit or POC: Yes (Actively Being Exploited)
Update Guide: CVE-2023-36025 – Security Update GuideDescription: CVE-30256 allows for security bypass. User interaction is required for successful exploitation. This vulnerability could allow an adversary to bypass Windows Defender SmartScreen checks and their associated prompts.
Mitigation recommendation: Patching is currently the only method of mitigation. Update to the latest software versions mentioned in the CVE-2023-36025 – Security Update Guide.
Windows DWM Core Library Elevation of Privilege Vulnerability
Identifier: CVE-2023-36033
Exploit or POC: Yes (Actively Being Exploited)
Update Guide: CVE-2023-36033 – Security Update GuideDescription: CVE-2023-36033 allows for elevation of privileges. User interaction is not required to exploit this vulnerability. Successful exploitation could allow an adversary to secure SYSTEM privileges.
Mitigation recommendation: Patching is currently the only method of mitigation. Update to the latest software versions mentioned in the CVE-2023-36033 – Security Update Guide.
Windows Cloud Files Mini Filer Driver Elevation of Privilege Vulnerability
Identifier: CVE-2023-36036
Exploit or POC: Yes (Actively Being Exploited)
Update Guide: CVE-2023-36036 – Security Update GuideDescription: CVE-2023-36036 allows for elevation of privileges. User interaction is not required to exploit this vulnerability. Successful exploitation could allow an adversary to secure SYSTEM privileges.
Mitigation recommendation: Patching is currently the only method of mitigation. Update to the latest software versions mentioned in the CVE-2023-36036 – Security Update Guide.
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Identifier: CVE-2023-36397
Exploit or POC: No
Update Guide: CVE-2023-36397 – Security Update GuideDescription: CVE-2023-36397 allows for remote code execution. User interaction is not required for successful exploitation. An adversary could exploit this vulnerability when Windows message queuing service is running in a PGM Server environment by sending specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.
Mitigation recommendation: Mitigation steps listed here: CVE-2023-36397 – Security Update Guide
Windows HMAC Key Derivation Elevation of Privilege Vulnerability
Identifier: CVE-2023-36400
Exploit or POC: No
Update Guide: CVE-2023-36400 – Security Update GuideDescription: CVE-2023-36400 allows for elevation of privileges. User interaction is not required to exploit this vulnerability. Successful exploitation could allow an adversary to run a specially crafted application that could exploit the vulnerability and take control of an affected system.
Mitigation recommendation: Patching is currently the only method of mitigation. Update to the latest software versions mentioned in the CVE-2023-36400 – Security Update Guide.
Windows Scripting Engine Memory Corruption Vulnerability
Identifier: CVE-2023-36017
Exploit or POC: No
Update Guide: CVE-2023-36017 – Security Update Guide Description: CVE-2023-36017 impacts the JScript9 scripting engine. Successfully exploiting this vulnerability requires user interaction. Successful exploitation of this vulnerability requires a user with an affected version of Windows, access a malicious server. An attacker would have to host a specially crafted server share or website. An adversary would have no way to force users to visit this specially crafted server share or website, thereby would need to employ social engineering tactics convince the target user into visiting the server share or website, typically by way of email or chat message.
Mitigation recommendation: Patching is currently the only method of mitigation. Update to the latest software versions mentioned in the CVE-2023-36017 – Security Update Guide.
Microsoft Exchange Server Spoofing Vulnerability
Identifier: CVE-2023-36035, CVE-2023-36039, and CVE-2023-36050 Exploit or POC: No
Update Guide: CVE-2023-36035 – Security Update Guide, CVE-2023-36039 – Security Update Guide, and CVE-2023-36050 – Security Update Guide
Description: CVE-2023-36035, CVE-2023-36039, and CVE-2023-36050 allow for server spoofing. Successful exploitation does not require user interaction; however, an adversary would need to authenticate with LAN-access and secure credentials to a valid Exchange user to exploit this vulnerability. This vulnerability could allow an adversary to exploit this vulnerability by leveraging the known (Type 4) UnitySerializationHolder gadget through a deserialization of untrusted data.
Mitigation recommendation: Patching is currently the only method of mitigation. Update to the latest software versions mentioned in the CVE-2023-36035 – Security Update Guide, CVE-2023-36039 – Security Update Guide, and CVE-2023-36050 – Security Update Guide.
Microsoft Exchange Server Remote Code Execution Vulnerability
Identifier: CVE-2023-36439
Exploit or POC: No
Update Guide: CVE-2023-36439 – Security Update Guide Description: CVE-2023-36439 allows for remote code execution. Successful exploitation does not require user interaction; however, authentication is required. This vulnerability could allow an adversary to gain remote code execution rights on the server mailbox backend as NT AUTHORITY\SYSTEM.
Mitigation recommendation: Patching is currently the only method of mitigation. Update to the latest software versions mentioned in the CVE-2023-36439 – Security Update Guide.
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Identifier: CVE-2023-36424
Exploit or POC: No
Update Guide: CVE-2023-36424 – Security Update Guide Description: CVE-2023-36424 allows for privilege escalation. User interaction is not required to successfully exploit this vulnerability. This vulnerability could allow an adversary to elevate privileges from Medium Integrity Level to a High Integrity Level.
Mitigation recommendation: Patching is currently the only method of mitigation. Update to the latest software versions mentioned in the CVE-2023-36424 – Security Update Guide.
