In its August Patch Tuesday release, Microsoft has addressed 87 vulnerabilities, 6 of them classified as Critical and 68 as Important. The patches cover a broad array of applications and services, including Office, Defender, .NET Core, Azure Arc, Microsoft Exchange Server, the Windows Kernel, and more. A further 12 Windows and Chromium-based vulnerabilities have been identified, and two advisories have been issued.
This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE) and Elevation of Privilege (EoP). Outlined below are some of the more critical/important vulnerabilities detailed in this month’s Patch Tuesday:
1. CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911 – These are RCE vulnerabilities in Microsoft Message Queuing (MSMQ), with a CVSSv3 score of 9.8 each. Although rated as “Exploitation Less Likely”, they can be exploited by sending malicious packets to a vulnerable MSMQ server, leading to arbitrary code execution.
2. CVE-2023-38180 – A Denial of Service (DoS) vulnerability affecting Microsoft Visual Studio, .NET versions 6.0 and 7.0, and ASP.NET Core 2.1, with a CVSSv3 score of 7.5. This is known to have been exploited in the wild as a zero-day, although no specific details have been released at this time.
3. CVE-2023-21709 – An EoP vulnerability in Microsoft Exchange Server with a CVSSv3 score of 9.8. It allows an unauthenticated attacker to brute-force the password of a valid user account and then gain access to that account. Extra patching steps are required to remediate this issue, so it is highly recommended to refer to Microsoft's advisory for remediation.
4. CVE-2023-38181, CVE-2023-38185, CVE-2023-35368, CVE-2023-38182, CVE-2023-35388 – Additional Microsoft Exchange Server vulnerabilities, some of which are more likely to be exploited. These include Remote Code Execution and Spoofing vulnerabilities. Organisations using Exchange Server should prioritise these patches.
5. CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, and CVE-2023-38154 – EoP vulnerabilities in the Windows Kernel, with CVSSv3 scores of 7.8. Four of these are rated as “Exploitation More Likely”. A local, authenticated attacker could exploit these to obtain SYSTEM privileges.
6. CVE-2023-36900 – An EoP vulnerability in the Windows Common Log File System (CLFS) Driver, with a CVSSv3 score of 7.8, rated as “Exploitation More Likely.” If successfully exploited, this vulnerability would also grant the attacker SYSTEM privileges.
ADV230004 – Memory Integrity System Readiness Scan Tool Defence in Depth Update: This is only an amendment to add resource information in the form of an RSRC (resource) section to the tool.
Microsoft's August Patch Tuesday release has covered an extensive list of applications and services, providing important fixes for potential vulnerabilities. Continuous vigilance and the timely application of security patches remain essential in maintaining a robust cybersecurity posture.
Adobe has released four patches addressing 37 vulnerabilities, with 19 of these rated as critical. The applications in question are Adobe Acrobat and Reader, Commerce, Dimension, and the Adobe XMP Toolkit SDK. These vulnerabilities encompass denial-of-service, security feature bypass, memory leak and arbitrary code execution.
Cisco has so far released four advisories covering five vulnerabilities in August; however, these have been rated either Medium or Informational. The products affected are Cisco AnyConnect Secure Mobility Client and Cisco Secure Client (both on Linux, macOS and Windows), Cisco Secure Web Appliance, Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco BroadWorks CommPilot.
SAP has released 15 new security notes and three updates to previous security notes. Ten of these CVEs are rated “High” or “Hot News” (Very High). The products affected by the high to very high rated CVEs are:
SAP PowerDesigner, SAP ECC and SAP S/4HANA (IS-OIL), SAP Commerce, SAP NetWeaver, SAP Business One, SAP BusinessObjects Business Intelligence, and SAP Message Server.
IBM’s latest data breach findings:
As well as this month’s Patch Tuesday vulnerabilities, we wanted to highlight some of the findings from IBM’s 2023 Cost of a Data Breach Report.
$4.45 million – The average cost of a data breach in 2023, a 2.3% increase from the 2022 average of USD 4.35 million.
$1.76 million – The average reduction in breach cost for organisations that used security AI and automation extensively. Organisations that used these capabilities extensively within their approach also experienced, on average, a 108-day shorter time to identify and contain the breach.
$1.76 million – The cost savings achieved by organisations with high levels of IR planning and testing.
82% – The percentage of breaches that involved data stored in the cloud; public, private, or multiple environments.