Microsoft have released 94 new patches this month with 6 of those rated as Critical and 70 as Important. The patches cover a large number of Windows applications, as well as patches released for GitHub and AutoDesk. Whilst there are a large number of vulnerabilities identified this is becoming usual for Microsoft, and none of them are currently under active attack at time of release.
Outlined below are some of the more critical/important vulnerabilities detailed in this month’s patch Tuesday:
1. CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability: This is rated critical, with a CVSSv3 score of 9.8. An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user. Microsoft have stated that users with Microsoft Defender enabled on their SharePoint Server farms and who have the Anti-Malware Scan Interface (AMSI) enabled are protected. The vulnerability was rated as "Exploitation More Likely" in Microsoft's Exploitability Index.
2. CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 - Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability: These three vulnerabilities each have a CVSSv3 score of 9.8. If exploited, a remote, unauthenticated attacker could send malicious files to the vulnerable target to achieve remote code execution. The vulnerabilities lie in the implementation of the PGM protocol in the Windows message queueing service component. For the system to be vulnerable it must have the Windows messaging queue service enabled.
3. CVE-2023-28310 and CVE-2023-32031 - Microsoft Exchange Server Remote Code Execution Vulnerability: These vulnerabilities allow an authenticated attacker to execute cote, potentially with SYSTEM privileges. They have been classed as Important and not Critical as the attacker first has to be authenticated, however Microsoft have given both a rating of “Exploitation More Likely”.
Adobe has released four patches addressing 18 CVEs. The applications in question are Adobe Animate, Adobe Commerce, Adobe Experience Manager and Substance 3D Designer.
Adobe Animate – 1 critical vulnerability
- CVE-2023-29321 - Arbitrary code execution
Adobe Commerce – 2 critical vulnerabilities
- CVE-2023-29297 - Arbitrary code execution
- CVE-2023-22248 - Security feature bypass
Adobe Experience Manager – 0 critical vulnerabilities
Substance 3D Designer – 1 critical vulnerability
- CVE-2023-21618 - Arbitrary code execution
Over the weekend Fortinet released a critical 9.2 CVSSv3 affecting it’s FortiOS firmware, against an undisclosed pre-authentication remote code execution vulnerability in SSL VPN devices, tracked as CVE-2023-27997. Patches have been released and the list of affected products is available here: Fortinet - FG-IR-23-097