Josh Philliban
Cyber Security Assessor
Josh Philliban Linked In
Microsoft
In their September Patch Tuesday release, Microsoft has addressed 59 vulnerabilities, with 5 of those rated as Critical and 2 being zero-day vulnerabilities. The patches cover a broad array of applications and services, including Windows, Visual Studio, Exchange, .Net, Office, SharePoint, Azure, and more. Additionally, there have been 5 Edge/Chromium based vulnerabilities identified, although no advisory notes have been issued.
This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and Information Disclosure. Outlined below are some of the more critical/important vulnerabilities detailed in this month’s Patch Tuesday:
Critical
1. CVE-2023-38148 – This is an RCE vulnerability in Internet Connection Sharing (ICS) that could allow an attacker to execute arbitrary code on a system by sending a specially crafted packet to the ICS service. It has a CVSS score of 8.8 and is rated as “Exploitation More Likely”. Although it is rated as more likely, this vulnerability requires ICS to be enabled, which is not the default setting, and the attacker to be on the same network segment as the target system. Users who have ICS enabled should patch this vulnerability to prevent potential attacks.
2. CVE-2023-36796, CVE-2023-36793, and CVE-2023-36792 - These are RCE vulnerabilities in Visual Studio that could allow an attacker to run arbitrary code on a local machine by convincing a user to open a specially crafted package file. These vulnerabilities affect all versions of the .NET Framework from 3.5 onward, and Microsoft Visual Studio versions starting from 2017. These have a CVSS score of 7.8 and Microsoft advises users to update their Visual Studio clients as soon as possible. No active exploits or proof of concepts have been reported for these vulnerabilities.
Important
1. CVE-2023-36761 – This is an information disclosure vulnerability in Microsoft Word that could allow an attacker to obtain NTLM password hashes of a user by sending a specially crafted document and convincing the user to view it in the preview pane. This vulnerability has been exploited in the wild and exploit code is publicly available. Microsoft rates this vulnerability as important and assigns it a CVSS score of 6.2. Although this vulnerability is only rated as Important, it has a low complexity of attack, requires no elevated privileges or user interaction, and has been actively exploited in the wild. Users are advised to patch this vulnerability as soon as possible to prevent credential theft and account compromise.
2. CVE-2023-36802 - This is an EoP vulnerability in Microsoft Streaming Service Proxy that could allow an attacker to gain SYSTEM-level privileges on a system by sending a specially crafted request to the service. This vulnerability has also been exploited in the wild and Microsoft rates it as important with a CVSS score of 7.8. Users should patch this vulnerability as soon as possible to prevent unauthorized access and control of their systems.
3. CVE-2023-36744, CVE-2023-36745 and CVE-2023-36756 – These are RCE vulnerabilities in Microsoft Exchange Server that could allow an attacker to run arbitrary code on a server. These all have a CVSS score of 8.0 and are rated as “Exploitation More Likely”, however the attacker must be authenticated with LAN-access and have credentials for a valid Exchange user. Exploitation of these vulnerabilities could lead to total loss of Confidentiality, Integrity, and Availability of data. Although the vulnerabilities have been detailed in September’s Patch release, users who have already August 2023 security updates are already protected from this vulnerability.
Adobe
Adobe has released three patches addressing just 5 vulnerabilities this month, however only one of these is rated as critical. The applications in question are Adobe Acrobat and Reader, Connect, and Experience Manager. All of these vulnerabilities result in Arbitrary Code Execution, with the critical Acrobat and Reader vulnerability (CVE-2023-26369 – CVSS score of 7.8) being the highest priority to patch.
Cisco
Cisco have so far released 6 advisories for 7 vulnerabilities in September, with the impact ratings ranging from Critical to Medium, with one having been exploited in the wild. The products affected are the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform, Cisco Identity Services Engine (ISE) Policy Service Nodes (PSNs) that are configured with RADIUS, Cisco HyperFlex HX Data Platform, Cisco Identity Services Engine again, Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software – exploited in the wild, and the following Cisco Small Business products:
- RV110W Wireless-N VPN Firewalls
- RV130 VPN Routers
- RV130W Wireless-N Multifunction VPN Routers
- RV215W Wireless-N VPN Routers
SAP
SAP has released 15 new security notes and 5 updates to previous security notes. Seven of these CVEs are rated “High” or “Hot News” (Very High). The products affected by the high to very high rated CVEs are:
- SAP Business Client
- SAP BusinessObjects Business Intelligence Platform
- SAP NetWeaver Process Integration
- SAP Business Objects Business Intelligence Platform
- SAP CommonCryptoLib
- SAP NetWeaver AS ABAP
- SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise
- SAP Web Dispatcher
- SAP Content Server
- SAP HANA Database
- SAP Host Agent
- SAP Extended Application Services and Runtime (XSA)
VMware
VMware have released a patch for a vulnerability in the VMware Tools product, affecting both Windows and Linux. This is a SAML token signature bypass vulnerability, that would result in Elevation of Privileges. This vulnerability is rated as Important and has a CVSS score of 7.5.
As always, users are recommended to install the latest security updates as soon as possible to protect their systems from potential threats.