A smorgasbord for June’s Patch Tuesday

Credit to Author: Angela Gunn | Date: Tue, 13 Jun 2023 21:05:13 +0000

Microsoft on Tuesday released patches for 69 vulnerabilities, including four critical-severity issues in Windows and one each in SharePoint and Visual Studio / .NET. As usual, the largest number of addressed vulnerabilities affect Windows, with 38 CVEs. Patches applicable to both .NET and Visual Studio account for nine of the remainder. Office takes six patches; SharePoint, five. Azure, Exchange, .NET (without Visual Studio), and Visual Studio (without .NET) each get two. Dynamics 365, PowerApps, and YARP (Yet Another Reverse Proxy, related to both .NET and NuGet) each get one.

In a heavier-than-usual month for announcements concerning patches not directly handled by Microsoft, the company is also providing information on 25 patches from Chromium (Google), GitHub, Autodesk, and… Microsoft. The situation around those 25 information-only announcements is a bit tangled. Not only are there far more than usual (and this with no Adobe patches flagged, though Adobe did release updates on its own today) but the 17 Chromium patches affecting the Edge browser hail from both Google and Microsoft itself. One of the 17, CVE-2023-3079, a V8 type-confusion issue patched by Google on June 5, is known to be under exploit in the wild. (V8 is a JavaScript engine developed by the Chromium Project and used in a variety of applications, Edge among them.)

At patch time, none of the issues this month have been publicly disclosed (aside from the information published about the info-only patches released prior to June 13). However, Microsoft cautions that eight of the issues addressed are more likely to be exploited in either the latest or earlier versions of the affected product soon (that is, within the next 30 days). Once again this month, Microsoft offered no overview guidance on exploitation likelihood in earlier versions versus latest versions for any of its patches.

Elsewhere on the patching scene, Fortinet this week published a security advisory for a critical-class SSL-VPN vulnerability under active exploit in the wild. CVE-2023-27997 affects FortiOS and FortiProxy SSL-VPN. A remote-code execution issue, it affects multiple versions of the software and was discovered by Fortinet’s own researchers, along with external researchers engaged in responsible disclosure, during a code audit after a previous incident. Fortinet customers are urged to review the available information and patch their devices soon; the Sophos MDR team is monitoring the situation as it unfolds.

We are including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft’s guidance we’ll treat the three Edge patches (CVE-2023-29345, CVE-2023-33143, CVE-2023-33145) with Microsoft-assigned CVE numbers as information-only; they are not included in any of the totals or charts that follow.

By the Numbers

  • Total Microsoft CVEs: 69
  • Total advisories shipping in update: 0
  • Publicly disclosed: 0
  • Known-exploited: 0
  • Severity
    • Critical: 6
    • Important: 62
    • Moderate: 1
  • Impact
    • Remote Code Execution: 26
    • Elevation of Privilege: 17
    • Denial of Service: 10
    • Spoofing: 9
    • Information Disclosure: 4
    • Security Feature Bypass: 3

A bar chart showing June bulletin counts by impact and severity; information is covered in text.

Figure 1: Remote code execution issues once again top the charts in June

Products

  • Windows: 38
  • .NET and Visual Studio: 9
  • Office: 6
  • SharePoint: 5
  • Azure: 2
  • Exchange: 2
  • .NET (no Visual Studio): 2
  • Visual Studio (no .NET): 2
  • Dynamics 365: 1
  • Power Apps: 1
  • YARP: 1

In addition to the 17 Chromium / Edge patches discussed above, Microsoft also acknowledged three Autodesk-related CVEs and five GitHub-related CVEs in this month’s patch-release announcements. All eight of these issues were patched on Tuesday, and Microsoft mentions them in its own Patch Tuesday release to state that the latest version of Visual Studio is hereby protected. It’s less clear, though, that older versions of Visual Studio are likewise protected; system administrators tending older systems should proceed with caution.

A bar chart showing product families affected by June patches; information is covered in the article text.

Figure 2: Windows accounts for more than half of June’s patches, but there are plenty to go around

Notable June updates

CVE-2023-29357 — Microsoft SharePoint Server Elevation of Privilege Vulnerability

The only update this month with the dubious distinction of being both critical-class and more likely to be exploited in the next 30 days, this issue also sports a 9.8 CVSS base score, making it the month’s leading item of concern. According to the information available, an attacker who has gained access to spoofed JWT (JSON Web Token) authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user — no privileges nor user action required. The bulletin takes pains to let sysadmins know they too must take pains: The fix includes multiple patches for SharePoint Foundation Server 2013, SharePoint Enterprise Server 2016, or SharePoint Server 2019, and all applicable patches have to be applied. There’s a slight silver lining for on-premises customers: If ASMI (the Advanced System Management Interface) is enabled, you’re okay.

CVE-2023-29363 — Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-32014 — Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-32015 — Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

Less likely to be exploited in the next 30 days but still concerning, these three critical-class RCEs share a name and a focus on Pragmatic General Multicast, and are described similarly by the company: When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. Exploitation of any of these requires that the target system have the Windows message queuing service enabled, which may prove a mitigation for some systems.
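Because the Message Queuing service is the stated precondition for all three PGM issues, an inventory of where it is installed and running helps decide which hosts to patch first. The following PowerShell is an added example, not code from Microsoft or Sophos; it assumes the Windows default service name `MSMQ` and default listener port TCP 1801, and the function name `Test-MsmqExposure` is hypothetical.

```powershell
# Added example: report whether the Message Queuing (MSMQ) service is present,
# running, and listening on each host. Assumptions: default service name 'MSMQ'
# and default listener port TCP 1801; remote hosts must allow PowerShell remoting.
function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on the target host and returns the raw facts.
    $probe = {
        $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
        $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host          = $env:COMPUTERNAME
            Installed     = [bool]$svc
            Status        = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
            StartType     = if ($svc) { "$($svc.StartType)" } else { 'n/a' }
            Listening1801 = [bool]$listener
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $r = & $probe
            } else {
                $r = Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop
            }

            # Classify the host by whether the precondition is currently met.
            if ($r.Installed -and ($r.Status -eq 'Running' -or $r.Listening1801)) {
                $state = 'ServiceRunning'
            } elseif ($r.Installed) {
                $state = 'InstalledNotRunning'
            } else {
                $state = 'NotInstalled'
            }

            $r | Select-Object Host, Installed, Status, StartType, Listening1801,
                @{ Name = 'Precondition'; Expression = { $state } }
        } catch {
            # An unreachable host is reported as unknown, not as safe.
            [pscustomobject]@{
                Host = $name; Installed = $null; Status = 'Unknown'; StartType = 'Unknown'
                Listening1801 = $null; Precondition = 'Unknown'
            }
        }
    }
}

# Example: check the local machine and print a table.
Test-MsmqExposure | Format-Table -AutoSize
```

Hosts reported as `ServiceRunning` meet the precondition described above; `InstalledNotRunning` hosts still need the update, since the service can be started later.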

CVE-2023-29353 – Sysinternals Process Monitor for Windows Denial of Service Vulnerability

While not particularly exciting in itself, this Important-class denial of service issue is the only one delivering its patches via the Microsoft Store this month. According to Microsoft, successful exploitation of this vulnerability requires an attacker to create the ProcMon exploit file, which is complicated. In addition, there are several aspects left to pure luck regarding how memory within ProcMon is laid out.

CVE-2023-33146 — Microsoft Office Remote Code Execution Vulnerability

This important-class RCE involves SketchUp graphics, and Microsoft has published information on how to disable the ability to insert those in Office files while things get sorted out. Admins of Mac systems should take that advice seriously, since although the vulnerability appears to affect that platform as well as Windows, there’s not a patch yet for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021. Microsoft hasn’t given a date yet for those fixes, but says they’ll update the CVE information when it’s ready.

A bar chart showing cumulative bulletin counts from January to June 2023, sorted by impact. RCE leads with just over 175 patches, followed by EoP hovering just above 110.

Figure 3: As we near the halfway point of the year, the overall patch count is below that of 2022 for every type of vulnerability

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of June’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Remote Code Execution (26 CVEs)

Critical severity
CVE-2023-24897: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVE-2023-29363: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-32014: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-32015: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Important severity
CVE-2023-24895: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVE-2023-28310: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-29326: .NET Framework Remote Code Execution Vulnerability
CVE-2023-29337: NuGet Client Remote Code Execution Vulnerability
CVE-2023-29362: Remote Desktop Client Remote Code Execution Vulnerability
CVE-2023-29365: Windows Media Remote Code Execution Vulnerability
CVE-2023-29366: Windows Geolocation Service Remote Code Execution Vulnerability
CVE-2023-29367: iSCSI Target WMI Provider Remote Code Execution Vulnerability
CVE-2023-29370: Windows Media Remote Code Execution Vulnerability
CVE-2023-29372: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-29373: Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-32008: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
CVE-2023-32017: Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
CVE-2023-32018: Windows Hello Remote Code Execution Vulnerability
CVE-2023-32029: Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-32031: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-33126: .NET and Visual Studio Remote Code Execution Vulnerability
CVE-2023-33128: .NET and Visual Studio Remote Code Execution Vulnerability
CVE-2023-33131: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2023-33133: Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-33137: Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-33146: Microsoft Office Remote Code Execution Vulnerability

Elevation of Privilege (17 CVEs)

Critical severity
CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability
Important severity
CVE-2023-29346: NTFS Elevation of Privilege Vulnerability
CVE-2023-29351: Windows Group Policy Elevation of Privilege Vulnerability
CVE-2023-29358: Windows GDI Elevation of Privilege Vulnerability
CVE-2023-29359: GDI Elevation of Privilege Vulnerability
CVE-2023-29360: Windows TPM Device Driver Elevation of Privilege Vulnerability
CVE-2023-29361: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-29364: Windows Authentication Elevation of Privilege Vulnerability
CVE-2023-29368: Windows Filtering Platform Elevation of Privilege Vulnerability
CVE-2023-29371: Windows GDI Elevation of Privilege Vulnerability
CVE-2023-32009: Windows Collaborative Translation Framework Elevation of Privilege Vulnerability
CVE-2023-32010: Windows Bus Filter Driver Elevation of Privilege Vulnerability
CVE-2023-32012: Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2023-32032: .NET and Visual Studio Elevation of Privilege Vulnerability
CVE-2023-33135: .NET and Visual Studio Elevation of Privilege Vulnerability
CVE-2023-33142: Microsoft SharePoint Server Elevation of Privilege Vulnerability
Moderate severity
CVE-2023-24936: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

Denial of Service (10 CVEs)

Critical severity
CVE-2023-32013: Windows Hyper-V Denial of Service Vulnerability
Important severity
CVE-2023-24937: Windows CryptoAPI Denial of Service Vulnerability
CVE-2023-24938: Windows CryptoAPI Denial of Service Vulnerability
CVE-2023-29331: .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
CVE-2023-29353: Sysinternals Process Monitor for Windows Denial of Service Vulnerability
CVE-2023-29369: Remote Procedure Call Runtime Denial of Service Vulnerability
CVE-2023-32011: Windows iSCSI Discovery Service Denial of Service Vulnerability
CVE-2023-32030: .NET and Visual Studio Denial of Service Vulnerability
CVE-2023-33129: Microsoft SharePoint Denial of Service Vulnerability
CVE-2023-33141: Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability

Spoofing (9 CVEs)

Important severity
CVE-2023-21565: Azure DevOps Server Spoofing Vulnerability
CVE-2023-21569: Azure DevOps Server Spoofing Vulnerability
CVE-2023-24896: Dynamics Finance and Operations Cross-site Scripting Vulnerability
CVE-2023-32020: Windows DNS Spoofing Vulnerability
CVE-2023-32024: Microsoft Power Apps Spoofing Vulnerability
CVE-2023-33130: Microsoft SharePoint Server Spoofing Vulnerability
CVE-2023-33132: Microsoft SharePoint Server Spoofing Vulnerability
CVE-2023-33140: Microsoft OneNote Spoofing Vulnerability
CVE-2023-33144: Visual Studio Code Spoofing Vulnerability

Information Disclosure (4 CVEs)

Important severity
CVE-2023-29355: DHCP Server Service Information Disclosure Vulnerability
CVE-2023-32016: Windows Installer Information Disclosure Vulnerability
CVE-2023-32019: Windows Kernel Information Disclosure Vulnerability
CVE-2023-33139: Visual Studio Information Disclosure Vulnerability

Security Feature Bypass (3 CVEs)

Important severity
CVE-2023-29352: Windows Remote Desktop Security Feature Bypass Vulnerability
CVE-2023-32021: Windows SMB Witness Service Security Feature Bypass Vulnerability
CVE-2023-32022: Windows Server Service Security Feature Bypass Vulnerability

Appendix B: Exploitability

This is a list of the June CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE.

Exploitation more likely
CVE-2023-28310: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability
CVE-2023-29358: Windows GDI Elevation of Privilege Vulnerability
CVE-2023-29359: GDI Elevation of Privilege Vulnerability
CVE-2023-29360: Windows TPM Device Driver Elevation of Privilege Vulnerability
CVE-2023-29361: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-29371: Windows GDI Elevation of Privilege Vulnerability
CVE-2023-32031: Microsoft Exchange Server Remote Code Execution Vulnerability

Appendix C: Products Affected

This is a list of June’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE.

Windows (38 CVEs)

Critical severity
CVE-2023-29363: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-32013: Windows Hyper-V Denial of Service Vulnerability
CVE-2023-32014: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
CVE-2023-32015: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Important severity
CVE-2023-24937: Windows CryptoAPI Denial of Service Vulnerability
CVE-2023-24938: Windows CryptoAPI Denial of Service Vulnerability
CVE-2023-29346: NTFS Elevation of Privilege Vulnerability
CVE-2023-29351: Windows Group Policy Elevation of Privilege Vulnerability
CVE-2023-29352: Windows Remote Desktop Security Feature Bypass Vulnerability
CVE-2023-29353: Sysinternals Process Monitor for Windows Denial of Service Vulnerability
CVE-2023-29355: DHCP Server Service Information Disclosure Vulnerability
CVE-2023-29358: Windows GDI Elevation of Privilege Vulnerability
CVE-2023-29359: GDI Elevation of Privilege Vulnerability
CVE-2023-29360: Windows TPM Device Driver Elevation of Privilege Vulnerability
CVE-2023-29361: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-29362: Remote Desktop Client Remote Code Execution Vulnerability
CVE-2023-29364: Windows Authentication Elevation of Privilege Vulnerability
CVE-2023-29365: Windows Media Remote Code Execution Vulnerability
CVE-2023-29366: Windows Geolocation Service Remote Code Execution Vulnerability
CVE-2023-29367: iSCSI Target WMI Provider Remote Code Execution Vulnerability
CVE-2023-29368: Windows Filtering Platform Elevation of Privilege Vulnerability
CVE-2023-29369: Remote Procedure Call Runtime Denial of Service Vulnerability
CVE-2023-29370: Windows Media Remote Code Execution Vulnerability
CVE-2023-29371: Windows GDI Elevation of Privilege Vulnerability
CVE-2023-29372: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-29373: Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-32008: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
CVE-2023-32009: Windows Collaborative Translation Framework Elevation of Privilege Vulnerability
CVE-2023-32010: Windows Bus Filter Driver Elevation of Privilege Vulnerability
CVE-2023-32011: Windows iSCSI Discovery Service Denial of Service Vulnerability
CVE-2023-32012: Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2023-32016: Windows Installer Information Disclosure Vulnerability
CVE-2023-32017: Microsoft PostScript Printer Driver Remote Code Execution Vulnerability
CVE-2023-32018: Windows Hello Remote Code Execution Vulnerability
CVE-2023-32019: Windows Kernel Information Disclosure Vulnerability
CVE-2023-32020: Windows DNS Spoofing Vulnerability
CVE-2023-32021: Windows SMB Witness Service Security Feature Bypass Vulnerability
CVE-2023-32022: Windows Server Service Security Feature Bypass Vulnerability

.NET and Visual Studio (9 CVEs)

Critical severity
CVE-2023-24897: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
Important severity
CVE-2023-24895: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVE-2023-29331: .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
CVE-2023-32030: .NET and Visual Studio Denial of Service Vulnerability
CVE-2023-32032: .NET and Visual Studio Elevation of Privilege Vulnerability
CVE-2023-33126: .NET and Visual Studio Remote Code Execution Vulnerability
CVE-2023-33128: .NET and Visual Studio Remote Code Execution Vulnerability
CVE-2023-33135: .NET and Visual Studio Elevation of Privilege Vulnerability
Moderate severity
CVE-2023-24936: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

Office (6 CVEs)

Important severity
CVE-2023-32029: Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-33131: Microsoft Outlook Remote Code Execution Vulnerability
CVE-2023-33133: Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-33137: Microsoft Excel Remote Code Execution Vulnerability
CVE-2023-33140: Microsoft OneNote Spoofing Vulnerability
CVE-2023-33146: Microsoft Office Remote Code Execution Vulnerability

SharePoint (5 CVEs)

Critical severity
CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability
Important severity
CVE-2023-33129: Microsoft SharePoint Denial of Service Vulnerability
CVE-2023-33130: Microsoft SharePoint Server Spoofing Vulnerability
CVE-2023-33132: Microsoft SharePoint Server Spoofing Vulnerability
CVE-2023-33142: Microsoft SharePoint Server Elevation of Privilege Vulnerability

Azure (2 CVEs)

Important severity
CVE-2023-21565: Azure DevOps Server Spoofing Vulnerability
CVE-2023-21569: Azure DevOps Server Spoofing Vulnerability

Exchange (2 CVEs)

Important severity
CVE-2023-28310: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-32031: Microsoft Exchange Server Remote Code Execution Vulnerability

.NET (no Visual Studio) (2 CVEs)

Important severity
CVE-2023-29326: .NET Framework Remote Code Execution Vulnerability
CVE-2023-29337: NuGet Client Remote Code Execution Vulnerability

Visual Studio (no .NET) (2 CVEs)

Important severity
CVE-2023-33139: Visual Studio Information Disclosure Vulnerability
CVE-2023-33144: Visual Studio Code Spoofing Vulnerability

Dynamics 365 (1 CVE)

Important severity
CVE-2023-24896: Dynamics Finance and Operations Cross-site Scripting Vulnerability

Power Apps (1 CVE)

Important severity
CVE-2023-32024: Microsoft Power Apps Spoofing Vulnerability

YARP (1 CVE)

Important severity
CVE-2023-33141: Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability
