
Warning: MICROSOFT PATCH TUESDAY JUNE 2023 PATCHES 70 VULNERABILITIES (6 CRITICAL, 0 0-DAY, 0 ACTIVELY EXPLOITED), Patch Immediately!

Reference:
Advisory #2023-69
Version:
1.0
Affected software:
Microsoft
Type:
Several types, ranging from information disclosure to remote code execution and privilege escalation.
CVE/CVSS: 

Microsoft patched 70 CVEs in its June 2023 Patch Tuesday release: 6 rated critical, 62 important, 1 moderate and 1 low.

  • Remote Code Execution: 23
  • Elevation of Privileges: 12
  • Denial of Service: 10
  • Spoofing: 9
  • Information Disclosure: 5
  • Security Feature Bypass: 3


Sources

https://msrc.microsoft.com/update-guide/releaseNote/2023-Jun

Risks

Microsoft's June 2023 Patch Tuesday includes 70 vulnerabilities (6 critical, 62 important, 1 moderate and 1 low) across a wide range of Microsoft products, affecting both Windows Server and workstations. Although this Patch Tuesday does not include any actively exploited vulnerability, several of these vulnerabilities are rated as more likely to be exploited in the near future, and urgent patching is advised.

Description

Microsoft has released multiple patches for vulnerabilities covering a range of its products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software. This month's release covers 70 vulnerabilities: 6 are rated critical and 62 important. It does not include any vulnerability that was publicly disclosed before Patch Tuesday, and none of the patched vulnerabilities is known to be actively exploited. Microsoft nevertheless rates 8 of them as more likely to be exploited in the near future, so urgent patching is advised.

The CCB would like to point your attention to the following vulnerabilities:

  • CVE-2023-29357 is a critical EoP vulnerability affecting Microsoft SharePoint Server 2019, with a CVSSv3.1 score of 9.8. An attacker who has obtained spoofed JWT authentication tokens can use them in a network attack that bypasses authentication and grants the privileges of an authenticated user. The attacker needs no privileges and no user interaction is required.
    • UPDATE 2023-12-19: A proof-of-concept exploit chain has been released for CVE-2023-29357 and CVE-2023-24955 in Microsoft SharePoint Server. Chained together, these vulnerabilities can be used to achieve remote code execution (RCE).
  • CVE-2023-32013 is a critical DoS vulnerability affecting Windows Hyper-V, with a CVSSv3.1 score of 6.5. Because successful exploitation requires the attacker to prepare the target environment to improve exploit reliability, Microsoft rates the attack complexity as high.
  • CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 are three critical RCE vulnerabilities affecting the Pragmatic General Multicast (PGM) protocol; on Windows, the implementation of this protocol is called Reliable Multicast. All three have a CVSSv3.1 score of 9.8. When the Windows Message Queuing (MSMQ) service is running in a PGM server environment, an attacker could send a specially crafted file over the network to trigger malicious code and achieve remote code execution. Microsoft rates exploitation as less likely.
  • CVE-2023-24897 is a critical RCE vulnerability affecting .NET, .NET Framework and Visual Studio, with a CVSSv3.1 score of 7.8. Successful exploitation requires user interaction, such as downloading and opening a specially crafted file from a website.
  • CVE-2023-32031 is an important RCE vulnerability affecting Microsoft Exchange Server, with a CVSSv3.1 score of 8.8. A remote, authenticated attacker could trigger malicious code in the context of the server's account through a network call.
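The three PGM vulnerabilities above are only reachable when the Message Queuing service is running in a PGM environment, so the first question for a fleet is which hosts actually meet that condition, and whether they have received anything since the June release. The PowerShell check below is an added example, not part of the CCB advisory and not Microsoft tooling. It assumes the standard Windows names for the MSMQ service (MSMQ), the Reliable Multicast adapter binding (component ID ms_rmcast), the MSMQ multicast feature (MSMQ-Multicasting on Server, MSMQ-Multicast on client editions) and MSMQ's TCP port (1801), and uses 13 June 2023, the release date, as the cut-off for "has a later update been installed". Run it in an elevated session on the host being assessed.

```powershell
# Exposure check for CVE-2023-29363 / CVE-2023-32014 / CVE-2023-32015 (PGM RCE).
# Added example, not from the CCB advisory. Service, feature and component
# names are assumptions based on standard Windows naming and may differ by edition.

function Test-PgmExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Is the Message Queuing service present, and is it running?
    $msmq = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $result.MsmqInstalled = [bool]$msmq
    $result.MsmqRunning   = [bool]($msmq -and $msmq.Status -eq 'Running')

    # 2. Is the Reliable Multicast (PGM) protocol bound and enabled on any adapter?
    #    'ms_rmcast' is the assumed component ID of "Reliable Multicast Protocol".
    $rm = Get-NetAdapterBinding -ComponentID 'ms_rmcast' -ErrorAction SilentlyContinue
    $result.PgmBound = [bool]($rm | Where-Object { $_.Enabled })

    # 3. Is the MSMQ multicast feature installed? Server and client use different cmdlets.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name 'MSMQ-Multicasting' -ErrorAction SilentlyContinue
        $result.MulticastFeature = [bool]($f -and $f.Installed)
    } else {
        $f = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Multicast' -ErrorAction SilentlyContinue
        $result.MulticastFeature = [bool]($f -and $f.State -eq 'Enabled')
    }

    # 4. Is MSMQ listening on its TCP port (1801), i.e. reachable from the network?
    $listen = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $result.Tcp1801Listening = [bool]$listen

    # 5. Has any update been installed since the June 2023 release date?
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date '2023-06-13') }
    $result.UpdatesSinceJune2023 = @($recent | Select-Object -ExpandProperty HotFixID)

    # The advisory's precondition is MSMQ running in a PGM environment; flag hosts
    # that meet it and have seen no update since the release.
    $result.Exposed = $result.MsmqRunning -and
                      ($result.PgmBound -or $result.MulticastFeature) -and
                      ($result.UpdatesSinceJune2023.Count -eq 0)

    [pscustomobject]$result
}

Test-PgmExposure | Format-List
```

A host with Exposed = True is one where the precondition holds and nothing has been installed since 13 June 2023; that is the set to patch first. The check is deliberately coarse: a recent hotfix does not prove the relevant cumulative update is present, so confirm the actual KB against the MSRC release notes before closing the ticket.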

Recommended actions

The CCB recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

References

https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2023-patch-tuesday-fixes-78-flaws-38-rce-bugs/
https://blog.qualys.com/vulnerabilities-threat-research/2023/06/13/microsoft-patch-tuesday-june-2023-security-update-review
https://isc.sans.edu/diary/June%202023%20Microsoft%20Patch%20Tuesday/29942
https://www.tenable.com/blog/microsofts-june-2023-patch-tuesday-addresses-70-cves-cve-2023-29357
https://www.tenable.com/blog/cve-2023-29357-cve-2023-24955-exploit-chain-released-for-microsoft-sharepoint-server