The September 2023 Security Update Review

September 12, 2023 | Dustin Childs

Hello and welcome to another patch Tuesday in what continues to be a hot 0-day summer, with new exploits being identified by Apple, Cisco, and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of the latest advisories from Adobe, Microsoft, and more. If you’d rather watch the video recap, you can check it out here.

Apple Patches for September 2023

Apple kicked off the September patch release by patching two bugs in macOS Ventura, iPadOS and iOS, and watchOS to address active exploits. The first vulnerability is tracked as CVE-2023-41064 and represents a buffer overflow in Image I/O. The other bug, CVE-2023-41061, represents a validation issue that can be exploited using malicious attachments. According to Citizen Lab researchers, these bugs were combined to deploy the infamous Pegasus spyware from the NSO Group. Regardless, make sure you take the time to update your Apple devices. Apple backported this fix to older phones today, so even if you aren’t on the latest iOS, you can still get the fix.

Cisco Advisories for September 2023

You may notice I said “advisories” instead of “patches” here, and that’s not just another case of me being pedantic. On September 6, Cisco published an advisory notifying their customers of active exploits in the Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software remote access VPN. This CVE, tracked as CVE-2023-20269, is reportedly being used by ransomware groups to gain access to target networks. There’s no patch for this yet, but Cisco does offer some temporary mitigations. If you’re using these products, it’s recommended that you apply the mitigations until a patch is available. Also, please remember these mitigations are temporary. Once the patch is available, don’t delay the testing and deployment just because these mitigations are in place.

Adobe Patches for September 2023

For September, Adobe released three updates addressing five CVEs in Adobe Acrobat and Reader, Experience Manager, and Adobe Connect. Not to be left out of the 0-day…er…excitement, the lone bug in the Acrobat and Reader patch has been detected in the wild. Opening a specially crafted PDF could lead to code execution on an affected system. Clearly, this patch should be your priority. Interestingly, the patches for Experience Manager and Connect both address two cross-site scripting (XSS) bugs. Just an interesting coincidence.

Adobe lists the Reader patch as a deployment rating of 1 since it is under active attack. The other two patches are not listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for September 2023

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; .NET and Visual Studio; Azure; Microsoft Dynamics; and Windows Defender. A total of 15 of these CVEs (25.4%) were reported through the ZDI program, and more are waiting in the wings. In addition to the new CVEs, two external bugs and four Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 65.

Of the new patches released today, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. This is slightly lower than most September releases, but looking at the year-to-date totals, Microsoft is very close to the volume of fixes released in 2022.

Two of the CVEs released today are listed as being under active attack at the time of release while only one is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug being exploited:

- CVE-2023-36761 - Microsoft Word Information Disclosure Vulnerability
This is the bug currently under active attack, but I wouldn’t classify it as “information disclosure”. An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack. Those are usually defined as Spoofing bugs (see Exchange below). Regardless of the classification, the preview pane is a vector here as well, which means no user interaction is required. Definitely put this one on the top of your test-and-deploy list.

- CVE-2023-29332 - Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
This Critical-rated bug in the Azure Kubernetes service could allow a remote, unauthenticated attacker to gain Cluster Administration privileges. We’ve seen bugs like this before, but this one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity. Microsoft gives this an “Exploitation Less Likely” rating, but based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers.

- CVE-2023-38148 - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
This Critical-rated bug is the highest-rated CVSS this month (8.8), but it’s not all bad news. First, this is limited to network-adjacent attackers. A successful exploit also relies on ICS being enabled. Most places these days don’t require ICS, and it’s not turned on by default. However, if you’re in one of those places where ICS is used, this could allow an unauthenticated attacker to run their code on affected systems.

- CVE-2023-38146 - Windows Themes Remote Code Execution Vulnerability
This probably isn’t one of the most severe bugs patched this month, but it kicked off such a wave of nostalgia that I had to call it out. This bug could allow code execution if an attacker can convince a user to open a specially crafted theme file. If this sounds like screensaver exploits from 20+ years ago, it’s because it’s just like screensaver bugs from 20+ years ago. Congrats to Pwn2Own winners Thijs Alkemade and Daan Keuper of Computest Sector 7 for helping bring this oldie but goodie to light.

Here’s the full list of CVEs released by Microsoft for September 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability | Important | 6.2 | Yes | Yes | Info |
| CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | Critical | 7.5 | No | No | EoP |
| CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2023-36799 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-36788 | .NET Framework Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36770 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36771 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36772 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36773 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36739 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36740 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36760 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-41303 | * AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior | Important | 7.8 | No | No | RCE |
| CVE-2023-38155 | Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-33136 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-38156 | Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
| CVE-2023-38162 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-36801 | DHCP Server Service Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2023-36800 | Dynamics Finance and Operations Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-39956 | * Electron: CVE-2023-39956 - Visual Studio Code Remote Code Execution Vulnerability | Important | 6.1 | No | No | RCE |
| CVE-2023-36886 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-38164 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-36766 | Microsoft Excel Information Disclosure Vulnerability | Important | 7.8 | No | No | Info |
| CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2023-36757 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
| CVE-2023-36736 | Microsoft Identity Linux Broker Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
| CVE-2023-36765 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36767 | Microsoft Office Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2023-36763 | Microsoft Outlook Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-36764 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-36805 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important | 7 | No | No | RCE |
| CVE-2023-36742 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36758 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36759 | Visual Studio Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
| CVE-2023-36794 | Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-35355 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38163 | Windows Defender Attack Surface Reduction Security Feature Bypass | Important | 7.8 | No | No | SFB |
| CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38139 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38141 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38150 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36803 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-38140 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-38147 | Windows Miracast Wireless Display Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-38149 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-38146 | Windows Themes Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-41764 | Microsoft Office Spoofing Vulnerability | Moderate | 5.5 | No | No | Spoofing |
| CVE-2023-4761 | * Chromium: CVE-2023-4761 Out of bounds memory access in FedCM | High | N/A | No | No | RCE |
| CVE-2023-4762 | * Chromium: CVE-2023-4762 Type Confusion in V8 | High | N/A | No | No | RCE |
| CVE-2023-4763 | * Chromium: CVE-2023-4763 Use after free in Networks | High | N/A | No | No | RCE |
| CVE-2023-4764 | * Chromium: CVE-2023-4764 Incorrect security UI in BFCache | High | N/A | No | No | SFB |

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
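Triage starts with turning a table like the one above into a deploy order: exploited bugs first, then publicly known ones, then by severity and CVSS. The script below is an added example (not ZDI's or Microsoft's code) that parses rows in the page's layout, whether space-separated or as a pipe table, and ranks them; the sample rows are copied from this month's table, and the ranking key is my own assumption about priority, not a published policy.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the header plus a few rows copied from the
# September 2023 table above, in the whitespace-separated form on the page.
SAMPLE_TABLE = """\
CVE Title Severity CVSS Public Exploited Type
CVE-2023-36761 Microsoft Word Information Disclosure Vulnerability Important 6.2 Yes Yes Info
CVE-2023-36802 Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2023-38148 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability Critical 7.5 No No EoP
CVE-2023-36765 Microsoft Office Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-41764 Microsoft Office Spoofing Vulnerability Moderate 5.5 No No Spoofing
CVE-2023-4762 * Chromium: CVE-2023-4762 Type Confusion in V8 High N/A No No RCE
"""

# One row: CVE id, free-text title, then the five fixed trailing columns.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low|High)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?|N/A)\s+(?P<public>Yes|No)\s+"
    r"(?P<exploited>Yes|No)\s+(?P<type>\S+)$"
)
# Assumed ranking: Chromium "High" is treated like Microsoft "Critical".
SEVERITY_RANK = {"Critical": 0, "High": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    severity: str
    cvss: float        # 0.0 when the table says N/A
    public: bool
    exploited: bool
    kind: str
    third_party: bool  # rows the table marks with a leading "*"


def parse_table(text: str) -> list:
    """Parse rows in the page's space-separated form or as a pipe table."""
    advisories = []
    for raw in text.splitlines():
        line = " ".join(raw.replace("|", " ").split())  # drop pipes, squeeze spaces
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator and blank lines do not match the row shape
        third_party = m["title"].startswith("*")
        advisories.append(Advisory(
            cve=m["cve"], title=m["title"].lstrip("* ").strip(), severity=m["severity"],
            cvss=0.0 if m["cvss"] == "N/A" else float(m["cvss"]),
            public=m["public"] == "Yes", exploited=m["exploited"] == "Yes",
            kind=m["type"], third_party=third_party))
    return advisories


def prioritize(advisories: list) -> list:
    """Exploited first, then publicly known, then severity, then CVSS descending."""
    return sorted(advisories, key=lambda a: (
        not a.exploited, not a.public, SEVERITY_RANK[a.severity], -a.cvss, a.cve))


def summarize(advisories: list) -> dict:
    """Counts by severity plus how many rows are exploited or public."""
    counts = {}
    for a in advisories:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return {"by_severity": counts, "exploited": sum(a.exploited for a in advisories),
            "public": sum(a.public for a in advisories)}


if __name__ == "__main__":
    for a in prioritize(parse_table(SAMPLE_TABLE)):
        flag = "EXPLOITED" if a.exploited else ("PUBLIC" if a.public else "")
        print(f"{a.cve:16} {a.severity:10} {a.cvss:4} {a.kind:9} {flag:9} {a.title}")
```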


Before we get to the other Critical-rated patches for September, let’s talk about the Exchange fixes released this month. Yes – even though Exchange just received a big update last month, there’s another one* today. There are five different Exchange CVEs today, and all were reported by ZDI researcher Piotr Bazydło. He’s been on quite the Exchange kick recently, including finding bypasses for both patches and silent fixes. The one that concerns me the most is the NTLM relay, which is marked as a Spoofing bug (see my pedantic note above). What’s most concerning about this is that this vulnerability seems to have been patched last month but wasn’t documented. This bug, along with the three RCE bugs, requires authentication, but recall that last month’s Exchange patches included an auth bypass. Nifty. The final Exchange patch corrects an info disclosure bug that could disclose “file content.” It’s not clear if that’s a random file or if an attacker can name an arbitrary file. All of these patches require the August update to be installed, so don’t skip that and think you’re protected. And to all those admins rebooting Exchange over the weekend, I wish you Godspeed and good luck.

*UPDATE: Microsoft reached out to let us know these CVEs are not new updates but were released in the August update and are now being documented. They did not state why they were patched silently in August and gave no indication if their omission was intentional or accidental.

The remaining Critical-rated patches are all for Visual Studio. These are all open-and-own bugs that could lead to arbitrary code execution when opening a malicious package file with an affected version of Visual Studio.

Looking at the 15 other RCEs getting patches this month, most share the same open-and-own exploit scenario as the Critical-rated Visual Studio bugs. Interestingly, there are two Important-rated Visual Studio RCEs that look identical to the Critical-rated ones. There’s no indication why one is more severe than the others. There are six fixes for RCE in 3D Viewer, and four of these were reported by ZDI researcher Mat Powell. The bugs are simple open-and-own vulns, but the product must be updated through the app store. If automatic updates from the store are disabled or if you’re otherwise disconnected, you’ll need to manually update. One of the RCEs in Word has a Preview Pane vector, but a user needs to click the attachment preview to trigger the exploit. There’s a scripting engine (Trident/EdgeHTML) bug that was reported through the ZDI. Under limited circumstances, crafted data in an image can lead to execution of untrusted script. An attacker can leverage this vulnerability to execute code in the context of the current process. There’s a patch for Miracast that could allow an attacker to project to an affected system in limited circumstances. Microsoft lists that as Adjacent, but I would consider it more of a Physical attack. Finally, there’s a fix for Azure DevOps that’s listed as RCE, but I would classify it as a privilege escalation instead. An attacker needs Queue Build permissions on an Azure DevOps pipeline that has an overridable variable. They could then use this to get a code injection by overriding the variable. You decide if it’s RCE or EoP as you patch your affected servers.

Before looking at the privilege escalation bugs, there are some impactful Denial-of-Service (DoS) vulnerabilities we should address. The first involves TCP/IP. A remote, unauthenticated attacker could take down an affected system by sending specially crafted IPv6 packets. As you might imagine, systems with IPv6 disabled aren’t impacted, but considering IPv6 is enabled by default, this could create some havoc on unpatched systems. Microsoft lists disabling router discovery on IPv6 as a temporary workaround. As above, patches are permanent while workarounds are temporary. The other DoS bug of note impacts the DHCP server, although Microsoft provides no other details about the bug. The final DoS impacts .NET and Visual Studio, but this bug requires someone to open a specially crafted file.

Moving on to the other EoP bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. That’s true for CVE-2023-36802, which is the other bug listed as being under active attack. In most cases, this leads to either administrator privileges or running code at SYSTEM level. In fact, this is true of all of the EoP bugs patched this month outside of the previously mentioned Azure Kubernetes escalation.

Two fixes in this month’s release address security feature bypass (SFB) bugs. The first is in the Windows Defender Attack Surface Reduction blocking feature. The vulnerability could allow attackers to bypass the Windows Defender Attack Surface Reduction blocking feature, which definitely falls into the you-had-one-job category. The other patch impacts Office and corrects a bypass that could allow a potentially dangerous extension to be uploaded and downloaded. Like one of the Office bugs mentioned above, the Preview Pane is an attack vector, but a user would need to click to preview an attachment.

The September release contains eight additional information disclosure fixes. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. There are two significant exceptions. The first is in Outlook. A successful exploit could allow the disclosure of credentials. Yikes. At least the Preview Pane is not an attack vector here. The other interesting bug resides in the Microsoft Identity Linux Broker. Exploiting this vulnerability could disclose application data on the target. However, encrypted data at rest remains encrypted.

The lone Moderate-rated bug in this month’s release impacts Office components. Successful exploitation would allow an unauthenticated attacker to insert malicious content into a document. This document may then pass an authentication check when a partial signature is present.

Wrapping things up, there are three cross-site scripting (XSS) bugs fixed in this release. One fix is for Dynamics Finance and Operations while the remaining are for the on-prem Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on October 10, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!