Microsoft Patch Tuesday July 2023: Vulristics improvements, Office RCE, SFB SmartScreen and Outlook, EoP MSHTML and ERS, other RCEs
Hello everyone! This episode will be about Microsoft Patch Tuesday for July 2023, including vulnerabilities that were added between June and July Patch Tuesdays.
Alternative video link (for Russia): https://vk.com/video-149273431_456239131
As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities.
Vulristics improvements
I optimized the detection of the vulnerable product and the type of vulnerability based on the description. Now processing already downloaded data (with option --rewrite-flag "False") takes a few seconds. For example, only ~3 seconds for 100 MS Patch Tuesday vulnerabilities. It used to take a few minutes.
What I’ve done:
- For Microsoft-generated descriptions, e.g. “Microsoft Excel Remote Code Execution Vulnerability”, vulnerability type and product are now directly parsed out of the description; keyword search is not performed.
- I rewrote the generic keyword search based on products.json. I have reduced the use of heavy functions without sacrificing the quality of the detections.
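A sketch of the direct-parsing step from the first item above, as an added example that is not Vulristics' own code: the function names, the regular expressions and the list of vulnerability types are assumptions, and the sample descriptions are taken from this page.

```python
import re
from collections import Counter

# Impact categories that appear in Microsoft-generated titles (assumed list,
# not taken from Vulristics).
VULN_TYPES = (
    "Remote Code Execution",
    "Elevation of Privilege",
    "Security Feature Bypass",
    "Information Disclosure",
    "Denial of Service",
    "Spoofing",
    "Tampering",
)

# "<product> <type> Vulnerability", anchored at both ends so that free-form
# descriptions which merely mention a type never match.
_TITLE_RE = re.compile(
    r"^(?P<product>.+?)\s+(?P<type>"
    + "|".join(re.escape(t) for t in VULN_TYPES)
    + r")\s+Vulnerability$"
)
# Trailing abbreviation in the product name, e.g. "(RRAS)" or "(AD CS)".
_ABBREV_RE = re.compile(r"\s*\(([A-Z][A-Za-z0-9 -]*)\)$")


def parse_ms_title(description):
    """Return product, abbreviation and type for a templated title, else None."""
    text = " ".join(description.split())  # normalise whitespace and newlines
    match = _TITLE_RE.match(text)
    if match is None:
        return None  # not templated: the keyword search would be needed
    product = match.group("product")
    abbrev = None
    found = _ABBREV_RE.search(product)
    if found:
        abbrev = found.group(1)
        product = product[: found.start()]
    return {"product": product, "abbrev": abbrev, "type": match.group("type")}


def split_batch(descriptions):
    """Split descriptions into directly parsed results and keyword-search leftovers."""
    parsed, fallback = [], []
    for description in descriptions:
        result = parse_ms_title(description)
        if result is None:
            fallback.append(description)
        else:
            parsed.append(result)
    return parsed, fallback


def type_counts(parsed):
    """Count parsed vulnerabilities per type, as a report summary would."""
    return Counter(item["type"] for item in parsed)


# Descriptions as they appear on this page; the last one is free-form text.
SAMPLE = [
    "Microsoft SharePoint Server Spoofing Vulnerability",
    "Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability",
    "Microsoft Message Queuing Remote Code Execution Vulnerability",
    "Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability",
    "Windows MSHTML Platform Elevation of Privilege Vulnerability",
    "Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability",
    "Windows Error Reporting Service Elevation of Privilege Vulnerability",
    "Windows SmartScreen Security Feature Bypass Vulnerability",
    "Microsoft is investigating reports of a series of remote code execution "
    "vulnerabilities impacting Windows and Office products.",
]

if __name__ == "__main__":
    parsed, fallback = split_batch(SAMPLE)
    for item in parsed:
        print(f'{item["type"]:<26} {item["product"]} [{item["abbrev"] or "-"}]')
    print("needs keyword search:", len(fallback))
    print(dict(type_counts(parsed)))
```

Anchoring the pattern at both ends is what keeps the long free-form description out of the fast path, so only that kind of entry falls through to the heavier keyword search.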
The bottleneck is downloading data from data sources. This should be resolved with my own complete vulnerability feed, which could be generated by Vulristics. Thus, by improving Vulristics, I am approaching the implementation of the feed. 😉
ADVs
Microsoft Patch Tuesday is not only about CVEs. Sometimes it is also about ADVs, as in the latest Patch Tuesday:
🔻ADV230001 – Guidance on Microsoft Signed Drivers Being Used Maliciously
🔻ADV230002 – Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules
Sometimes the corresponding CVE is mentioned in the ADV description, sometimes it’s not. I don’t know why they do this and why they simply can’t use existing CVEs or allocate their own CVEs (since ADV is in the “update-guide/vulnerability/” section, and Microsoft is a CVE Numbering Authority). But here’s the fact – MS uses vulnerability IDs that can’t be used for mapping. 😑
For now, I just ignore them and show them when generating the Vulristics report.
Vulristics comments
For Microsoft Patch Tuesday, July 2023, I took comments about vulnerabilities from reviews of:
🔹Qualys
🔹Tenable
🔹Rapid7
🔹ZDI
🔹Kaspersky
🔹Dark Reading
🔹Krebs on Security
🔹The Hacker News
🔹Sophos Naked Security
I tweaked the Vulristics reports a bit. Now you can see the criticality of the vulnerabilities that were mentioned in each of the comment sources.
VM vendors (Qualys, Tenable, Rapid7) mention more vulnerabilities in their reviews, as does Dark Reading. Sophos, for example, only mentions the very, very TOP. ZDI actually mentions a lot of vulnerabilities too, but most of them are simply listed in a table with a minimum of columns – so I ignore this.
I also added the All (A) column to all tables with the total number of vulnerabilities for the product, type of vulnerabilities, or comment source.
Microsoft Patch Tuesday July 2023
```
$ cat comments_links.txt
Qualys|Microsoft and Adobe Patch Tuesday, July 2023 Security Update Review|https://blog.qualys.com/vulnerabilities-threat-research/2023/07/11/microsoft-patch-tuesday-july-2023-security-update-review
ZDI|THE JULY 2023 SECURITY UPDATE REVIEW|https://www.thezdi.com/blog/2023/7/10/the-july-2023-security-update-review
Kaspersky|Band-aid on a… corpse: Microsoft patches IE — again|https://www.kaspersky.com/blog/microsoft-patch-tuesday-july-2023/48606/
Dark Reading|Microsoft Discloses 5 Zero-Days in Voluminous July Security Update|https://www.darkreading.com/application-security/microsoft-discloses--zero-days-in-voluminous-july-security-update
Krebs on Security|Apple & Microsoft Patch Tuesday, July 2023 Edition|https://krebsonsecurity.com/2023/07/apple-microsoft-patch-tuesday-july-2023-edition/
The Hacker News|Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack|https://thehackernews.com/2023/07/microsoft-releases-patches-for-130.html
Sophos Naked Security|Microsoft patches four zero-days, finally takes action against crimeware kernel drivers|https://nakedsecurity.sophos.com/2023/07/12/microsoft-patches-four-zero-days-finally-takes-action-against-crimeware-kernel-drivers/
$ python3 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "July" --mspt-comments-links-path "comments_links.txt" --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2023
MS PT Month: July
MS PT Date: 2023-07-11
MS PT CVEs found: 130
MS PT OTHER VULNS found: 2
{'ADV230001', 'ADV230002'}
Ext MS PT Date from: 2023-06-14
Ext MS PT Date to: 2023-07-10
Ext MS PT CVEs found: 13
ALL MS PT CVEs: 143
...
```
So now let’s go directly to MS Patch Tuesday CVEs 🙂
- All vulnerabilities: 143
- Urgent: 2
- Critical: 1
- High: 62
- Medium: 78
- Low: 0
Remote Code Execution – Microsoft Office (CVE-2023-36884) definitely catches the eye. This vulnerability even has a normal description, and not a minimal one. Exploitation of this vulnerability began in June 2023. Exploitation requires the victim to open a specially crafted malicious document, which would typically be delivered via email. In the blog, Microsoft mentioned that the attacks were targeted against defense and government entities in Europe and North America. There are still no patches, only workarounds. In the absence of a patch, Microsoft is urging users to use the “Block all Office applications from creating child processes” attack surface reduction (ASR) rule.
Also actively exploited:
🔻Security Feature Bypass – Windows SmartScreen (CVE-2023-32049). Windows SmartScreen is an early warning system designed to protect against malicious websites used for phishing attacks or malware distribution. An attacker must make the users click on a specially crafted URL to exploit the vulnerability. Exploitation would allow the attacker to bypass the “Open File” warning prompt and compromise the victim’s machine.
🔻Security Feature Bypass – Microsoft Outlook (CVE-2023-35311). Exploitation of this flaw requires an attacker to convince a potential victim to click on a malicious URL. Successful exploitation would result in the bypassing of the Microsoft Outlook Security Notice prompt, a feature designed to protect users. Microsoft says that while its Outlook Preview pane feature is an attack vector, user interaction is still required. This is likely being paired with some other exploit designed to execute code when opening a file.
🔻Elevation of Privilege – Windows Error Reporting Service (CVE-2023-36874). To elevate to administrative privileges, an attacker would need to have access to a user account with the ability to create folders and performance traces on the target system. Standard user accounts don’t have these permissions by default. Successful exploitation would allow an attacker to obtain administrative privileges on the target system.
🔻Elevation of Privilege – Windows MSHTML Platform (CVE-2023-32046). Windows MSHTML is a browser engine that renders web pages frequently connected to Internet Explorer. Successful exploitation requires the victim to open a specially-crafted malicious file, typically delivered either via email or a web page. Assets where Internet Explorer 11 has been fully disabled are still vulnerable until patched; the MSHTML engine remains installed within Windows regardless of the status of IE11, since it is used in other contexts (e.g. Outlook).
These are all vulnerabilities that have a public exploit or are exploited in the wild. Let’s see the rest.
There are no Exchange vulnerabilities, but there is an intriguing Remote Code Execution – Windows Active Directory Certificate Services (AD CS) (CVE-2023-35350). But, judging by the Microsoft description, this is not particularly critical. An attacker with Certificate Authority (CA) read access permissions can send a specially crafted request to a vulnerable Certificate Server. By default, only domain administrators are granted CA read access.
Additionally, the following RCEs highlighted in the reviews can be noted:
🔸Microsoft Message Queuing (CVE-2023-32057, CVE-2023-35309). An attacker must send a malicious MSMQ packet to an MSMQ server to exploit this vulnerability. On successful exploitation, an attacker may perform remote code execution on the server side. You can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly.
🔸Windows Routing and Remote Access Service (RRAS) (CVE-2023-35365, CVE-2023-35366, CVE-2023-35367). Exploitation requires an attacker to send crafted packets to an impacted server. RRAS is not installed or configured in Windows by default and those users who have not enabled the feature are not impacted by these vulnerabilities.
🔸Windows Layer-2 Bridge Network Driver (CVE-2023-35315). An unauthenticated attacker must send specially crafted file operation requests to a Windows Server configured as a Layer-2 Bridge to exploit the vulnerability. An attacker must gain access to the restricted network before running an attack. Successful exploitation of the vulnerability will lead to remote code execution on the target system.
🔸Microsoft SharePoint (CVE-2023-33134, CVE-2023-33157, CVE-2023-33159, CVE-2023-33160). They all require the attacker to authenticate or the user to perform certain actions, and this, fortunately, reduces the risk of hacking. However, because SharePoint can contain sensitive data and is usually accessible from outside the organization, those who use the on-premises or hybrid versions should update.
🔸Windows Pragmatic General Multicast (PGM) (CVE-2023-35297). Pragmatic General Multicast (PGM) is a multicast computer network transport protocol appropriate for multi-receiver file transfer applications. PGM provides a reliable sequence of packets to multiple recipients simultaneously. An attack can be performed only on the systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN).
Full Vulristics report: ms_patch_tuesday_july2023
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is where I now write first.
Related news
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild. The vulnerabilities are as follows - CVE-2023-36584 (CVSS score: 5.4) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability CVE-2023-1671 (CVSS score: 9.8) -
By Deeba Ahmed Watch out, ladies! This is a post from HackRead.com Read the original post: ROMCOMLITE: Stealthier Version of ROMCOM Backdoor Targets Female Politicians
European Union military personnel and political leaders working on gender equality initiatives have emerged as the target of a new campaign that delivers an updated version of RomCom RAT called PEAPOD. Cybersecurity firm Trend Micro attributed the attacks to a threat actor it tracks under the name Void Rabisu, which is also known as Storm-0978, Tropical Scorpius, and UNC2596, and is also
This Metasploit module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail.
Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers
Plus: Mozilla patches more than a dozen vulnerabilities in Firefox, and enterprise companies Ivanti, Cisco, and SAP roll out a slew of updates to get rid of some high-severity bugs.
Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind. Alternative video link (for Russia): https://vk.com/video-149273431_456239134 GitHub exploits and Vulristics This month I made some improvements […]
Microsoft has announced patches for 87 vulnerabilities this month, including two that are being actively exploited. The post August Patch Tuesday stops actively exploited attack chain and more appeared first on Malwarebytes Labs.
Microsoft has patched a total of 74 flaws in its software as part of the company's Patch Tuesday updates for August 2023, down from the voluminous 132 vulnerabilities the company fixed last month. This comprises six Critical and 67 Important security vulnerabilities. Also released by the tech giant are two defense-in-depth updates for Microsoft Office (ADV230003) and the Memory Integrity System
Microsoft Corp. today issued software updates to plug more than 70 security holes in its Windows operating systems and related products, including a patch that addresses multiple zero-day vulnerabilities currently being exploited in the wild.
We take a look at reports of an exploit being deployed via booby trapped Word documents. The post Zero-day deploys remote code execution vulnerability via Word documents appeared first on Malwarebytes Labs.
Microsoft on Tuesday released updates to address a total of 130 new security flaws spanning its software, including six zero-day flaws that it said have been actively exploited in the wild. Of the 130 vulnerabilities, nine are rated Critical and 121 are rated Important in severity. This is in addition to eight flaws the tech giant patched in its Chromium-based Edge browser towards the end of
For the July 2023 Patch Tuesday, Microsoft has issued security updates for 130 vulnerabilities, four of which are known to have been actively exploited. The post Update now! Microsoft patches a whopping 130 vulnerabilities appeared first on Malwarebytes Labs.
Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.
Four of the disclosed vulnerabilities — albeit “important” ones — have been detected being exploited in the wild: CVE-2023-32046, CVE-2023-32049, CVE-2023-35311 and CVE-2023-36874.
Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Please see the Microsoft Threat Intelligence Blog https://aka.ms/Storm-0978 Entry for important information about steps you can take to protect your system from this vulnerability. This CVE will be updated with new inform...
Microsoft SharePoint Server Spoofing Vulnerability
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
Microsoft Message Queuing Remote Code Execution Vulnerability
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
Microsoft Message Queuing Remote Code Execution Vulnerability
Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability
Windows MSHTML Platform Elevation of Privilege Vulnerability
Microsoft SharePoint Server Remote Code Execution Vulnerability
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Windows Error Reporting Service Elevation of Privilege Vulnerability
Microsoft SharePoint Remote Code Execution Vulnerability
Microsoft SharePoint Server Remote Code Execution Vulnerability
Windows SmartScreen Security Feature Bypass Vulnerability
**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** The user would have to click on a specially crafted URL to be compromised by the attacker.
**How could an attacker exploit the vulnerability?** In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.
**According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of confidentiality (C:H), integrity (I:H), and availability (A:H). What does that mean for this vulnerability?** An attacker who successfully exploits this vulnerability could perform a remote attack that could enable access to the victim's information and the ability to alter information. Successful exploitation could also potentially cause downtime for the targeted environment.
**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Within a SharePoint site, the attacker must be authenticated, and they would need to have the “Use Remote Interfaces” and “Add and Customize Pages” permissions on a Policy Center site to be able to exploit this vulnerability.
**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors might be helpful in your situation: The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. You can check to see if there is a service running named **Message Queuing** and TCP port 1801 is listening on the machine.
**How could an attacker exploit this vulnerability?** An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a Windows Server configured as a Layer-2 Bridge.
This vulnerability is only exploitable on Windows Servers that have installed and configured the Routing and Remote Access Service (RRAS) role which is not installed and configured by default. Please see Routing and Remote Access Server (RRAS) | Microsoft Learn for more information. You might also benefit by reading more about Roles here: Roles, Role Services, and Features included in Windows Server - Server Core | Microsoft Learn
**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.
**How could an attacker exploit this vulnerability?** An attacker with Certificate Authority (CA) read access permissions can send a specially crafted request to a vulnerable Certificate Server. By default, only domain administrators are granted CA read access.
**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires that a user open a specially crafted file.
* In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
* In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.
**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited this vulnerability could gain administrator privileges.