Microsoft SharePoint Server Spoofing Vulnerability

CVE-2023-33132

Microsoft Outlook Remote Code Execution Vulnerability

CVE-2023-33131

CVE-2023-33130

Microsoft SharePoint Denial of Service Vulnerability

CVE-2023-33129

Microsoft Office Remote Code Execution Vulnerability

CVE-2023-33146

Microsoft Excel Remote Code Execution Vulnerability

CVE-2023-32029

Microsoft Corp. today released software updates to fix dozens of security vulnerabilities in its Windows operating systems and other software. This month's relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn't marred by the active exploitation of a zero-day vulnerability in Microsoft's products.

**Microsoft Corp.** today released software updates to fix dozens of security vulnerabilities in its **Windows** operating systems and other software. This month’s relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn’t marred by the active exploitation of a zero-day vulnerability in Microsoft’s products.

June’s Patch Tuesday features updates to plug at least 70 security holes, and while none of these are reported by Microsoft as exploited in-the-wild yet, Redmond has flagged several in particular as “more likely to be exploited.”

Top of the list on that front is CVE-2023-29357, which is a “critical” bug in **Microsoft SharePoint Server** that can be exploited by an unauthenticated attacker on the same network. This SharePoint flaw earned a CVSS rating of 9.8 (10.0 is the most dangerous).

“An attacker able to gain admin access to an internal SharePoint server could do a lot of harm to an organization,” said **Kevin Breen**, director of cyber threat research at **Immersive Labs**. “Gaining access to sensitive and privileged documents, stealing and deleting documents as part of a ransomware attack or replacing real documents with malicious copies to further infect users in the organization.”

There are at least three other vulnerabilities fixed this month that earned a collective 9.8 CVSS score, and they all concern a widely-deployed component called the **Windows Pragmatic General Multicast** (PGM), which is used for delivering multicast data — such as video streaming or online gaming.

Security firm **Action1** says all three bugs (CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363) can be exploited over the network without requiring any privileges or user interaction, and affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later.

It wouldn’t be a proper Patch Tuesday if we also didn’t also have scary security updates for organizations still using **Microsoft Exchange** for email. Breen said this month’s Exchange bugs (CVE-2023-32031 and CVE-2023-28310) closely mirror the vulnerabilities identified as part of ProxyNotShell exploits, where an authenticated user in the network could exploit a vulnerability in the Exchange to gain code execution on the server.

Breen said while Microsoft’s patch notes indicate that an attacker must already have gained access to a vulnerable host in the network, this is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal targets.

“Just because your Exchange server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said, noting that Microsoft says the Exchange flaws are not difficult for attackers to exploit.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the **SANS Internet Storm Center**. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Microsoft Patch Tuesday, June 2023 Edition

The average cost of a data breach is $4.35 million. Understand the power of public key infrastructure (PKI) and its role in encrypting data and battling breaches.

Identity is the key to unlocking zero-trust environments, but it is also the key to a lucrative payday for cybercriminals selling prized company data and personal information.

In recent years, data breaches (and their impact on companies and affected individuals) have made headlines. Data breaches have affected a variety of industries including financial services organizations Equifax and CapitalOne, energy company Colonial Pipeline, and fast-food chain Chick-Fil-A. While these companies were well-known before their data breaches, if the world did not know their names prior to making headlines for breaches, they do now.

**Understanding the Power of PKI**

The best way to protect anything is by keeping it under lock and key, but for information stored in the cloud or exchanged electronically, a physical lock and key is futile. Public key infrastructure (PKI) serves as a cybersecurity lock-and-key system that protects data and resources, as well as authenticates access, secures communications, and provides data integrity and non-repudiation. PKI is widely used in secure email communication, digital signatures, secure Web browsing (HTTPS), virtual private networks (VPNs), and secure online transactions, and other applications.

At PKI's core is asymmetric cryptography, which uses key pairs: a public key and a private key. The public key is widely distributed and used to encrypt information while the corresponding private key is kept secret and used for decryption. Once these keys are inserted into individual devices and applications, they work to encrypt data and authenticate connected devices and applications.

Imagine your organization has a mailroom that houses feedback boxes for all the departments in the company. Each department's feedback box and the mailroom have a public key that allows anyone in the company to unlock any department's box and drop a message into it. However, the head of each department has a private key that only they possess. This private key is mathematically related to the public key and is the only key in the entire company that can unlock a department's feedback box to access messages or decrypt anything in the box that is encrypted.

**How PKI Encrypts Data**

Since PKI uses mathematically related keys to encrypt and decrypt data, only the private key can decrypt data that is encrypted with the public key. Therefore, data in transit cannot be intercepted, and when at rest on a device or database, encrypted data cannot be read even if stolen because thieves will not have the private key to unlock it.

If you deploy and use PKI across a corporate network, you can establish a zero-trust environment by authenticating and encrypting everything that is written to or retrieved from a server or device. For example, if your website uses a TLS/SSL certificate to encrypt communications between a customer's browsers and your website's server, you are using PKI encryption. As the backbone of enterprise network security, deploying PKI is extremely complex.

**Benefits of Cloud-Based PKI**

Deploying and maintaining PKI requires a lot of resources and talent, but it's critical for protecting company data. Many organizations find deploying PKI in the cloud and as a service (PKIaaS) to be a better option than doing it all in-house. Cloud PKIaaS offers several benefits for enterprises of all sizes, such as:

**Rapid deployment:** PKI has come a long way since its inception. While it used to be a system that required on-premises deployment, it can now be deployed entirely through the cloud. Cloud PKI can be integrated into existing security systems and operational within a matter of days.

**Agility:** PKI has been around for decades and is already deployed in most infrastructures with Microsoft Certificate Authority (CA). PKIaaS provides a straightforward way to migrate from Microsoft CA without changing your enterprise infrastructure.

**Scalability:** Cloud PKIaaS enables organizations to scale as they grow and expand use cases without incurring additional hardware or infrastructure costs.

**Security:** Not only is encrypted data useless without the decryption key but so are your keys to the kingdom: private keys. PKIaaS protects private keys in Federal Information Process Standards (FIPS)-compliant hardware security modules (HSMs) stored in geographically dispersed data centers capable of withstanding nuclear attacks.

**Cost savings:** By leveraging the existing capabilities of your organization's devices, software, and hardware, cloud PKI maximizes your IT investment by eliminating costs of acquiring new devices or tools.

With the average cost of a data breach at $4.35 million in 2022, deploying PKI and encrypting data are more cost-effective than becoming the victim of a breach. For more information on PKI encryption, we recommend reading our Encrypt Everything e-book for strategies to help develop a data breach battle plan.

**About the Author**

    

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than 10 years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).

Harness the Power of PKI to Battle Data Breaches

Microsoft disclosed these issues and patched them as part of June’s monthly security release for the company.

Tuesday, June 13, 2023 15:06

Cisco Talos recently discovered two vulnerabilities in the Microsoft Excel spreadsheet management software that could allow a malicious actor to execute arbitrary code on the targeted machine.

Microsoft disclosed these issues and patched them as part of June’s monthly security release for the company.

One of the vulnerabilities, TALOS-2023-1730 (CVE-2023-32029), exists in the FreePhisxdb function of Excel. An attacker could exploit this vulnerability by tricking the targeted user into opening a specially crafted file. Then, they can manipulate the heap to gain the ability to execute arbitrary code.

TALOS-2023-1734 (CVE-2023-33133) works similarly, but in this case, causes an out-of-bounds read that turns into an out-of-bounds write, which in turn, could lead to memory corruption and, finally, arbitrary code execution.

Microsoft noted that although these vulnerabilities are listed as “remote code execution,” the attack itself is carried out locally. Both vulnerabilities have a CVSS severity score of 7.8 out of 10 and are considered to be “less likely” to be exploited, according to Microsoft.

Cisco Talos worked with Microsoft to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Microsoft Office Excel 2019 Plus, version 16.0.16130.20218. Talos tested and confirmed this version of Excel could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61503, 61504, 61574 and 61575. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Two remote code execution vulnerabilities disclosed in Microsoft Excel

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild.

Tuesday, June 13, 2023 14:06

Microsoft released its monthly security update Tuesday, disclosing 69 vulnerabilities across its suite of products and software. Five of these vulnerabilities are considered to be critical, 45 of them are listed as being high severity, 17 of them are medium severity and two are of low severity.

For the first time in four months, none of the vulnerabilities Microsoft disclosed this Patch Tuesday have been exploited in the wild. June is also closer to an average month for Microsoft’s security update after only disclosing 40 vulnerabilities last month, which was nearly a three-year low.

Cisco Talos discovered two vulnerabilities in Microsoft Excel that the company patched Tuesday. These are important-severity remote code execution vulnerabilities that are triggered if the targeted user opens an attacker-created file.

Three critical vulnerabilities — CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 — in the Windows Pragmatic General Multicast (PGM) server environment with a severity score of 9.8 could lead to remote code execution. In a Windows Pragmatic General Multicast (PGM)  server environment where the Windows message queuing service is running, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. Microsoft has advised users to refer to a setting, standard configuration, or general best practice existing in a default state that could reduce the severity of exploitation of this vulnerability.

CVE-2023-29357 is an elevation of privilege vulnerability in Microsoft SharePoint Server that also has a severity score of 9.8. An attacker who successfully exploits this vulnerability could gain administrator-level privileges. They could have access to spoof the JSON Web Token \[JWT\] authentication tokens and use them to execute a network attack that bypasses the authentication and allows them to gain access to the privileges of an authenticated user. The attacker requires no user interaction to exploit this vulnerability. Microsoft has advised that customers should apply all updates offered for the SharePoint Enterprise server. On-premises customers can enable the AMSI feature, which protects them from this vulnerability.

Talos would also like to highlight a few high-severity vulnerabilities that Microsoft considers “more likely” to be exploited.

A high-severity remote code execution vulnerability, CVE-2023-28310, exists in Microsoft Exchange Server. An authenticated attacker on the same intranet as the Exchange Server can achieve remote code execution via a PowerShell remote session.

CVE-2023-29358, an elevation of privilege vulnerability in the Windows graphics device interface (GDI), is a use-after-free vulnerability in the Win32k kernel driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2023-29361 could also allow an attacker to gain SYSTEM privileges if they exploit a use-after-free issue in the Windows Cloud Files Mini Filter Driver.

Microsoft Exchange server contains a high-severity remote code execution vulnerability, CVE-2023-32031, with a severity score of 8.8. An attacker successfully exploiting this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

Another elevation of privilege vulnerability, though only considered "important," CVE-2023-29371, exists in the Windows Win32k kernel driver. An attacker could modify a curve without updating the cCurves values, which leads to an out-of-bounds write in win32kfull when the curves’ edges get processed, ultimately giving them system privileges.

One medium-severity worth noting is CVE-2023-29352, a security feature bypass vulnerability in Windows Remote Desktop. An attacker who successfully exploited this vulnerability could bypass certificate validation during a remote desktop connection by creating a validly signed “.RDP” file to bypass warning prompts when executed.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their rule set by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61907 - 61911, 61915, 61916, 61933  - 61935 and 61937 - 61939. The Snort 3 rules released for these vulnerabilities are 300592, 300593, 300595 and 300600.

Tag

#microsoft