The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as **CVE-2023-21608** (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the privileges of the current user.

A patch for the flaw was released by Adobe in January 2023. HackSys security researchers Ashfaq Ansari and Krishnakant Patil were credited with discovering and reporting the flaw.

The following versions of the software are impacted -

*   Acrobat DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
*   Acrobat Reader DC - 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310)
*   Acrobat 2020 - 20.005.30418 and earlier versions (fixed in 20.005.30436)
*   Acrobat Reader 2020 - 20.005.30418 and earlier versions (fixed in 20.005.30436)

Details surrounding the nature of the exploitation and the threat actors that may be abusing CVE-2023-21608 are currently unknown. A proof-of-concept (PoC) exploit for the flaw was made available in late January 2023.

CVE-2023-21608 is also the second Adobe Acrobat and Reader vulnerability that has seen in-the-wild exploitation after CVE-2023-26369, an out-of-bounds write issue that could result in code execution by opening a specially crafted PDF document.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by October 31, 2023, to secure their networks against potential threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Cybersecurity Agency Warns of Actively Exploited Adobe Acrobat Reader Vulnerability

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available.

Wednesday, October 11, 2023 07:10

Microsoft disclosed 104 vulnerabilities in its extensive range of software and services, the most in a single Patch Tuesday since July.  

What is most notable is that this batch of vulnerabilities includes 12 that are considered “critical,” nine of which are remote code execution vulnerabilities in the Layer 2 Tunneling Protocol.   

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available, making it more likely that attackers will try to exploit unpatched versions of these pieces of software. However, these issues are only considered “important.”  

The nine Layer 2 Tunneling Protocol vulnerabilities all require an attacker to win a race condition. A race condition is when two threads in a piece of code try to reach the same piece of data at the same time, and thus one action must be completed before the other.  

In this scenario, an attacker could exploit the Tunneling Protocol by sending a specially crafted protocol message to a Routing and Remote Access Service (RAS) server, which could lead to remote code execution on the RAS server machine. The vulnerabilities Microsoft disclosed and patched on Tuesday are:  

*   CVE-2023-38166 
*   CVE-2023-41765 
*   CVE-2023-41767 
*   CVE-2023-41768 
*   CVE-2023-41769 
*   CVE-2023-41770 
*   CVE-2023-41771 
*   CVE-2023-41773 
*   CVE-2023-41774 

The Layer 2 Tunneling Protocol allows remote users to connect to a machine, or site-to-site connectivity via a VPN. Vulnerabilities involving VPNs have come under a microscope since the discovery of the VPNFilter malware in 2018 that affected thousands of devices across the globe. 

A vulnerability in Fortinet’s SSL VPN, CVE-2018-13379, topped the U.S. Cybersecurity and Infrastructure Security Agency’s list of the most-exploited vulnerabilities in 2022, despite being disclosed back in 2018. U.S. officials also warned earlier this year of Volt Typhoon, a large APT believed to be backed by China’s government that is targeting networking devices to possibly gain a foothold onto U.S. military networks and critical infrastructure.  

Another critical remote execution vulnerability disclosed Tuesday, CVE-2023-35349, exists in the Microsoft Message Queuing service. An unauthenticated attacker could exploit this vulnerability to execute code on the targeted server. 

However, this vulnerability is only exploitable if the user has Message Queuing enabled. Microsoft stated in its advisory that users should check to see if there is a service running named “Message Queuing” and if TCP port 1801 is listening on the machine. 

One of the other critical vulnerabilities fixed this month is CVE-2023-36718, a remote code execution vulnerability in the Microsoft Virtual Trusted Platform Module. An attacker who exploits this vulnerability could perform a contained execution environment escape.  

The attack complexity is considered “high” and therefore less likely to be exploited, Microsoft said, because exploitation relies on complex memory shaping techniques and the attacker must at least be authenticated as a guest first.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62486 - 62493 and 62508 - 62511, and Snort 3 signatures 300719 - 300722.

Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.
Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.
The two

Vulnerability / Endpoint Security

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.

Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.

The two vulnerabilities that been weaponized as zero-days are as follows -

*   **CVE-2023-36563** (CVSS score: 6.5) - An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes
*   **CVE-2023-41763** (CVSS score: 5.3) - A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," Microsoft said in an advisory for CVE-2023-36563.

"Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file."

Also fixed by Redmond are dozens of flaws impacting Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that could lead to remote code execution and denial-of-service (DoS).

The security update further resolves a severe privilege escalation bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8) that could permit an attacker to impersonate and login as another user via a brute-force attack.

The tech giant has also released an update for CVE-2023-44487, also referred to as the HTTP/2 Rapid Reset attack, which has been exploited by unknown actors as a zero-day to stage hyper-volumetric distributed denial-of-service (DDoS) attacks.

"While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised," it said.

Finally, Microsoft has announced that Visual Basic Script (aka VBScript), which is often exploited for malware distribution, is being deprecated, adding, "in future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Aruba Networks
*   Arm
*   Atlassian
*   Atos
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos, and
*   VMware

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.

**Microsoft** today issued security updates for more than 100 newly-discovered vulnerabilities in its **Windows** operating system and related software, including four flaws that are already being exploited. In addition, **Apple** recently released emergency updates to quash a pair of zero-day bugs in **iOS**.

Apple last week shipped emergency updates in **iOS 17.0.3** and **iPadOS 17.0.3** in response to active attacks. The patch fixes **CVE-2023-42724**, which attackers have been using in targeted attacks to elevate their access on a local device.

Apple said it also patched **CVE-2023-5217**, which is not listed as a zero-day bug. However, as _Bleeping Computer_ pointed out, this flaw is caused by a weakness in the open-source “**libvpx**” video codec library, which was previously patched as a zero-day flaw by **Google** in the Chrome browser and by Microsoft in **Edge**, **Teams**, and **Skype** products. For anyone keeping count, this is _the 17th zero-day flaw that Apple has patched so far this year._

Fortunately, the zero-days affecting Microsoft customers this month are somewhat less severe than usual, with the exception of **CVE-2023-44487**. This weakness is not specific to Windows but instead exists within the HTTP/2 protocol used by the World Wide Web: Attackers have figured out how to use a feature of HTTP/2 to massively increase the size of distributed denial-of-service (DDoS) attacks, and these monster attacks reportedly have been going on for several weeks now.

Amazon, Cloudflare and Google all released advisories today about how they’re addressing CVE-2023-44487 in their cloud environments. Google’s **Damian Menscher** wrote on Twitter/X that the exploit — dubbed a “**rapid reset attack**” — works by sending a request and then immediately cancelling it (a feature of HTTP/2). “This lets attackers skip waiting for responses, resulting in a more efficient attack,” Menscher explained.

**Natalie Silva**, lead security engineer at **Immersive Labs**, said this flaw’s impact to enterprise customers could be significant, and lead to prolonged downtime.

“It is crucial for organizations to apply the latest patches and updates from their web server vendors to mitigate this vulnerability and protect against such attacks,” Silva said. In this month’s Patch Tuesday release by Microsoft, they have released both an update to this vulnerability, as well as a temporary workaround should you not be able to patch immediately.”

Microsoft also patched zero-day bugs in **Skype for Business** (CVE-2023-41763) and **Wordpad** (CVE-2023-36563). The latter vulnerability could expose NTLM hashes, which are used for authentication in Windows environments.

“It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given,” said **Adam Barnett**, lead software engineer at **Rapid7**. “Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.”

Other notable bugs addressed by Microsoft include CVE-2023-35349, a remote code execution weakness in the **Message Queuing** (MSMQ) service, a technology that allows applications across multiple servers or hosts to communicate with each other. This vulnerability has earned a CVSS severity score of 9.8 (10 is the worst possible). Happily, the MSMQ service is not enabled by default in Windows, although Immersive Labs notes that **Microsoft Exchange Server** can enable this service during installation.

Speaking of Exchange, Microsoft also patched CVE-2023-36778,  a vulnerability in all current versions of Exchange Server that could allow attackers to run code of their choosing. Rapid7’s Barnett said successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell session.

For a more detailed breakdown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

Patch Tuesday, October 2023 Edition

October's CVE update is here. Here's which security vulnerabilities to patch now to exorcise your Microsoft systems demons.

Microsoft flagged two zero-day security vulnerabilities under active attack in October's Patch Tuesday update, which affect Microsoft WordPad and Skype for Business. The release also features a critical-rated, wormable bug in Message Queuing that could instill terror for admins of vulnerable systems.

The two bugs are part of a cadre of 103 total CVEs addressed by the computing giant this month. The patches run the gamut of Microsoft's portfolio, including Azure, ASP.NET, Core, and Visual Studio; Exchange Server; Office, Microsoft Dynamics, and Windows.

Appropriately for October, the number of critical-rated vulnerabilities comes in at an unlucky 13; and notably, a full 20% of the fixes in the update relate to Microsoft Message Queuing (MSMQ).

**October 2023 Bugs Under Active Exploit**

Falling into the hair-raising active exploit camp, the first issue under attack in the wild is CVE-2023-36563, an information-disclosure bug in the WordPad word processing program that could open the door to NTLM relay attacks by exposing NTLM hashes.

"To exploit this vulnerability, an attacker must first gain access to the system," explained Mike Walters, president and co-founder of Action1, in October Patch Tuesday commentary. "Subsequently, they would run a specially crafted application designed to take advantage of the vulnerability and seize control of the affected system."

He added, "Alternatively, the attacker could persuade a local user to open a malicious file. This persuasion might involve enticing the user to click a link, often via email or instant message, and then convincing them to open the specially crafted file."

As far as mitigation goes, "Microsoft doesn't list any Preview Pane vector, so user interaction is required," said Dustin Childs, researcher for Trend Micro's Zero Day Initiative, in a blog. "In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn't received much attention, but it could significantly hamper NTLM-relay exploits."

Meanwhile, CVE-2023-41763 in Skype for Business is ready to haunt admin dreams. It's listed as an elevation-of-privilege issue, but Childs pointed out that it should be treated as an information disclosure problem.

"An attacker could exploit this vulnerability by initiating a specially crafted network call to the targeted Skype for Business server," Walters said. "This action could lead to the parsing of an HTTP request sent to an arbitrary address, potentially revealing IP addresses and port numbers."

He added that some sensitive information may be exposed, including in some cases data that could grant access to internal networks. However, it won't allow the attacker to modify the exposed data or restrict access to the affected resource.

**20 Microsoft Message Queuing Vulnerabilities**

Also putting the shivers into cybersecurity defenders this month are a full 20 different MSMQ vulnerabilities, which together represent an outsized percentage of the total October fixes. One of them, CVE-2023-35349, earns the distinction of being the scariest (i.e., most severe) issue of the month; it carries a CVSS critical score of 9.8 out of 10.

The bug allows unauthenticated remote code execution (RCE) without user interaction, meaning that the issue is wormable on systems where Message Queuing is enabled.

MSMQ is used to allow applications across multiple servers or hosts to communicate with each other and allow for communications to be stored and queued as required. It is not enabled by default, but Microsoft Exchange Server can enable it during installation, according to Rob Reeves, principal security engineer at Immersive Labs.

"It is highly likely that a successful attack will afford the attacker with SYSTEM-level permissions on the target or allow for kernel exploitation," he said in emailed Patch Tuesday commentary. "It would be considered unusual for an enterprise environment to expose the MSMQ service publicly on the Internet ... so it is reasonable to assume that to leverage this vulnerability in an attack, an attacker would have first successfully phished a target network and discovered the vulnerable service during enumeration."

Users should patch immediately, but can also mitigate the problem by blocking communications on TCP Port 1801 from untrusted connections via the firewall, Reeves added.

Childs noted that the other MSMQ bugs are a mix of RCE issues that do require user interaction, and DoS flaws that do not.

"Microsoft doesn't state if successful exploitation would simply stop the service or blue screen the entire system," he noted. "They also don't note if the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure."

**Other Microsoft Bugbears to Prioritize This Month**

As far as other security monsters to be on the lookout for, CVE-2023-36434 in Windows IIS Server stands out, according to ZDI's Childs. An attacker who successfully exploits the bug could log on to an affected IIS server as another user.

The elevation-of-privilege vulnerability was labeled "important" by Microsoft, because a threat actor would need to already be present in the network to use it, but it carries a CVSS 9.8 rating.

"These days, brute force attacks can be easily automated," Childs noted. "If you're running IIS, you should treat this as a critical update and patch quickly."

Action1's Walters meanwhile highlighted a group of nine RCE vulnerabilities in the Layer 2 Tunneling Protocol, which all have a CVSS score of 8.1 (CVE-2023-41774, CVE-2023-41773, CVE-2023-41771, CVE-2023-41770, CVE-2023-41769, CVE-2023-41768, CVE-2023-41767, CVE-2023-41765, and CVE-2023-38166).

"They possess a network-based attack vector, have a high level of complexity for successful exploitation, do not require any special privileges, and demand no user interaction," he said. "Their exploitation is notably intricate ... To successfully exploit these vulnerabilities, an attacker must overcome a race condition. An unauthenticated attacker could achieve this by sending a carefully crafted protocol message to a Routing and Remote Access Service (RRAS) server."

An RCE vulnerability in Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server (CVE-2023-36577, CVSS 8.8) caught the eye of Jason Kikta, CISO and senior vice president at Automox.  
"Microsoft WDAC OLE DB Provider for SQL Server is a set of components designed to facilitate efficient data access from Microsoft SQL Server databases to endpoints," he said in a Patch Tuesday advisory. "It's a key element of the WDAC that allows developers to create applications capable of communicating with almost any data source, including SQL Server. This vulnerability may allow an attacker to execute arbitrary code on a targeted system by convincing a user to connect to a malicious database."

He noted, "These attacks can be mitigated by configuring the environment to connect only to trusted servers and enforcing certificate validation."  
And finally, Chris Goettl, vice president of security products at Ivanti, flagged the fact that October Patch Tuesday includes the last updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2.

"The latter go into Extended Security Support (ESU) starting with a November release, and Microsoft also announced the keys used to enable these updates will be managed as part of Azure Arc. They should be released next week," he said in emailed commentary.

"End-of-life software poses a risk to an organization," he warned. "No public updates will be available for these OS versions going forward. For Windows 11 users this means upgrading to a new Windows 11 branch. For Server 2012\\2012 R2 it is highly recommended to subscribe to ESU or migrate to a newer server edition."

This month's release also includes a patch for the just-disclosed HTTP/2 Rapid Reset distributed denial of service (DDoS) bug, as well as one for an external Chromium flaw that affects Microsoft Edge.

Microsoft Patch Tuesday Haunted by Zero-Days, Wormable Bug

In the mtproto_proxy (aka MTProto proxy) component through 0.7.2 for Erlang, a low-privileged remote attacker can access an improperly secured default installation without authenticating and achieve remote command execution ability.

**MTProto proxy remote code execution vulnerability**

High severity GitHub Reviewed Published Oct 10, 2023 to the GitHub Advisory Database • Updated Oct 10, 2023

GHSA-738q-mc72-2q22: MTProto proxy remote code execution vulnerability

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-36730

Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability

CVE-2023-36718

Skype for Business Remote Code Execution Vulnerability

Tag

#rce