The September 2023 Security Update Review

Hello and welcome to another patch Tuesday in what continues to be a hot 0-day summer, with new exploits being identified by Apple, Cisco, and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of the latest advisories from Adobe, Microsoft, and more. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Apple Patches for September 2023

Apple kicked off the September patch release by patching two bugs in macOS Ventura, iPadOS and iOS, and watchOS to address active exploits. The first vulnerability is tracked as CVE-2023-41064 and represents a buffer overflow in Image I/O. The other bug, CVE-2023-41061, represents a validation issue that can be exploited using malicious attachments. According to Citizen Lab researchers, these bugs were combined to deploy the infamous Pegasus spyware from the NSO Group. Regardless, make sure you take the time to update your Apple devices. Apple backported this fix to older phones today, so even if you aren’t on the latest iOS, you can still get the fix.

Cisco Advisories for September 2023

You may notice I said “advisories” instead of “patches” here, and that’s not just another case of me being pedantic. On September 6, Cisco published an advisory notifying their customers of active exploits in the Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software remote access VPN. This CVE, tracked as CVE-2023-20269, is reportedly being used by ransomware groups to gain access to target networks. There’s no patch for this yet, but Cisco does offer some temporary mitigations. If you’re using these products, it’s recommended that you apply the mitigations until a patch is available. Also, please remember these mitigations are temporary. Once the patch is available, don’t delay the testing and deployment just because these mitigations are in place.

Adobe Patches for September 2023

For September, Adobe released three updates addressing five CVEs in Adobe Acrobat and Reader, Experience Manager, and Adobe Connect. Not to be left out of the 0-day…er…excitement, the lone bug in the Acrobat and Reader patch has been detected in the wild. Opening a specially crafted PDF could lead to code execution on an affected system. Clearly, this patch should be your priority. Interestingly, the patches for Experience Manager and Connect both address two cross-site scripting (XSS) bugs. Just an interesting coincidence.

Adobe lists the Reader patch as a deployment rating of 1 since it is under active attack. The other two patches are not listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for September 2023

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; .NET and Visual Studio; Azure; Microsoft Dynamics; and Windows Defender. A total of 15 of these CVEs (25.4%) were reported through the ZDI program, and more are waiting in the wings. In addition to the new CVEs, two external bugs and four Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 65.

Of the new patches released today, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. This is slightly lower than most September releases, but looking at the year-to-date totals, Microsoft is very close to the volume of fixes released in 2022.

One of the CVEs released today is listed as being publicly known and under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug being exploited:

– CVE-2023-36761 – Microsoft Word Information Disclosure Vulnerability
This is the bug currently under active attack, but I wouldn’t classify it as “information disclosure”. An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack. Those are usually defined as Spoofing bugs (see Exchange below). Regardless of the classification, the preview pane is a vector here as well, which means no user interaction is required. Definitely put this one on the top of your test-and-deploy list.

– CVE-2023-29332 – Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
This Critical-rated bug in the Azure Kubernetes service could allow a remote, unauthenticated attacker to gain Cluster Administration privileges. We’ve seen bugs like this before, but this one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity. Microsoft gives this an “Exploitation Less Likely” rating, but based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers.

– CVE-2023-38148 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
This Critical-rated bug is the highest-rated CVSS this month (8.8), but it’s not all bad news. First, this is limited to network-adjacent attackers. A successful exploit also relies on ICS being enabled. Most places these days don’t require ICS, and it’s not turned on by default. However, if you’re in one of those places where ICS is used, this could allow an unauthenticated attacker to run their code on affected systems.

– CVE-2023-38146 – Windows Themes Remote Code Execution Vulnerability
This probably isn’t one of the most severe bugs patched this month, but it kicked off such a wave of nostalgia that I had to call it out. This bug could allow code execution if an attacker can convince a user to open a specially crafted theme file. If this sounds like screensaver exploits from 20+ years ago, it’s because it’s just like screensaver bugs from 20+ years ago. Congrats to Pwn2Own winners Thijs Alkemade and Daan Keuper of Computest Sector 7 for helping bring this oldie but goodie to light.

Here’s the full list of CVEs released by Microsoft for September 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability | Important | 6.2 | Yes | Yes | Info |
| CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | Critical | 7.5 | No | No | EoP |
| CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2023-36799 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-36788 | .NET Framework Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36770 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36771 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36772 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36773 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36739 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36740 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36760 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-41303 * | AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior | Important | 7.8 | No | No | RCE |
| CVE-2023-38155 | Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-33136 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-38156 | Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
| CVE-2023-38162 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-36801 | DHCP Server Service Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2023-36800 | Dynamics Finance and Operations Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-39956 * | Electron: CVE-2023-39956 - Visual Studio Code Remote Code Execution Vulnerability | Important | 6.1 | No | No | RCE |
| CVE-2023-36886 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-38164 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-36766 | Microsoft Excel Information Disclosure Vulnerability | Important | 7.8 | No | No | Info |
| CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2023-36757 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
| CVE-2023-36736 | Microsoft Identity Linux Broker Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
| CVE-2023-36765 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36767 | Microsoft Office Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2023-36763 | Microsoft Outlook Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-36764 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36762 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2023-36805 | Scripting Engine Memory Corruption Vulnerability | Important | 7 | No | No | RCE |
| CVE-2023-36742 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36758 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36759 | Visual Studio Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
| CVE-2023-36794 | Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-35355 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38163 | Windows Defender Attack Surface Reduction Security Feature Bypass | Important | 7.8 | No | No | SFB |
| CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38139 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38141 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-38150 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36803 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-38140 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-38147 | Windows Miracast Wireless Display Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-38149 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-38146 | Windows Themes Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-41764 | Microsoft Office Spoofing Vulnerability | Moderate | 5.5 | No | No | Spoofing |
| CVE-2023-4761 * | Chromium: CVE-2023-4761 Out of bounds memory access in FedCM | High | N/A | No | No | RCE |
| CVE-2023-4762 * | Chromium: CVE-2023-4762 Type Confusion in V8 | High | N/A | No | No | RCE |
| CVE-2023-4763 * | Chromium: CVE-2023-4763 Use after free in Networks | High | N/A | No | No | RCE |
| CVE-2023-4764 * | Chromium: CVE-2023-4764 Incorrect security UI in BFCache | High | N/A | No | No | SFB |

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

Before we get to the other Critical-rated patches for September, let’s talk about the Exchange fixes released this month. Yes – even though Exchange just received a big update last month, there’s another one today. There are five different Exchange CVEs today, and all were reported by ZDI researcher Piotr Bazydło. He’s been on quite the Exchange kick recently, including finding bypasses for both patches and silent fixes. The one that concerns me the most is the NTLM relay, which is marked as a Spoofing bug (see my pedantic note above). What’s most concerning about this is that this vulnerability seems to have been patched last month but wasn’t documented. This bug, along with the three RCE bugs, requires authentication, but recall that last month’s Exchange patches included an auth bypass. Nifty. The final Exchange patch corrects an info disclosure bug that could disclose “file content.” It’s not clear if that’s a random file or if an attacker can name an arbitrary file. All of these patches require the August update to be installed, so don’t skip that and think you’re protected. And to all those admins rebooting Exchange over the weekend, I wish you Godspeed and good luck.

The remaining Critical-rated patches are all for Visual Studio. These are all open-and-own bugs that could lead to arbitrary code execution when opening a malicious package file with an affected version of Visual Studio.

Looking at the 15 other RCEs getting patches this month, most share the same open-and-own exploit scenario as the Critical-rated Visual Studio bugs. Interestingly, there are two Important-rated Visual Studio RCEs that look identical to the Critical-rated ones. There’s no indication why one is more severe than the others. There are six fixes for RCE in 3D Viewer, and four of these were reported by ZDI researcher Mat Powell. The bugs are simple open-and-own vulns, but the product must be updated through the app store. If automatic updates from the store are disabled or if you’re otherwise disconnected, you’ll need to manually update. One of the RCEs in Word has a Preview Pane vector, but a user needs to click the attachment preview to trigger the exploit. There’s a scripting engine (Trident/EdgeHTML) bug that was reported through the ZDI. Under limited circumstances, crafted data in an image can lead to execution of untrusted script. An attacker can leverage this vulnerability to execute code in the context of the current process. There’s a patch for Miracast that could allow an attacker to project to an affected system in limited circumstances. Microsoft lists that as Adjacent, but I would consider it more of a Physical attack. Finally, there’s a fix for Azure DevOps that’s listed as RCE, but I would classify it as a privilege escalation instead. An attacker needs Queue Build permissions on an Azure DevOps pipeline that has an overridable variable. They could then use this to get a code injection by overriding the variable. You decide if it’s RCE or EoP as you patch your affected servers.

Before looking at the privilege escalation bugs, there are some impactful Denial-of-Service (DoS) vulnerabilities we should address. The first involves TCP/IP. A remote, unauthenticated attacker could take down an affected system by sending specially crafted IPv6 packets. As you might imagine, systems with IPv6 disabled aren’t impacted, but considering IPv6 is enabled by default, this could create some havoc on unpatched systems. Microsoft lists disabling IPv6 router discovery as a temporary workaround. As above, patches are permanent while workarounds are temporary. The other DoS bug of note impacts the DHCP server, although Microsoft provides no other details about the bug. The final DoS impacts .NET and Visual Studio, but this bug requires someone to open a specially crafted file.
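The ICS and IPv6 router-discovery conditions above are both host configuration you can audit before the patches land. The following script is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on a Windows build that ships the NetTCPIP module (Get-NetIPInterface / Set-NetIPInterface), that the ICS service is named SharedAccess, and that the -DisableRouterDiscovery switch name is this example's own.

```powershell
<#
  Added example (not from the original post): report whether this host is exposed to the
  configuration-dependent bugs discussed above, and optionally apply the IPv6
  router-discovery workaround. Assumptions: elevated session, NetTCPIP module present,
  ICS service name is SharedAccess. The patch is still the fix; this is a stopgap.
#>
[CmdletBinding()]
param(
    # Apply the workaround (disable IPv6 router discovery) instead of only reporting.
    [switch]$DisableRouterDiscovery
)

# 1. Internet Connection Sharing (CVE-2023-38148). ICS is off by default, so a running or
#    auto-start SharedAccess service is what makes this bug reachable on a host.
$ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($null -eq $ics) {
    Write-Output 'ICS (SharedAccess) service not present: CVE-2023-38148 not reachable here.'
} else {
    Write-Output ('ICS (SharedAccess): Status={0} StartType={1}' -f $ics.Status, $ics.StartType)
    if ($ics.Status -eq 'Running' -or $ics.StartType -eq 'Automatic') {
        Write-Warning 'ICS is enabled on this host; move the CVE-2023-38148 patch to the front of the queue.'
    }
}

# 2. IPv6 router discovery (CVE-2023-38149 workaround). List every connected IPv6 interface
#    that still processes Router Advertisements.
$exposed = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.RouterDiscovery -ne 'Disabled' }

if (-not $exposed) {
    Write-Output 'IPv6 router discovery is already disabled on all connected interfaces.'
} else {
    $exposed | Select-Object InterfaceAlias, InterfaceIndex, RouterDiscovery | Format-Table -AutoSize
    if ($DisableRouterDiscovery) {
        foreach ($if in $exposed) {
            # Log the previous value so the workaround can be reverted once the patch is deployed.
            # Note: without Router Advertisements the interface also loses SLAAC-derived addresses
            # and default routes, so test on a pilot group first.
            Write-Output ('Disabling router discovery on {0} (was {1})' -f $if.InterfaceAlias, $if.RouterDiscovery)
            Set-NetIPInterface -InterfaceIndex $if.InterfaceIndex -AddressFamily IPv6 -RouterDiscovery Disabled
        }
    } else {
        Write-Warning 'Re-run with -DisableRouterDiscovery to apply the temporary workaround.'
    }
}
```

Run it without the switch from your endpoint management tooling to inventory exposure; once the TCP/IP patch is installed, restore the recorded RouterDiscovery value with the same Set-NetIPInterface call.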

Moving on to the other EoP bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. In fact, this is true of all of the EoP bugs patched this month outside of the previously mentioned Azure Kubernetes escalation.

Two fixes in this month’s release address security feature bypass (SFB) bugs. The first is in the Windows Defender Attack Surface Reduction blocking feature. The vulnerability could allow attackers to bypass the Windows Defender Attack Surface Reduction blocking feature, which definitely falls into the you-had-one-job category. The other patch impacts Office and corrects a bypass that could allow a potentially dangerous extension to be uploaded and downloaded. Like one of the Office bugs mentioned above, the Preview Pane is an attack vector, but a user would need to click to preview an attachment.

The September release contains eight additional information disclosure fixes. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. There are two significant exceptions. The first is in Outlook. A successful exploit could allow the disclosure of credentials. Yikes. At least the Preview Pane is not an attack vector here. The other interesting bug resides in the Microsoft Identity Linux Broker. Exploiting this vulnerability could disclose application data on the target. However, encrypted data at rest remains encrypted.

The lone Moderate-rated bug in this month’s release impacts Office components. Successful exploitation would allow an unauthenticated attacker to insert malicious content into a document. This document may then pass an authentication check when a partial signature is present.

Wrapping things up, there are three cross-site scripting (XSS) bugs fixed in this release. One fix is for Dynamics Finance and Operations while the remaining are for the on-prem Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on October 10, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Source: Zero Day Initiative – Blog
