It’s that time of the month again: We're looking at June's Patch Tuesday roundup. Microsoft has released its monthly update, and compared to previous months, it’s actually not so bad. No actively exploited zero-days and only six critical vulnerabilities.
So, we’ll have the luxury of going over those in some more detail.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The critical CVEs patched in these updates are:
CVE-2023-29357 (CVSS score: 9.8 out of 10): a Microsoft SharePoint Server Elevation of Privilege (EoP) vulnerability. Successful exploitation could provide an attacker with administrator privileges. For the exploitation, the attacker needs no privileges nor do they require user interaction.
The Microsoft advisory states:
"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user."
JWT is a token based stateless authentication mechanism. Basically, the identity provider generates a JWT that certifies the user identity and the resource server decodes and verifies the authenticity of the token by using secret salt or public key.
CVE-2023-29363 (CVSS score: 9.8 out of 10): a Windows Pragmatic General Multicast (PGM) Remote Code Execution (RCE) vulnerability.
PGM is a reliable and scalable multicast protocol that enables receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is a receiver-reliable protocol, which means the receiver is responsible for ensuring all data is received, absolving the sender of reception responsibility. It is mainly used for delivering multicast data such as video streaming or online gaming.
CVE-2023-32014 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.
CVE-2023-32015 (CVSS score: 9.8 out of 10): another PGM RCE vulnerability.
For all the PGM vulnerabilities, Microsoft points out that: when Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.
The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine.
CVE-2023-32013 (CVSS score: 6.5 out of 10): a Windows Hyper-V Denial of Service (DoS) vulnerability. Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.
Hyper-V is Microsoft's hardware virtualization product. It lets you create and run virtual machines, which are software emulations of a computer system.
CVE-2023-24897 (CVSS score: 7.8 out of 10): a .NET, .NET Framework, and Visual Studio Remote Code Execution (RCE) vulnerability. The word "Remote" refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE) because the attack itself is carried out locally.
I’d like to throw one important vulnerability in the mix because we expect to hear more about it, because it is, well, you know, Exchange.
CVE-2023-32031 (CVSS score: 8.8 out of 10): a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. An attacker could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.
This is typically a vulnerability that is used in a chained attack, because the attacker will need access to a vulnerable host in the network to gain the necessary authentication they need to successfully exploit this vulnerability.
Other vendors
Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.
- Cisco released security updates for several products
- Google released security updates for Google Chrome
- Google also released its Android June 2023 updates
- SAP has released its June 2023 Patch Day updates
- VMware released VMware ESXi updates
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.