Microsoft’s Patch Tuesday for October 2023 covers a total of 103 CVEs, including three zero-day vulnerabilities affecting WordPad, Skype and the HTTP/2 “Rapid Reset” DDoS vulnerability.
The highest-rated of the vulnerabilities is CVE-2023-35349, a critical remote code execution vulnerability in the Microsoft Message Queuing (MSMQ) service with a CVSS score of 9.8.
Immersive Labs principal security engineer Rob Reeves told eSecurity Planet that the attack doesn’t require credentials or authentication in order to execute code on the system. Still, he noted, “It would be considered unusual for an enterprise environment to expose the MSMQ service publicly on the internet, given a number of high-profile vulnerabilities in the service that have occurred historically, so it is reasonable to assume that to leverage this vulnerability in an attack, an attacker would have first successfully phished a target network and discovered the vulnerable service during enumeration.”
“To mitigate this vulnerability, users should protect TCP Port 1801 from untrusted connections via the firewall where possible but should also look to apply the relevant patch to fully fix the issue,” Reeves added.
Zero-Day Vulnerabilities: HTTP/2, WordPad, Skype
The zero-day flaws addressed by Microsoft are:
- CVE-2023-36563, an information disclosure vulnerability in Microsoft WordPad with a CVSS score of 6.5
- CVE-2023-41763, an elevation of privilege vulnerability in Skype for Business with a CVSS score of 5.3
- CVE-2023-44487, an HTTP/2 rapid reset attack with recommended workarounds
HTTP/2 Flaw Leads to Record DDoS Attacks
The HTTP/2 protocol flaw made headlines before the Patch Tuesday list was released, as Google, AWS and Cloudflare jointly announced that the flaw affected almost all web servers and has led to record-shattering DDoS attacks.
Immersive Labs lead cyber security engineer Natalie Silva told eSecurity Planet that the HTTP/2 attack exploits a weakness in the protocol. “This attack method abuses the stream cancellation feature of HTTP/2 to continuously send and cancel requests, overwhelming the target server or application and causing a Denial of Service (DoS) state,” she said.
“The impact to customers can be significant, as it can lead to prolonged downtime, loss of access to services, and potential financial losses for businesses relying on the affected web servers,” Silva added. “It is crucial for organizations to apply the latest patches and updates from their web server vendors to mitigate this vulnerability and protect against such attacks.”
The CVE record contains links for mitigations and patches that web server vendors and open source projects are issuing for the vulnerability.
Also read:
WordPad Flaw Could Disclose NTLM Hashes
The Microsoft WordPad flaw, which could disclose NTLM hashes, requires the attacker to be logged into the system and either to run a specially crafted application or to trick a local user into opening a malicious file.
Ivanti vice president of security products Chris Goettl noted that while the CVSS score is a relatively low 6.5, “proof-of-concept code has been disclosed and there are exploits detected in the wild. This CVE should be treated as a higher severity than Important due to the risk of exploit.”
Rapid7 lead software engineer Adam Barnett pointed out, “It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.”
Skype for Business Flaw Could Expose IP Address, Ports
Regarding the Skype for Business flaw, Microsoft explained, “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker.”
In some cases, the company advised, the information exposed could provide the attacker with access to internal networks. Ivanti’s Goettl noted that, as with the WordPad flaw, the CVE should be treated as a higher severity than its rating due to the risk of exploit.
See the Top Patch and Vulnerability Management products
9 Critical Layer 2 Tunneling Vulnerabilities
Nine critical remote code execution flaws were identified in the Layer 2 tunneling protocol, all with a CVSS score of 8.1: CVE-2023-38166, CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, and CVE-2023-41774.
All nine vulnerabilities, Action1 president and co-founder Mike Walters noted, “possess a network-based attack vector, have a high level of complexity for successful exploitation, do not require any special privileges, and demand no user interaction.”
“To successfully exploit these vulnerabilities, an attacker must overcome a race condition,” Walters added. “An unauthenticated attacker could achieve this by sending a carefully crafted protocol message to a Routing and Remote Access Service (RRAS) server, potentially leading to remote code execution (RCE) on the targeted RRAS server computer.”
Immersive Labs senior director of threat research Kev Breen also highlighted CVE-2023-36778, a remote code execution vulnerability in Microsoft Exchange Server flagged as “exploitation more likely,” with a CVSS score of 8.0.
“The patch notes indicate that an attacker must be authenticated and local to the network; this means that an attacker must already have gained access to a host in the network,” Breen said. “This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal vulnerable targets. Just because your Exchange Server doesn’t have internet-facing authentication doesn’t mean it’s protected.”
EOL for Server 2012, Win 11 21H2
Ivanti’s Goettl also noted that this Patch Tuesday includes the final updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2. “End-of-life software poses a risk to an organization,” he said. “No public updates will be available for these OS versions going forward. For Windows 11 users, this means upgrading to a new Windows 11 brand. For Server 2012/2012 R2 it is highly recommended to subscribe to ESU or migrate to a newer server edition.”
Read next:
- Network Protection: How to Secure a Network
- Weekly Vulnerability Recap – October 9, 2023 – Zero-Days Strike Android, Microsoft, Apple, Cisco & More
