Microsoft patches this month include 3 critical and 3 weaponised threats.
There are 3 Critical and 54 Important fixes this month. Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, ASP.NET, Visual Studio, Azure, Microsoft Dynamics and Hyper-V have all received fixes this month.
Robert Brown, Head of Customer Success for Syxsense said, “We have 3 patches that resolve vulnerabilities which are Weaponised and one of those is Publicly Aware. If you count all the individual CVSS scores together, November has a combined CVSS score of 432.4 where the average CVSS score was 7.6 which is up on last month’s median score of 7.3 even though there were double the updates fixed.”
Based on the Vendor Severity and CVSS Score, we have made a few recommendations below. As usual, we recommend that our customers enter the CVE numbers below into their Syxsense console and deploy the patches as soon as testing is complete.
CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability
Microsoft has not published any intelligence at this time on how widely this is being exploited in the wild; however, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges on the vulnerable system.
Note: The vulnerability is Weaponised and Publicly Aware.
Syxscore
- Vendor Severity: Important
- CVSS: 7.8
- Weaponised: Yes
- Public Aware: Yes
- Countermeasure: No
Risk
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope / Jump Point: Unchanged / No
CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability
The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts.
Note: The vulnerability is Weaponised.
Syxscore
- Vendor Severity: Important
- CVSS: 8.8
- Weaponised: Yes
- Public Aware: No
- Countermeasure: No
Risk
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope / Jump Point: Unchanged / No
CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Microsoft has not published any intelligence at this time on how widely this is being exploited in the wild; however, an attacker who successfully exploited this vulnerability could gain SYSTEM privileges on the vulnerable system.
Note: The vulnerability is Weaponised.
Syxscore
- Vendor Severity: Important
- CVSS: 7.8
- Weaponised: Yes
- Public Aware: No
- Countermeasure: No
Risk
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope / Jump Point: Unchanged / No
CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
The Windows Message Queuing service, which is an optional Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel.
Mitigation: You can check whether a service named Message Queuing is running and whether TCP port 1801 is listening on the machine.
Note: The vulnerability has the joint highest CVSS rating for November.
Syxscore
- Vendor Severity: Critical
- CVSS: 9.8
- Weaponised: No
- Public Aware: No
- Countermeasure: Yes
Risk
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope / Jump Point: Unchanged / No
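The check described above for CVE-2023-36397, written out as an added PowerShell example (this is not code from the Syxsense post or from Microsoft). It assumes the Message Queuing service is registered under the service name `MSMQ` (display name "Message Queuing"), that TCP port 1801 is the port of interest as the post states, and, for remote hosts, that WinRM remoting is enabled. The `PriorityForPatch` field is a constructed triage label, not a vendor rating.

```powershell
# Added example, not from the Syxsense post: assess whether hosts meet the
# precondition for CVE-2023-36397 by checking for the Message Queuing service
# and a TCP/1801 listener. Assumes service name "MSMQ" (display name
# "Message Queuing") and, for remote hosts, WinRM access.
function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        # Hosts to assess; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on each target host and returns the raw facts.
    $probe = {
        $svc      = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
        $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            MsmqInstalled     = [bool]$svc
            MsmqState         = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
            Port1801Listening = [bool]$listener
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -ieq $env:COMPUTERNAME -or $name -ieq 'localhost') {
            $facts = & $probe
        } else {
            # Remote probing requires WinRM (Enable-PSRemoting on the target).
            $facts = Invoke-Command -ComputerName $name -ScriptBlock $probe
        }

        # The network-reachable path only exists when the service is running or
        # the port is actually listening; "installed but stopped" is lower risk
        # but the host still needs the patch.
        $exposed = ($facts.MsmqState -eq 'Running') -or $facts.Port1801Listening

        [pscustomobject]@{
            ComputerName      = $facts.ComputerName
            MsmqInstalled     = $facts.MsmqInstalled
            MsmqState         = $facts.MsmqState
            Port1801Listening = $facts.Port1801Listening
            # Constructed triage label (assumption, not a Microsoft or Syxsense rating).
            PriorityForPatch  = if ($exposed) { 'High' } elseif ($facts.MsmqInstalled) { 'Medium' } else { 'Standard' }
        }
    }
}

# Usage: assess the local host, or a list of hosts, and surface the exposed ones.
Test-MsmqExposure | Format-Table -AutoSize
# Test-MsmqExposure -ComputerName 'srv-01','srv-02' | Where-Object PriorityForPatch -eq 'High'
```

Run it in an elevated session; `Get-NetTCPConnection` needs administrator rights to enumerate listeners owned by other accounts. A host that reports `NotInstalled` and no listener does not meet the precondition the post describes, but it should still receive the November update so that a later enabling of the feature does not reopen the exposure.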
CVE-2023-36413 – Microsoft Office Security Feature Bypass Vulnerability
Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.
Note: The vulnerability is Publicly Aware.
Syxscore
- Vendor Severity: Important
- CVSS: 6.5
- Weaponised: No
- Public Aware: Yes
- Countermeasure: No
Risk
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope / Jump Point: Unchanged / No
| Reference | Description | Vendor Severity | CVSS Score | Weaponised | Publicly Disclosed | Additional Information | Impact | Exploitability Assessment |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | Yes | Yes | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Detected |
| CVE-2023-36025 | Windows SmartScreen Security Feature Bypass Vulnerability | Important | 8.8 | Yes | No | The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts. | Security Feature Bypass | Exploitation Detected |
| CVE-2023-36036 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Detected |
| CVE-2023-36038 | ASP.NET Core Denial of Service Vulnerability | Important | 8.2 | No | Yes | This vulnerability could be exploited if HTTP requests to .NET 8 RC 1 running on the IIS InProcess hosting model are cancelled. Thread counts would increase and an OutOfMemoryException is possible. If an attacker was able to successfully exploit the vulnerability, the attack might result in a total loss of availability. | Denial of Service | Exploitation Less Likely |
| CVE-2023-36413 | Microsoft Office Security Feature Bypass Vulnerability | Important | 6.5 | No | Yes | Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode. | Security Feature Bypass | Exploitation More Likely |
| CVE-2023-36397 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | The Windows Message Queuing service, which is an optional Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. Mitigation: You can check whether a service named Message Queuing is running and whether TCP port 1801 is listening on the machine. | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36028 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Important | 9.8 | No | No | An unauthenticated attacker could attack a Microsoft Protected Extensible Authentication Protocol (PEAP) Server by sending specially crafted malicious PEAP packets over the network. | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36400 | Windows HMAC Key Derivation Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | Scope = Changed, Jump Point = True. In this case, a successful attack could be performed from a low privilege Hyper-V guest. The attacker could traverse the guest's security boundary to execute code on the Hyper-V host execution environment. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36017 | Windows Scripting Engine Memory Corruption Vulnerability | Important | 8.8 | No | No | | Remote Code Execution | Exploitation More Likely |
| CVE-2023-36402 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36437 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | An attacker could exploit an integer overflow vulnerability that results in arbitrary heap writes, which could be used to perform arbitrary code execution. | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36560 | ASP.NET Security Feature Bypass Vulnerability | Important | 8.8 | No | No | The attacker would be able to bypass the security checks that prevent an attacker from accessing internal applications in a website. | Security Feature Bypass | Exploitation Less Likely |
| CVE-2023-38151 | Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability | Important | 8.8 | No | No | Countermeasure: The victim must have installed Microsoft OLE DB Provider for DB2 Server Version 7.0 for the target machine to be vulnerable. | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36052 | Azure CLI REST Command Information Disclosure Vulnerability | Critical | 8.6 | No | No | Scope = Changed, Jump Point = True. An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files. | Information Disclosure | Exploitation Less Likely |
| CVE-2023-36719 | Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability | Important | 8.4 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36021 | Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability | Important | 8 | No | No | | Security Feature Bypass | Exploitation Less Likely |
| CVE-2023-36035 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash, which could be used as the basis of an NTLM relay attack against another service to authenticate as the user. | Spoofing | Exploitation More Likely |
| CVE-2023-36039 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash, which could be used as the basis of an NTLM relay attack against another service to authenticate as the user. | Spoofing | Exploitation More Likely |
| CVE-2023-36050 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | An attacker could exploit the vulnerability by leveraging the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. Exploitation of this vulnerability requires that a user gain LAN access as well as obtain credentials for a valid Exchange user. | Spoofing | Exploitation More Likely |
| CVE-2023-36425 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability | Important | 8 | No | No | Scope = Changed, Jump Point = True. An attacker could exploit a DFS namespace (non-default) out-of-bound write vulnerability that results in heap corruption, which could then be used to perform arbitrary code execution in the server's dfssvc.exe process, which runs as the SYSTEM user. | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36439 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | | Remote Code Execution | Exploitation More Likely |
| CVE-2023-36018 | Visual Studio Code Jupyter Extension Spoofing Vulnerability | Important | 7.8 | No | No | An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality. | Spoofing | Exploitation Less Likely |
| CVE-2023-36037 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | No | No | An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality. | Security Feature Bypass | Exploitation Less Likely |
| CVE-2023-36041 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality. | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36045 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36047 | Windows Authentication Elevation of Privilege Vulnerability | Important | 7.8 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36393 | Windows User Interface Application Core Remote Code Execution Vulnerability | Important | 7.8 | No | No | | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36396 | Windows Compressed Folder Remote Code Execution Vulnerability | Important | 7.8 | No | No | | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36407 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36408 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36422 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 7.8 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36424 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | An attacker could use this vulnerability to elevate privileges from Medium Integrity Level to High Integrity Level. | Elevation of Privilege | Exploitation More Likely |
| CVE-2023-36705 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36007 | Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability | Important | 7.6 | No | No | Scope = Changed, Jump Point = True. The vulnerability is in the web server, but the malicious scripts execute in the victim's browser on their machine. | Spoofing | Exploitation Less Likely |
| CVE-2023-36031 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | Scope = Changed, Jump Point = True. The vulnerability is in the web server, but the malicious scripts execute in the victim's browser on their machine. | Spoofing | Exploitation Less Likely |
| CVE-2023-36049 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | Important | 7.6 | No | No | | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36410 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | Scope = Changed, Jump Point = True. The vulnerability is in the web server, but the malicious scripts execute in the victim's browser on their machine. | Spoofing | Exploitation Less Likely |
| CVE-2023-36392 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | | Denial of Service | Exploitation Less Likely |
| CVE-2023-36395 | Windows Deployment Services Denial of Service Vulnerability | Important | 7.5 | No | No | | Denial of Service | Exploitation Less Likely |
| CVE-2023-36401 | Microsoft Remote Registry Service Remote Code Execution Vulnerability | Important | 7.2 | No | No | | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36423 | Microsoft Remote Registry Service Remote Code Execution Vulnerability | Important | 7.2 | No | No | | Remote Code Execution | Exploitation Less Likely |
| CVE-2023-36046 | Windows Authentication Denial of Service Vulnerability | Important | 7.1 | No | No | | Denial of Service | Exploitation Less Likely |
| CVE-2023-36399 | Windows Storage Elevation of Privilege Vulnerability | Important | 7.1 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation More Likely |
| CVE-2023-36394 | Windows Search Service Elevation of Privilege Vulnerability | Important | 7 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation More Likely |
| CVE-2023-36403 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36405 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36427 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7 | No | No | An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36043 | Open Management Infrastructure Information Disclosure Vulnerability | Important | 6.5 | No | No | Scope = Changed, Jump Point = True. An attacker who successfully exploits this vulnerability could affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component could be different from the impacted component, and the two are managed by different security authorities. | Information Disclosure | Exploitation Less Likely |
| CVE-2023-36398 | Windows NTFS Information Disclosure Vulnerability | Important | 6.5 | No | No | | Information Disclosure | Exploitation Less Likely |
| CVE-2023-36016 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.2 | No | No | Scope = Changed, Jump Point = True. The vulnerability is in the web server, but the malicious scripts execute in the victim's browser on their machine. | Spoofing | Exploitation Less Likely |
| CVE-2023-36042 | Visual Studio Denial of Service Vulnerability | Important | 6.2 | No | No | | Denial of Service | Exploitation Less Likely |
| CVE-2023-36558 | ASP.NET Core – Security Feature Bypass Vulnerability | Important | 6.2 | No | No | | Elevation of Privilege | Exploitation Less Likely |
| CVE-2023-36030 | Microsoft Dynamics 365 Sales Spoofing Vulnerability | Important | 6.1 | No | No | Scope = Changed, Jump Point = True. The vulnerability is in the web server, but the malicious scripts execute in the victim's browser on their machine. | Spoofing | Exploitation Less Likely |
| CVE-2023-38177 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 6.1 | No | No | | Remote Code Execution | Exploitation More Likely |
| CVE-2023-36404 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | | Information Disclosure | Exploitation Less Likely |
| CVE-2023-36406 | Windows Hyper-V Information Disclosure Vulnerability | Important | 5.5 | No | No | The type of information that could be disclosed if an attacker successfully exploited this vulnerability is kernel memory read: unintentional read access to memory contents in kernel space from a user mode process. | Information Disclosure | Exploitation Less Likely |
| CVE-2023-36428 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Exploiting this vulnerability could allow the disclosure of initialized or uninitialized memory in the process heap. | Information Disclosure | Exploitation Less Likely |