This month’s Patch Tuesday brings 106 vulnerabilities, seven of which are critical and two of which are currently being exploited in the wild to our knowledge. There’s certainly been plenty of discussion in the community in the past month around Microsoft Azure vulnerabilities. Today, we’ll focus on the vulnerabilities patched by Microsoft in this month’s Patch Tuesday release.  

Administrators have a few key vulnerabilities that affect a broad range of operating systems within the Microsoft ecosystem. We believe the most important this month is CVE-2023-36910, a critical CVSS 9.8 vulnerability that allows for remote code execution and affects most Windows desktop and server operating systems. 

Administrators should also prioritize patching three important vulnerabilities in the Windows Kernel that allow for the elevation of privilege to SYSTEM on most versions of Windows 10, 11, and Server 2008-2022. The kernel is often a popular target for attackers and we recommend that you patch these vulnerabilities before we see attackers begin to exploit them. 

Last but not least, two important vulnerabilities in Microsoft Exchange Server allow for remote code execution and are likely to be targeted by attackers in the coming days. Exchange Server is typically difficult to patch and attackers know that, and often target it as a result. We recommend administrators patch these systems as soon as possible.  

Keep reading for added detail on some patches you’ll want to focus on this month. 

Microsoft Patch Tuesday Vulnerabilities: A Brief History 

CVE-2023-36910 

Microsoft Message Queuing Remote Code Execution Vulnerability [Critical] 

CVE-2023-36910 is a critical, CVSS 9.8/10 vulnerability in Microsoft Message Queuing (MSMQ) that can be exploited remotely and without privileges to remotely execute code on vulnerable Windows 10, 11, and Server 2008-2022 systems. In addition to patching ASAP, teams can apply a mitigation to reduce the severity of potential exploitation of this vulnerability. To be vulnerable, a system would need to have the Windows Message queuing service enabled, by default this service would be named “Message Queuing” and TCP port 1801 would be listening on the machine. While MSMQ is not enabled by default and is less common today, any device with it enabled is at critical risk. 

Our team of experts at Automox has created a Worklet to help you with mitigation before applying the patch. Our Worklet will check to see if the service is enabled and listening on TCP port 1801, and check for activity. The Worklet will stop the service and disable it from starting, it will also create an inbound firewall block rule for TCP port 1801 to prevent exploitation attacks over the network. – Jason Kikta, CISO 
 
* NOTE: Current Automox users, feel free to find the Worklet directly in the console, here. 

CVE-2023-35380, CVE-2023-35382, CVE-2023-35386 

Windows Kernel Elevation of Privilege Vulnerability [IMPORTANT] 

These three CVEs all score a CVSS 7.8 and are more likely to be targeted for exploitation according to Microsoft. The vulnerabilities are present in most builds of Windows 10, 11, and Server 2008-2022 and allow for elevation of privilege to SYSTEM when exploited successfully. Attackers must have local access to the machine, typically obtained through stolen credentials. They also must have some basic privileges to create folders and performance traces on machines, typically these are available to normal users by default.  

If you use Microsoft in your enterprise, you’re almost guaranteed to be vulnerable as most builds are affected by this kernel vulnerability. We recommend patching within 72 hours due to the scope of the operating systems affected and the attractiveness of the kernel to attackers. – Tom Bowyer, Manager, Product Security 

CVE-2023-35388, CVE-2023-38182 

Microsoft Exchange Server Remote Code Execution Vulnerability [IMPORTANT] 

These vulnerabilities are important, CVSS 8.0/10 vulnerabilities in IT team’s favorite system, Microsoft Exchange. Both vulnerabilities allow for remote code execution by authenticated attackers who are on the same local area network/intranet as the exchange server and have credentials for a valid exchange user. Both vulnerabilities exist in Exchange Server 2016 CU 23, and Exchange Server 2019 CU 12 and 13. Exchange Server patches are often not trivial to apply, and attackers know yet. The vulnerabilities have not yet been exploited but are likely to be targeted by attackers, most of whom have refined their Exchange exploitation capabilities in recent years. As a result, we recommend patching this vulnerability within the next month, ideally within this week if possible. – Jason Kikta, CISO 

Tired of the Patch Tuesday fire drill? Automate it in 30 seconds with Automox and sleep well knowing you’re covered next month.