Patch Tuesday June 2023: No Zero-Days or Actively Exploited Vulnerabilities, But Exchange is in the Crosshairs

Last month’s Patch Tuesday (May 2023) brought fixes for only 38 vulnerabilities. Such a small number gave some the sense that it was the ‘calm before the storm’ with June likely to bring some surprises. June’s Patch Tuesday has indeed brought a surprise, no zero-days and no vulnerabilities under active exploitation.

A total of 78 vulnerabilities were addressed this month and that number is more inline with the typical number of vulnerabilities that receive fixes from Microsoft. The lack of any zero-days or Actively Exploited Vulnerabilities might provide an initial feeling of relief, but there are some notable vulnerabilities waiting in the wings that are marked as Exploitation More Likely. With Exchange in the crosshairs of two vulnerabilities that could be as impactful as last year’s ProxyNotShell, once attackers start leveraging them.

Microsoft Vulnerabilities

Microsoft has released updates to address 78 vulnerabilities with six of those marked Critical and 11 as Exploitation More Likely. Without any headline vulnerabilities under active exploitation, this month’s focus gets to shift to vulnerabilities that are considered more likely to be exploited—and that’s good because there are some that should be on everyone’s priority list.

Related Product

N‑sight RMM

Comience a trabajar con rapidez con un RMM diseñado para departamentos de TI y MSP pequeños.

Más información

Microsoft Exchange Server vulnerabilities—CVE-2023-32014 and CVE-2023-28310

Microsoft Exchange admins will want to be quick about getting fixes in place to contend with these two vulnerabilities. CVE-2023-32031 and CVE-2023-28310 are both Microsoft Exchange Server Remote Code Execution vulnerabilities. While they require an authenticated user to exploit since they are exploitable by an attacker on the same network, just isolating an Exchange Server from the internet isn’t going to be a sufficient mitigation. An attacker exploiting either of these vulnerabilities will be able to run code on the target Exchange Server. It’s a good idea to start testing the security updates that address these vulnerabilities this week and get them in production ASAP.

CVE-2023-32015, CVE-2023-32014, and CVE2023-29363

If any of the vulnerabilities from this month were going to induce nightmare scenarios for defenders this trio may be it. CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363 all carry CVSS scores of 9.8, can be exploited remotely, and require no user interaction. They are prime candidates for being leveraged by threat actors to move laterally within an environment once proof of concept attacks are developed. These vulnerabilities apply to Windows Pragmatic General Multicast, which is a widely available component that might not be part of the usual rogues gallery of Windows services with vulnerabilities. However, their potential to be in almost any environment, just silently existing without anyone really paying much attention on the defender side, means they might fly under the radar of some defenders. If updates with fixes for these vulnerabilities can’t be implemented in your environment, Microsoft’s recommended mitigation is to disable the Windows Pragmatic General Multicast component.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Más información

CVE-2023-29357

This vulnerability also carries a CVSS score of 9.8 and gives an attacker the ability to gain administrator privileges, allowing them attacker to execute follow-up actions that range such as data exfiltration, ransomware payload delivery, data destruction, or any other number of malicious actions. While CVE-2023-29357 has the potential to be part of a devastating attack on a business since it is a Microsoft SharePoint Server vulnerability, the small deployment base will keep this from being exploited as widely as the other notable vulnerabilities from this month.

Microsoft 365 and Click to Run

As a reminder and review from previous months Microsoft Patch Tuesday coverage, modern Microsoft 365 apps leverage a different update mechanism than older versions of Microsoft Office. Make sure you review your patching tools and processes to ensure M365 Apps have a defined update process in place. We have an automation item available in the Automation Cookbook for N‑sight and N‑central partners to use to update and check Microsoft 365 versions that leverages Microsoft’s Click to Run executable, included in all installs of M365 apps.

• Download Microsoft 365 Update with Version Check for N‑sight
• Download Microsoft 365 Update with Version Check for N‑central

Microsoft Patch Tuesday Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is part following established best practices and a little bit of gut instinct. Critical severity, exploitation more likely and exploitation detected vulnerabilities as always should be ranking fairly high on priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around.  

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out this section of our blog. 

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd