
Patch Tuesday October 2023: HTTP/2 Rapid Reset Sets Record DDoS Attack

October has arrived, bringing pumpkin-spice versions of everything alongside Microsoft's latest Patch Tuesday fixes and updates. As always, Patch Tuesday brings a new list of vulnerabilities that need to be chased down and remediated through patching or mitigated through additional actions. The number of vulnerabilities, and the risk they present, ebbs and flows from month to month, leaving MSPs and sysadmins responsible for patch management with little certainty when planning resources.

Microsoft Vulnerabilities

Microsoft released security updates addressing a total of 103 vulnerabilities in Windows and other Microsoft products. Three (3) of them are zero-days that are Under Active Exploitation. Although each of them is rated only Important, the fact that they are already being used in active threat campaigns should put them at the top of the list for anyone running affected systems. Luckily for most defenders, two (2) of this month's zero-days are unlikely to apply to them, as they affect products that are not in wide use. The third is present on practically every Windows machine, but exploiting it takes extra steps (an attacker needs an existing foothold or has to get a user to open a file), which limits how easily it can be used at scale.

All three (3) zero-days from this month were also added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on October 10th, 2023 with a due date of October 31st, 2023. If you are unfamiliar with the KEV Catalog, it lists vulnerabilities that are being, or have been, actively exploited, together with the required remediation action and a due date; U.S. federal civilian agencies must meet that date under Binding Operational Directive 22-01. For everyone else it serves as a valuable, vendor-neutral reference for deciding which vulnerabilities to address first in order to reduce risk exposure.


CVE-2023-36563

A Microsoft WordPad information disclosure vulnerability that can leak a user's NTLM hash to an attacker, who can then try to crack it offline or relay it. Rated Important, this zero-day is reported to be Under Active Exploitation. WordPad isn't a productivity tool most organizations rely on, but it has shipped with every Windows release since Windows 95, so the attack surface is nearly universal. Exploitation requires an attacker to already have access to a system or to convince an end user to open a malicious file. Microsoft addressed a similar NTLM-leak vulnerability in Microsoft Word last month. The usual defenses for this class of bug apply on top of the patch: block outbound SMB (TCP 445) at the network perimeter so a coerced authentication can't reach an attacker's server on the internet, and keep privileged accounts in the Protected Users group so they never authenticate with NTLM at all.

CVE-2023-44487

This vulnerability is in the HTTP/2 protocol itself and lets an attacker mount a denial-of-service attack with very little bandwidth. The client opens a stream with a HEADERS frame and cancels it immediately with RST_STREAM; the cancel frees the slot under the server's SETTINGS_MAX_CONCURRENT_STREAMS limit at once, while the server has already started work on the request, so a single connection can keep the server busy with an unbounded stream of requests that are never counted as concurrent. An active campaign has been leveraging this technique since August 25th, 2023 and produced the largest HTTP DDoS attacks on record by a significant margin: Cloudflare measured a peak above 201 million requests per second, nearly three times its previous record, and notes with concern that this was achieved with a botnet of only around 20,000 machines. Microsoft's guidance is to apply the updates, with workarounds available where patching has to wait (HTTP/2 can be disabled in IIS through the EnableHttp2Tls and EnableHttp2Cleartext values under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters). Because the flaw is in the protocol and not specific to Windows, every HTTP/2 server, reverse proxy and load balancer in your environment, from IIS and .NET Kestrel to nginx, Apache and network appliances, needs a fixed build or a mitigation, so audit accordingly rather than stopping at the Windows update.
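The following is an added illustration, not code from this post or from any HTTP/2 server, that models why the concurrency limit alone does not stop Rapid Reset and what the per-connection reset budget most server vendors shipped as their mitigation does. The stream limit of 100 is a typical SETTINGS_MAX_CONCURRENT_STREAMS value; the reset budget of 50 is an assumed, illustrative threshold (real servers choose their own). Run it and compare the amount of backend work each client pattern extracts from one connection.

```python
"""Toy model of HTTP/2 Rapid Reset (CVE-2023-44487) and a reset-budget mitigation.

Added example for illustration only. It models frame handling in a few lines
of Python and is not the code of any real HTTP/2 server.
"""
from dataclasses import dataclass, field

# Typical value a server advertises for SETTINGS_MAX_CONCURRENT_STREAMS.
MAX_CONCURRENT_STREAMS = 100
# Assumed mitigation parameter: client-initiated resets tolerated on one
# connection before the server closes it. Illustrative, not a vendor default.
RESET_BUDGET = 50


@dataclass
class Connection:
    """Server-side state for one HTTP/2 connection."""
    open_streams: set = field(default_factory=set)
    resets: int = 0
    work_started: int = 0   # requests dispatched to the backend (the attacker's gain)
    closed: bool = False    # True once the server has sent GOAWAY

    def on_headers(self, stream_id: int) -> bool:
        """Client opens a stream with HEADERS. Returns False if refused."""
        if self.closed:
            return False
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return False    # concurrency limit enforced (REFUSED_STREAM)
        self.open_streams.add(stream_id)
        # The server begins processing as soon as HEADERS arrives, before the
        # client has any chance to cancel: this is the work the attack inflicts.
        self.work_started += 1
        return True

    def on_rst_stream(self, stream_id: int, mitigate: bool) -> None:
        """Client cancels a stream. With mitigation, excessive cancels close the connection."""
        # A reset stream is closed immediately, so its slot under
        # MAX_CONCURRENT_STREAMS is freed at once. That is what Rapid Reset abuses.
        self.open_streams.discard(stream_id)
        self.resets += 1
        if mitigate and self.resets > RESET_BUDGET:
            self.closed = True  # GOAWAY: stop spending backend work on this peer


def flood_without_reset(requests: int) -> Connection:
    """Naive flood: open streams and never cancel. The concurrency limit caps it."""
    conn = Connection()
    stream_id = 1
    for _ in range(requests):
        if not conn.on_headers(stream_id):
            break
        stream_id += 2          # client-initiated streams use odd identifiers
    return conn


def rapid_reset(requests: int, mitigate: bool) -> Connection:
    """Rapid Reset: HEADERS immediately followed by RST_STREAM, repeated."""
    conn = Connection()
    stream_id = 1
    for _ in range(requests):
        if not conn.on_headers(stream_id):
            break
        conn.on_rst_stream(stream_id, mitigate)
        stream_id += 2
    return conn


if __name__ == "__main__":
    n = 10_000
    print("naive flood, work started:      ", flood_without_reset(n).work_started)
    print("rapid reset, unmitigated:       ", rapid_reset(n, mitigate=False).work_started)
    mitigated = rapid_reset(n, mitigate=True)
    print("rapid reset, with reset budget: ", mitigated.work_started, "closed:", mitigated.closed)
```

The naive flood stalls at 100 requests because the stream limit does its job; the reset pattern never has more than one stream open, so the same limit never triggers and all 10,000 requests reach the backend. The reset budget turns the attacker's own cancellations into the signal that ends the connection after 51 requests. A budget also has a cost: a legitimate client that cancels many downloads (a browser navigating away from a page full of images) can trip it, which is why real servers use rate-based or ratio-based thresholds rather than a fixed count.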


CVE-2023-41763

This month's final Microsoft zero-day is an elevation of privilege vulnerability in Skype for Business. A successful attack could expose information such as IP addresses and port numbers to the attacker, which is reconnaissance for a follow-on attack rather than a direct compromise on its own. Teams has been favored over Skype for a few years, so the Skype for Business deployment base has shrunk, but there may still be remnants floating around in your environments. This is a good example of why it's important to remove applications that no longer have a business use case: software nobody uses still gets zero-days, and nobody is watching it.

Layer 2 Tunneling Protocol

Nine (9) vulnerabilities in the Windows implementation of the Layer 2 Tunneling Protocol received fixes this month. All are marked Exploitation Less Likely but carry a severity rating of Critical, so threat actors will likely spend some effort over the next few days working out how to take advantage of them. Per Microsoft, an unauthenticated attacker who sends a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server and wins a race condition could achieve remote code execution on that server. Only servers with the RRAS role installed are exposed: those should be near the top of your prioritization list for the month, and servers that don't need the role should have it removed rather than patched indefinitely.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and using informed judgment. It's a natural instinct to rank vulnerabilities with Critical severity ratings at the top of the list, but relying on severity ratings alone is limiting: a base score describes how bad a bug could be, not how likely it is to be used against you this week. An often-overlooked component is the set of temporal metrics, which adjust a vulnerability's score for factors that change over time: whether working exploit code exists (and whether it is already being used), whether a fix or workaround is available, and how confident the reports are. Microsoft's Exploitation Detected / More Likely / Less Likely ratings and CISA's KEV listings are the practical inputs for these. The longer a vulnerability is known without a fix applied, the greater the chance that an exploit matures and is used. By integrating temporal metrics into the risk evaluation process, organizations get a more accurate picture of the threats they actually face and avoid leaving themselves open to unnecessary risk.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

CVE Number      CVE Title                                                                      Severity  Status
CVE-2023-44487  MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack                                I         ED
CVE-2023-41763  Skype for Business Elevation of Privilege Vulnerability                        I         ED
CVE-2023-36563  Microsoft WordPad Information Disclosure Vulnerability                         I         ED
CVE-2023-41774  Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                 C         ELL
CVE-2023-41773  Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                 C         ELL
CVE-2023-41771  Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                 C         ELL
CVE-2023-41770  Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                 C         ELL
CVE-2023-41769  Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                 C         ELL
CVE-2023-41768  Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                 C         ELL
CVE-2023-41767  Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                 C         ELL
CVE-2023-41765  Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                 C         ELL
CVE-2023-38166  Layer 2 Tunneling Protocol Remote Code Execution Vulnerability                 C         ELL
CVE-2023-36796  Visual Studio Remote Code Execution Vulnerability                              C         ELL
CVE-2023-36793  Visual Studio Remote Code Execution Vulnerability                              C         ELL
CVE-2023-36792  Visual Studio Remote Code Execution Vulnerability                              C         ELL
CVE-2023-36718  Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability  C         ELL
CVE-2023-36697  Microsoft Message Queuing Remote Code Execution Vulnerability                  C         ELL
CVE-2023-36566  Microsoft Common Data Model SDK Denial of Service Vulnerability                C         ELL
CVE-2023-35349  Microsoft Message Queuing Remote Code Execution Vulnerability                  C         ELL
CVE-2023-41772  Win32k Elevation of Privilege Vulnerability                                    I         EML
CVE-2023-38159  Windows Graphics Component Elevation of Privilege Vulnerability                I         EML
CVE-2023-36780  Skype for Business Remote Code Execution Vulnerability                         I         EML
CVE-2023-36778  Microsoft Exchange Server Remote Code Execution Vulnerability                  I         EML
CVE-2023-36776  Win32k Elevation of Privilege Vulnerability                                    I         EML
CVE-2023-36743  Win32k Elevation of Privilege Vulnerability                                    I         EML
CVE-2023-36732  Win32k Elevation of Privilege Vulnerability                                    I         EML
CVE-2023-36731  Win32k Elevation of Privilege Vulnerability                                    I         EML
CVE-2023-36713  Windows Common Log File System Driver Information Disclosure Vulnerability     I         EML
CVE-2023-36594  Windows Graphics Component Elevation of Privilege Vulnerability                I         EML
CVE-2022-37967  Windows Kerberos Elevation of Privilege Vulnerability                          C         EML
CVE-2023-36794  Visual Studio Remote Code Execution Vulnerability                              I         N/A
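To make the prioritization argument of this section (and the Summary's advice to rank zero-days, Exploitation Detected and Exploitation More Likely ahead of severity) concrete, here is an added example that is not N-able tooling: a small ranker that sorts a subset of the table above by KEV membership, then Microsoft's exploitability status, then severity, and contrasts that with a severity-only sort. The rows are copied from the table; the KEV set is the three CVEs CISA added on October 10th, 2023. Shortened titles are for readability only.

```python
"""Rank a Patch Tuesday release by exploitation evidence before severity.

Added example, not N-able's tooling. The ranking rule is the one argued for
in this post: KEV / Exploitation Detected first, then Exploitation More
Likely, then vendor severity. Sample rows are taken from the October 2023 table.
"""
from dataclasses import dataclass

# Lower rank sorts first. Codes follow the table key.
SEVERITY_RANK = {"C": 0, "I": 1, "M": 2, "R": 3}
STATUS_RANK = {"ED": 0, "EML": 1, "ELL": 2, "N/A": 3}

# CVEs CISA added to the Known Exploited Vulnerabilities catalog on 2023-10-10.
KEV_OCT_10_2023 = {"CVE-2023-44487", "CVE-2023-41763", "CVE-2023-36563"}


@dataclass(frozen=True)
class Finding:
    cve: str
    title: str
    severity: str   # C / I / M / R
    status: str     # ED / EML / ELL / N/A


def priority_key(f: Finding) -> tuple:
    """Sort key: KEV membership, then exploitability status, then severity.
    The CVE id is the final tie-breaker so the order is stable and reproducible.
    Unknown codes sort last rather than raising, so a typo in a row is visible
    at the bottom of the list instead of crashing the run."""
    return (
        0 if f.cve in KEV_OCT_10_2023 else 1,
        STATUS_RANK.get(f.status, len(STATUS_RANK)),
        SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)),
        f.cve,
    )


def prioritize(findings) -> list:
    """CVE ids in the order this post recommends patching them."""
    return [f.cve for f in sorted(findings, key=priority_key)]


def severity_only(findings) -> list:
    """The naive ordering, vendor severity alone, for comparison."""
    return [f.cve for f in sorted(
        findings, key=lambda f: (SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)), f.cve))]


# Subset of the October 2023 table (cve, shortened title, severity, status).
SAMPLE = [
    Finding("CVE-2023-44487", "HTTP/2 Rapid Reset Attack", "I", "ED"),
    Finding("CVE-2023-41763", "Skype for Business Elevation of Privilege", "I", "ED"),
    Finding("CVE-2023-36563", "Microsoft WordPad Information Disclosure", "I", "ED"),
    Finding("CVE-2022-37967", "Windows Kerberos Elevation of Privilege", "C", "EML"),
    Finding("CVE-2023-36778", "Microsoft Exchange Server Remote Code Execution", "I", "EML"),
    Finding("CVE-2023-41772", "Win32k Elevation of Privilege", "I", "EML"),
    Finding("CVE-2023-41774", "Layer 2 Tunneling Protocol Remote Code Execution", "C", "ELL"),
    Finding("CVE-2023-38166", "Layer 2 Tunneling Protocol Remote Code Execution", "C", "ELL"),
    Finding("CVE-2023-36718", "Virtual Trusted Platform Module Remote Code Execution", "C", "ELL"),
    Finding("CVE-2023-36794", "Visual Studio Remote Code Execution", "I", "N/A"),
]

if __name__ == "__main__":
    print("severity only:", severity_only(SAMPLE))
    print("recommended:  ", prioritize(SAMPLE))
```

With severity alone, the four Critical entries (the re-issued Kerberos fix and three Exploitation Less Likely RCEs) come first and all three actively exploited zero-days fall to fifth place or lower. With exploitation evidence first, the zero-days lead, the Exploitation More Likely bugs follow, and the Critical-but-unlikely L2TP and vTPM fixes come after them, which is the ordering the Summary below recommends. Swap in the full table, or a feed from your RMM, and the same key works unchanged.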

Summary

As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally applied patches based on severity alone, consider adding prioritization of Zero-Day, Exploitation Detected and Exploitation More Likely vulnerabilities to your patch management routine, so that a bug attackers are already using is never waiting behind a Critical one nobody has exploited.

Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out this section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.