
Patch Tuesday September 2023: Office NTLM Hash Vulnerability Gets Fix

September is turning out to have quite a few zero-day vulnerabilities from vendors other than Microsoft that you need to be aware of. While we typically focus on Microsoft's Patch Tuesday releases, this month's roundup also covers Adobe, Chrome, Mozilla, Cisco, and iOS fixes that need to be applied to mitigate active attacks.

Microsoft Vulnerabilities

Microsoft addressed 59 new vulnerabilities this month and updated three previously published ones. Five are rated Critical and two are zero-days under active exploitation. Although both actively exploited zero-days are only rated "Important", they can be used as part of a chained attack, relying on other vulnerabilities or already-compromised systems to be effective. This is a good example of why relying only on the severity rating to decide when to apply patches can leave you unnecessarily exposed to an active threat campaign.


CVE-2023-36802

CVE-2023-36802 is a Microsoft Streaming Service Proxy Elevation of Privilege vulnerability rated CVSS 7.8 that allows an attacker who already has code execution on the host to gain SYSTEM privileges. Because it was not publicly disclosed before the fix, information on how it is being leveraged is limited; as a local privilege escalation it is most likely being used as a second stage after initial access rather than as the way in.

CVE-2023-36761

This is potentially the most impactful vulnerability of the month because it discloses NTLM authentication material. The trigger is a user viewing a specially crafted Word document in the Windows preview pane; the user does not have to open the file. As with other preview-pane NTLM leaks, the document points at a resource on an attacker-controlled server, so simply rendering it makes Windows authenticate outward, and the captured NTLM challenge-response can be relayed to other services to authenticate as that user or cracked offline to recover the password, without the attacker ever needing the plaintext. The near-ubiquitous nature of Microsoft Word, combined with the fact that this affects versions of Office as far back as 2013, means there is a huge pool of potential targets. CVE-2023-36761 should be at the top of your to-do list this month. Where the patch cannot go out immediately, the usual interim mitigations for this class of bug are blocking outbound SMB (TCP 445) from endpoints to the internet at the perimeter and restricting outgoing NTLM to remote servers through Group Policy; these reduce exposure but are not a substitute for the update.


CVE-2023-38148

A Critical-rated vulnerability with a CVSS of 8.8, CVE-2023-38148 is a Remote Code Execution vulnerability in Internet Connection Sharing (ICS). ICS has been part of Windows for many years and, while it is far less commonly used than it once was, it is still available in modern versions of Windows. An attacker on the same network segment can send a specially crafted packet to the target device and execute arbitrary code on it, which makes pushing malware or taking other actions straightforward. Because no interaction from the end user is required, this could easily find its way into attackers' toolkits. In practice the attack surface is the ICS service itself (SharedAccess in the Services list), so it is worth confirming that it is disabled on hosts that don't need it, alongside patching.

Cisco

CVE-2023-20269 is a zero-day vulnerability under active exploitation in the remote access VPN feature of Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, allowing unauthorized access; Cisco's advisory describes attackers using it to brute-force valid credentials and establish clientless SSL VPN sessions. As this is being leveraged in active, ongoing threat campaigns, read the Cisco Security Advisory for more information and guidance on remediation.

Adobe

Adobe has released security updates for CVE-2023-26369, a Critical-rated zero-day vulnerability under active exploitation that affects Acrobat and Acrobat Reader on both Windows and macOS. Since it is actively exploited and Adobe Reader has a large install base in most environments, be sure to read Adobe's Security Bulletin for more information and guidance on remediation.

Mozilla

CVE-2023-4863 is a Critical-rated heap buffer overflow in the libwebp image library. Mozilla shipped fixes for Firefox and Thunderbird, and Brave is among the other browsers that received updates. A specially crafted WebP image lets an attacker write to memory they otherwise would not be able to reach, which is the classic setup for code execution. Because libwebp is embedded in many products, including Chromium and the Chromium- and Electron-based applications built on it, teams will likely need to update a lot of applications they may not be accustomed to patching, so tracking down updates may be time-consuming.

iOS

Turning attention to international espionage and spycraft, Apple fixed two zero-day vulnerabilities, CVE-2023-41064 in ImageIO and CVE-2023-41061 in Wallet, that Citizen Lab found chained together in a zero-click exploit it named BLASTPASS, used in a campaign to infect iPhones with Pegasus spyware. The ImageIO bug is the same libwebp flaw tracked as CVE-2023-4863 above, which is why a single image-parsing bug ended up touching iPhones, browsers, and desktop applications in the same week.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of established best practices and informed judgment. It is natural to rank critical-severity vulnerabilities first, but severity alone is a limited signal: the base score describes how bad exploitation would be, not how likely it is right now. That is what the often-overlooked temporal metrics in CVSS capture: exploit code maturity (is there a proof of concept, a functional exploit, or in-the-wild use?), remediation level (is there an official fix, a workaround, or nothing yet?), and report confidence. These change over the window of vulnerability, the time from initial discovery until a patch is available and actually applied, and the longer a flaw is known without a fix in place, the more mature the exploits become and the greater the chance of exploitation. Microsoft's Exploitability Index, shown as the Status column in the table below, is the same idea applied per CVE. Folding these signals into the risk evaluation gives a more complete picture of the threat landscape and potential attack vectors, and ensures organizations don't leave themselves open to unnecessary risk.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

| CVE Number | CVE Title | Severity | Status |
| --- | --- | --- | --- |
| CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | I | ED |
| CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability | I | ED |
| CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | C | ELL |
| CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability | I | EML |
| CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability | I | EML |
| CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | C | EML |
| CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability | I | EML |
| CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML |
| CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML |
| CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML |
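As an added example (not code from the original post or from N-able), here is the prioritization the section above argues for, applied to this month's table: exploitation status ranks first and severity only breaks ties, so an "Important" bug with exploitation detected lands above a "Critical" one that is unlikely to be exploited. It also implements the CVSS 3.1 temporal-score formula to show how the same base score moves as exploit maturity and remediation level change. The table rows are copied from the article; the only base scores used are the two the article quotes (7.8 for CVE-2023-36802 and 8.8 for CVE-2023-38148), and the temporal vector values passed in the usage lines are illustrative assumptions, not Microsoft's published ratings.

```python
"""Rank a Patch Tuesday table by exploitation status, then severity, and
compute CVSS 3.1 temporal scores. Added example; not N-able tooling."""
import math
from dataclasses import dataclass
from typing import Optional

# Microsoft Exploitability Index values, abbreviated as in the article's table key.
STATUS_RANK = {"ED": 0, "EML": 1, "ELL": 2, "N/A": 3}
SEVERITY_RANK = {"C": 0, "I": 1, "M": 2, "R": 3}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    severity: str                        # C / I / M / R
    status: str                          # ED / EML / ELL / N/A
    base_score: Optional[float] = None   # CVSS base score, only where the article gives one


# Rows copied from the article's table (constructed input for this example).
TABLE = [
    Advisory("CVE-2023-36802", "Microsoft Streaming Service Proxy Elevation of Privilege", "I", "ED", 7.8),
    Advisory("CVE-2023-36761", "Microsoft Word Information Disclosure", "I", "ED"),
    Advisory("CVE-2023-36796", "Visual Studio Remote Code Execution", "C", "ELL"),
    Advisory("CVE-2023-36793", "Visual Studio Remote Code Execution", "C", "ELL"),
    Advisory("CVE-2023-36792", "Visual Studio Remote Code Execution", "C", "ELL"),
    Advisory("CVE-2023-29332", "Microsoft Azure Kubernetes Service Elevation of Privilege", "C", "ELL"),
    Advisory("CVE-2023-38161", "Windows GDI Elevation of Privilege", "I", "EML"),
    Advisory("CVE-2023-38160", "Windows TCP/IP Information Disclosure", "I", "EML"),
    Advisory("CVE-2023-38152", "DHCP Server Service Information Disclosure", "I", "EML"),
    Advisory("CVE-2023-38148", "Internet Connection Sharing (ICS) Remote Code Execution", "C", "EML", 8.8),
    Advisory("CVE-2023-38144", "Windows Common Log File System Driver Elevation of Privilege", "I", "EML"),
    Advisory("CVE-2023-38143", "Windows Common Log File System Driver Elevation of Privilege", "I", "EML"),
    Advisory("CVE-2023-38142", "Windows Kernel Elevation of Privilege", "I", "EML"),
    Advisory("CVE-2023-36804", "Windows GDI Elevation of Privilege", "I", "EML"),
    Advisory("CVE-2023-36777", "Microsoft Exchange Server Information Disclosure", "I", "EML"),
    Advisory("CVE-2023-36756", "Microsoft Exchange Server Remote Code Execution", "I", "EML"),
    Advisory("CVE-2023-36745", "Microsoft Exchange Server Remote Code Execution", "I", "EML"),
    Advisory("CVE-2023-36744", "Microsoft Exchange Server Remote Code Execution", "I", "EML"),
]


def priority_key(adv: Advisory) -> tuple:
    """Exploited in the wild first, then 'more likely', then 'less likely';
    severity only breaks ties, so Important/ED outranks Critical/ELL."""
    return (STATUS_RANK.get(adv.status, 9), SEVERITY_RANK.get(adv.severity, 9))


def prioritize(table):
    """sorted() is stable, so rows with equal keys keep the table's order."""
    return sorted(table, key=priority_key)


# CVSS 3.1 temporal metric weights (Exploit Code Maturity, Remediation Level,
# Report Confidence); X = not defined.
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(value: float) -> float:
    """CVSS 3.1 Roundup: smallest one-decimal number >= value, using the
    integer arithmetic from the specification to avoid float artefacts."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base: float, e: str, rl: str, rc: str) -> float:
    """CVSS 3.1 temporal score = Roundup(Base * E * RL * RC)."""
    return roundup(base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


if __name__ == "__main__":
    for adv in prioritize(TABLE):
        print(f"{adv.status:<4} {adv.severity} {adv.cve}  {adv.title}")
    # Illustrative temporal vectors for CVE-2023-36802 (base 7.8): exploited in the
    # wild (E:H), confirmed (RC:C); the only thing that changes is the fix state.
    print("36802, no fix yet (RL:U):", temporal_score(7.8, "H", "U", "C"))
    print("36802, fix shipped (RL:O):", temporal_score(7.8, "H", "O", "C"))
```

Running it lists the two exploited zero-days first, then CVE-2023-38148 as the only Critical with exploitation more likely, and the four Critical/ELL entries last. The temporal lines show why the window matters: once an official fix exists the score drops (7.8 to 7.5), but only for hosts that have actually applied it, which is the gap an attacker with a working exploit is counting on.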

Summary

Ensure that you maintain consistent patching procedures for assessment, testing, and deployment into your production environments. If your approach has traditionally centered on severity alone, expand it: give priority handling to patches for zero-days, vulnerabilities with exploitation detected, and those rated exploitation more likely in your patch management routine.

If you're looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews, check out the patching section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
