Patch Tuesday June 2023: No Zero-Days or Actively Exploited Vulnerabilities, But Exchange is in the Crosshairs
 
                  
Last month’s Patch Tuesday (May 2023) brought fixes for only 38 vulnerabilities. Such a small number gave some the sense that it was the ‘calm before the storm’, with June likely to bring some surprises. June’s Patch Tuesday has indeed brought a surprise: no zero-days and no vulnerabilities under active exploitation.
A total of 78 vulnerabilities were addressed this month, and that number is more in line with the typical number of vulnerabilities that receive fixes from Microsoft. The lack of any zero-days or Actively Exploited Vulnerabilities might provide an initial feeling of relief, but there are some notable vulnerabilities waiting in the wings that are marked as Exploitation More Likely, with Exchange in the crosshairs of two vulnerabilities that could be as impactful as last year’s ProxyNotShell once attackers start leveraging them.
Microsoft Vulnerabilities
Microsoft has released updates to address 78 vulnerabilities with six of those marked Critical and 11 as Exploitation More Likely. Without any headline vulnerabilities under active exploitation, this month’s focus gets to shift to vulnerabilities that are considered more likely to be exploited—and that’s good because there are some that should be on everyone’s priority list.
Microsoft Exchange Server vulnerabilities—CVE-2023-32031 and CVE-2023-28310
Microsoft Exchange admins will want to be quick about getting fixes in place to contend with these two vulnerabilities. CVE-2023-32031 and CVE-2023-28310 are both Microsoft Exchange Server Remote Code Execution vulnerabilities. While they require an authenticated user to exploit, they are exploitable by an attacker on the same network, so just isolating an Exchange Server from the internet isn’t going to be a sufficient mitigation. An attacker exploiting either of these vulnerabilities will be able to run code on the target Exchange Server. It’s a good idea to start testing the security updates that address these vulnerabilities this week and get them in production ASAP.
CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363
If any of the vulnerabilities from this month were going to induce nightmare scenarios for defenders, this trio may be it. CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363 all carry CVSS scores of 9.8, can be exploited remotely, and require no user interaction. They are prime candidates for being leveraged by threat actors to move laterally within an environment once proof of concept attacks are developed. These vulnerabilities apply to Windows Pragmatic General Multicast, which is a widely available component that might not be part of the usual rogues' gallery of Windows services with vulnerabilities. However, their potential to be in almost any environment, just silently existing without anyone really paying much attention on the defender side, means they might fly under the radar of some defenders. If updates with fixes for these vulnerabilities can’t be implemented in your environment, Microsoft’s recommended mitigation is to disable the Windows Pragmatic General Multicast component.
CVE-2023-29357
This vulnerability also carries a CVSS score of 9.8 and gives an attacker the ability to gain administrator privileges, allowing the attacker to execute follow-up actions such as data exfiltration, ransomware payload delivery, data destruction, or any number of other malicious actions. While CVE-2023-29357 has the potential to be part of a devastating attack on a business since it is a Microsoft SharePoint Server vulnerability, the small deployment base will keep this from being exploited as widely as the other notable vulnerabilities from this month.
Microsoft 365 and Click to Run
As a reminder and review from previous months' Microsoft Patch Tuesday coverage, modern Microsoft 365 apps leverage a different update mechanism than older versions of Microsoft Office. Make sure you review your patching tools and processes to ensure M365 Apps have a defined update process in place. We have an automation item available in the Automation Cookbook for N‑sight and N‑central partners to update and check Microsoft 365 versions; it leverages Microsoft’s Click to Run executable, which is included in all installs of M365 apps.
- Download Microsoft 365 Update with Version Check for N‑sight
- Download Microsoft 365 Update with Version Check for N‑central
Microsoft Patch Tuesday Vulnerability Prioritization
As always, prioritizing which vulnerabilities to address first is partly a matter of following established best practices and partly a little bit of gut instinct. Critical severity, Exploitation More Likely, and Exploitation Detected vulnerabilities should, as always, rank fairly high on the priority list. If you only patch based on severity, you are leaving a lot of unnecessary risk exposure lying around.
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available
| CVE Number | CVE Title | Severity | Status |
|---|---|---|---|
| | Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML |
| | Windows GDI Elevation of Privilege Vulnerability | I | EML |
| | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | I | EML |
| | Windows TPM Device Driver Elevation of Privilege Vulnerability | I | EML |
| | GDI Elevation of Privilege Vulnerability | I | EML |
| | Windows GDI Elevation of Privilege Vulnerability | I | EML |
| | Microsoft SharePoint Server Elevation of Privilege Vulnerability | C | EML |
| | Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML |
| | Microsoft Excel Spoofing Vulnerability | I | EML |
| | Netlogon RPC Elevation of Privilege Vulnerability | I | EML |
| | Windows Kerberos Elevation of Privilege Vulnerability | C | EML |
| | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | C | EML |
| | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | C | EML |
| | Windows Hyper-V Denial of Service Vulnerability | C | ELL |
| | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | C | ELL |
| | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | C | ELL |
Summary
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.
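The contrast drawn in the prioritization section and in the summary, as an added example (not N‑able's or Microsoft's code): it ranks a subset of the table's rows once by severity alone and once by exploitability status first, then lists the Exploitation More Likely items that a severity-only queue pushes behind Exploitation Less Likely ones. The numeric rank orderings are assumptions of this example.

```python
# Added example: rows are copied from the article's table (titles only; the
# CVE numbers are missing from the table on the page, so none are used here).
ROWS = """\
Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML
Microsoft SharePoint Server Elevation of Privilege Vulnerability | C | EML
Windows Kerberos Elevation of Privilege Vulnerability | C | EML
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | C | EML
Windows Hyper-V Denial of Service Vulnerability | C | ELL
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | C | ELL
.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | C | ELL
Netlogon RPC Elevation of Privilege Vulnerability | I | EML
"""

# Lower rank = patch sooner. These orderings are an assumption of this
# example, built from the codes in the article's table key.
SEVERITY = {"C": 0, "I": 1, "M": 2, "R": 3}
STATUS = {"ED": 0, "EML": 1, "ELL": 2, "N/A": 3}

def parse(text):
    """Turn 'title | severity | status' lines into dicts, rejecting unknown codes."""
    items = []
    for line in text.splitlines():
        if not line.strip():
            continue
        title, sev, status = (p.strip() for p in line.rsplit("|", 2))
        if sev not in SEVERITY or status not in STATUS:
            raise ValueError(f"unknown code in row: {line!r}")
        items.append({"title": title, "sev": sev, "status": status})
    return items

def by_severity(items):
    return sorted(items, key=lambda i: SEVERITY[i["sev"]])

def by_exploitability(items):
    return sorted(items, key=lambda i: (STATUS[i["status"]], SEVERITY[i["sev"]]))

def deferred_by_severity_only(items):
    """ED/EML items that a severity-only queue places behind an ELL or N/A item."""
    queue = by_severity(items)
    first_less_likely = next(
        (n for n, i in enumerate(queue) if STATUS[i["status"]] >= STATUS["ELL"]),
        len(queue))
    return [i["title"] for i in queue[first_less_likely:]
            if STATUS[i["status"]] <= STATUS["EML"]]

if __name__ == "__main__":
    for i in by_exploitability(parse(ROWS)):
        print(f'{i["status"]:>3} {i["sev"]} {i["title"]}')
    print("Pushed back by severity-only:", deferred_by_severity_only(parse(ROWS)))
```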
Looking for more blogs on patching or for previous Microsoft Patch Tuesday Reviews? Check out this section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
