On 14 November 2023, Microsoft published their November Security Update with patches for 63 vulnerabilities. Among these vulnerabilities, Arctic Wolf has highlighted five in this bulletin that were either categorised as critical-severity or actively exploited before a patch was released. Three of these vulnerabilities are being actively exploited in the wild.
Impacted Product: Windows

Impacted Versions:
- Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition
- Windows 10, Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 21H2, Windows 11 Version 22H2, Windows 11 Version 23H2
Vulnerabilities Impacting Windows:

| CVE | CVSS | Exploitation Status | Description |
|---|---|---|---|
| CVE-2023-36025 | 8.8 – High | Actively Exploited | Security Feature Bypass Vulnerability – Allows a threat actor to bypass Windows Defender SmartScreen checks and their associated prompts. To exploit it, a threat actor would need to social engineer a victim into clicking a specially crafted Internet Shortcut (.URL) file or a hyperlink pointing to a compromised Internet Shortcut file. |
| CVE-2023-36033 | 7.8 – High | Actively Exploited | Elevation of Privilege Vulnerability – If successfully exploited, a threat actor could obtain SYSTEM privileges on the vulnerable system. |
| CVE-2023-36036 | 7.8 – High | Actively Exploited | Elevation of Privilege Vulnerability – If successfully exploited, a threat actor could obtain SYSTEM privileges on the vulnerable system. |
| CVE-2023-36028 | 9.8 – Critical | Not Actively Exploited | Remote Code Execution Vulnerability – An unauthenticated threat actor could obtain remote code execution by sending specially crafted Protected Extensible Authentication Protocol (PEAP) packets over the network. Exploitation is less likely. Note: Only exploitable if PEAP is configured as an allowed EAP type in an organisation’s network policy. |
| CVE-2023-36397 | 9.8 – Critical | Not Actively Exploited | Remote Code Execution Vulnerability – An unauthenticated threat actor could obtain remote code execution by sending a specially crafted file over the network when the Windows Message Queuing service is running in a PGM Server environment. Exploitation is less likely. Note: The Windows Message Queuing service must be enabled for a system to be exploitable. |
Recommendations for CVE-2023-36397 & CVE-2023-36028
Recommendation: Apply Security Updates to Impacted Products
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation of these vulnerabilities.
Note: Please follow your organisation’s patching and testing guidelines to avoid any operational impact.
| Product | CVE | Update |
|---|---|---|
| Windows Server 2022, 23H2 Edition | CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032202 |
| Windows Server 2022 | CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032198 |
| Windows Server 2019 | CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032196 |
| Windows Server 2016 | CVE-2023-36025, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032197 |
| Windows Server 2012 R2 | CVE-2023-36025, CVE-2023-36036, CVE-2023-36397 | KB5032249 |
| Windows Server 2012 | CVE-2023-36025, CVE-2023-36036, CVE-2023-36397 | KB5032247 |
| Windows Server 2008 Service Pack 2 | CVE-2023-36025, CVE-2023-36036, CVE-2023-36397 | Monthly: KB5032254; Security: KB5032248 |
| Windows Server 2008 R2 Service Pack 1 | CVE-2023-36025, CVE-2023-36036, CVE-2023-36397 | Monthly: KB5032252; Security: KB5032250 |
| Windows 11 Version 21H2 | CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032192 |
| Windows 11 Version 23H2 | CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032190 |
| Windows 11 Version 22H2 | CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032190 |
| Windows 10 | CVE-2023-36025, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032199 |
| Windows 10 Version 22H2 | CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032189 |
| Windows 10 Version 21H2 | CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032189 |
| Windows 10 Version 1809 | CVE-2023-36025, CVE-2023-36033, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032196 |
| Windows 10 Version 1607 | CVE-2023-36025, CVE-2023-36036, CVE-2023-36028, CVE-2023-36397 | KB5032197 |
Workarounds
Workaround #1: Adjust Network Policy to Stop Using PEAP
CVE-2023-36028 is only exploitable if PEAP is configured as an allowed EAP type in an organisation’s network policy. Consider adjusting the network policy to stop using PEAP. Microsoft PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP.
Microsoft recommends reviewing the following documents to configure the policy: Configure the New Wireless Network Policy and Configure Network Policies.
Workaround #2: Disable Message Queuing Service if not Required
A system is only vulnerable to CVE-2023-36397 if the Message Queuing (MSMQ) service is enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.
Note: You can check by looking for a service running named “Message Queuing” and for TCP port 1801 listening on the system.
If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources.
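The following PowerShell script is an added example, not part of the Arctic Wolf bulletin, that performs the two checks named in the note (a service named "Message Queuing" and a listener on TCP port 1801) and, only when run with `-Remediate`, applies one of the two workarounds. It assumes the service's short name is `MSMQ`, that it runs elevated, and that a broad inbound block on port 1801 is acceptable; the firewall rule name is a label chosen for this example, and `-RemoteAddress` can be added to the rule if only specific sources should be blocked.

```powershell
# Added example: audit and optionally remediate the CVE-2023-36397 MSMQ exposure.
# Assumes the service short name is MSMQ and that the script runs as an administrator.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,             # without this, the script only reports
    [switch]$KeepServiceBlockPort   # with -Remediate: block TCP 1801 instead of disabling MSMQ
)

$svc      = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

$status  = if ($svc) { $svc.Status.ToString() }    else { 'n/a' }
$startup = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
$exposed = [bool]($svc -and $svc.Status -eq 'Running')

$state = [pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    ServicePresent = [bool]$svc
    ServiceStatus  = $status
    StartupType    = $startup
    Port1801Listen = [bool]$listener
    Exposed        = $exposed
}
$state

if (-not $Remediate -or -not $exposed) { return }

if ($KeepServiceBlockPort) {
    # Workaround variant for hosts that must keep MSMQ: block inbound TCP 1801.
    # Narrow with -RemoteAddress if some peers must still reach the service.
    if ($PSCmdlet.ShouldProcess('TCP 1801', 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName 'Block inbound MSMQ TCP 1801 (CVE-2023-36397 workaround)' `
            -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block -Profile Any | Out-Null
    }
} else {
    # Preferred workaround where the service is not needed: stop it and prevent restarts.
    if ($PSCmdlet.ShouldProcess('MSMQ', 'Stop and disable service')) {
        Stop-Service -Name MSMQ -Force
        Set-Service  -Name MSMQ -StartupType Disabled
    }
}
```

Run it without switches first to inventory exposure across hosts; `-Remediate -WhatIf` shows which action would be taken on each host before anything is changed.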