CVE-2023-36397 & CVE-2023-36028: Top the list of Microsoft’s November 2023 Patch Tuesday

Share :

On 14 November 2023, Microsoft published their November Security Update with patches for 63 vulnerabilities. Among these vulnerabilities, Arctic Wolf has highlighted five in this bulletin that were either categorised as critical-severity or actively exploited before a patch was released. Three of these vulnerabilities are being actively exploited in the wild. 

Impacted Product: Windows 

Impacted Versions 
Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition 
Windows 10, Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 21H2, Windows 11 Version 22H2, Windows 11 Version 23H2 

Vulnerabilities Impacting Windows:  

CVE-2023-36025  CVSS: 8.8 – High  Actively Exploited 
Security Feature Bypass Vulnerability – The vulnerability allows for a threat actor to bypass Windows Defender SmartSceen check and their associated prompts. To successfully exploit this vulnerability a threat actor would need to social engineer a victim into clicking a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to a compromised Internet Shortcut file.  

 

CVE-2023-36033  CVSS: 7.8 – High  Actively Exploited 
Elevation of Privilege Vulnerability – If successfully exploited, a threat actor could obtain SYSTEM privileges on the vulnerable system. 

 

CVE-2023-36036  CVSS: 7.8 – High  Actively Exploited 
Elevation of Privilege Vulnerability – If successfully exploited, a threat actor could obtain SYSTEM privileges on the vulnerable system. 

 

CVE-2023-36028  CVSS: 9.8 – Critical  Not Actively Exploited 
Remote Code Execution Vulnerability – An unauthenticated threat actor could successfully exploit this vulnerability and obtain remote code execution by sending specially crafted malicious Protected Extensible Authentication Protocol (PEAP) packets over the network. Exploitation is less likely. 

Note: Exploitable if PEAP is configured as an allowed EAP type in an organisation’s network policy. 

 

CVE-2023-36397  CVSS: 9.8 – Critical  Not Actively Exploited 
Remote Code Execution Vulnerability – An unauthenticated threat actor could successfully exploit this vulnerability and obtain remote code execution by sending a specially crafted file over the network when the Windows message queuing service is running in a PGM Server environment. Exploitation is less likely 

Note: The Windows message queuing service must be enabled for a system to be exploitable. 

Recommendations for CVE-2023-36397 & CVE-2023-36028

Recommendation: Apply Security Updates to Impacted Products 

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation of these vulnerabilities.  

Note: Please follow your organisation’s patching and testing guidelines to avoid any operational impact. 

Product  CVE  Update 
Windows Server 2022, 23H2 Edition  CVE-2023-36025 

CVE-2023-36033 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032202 
Windows Server 2022  CVE-2023-36025 

CVE-2023-36033 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032198 
Windows Server 2019  CVE-2023-36025 

CVE-2023-36033 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032196 
Windows Server 2016  CVE-2023-36025 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032197 
Windows Server 2012 R2  CVE-2023-36025 

CVE-2023-36036 

CVE-2023-36397 

KB5032249 
Windows Server 2012  CVE-2023-36025 

CVE-2023-36036 

CVE-2023-36397 

KB5032247 
Windows Server 2008 Service Pack 2  CVE-2023-36025 

CVE-2023-36036 

CVE-2023-36397 

Monthly: KB5032254 

Security: KB5032248 

Windows Server 2008 R2 Service Pack 1  CVE-2023-36025 

CVE-2023-36036 

CVE-2023-36397 

Monthly: KB5032252 

Security: KB5032250 

Windows 11 Version 21H2  CVE-2023-36025 

CVE-2023-36033 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032192 
Windows 11 Version 23H2  CVE-2023-36025 

CVE-2023-36033 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032190 
Windows 11 Version 22H2  CVE-2023-36025 

CVE-2023-36033 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032190 
Windows 10  CVE-2023-36025 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032199 
Windows 10 Version 22H2  CVE-2023-36025 

CVE-2023-36033 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032189 
Windows 10 Version 21H2  CVE-2023-36025 

CVE-2023-36033 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032189 
Windows 10 Version 1809  CVE-2023-36025 

CVE-2023-36033 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032196 
Windows 10 Version 1607  CVE-2023-36025 

CVE-2023-36036 

CVE-2023-36028 

CVE-2023-36397 

KB5032197 

Workarounds 

Workaround #1: Adjust Network Policy to Stop Using PEAP 

CVE-2023-36028 is only exploitable if PEAP is configured as an allowed EAP type in an organization’s network policy. Consider adjusting the network policy to stop using PEAP. Microsoft PEAP is only negotiated with the client if NPS is running on the Windows Server and has a network policy configured that allows PEAP. 

Microsoft recommends reviewing the following documents to configure the policy: Configure the New Wireless Network Policy and Configure Network Policies. 

Workaround #2: Disable Message Queuing Service if not Required 

To be vulnerable, CVE-2023-36397 requires the Message Queuing (MSMQ) service to be enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation. 

Note: You can check by looking for a service running named “Message Queuing” and for TCP port 1801 listening on the system. 

If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources. 

References 

Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents
Categories