Multiple Critical & Actively Exploited Vulnerabilities Patched in Microsoft’s July 2023 Patch Tuesday

Share :

On 11 July 2023, Microsoft published their July 2023 Security Update with patches for 130 vulnerabilities and 2 advisories, with 6 of these being actively exploited in the wild.

Windows

Impacted Products
Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Windows 10, Windows 10 Version 22H2, Windows 11 Version 22H2, Windows 10 Version 21H2, Windows 11 Version 21H2, Windows 10 Version 1809

 

CVE-2023-32057 (CVSS 9.8 – Critical): Microsoft Message Queuing Remote Code Execution Vulnerability – A threat actor could successfully exploit this vulnerability and achieve remote code execution on the server side by sending a specially crafted malicious Message Queuing Service (MSMQ) packet to a MSMQ server.

CVE-2023-35365, CVE-2023-35366, CVE-2023-35367 (CVSS 9.8 – Critical): Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability – A threat actor could successfully exploit these vulnerabilities and achieve remote code execution by sending specially crafted packets to a server configured with the Routing and Remote Access Service running.

CVE-2023-32046 (CVSS 7.8 – High): Windows MSHTML Platform Elevation of Privilege Vulnerability – To exploit this vulnerability, a threat actor needs the user to open a malicious file that has been delivered to them via email or a compromised website. Successful execution of this vulnerability results in the threat actor gaining the privileges of the user who opened the malicious file.

  • Note: This vulnerability is being actively exploited.

CVE-2023-32049 (CVSS 8.8 – High): Windows SmartScreen Security Feature Bypass Vulnerability – Exploitation requires the user to click on a specially crafted URL and results in the threat actor being able to bypass the Open File – Security Warning prompt.

  • Note: This vulnerability is being actively exploited.

CVE-2023-36874 (CVSS 7.8 – High): Windows Error Reporting Service Elevation of Privilege Vulnerability – A threat actor with local access to the target machine with restricted, normal user privileges can exploit this vulnerability to gain administrator privileges on the machine.

  • Note: This vulnerability is being actively exploited.

CVE-2023-36884 (CVSS 8.3 – High): Office and Windows HTML Remote Code Execution Vulnerability – A publicly disclosed and unpatched vulnerability involves threat actors convincing a user to open a malicious Microsoft Office document to enable remote code execution.

  • Note: This vulnerability is being actively exploited. Microsoft has observed the threat actor tracked as Storm-0978 exploiting this vulnerability in a phishing campaign targeting defense and government entities in Europe and North America.

ADV230001: Guidance on Microsoft Signed Drivers Being Used Maliciously – Threat actors who had already gained administrator privileges on compromised systems were using drivers certified with Microsoft’s Windows Hardware Developer Program (MWHDP) in post exploitation activity. Microsoft has revoked the code-signing certificates and developer accounts associated with this activity.

  • Note: This flaw is being actively exploited.

Microsoft Office

Impacted Products
Microsoft Word 2013 RT Service Pack 1, Microsoft Word 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Office 2019

 

CVE-2023-33150 (CVSS 9.6 – Critical): Microsoft Outlook Security Feature Bypass Vulnerability – To exploit this vulnerability, a threat actor would require a user to open a malicious file that has been delivered to them via email or a malicious or compromised website and click through Office Security Prompt(s). As a result, the threat actor can escape the Office Protected View.

CVE-2023-35311 (CVSS 8.8 – High): Microsoft Outlook Security Feature Bypass Vulnerability – Exploitation requires the user to click on a specially crafted URL and results in the threat actor being able to bypass the Microsoft Outlook Security Notice prompt.

  • Note: This vulnerability is being actively exploited.

CVE-2023-36884 (CVSS 8.3 – High): Office and Windows HTML Remote Code Execution Vulnerability – A publicly disclosed and unpatched vulnerability involves threat actors convincing a user to open a malicious Microsoft Office document to enable remote code execution.

  • Note: This vulnerability also impacts Microsoft Windows products.

Recommendations

Recommendation #1: Apply Security Updates to Impacted Products

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation. For those vulnerable to CVE-2023-32046, Microsoft recommends customers who install Security Only updates install the IE Cumulative updates for this vulnerability.

Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.

Product CVE Update
Windows Server 2012 R2 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001

Monthly Rollup: 5028228

Security Only: 5028223

IE Cumulative: 5028167

Windows Server 2012 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001

Monthly Rollup: 5028232

Security Only: 5028233

IE Cumulative: 5028167

Windows Server 2008 R2 Service Pack 1 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001

Monthly Rollup: 5028240

Security Only: 5028224

IE Cumulative: 5028167

Windows Server 2008 Service Pack 2 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001

Monthly Rollup: 5028222

Security Only: 5028226

IE Cumulative: 5028167

Windows Server 2016 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001 Security Update: 5028169
Windows 10 Version 1607 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001 Security Update: 5028169
Windows 10 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001 Security Update: 5028186
Windows 10 Version 22H2 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001 Security Update: 5028166
Windows 11 Version 22H2 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001 Security Update: 5028185
Windows 10 Version 21H2 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001 Security Update: 5028166
Windows 11 version 21H2 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001 Security Update: 5028182
Windows Server 2022 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001 Security Update: 5028171
Windows Server 2019 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001 Security Update: 5028168
Windows 10 Version 1809 CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001 Security Update: 5028168
Microsoft Word 2013 RT Service Pack 1 (64-Bit) CVE-2023-33150, CVE-2023-35311 Security Update: 5002411
Microsoft Word 2013 RT Service Pack 1 (32-Bit) CVE-2023-33150, CVE-2023-35311 Security Update: 5002411
Microsoft Word 2016 (64-Bit) CVE-2023-33150, CVE-2023-35311 Security Update: 5002406
Microsoft Word 2016 (32-Bit) CVE-2023-33150, CVE-2023-35311 Security Update: 5002406
Microsoft Office LTSC 2021 CVE-2023-33150, CVE-2023-35311 Security Update: Release notes
Microsoft 365 Apps for Enterprise CVE-2023-33150, CVE-2023-35311 Security Update: Release notes
Microsoft Office 2019 CVE-2023-33150, CVE-2023-35311 Security Update: Release notes

 

Recommendation #2: Disable Message Queuing Service (MSMQ) if not Required

To be vulnerable, CVE-2023-32057 requires Message Queuing (MSMQ) service to be enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.

Note: You can check by looking for a service running named “Message Queuing” and for TCP port 1801 listening on the system.

If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources.

Recommendation #3: Disable the Routing and Remote Access Service (RRAS) role if not Required

To be vulnerable, CVE-2023-35367 requires the Routing and Remote Access Service (RRAS) role to be enabled, which is not installed by default. Consider disabling RRAS if the service is not required in your environment to prevent exploitation.

References

Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security and holds a bachelor’s degree in Cybersecurity Engineering.
Share :
Table of Contents
Categories