On August 8th, 2023, Microsoft published their August 2023 Security Update with patches for 74 vulnerabilities and 2 advisories. Among these vulnerabilities and advisories, Arctic Wolf has highlighted 3 in this bulletin that were categorized as critical and 1 that is being actively exploited in the wild.
Impacted Product #1: Microsoft Office
- Microsoft Word 2013 Service Pack 1, Microsoft Word 2013 RT Service Pack 1, Microsoft Word 2016
- Microsoft Visio 2013 Service Pack 1, Microsoft Visio 2016
- Microsoft Publisher 2013 Service Pack 1, Microsoft Publisher 2013 Service Pack 1 RT, Microsoft Publisher 2016
- Microsoft Project 2013 Service Pack 1, Microsoft Project 2016
- Microsoft PowerPoint 2013 Service Pack 1, Microsoft PowerPoint 2013 RT Service Pack 1, Microsoft PowerPoint 2016
- Microsoft Office 2013 Service Pack 1, Microsoft Office 2013 RT Service Pack 1, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021
- Microsoft Excel 2013 Service Pack 1, Microsoft Excel 2013 RT Service Pack 1, Microsoft Excel 2016
- Microsoft 365 Apps for Enterprise
Advisory Regarding Microsoft Office:
Advisory | Severity | Exploitation Status | Description |
ADV230003 | Moderate Severity | Actively Exploited | Microsoft Office Defense in Depth Update – This update is related to CVE-2023-36884, Windows Search security feature bypass vulnerability, which was issued in Microsoft’s July 2023 Patch Tuesday. Installing this update stops the attack chain leading up to this CVE. |
Impacted Product #2: Windows
- Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
- Windows 10, Windows 10 Version 1607, Windows 10 Version 1809, Windows 10 Version 21H2, Windows 10 Version 22H2, Windows 11 Version 21H2, Windows 11 Version 22H2
Vulnerabilities Impacting Windows:
Vulnerability | CVSS | Exploitation Status | Description |
CVE-2023-35385, CVE-2023-36911 | CVSS: 9.8 – Critical | Not actively exploited | Microsoft Message Queuing Remote Code Execution Vulnerability – An unauthenticated threat actor could successfully exploit this vulnerability and achieve remote code execution on a target server. |
CVE-2023-36910 | CVSS: 9.8 – Critical | Not actively exploited | Microsoft Message Queuing Remote Code Execution Vulnerability – A threat actor could successfully exploit this vulnerability and achieve remote code execution on the server side by sending a specially crafted malicious Message Queuing Service (MSMQ) packet to an MSMQ server. |
Recommendations
Recommendation #1: Apply Security Updates to Impacted Products
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation. Regarding the actively exploited CVE-2023-36884, Microsoft recommends installing the Office updates discussed in ADV230003 as well as installing the Windows updates from August 2023.
Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.
Product | Vulnerability | Update |
Windows Server 2012 R2 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Monthly Rollup: 5029312; Security Only: 5029304 |
Windows Server 2012 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Monthly Rollup: 5029295; Security Only: 5029308 |
Windows Server 2008 R2 Service Pack 1 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Monthly Rollup: 5029296; Security Only: 5029307 |
Windows Server 2008 Service Pack 2 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Monthly Rollup: 5029318; Security Only: 5029301 |
Windows Server 2016 & Windows 10 Version 1607 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Security Update: 5029242 |
Windows 10 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Security Update: 5029259 |
Windows 10 Version 22H2 & Windows 10 Version 21H2 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Security Update: 5029244 |
Windows 11 Version 22H2 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Security Update: 5029263 |
Windows 11 Version 21H2 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Security Update: 5029253 |
Windows Server 2022 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Security Update: 5029250; Hotpatch Update: 5029367 |
Windows Server 2019 & Windows 10 Version 1809 | CVE-2023-35385, CVE-2023-36910, CVE-2023-36911 | Security Update: 5029247 |
Microsoft Word 2013 Service Pack 1 | ADV230003 | Security Update: 5002445 |
Microsoft Publisher 2013 Service Pack 1 | ADV230003 | Security Update: 5002391 |
Microsoft Office 2013 Service Pack 1 | ADV230003 | Security Update: 5002439 |
Microsoft Excel 2013 Service Pack 1 | ADV230003 | Security Update: 5002451 |
Microsoft Project 2016 | ADV230003 | Security Update: 5002328 |
Microsoft Publisher 2016 | ADV230003 | Security Update: 5002462 |
Microsoft Word 2016 | ADV230003 | Security Update: 5002464 |
Microsoft Visio 2016 | ADV230003 | Security Update: 5002418 |
Microsoft PowerPoint 2016 | ADV230003 | Security Update: 4504720 |
Microsoft Office 2016 | ADV230003 | Security Update: 5002465 |
Microsoft Excel 2016 | ADV230003 | Security Update: 5002463 |
Microsoft Visio 2013 Service Pack 1 | ADV230003 | Security Update: 5002417 |
Microsoft PowerPoint 2013 Service Pack 1 | ADV230003 | Security Update: 5002399 |
Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Office 2019 | ADV230003 | Security Update: Release Notes |
Microsoft Project 2013 Service Pack 1 | ADV230003 | Security Update: 4484489 |
Recommendation #2: Disable Message Queuing Service (MSMQ) if not Required
To be vulnerable, CVE-2023-35385, CVE-2023-36911 and CVE-2023-36910 all require the Message Queuing (MSMQ) service to be enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.
Note: You can check by looking for a service running named “Message Queuing” and for TCP port 1801 listening on the system.
If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources.
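The check and the two mitigations described above, as an added PowerShell example that is not part of the Arctic Wolf bulletin. It relies only on built-in cmdlets (Get-Service, Get-NetTCPConnection, Set-Service, New-NetFirewallRule); the service name MSMQ (display name "Message Queuing") is the standard Windows name, while the firewall rule display name and the -Remediate switch are this example's own choices. Without -Remediate it only reports; with it, it disables the service and adds a host firewall rule blocking all inbound TCP 1801, which is stricter than the bulletin's "from suspicious sources" and can be narrowed with -RemoteAddress.

```powershell
# Added example (not from the Arctic Wolf bulletin): audit, and optionally
# remediate, MSMQ exposure on a single Windows host. Run from an elevated
# PowerShell session. The -Remediate switch is this script's own convention.
param(
    [switch]$Remediate
)

# 1. Is the Message Queuing service installed, and is it running?
#    Service name "MSMQ" corresponds to the display name "Message Queuing".
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'MSMQ service is not installed; CVE-2023-35385/36910/36911 do not apply to this host.'
    return
}
Write-Output ("MSMQ service: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)

# 2. Is anything listening on TCP 1801, the MSMQ port named in the bulletin?
$listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("TCP 1801 LISTEN on {0} by PID {1} ({2})" -f $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Output 'No listener on TCP 1801.'
}

if (-not $Remediate) {
    Write-Output 'Report only. Re-run with -Remediate to disable MSMQ and block TCP 1801.'
    return
}

# 3a. Preferred mitigation: stop the service and prevent it from starting again.
#     On Windows Server the feature can also be removed entirely with
#     Uninstall-WindowsFeature -Name MSMQ (ServerManager module).
Stop-Service -Name 'MSMQ' -Force
Set-Service -Name 'MSMQ' -StartupType Disabled
Write-Output 'MSMQ service stopped and startup type set to Disabled.'

# 3b. Defence in depth: block inbound TCP 1801 at the host firewall so that a
#     re-enabled service is still unreachable. Add -RemoteAddress to scope the
#     rule to specific sources if a blanket block is not acceptable.
$ruleName = 'Block inbound MSMQ (TCP 1801)'   # rule name chosen for this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 1801 -Action Block -Profile Any | Out-Null
    Write-Output "Firewall rule '$ruleName' created."
} else {
    Write-Output "Firewall rule '$ruleName' already exists."
}
```

Run it once without -Remediate across the fleet to inventory hosts that actually have MSMQ installed and listening; only those need either the patch or the service disabled, and the report output gives the evidence for the change ticket that Recommendation #1's change-management note calls for.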
References
- Microsoft Vulnerability Advisories:
  - ADV230003
  - CVE-2023-35385
  - CVE-2023-36911
  - CVE-2023-36910