On October 10, 2023, Microsoft published their October 2023 Security Update including patches for 104 vulnerabilities. Among these vulnerabilities, Arctic Wolf has highlighted two with a critical CVSS of 9.8 and three that are actively exploited.
Impacted Product #1: Windows
| Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008, Windows Server 2008 R2 |
| Windows 11 Version 22H2, Windows 11 Version 21H2, Windows 10, Windows 10 Version 1607, Windows 10 Version 22H2, Windows 10 Version 21H2, Windows 10 Version 1809 |
Vulnerabilities Impacting Windows:
| CVE-2023-35349 | CVSS 9.8 – Critical | Exploitation Less Likely |
| Microsoft Message Queuing Remote Code Execution Vulnerability – A remote, unauthenticated threat actor could exploit this vulnerability to achieve RCE on a target with the Windows message queuing service enabled. | ||
| CVE-2023-36434 | CVSS 9.8 – Critical | Exploitation Less Likely |
| Windows IIS Server Elevation of Privilege Vulnerability – In a bruteforcing attack, a threat actor could log into a user’s account and gain their privileges if successfully exploited. | ||
| CVE-2023-36563 | CVSS 6.5 – Medium | Exploitation Detected |
| Microsoft WordPad Information Disclosure Vulnerability – Successful exploitation could result in NTLM hashes being disclosed. In order to exploit this vulnerability either a threat actor logged into the system would need to run a specially crafted application or convince a user to open a malicious file via phishing. | ||
Impacted Product #2: Skype for Business
Skype for Business Server 2019 CU7, Skype for Business Server 2015 CU13
Vulnerabilities Impacting Skype for Business:
| CVE-2023-41763 | CVSS 5.3 – Medium | Exploitation Detected |
| Skype for Business Elevation of Privilege Vulnerability – A threat actor could craft a malicious network call to a Skype for Business server which could disclose IP addresses and/or ports to the threat actor. This vulnerability was labeled elevation of privilege as the information disclosed in this vulnerability could lead to the threat actor gaining access to internal networks. | ||
Impacted Product #3: Microsoft .NET Framework and Microsoft Visual Studio
| Microsoft Visual Studio 2022 version 17.2, 17.4, 17.6, 17.7 |
| .NET 6.0, 7.0 |
| ASP.NET Core 6.0, 7.0 |
Vulnerabilities Impacting Microsoft .NET and Microsoft Visual Studio:
| CVE-2023-44487 | CVSS 7.5 – High | Exploitation Detected |
| A vulnerability exists within the HTTP/2 protocol which could allow threat actors to perform a DDoS attack via HTTP/2’s stream cancellation feature which can be abused to repeatedly send and cancel requests to overwhelm a server. | ||
Recommendations for CVE-2023-35349 & CVE-2023-36434
Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.
Note: Please follow your organization’s patching and testing guidelines to avoid any operational impact.
| Product | CVE | Update |
| Windows Server 2012 R2 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563 | Monthly Rollup: 5031419 Security Only: 5031407 |
| Windows Server 2012 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563 | Monthly Rollup: 5031442 Security Only: 5031427 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563 | Monthly Rollup: 5031408 Security Only: 5031441 |
| Windows Server 2008 for Service Pack 2 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563 | Monthly Rollup: 5031416 Security Only: 5031411 |
| Windows Server 2016 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487 | Security Update: 5031362 |
| Windows 10 Version 1607 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487 | Security Update: 5031362 |
| Windows 10 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563 | Security Update: 5031377 |
| Windows 10 Version 22H2 and 21H2 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487 | Security Update: 5031356 |
| Windows 11 Version 22H2 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487 | Security Update: 5031354 |
| Windows 11 version 21H2 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487 | Security Update: 5031358 |
| Windows Server 2022 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487 | Security Update: 5031364 |
| Windows Server 2019 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487 | Security Update: 5031361 |
| Windows 10 Version 1809 | CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487 | Security Update: 5031361 |
| Skype for Business Server 2019 CU7 | CVE-2023-41763 | KB Article: 4470124 |
| Skype for Business Server 2015 CU13 | CVE-2023-41763 | KB Article: 3061064 |
| Microsoft Visual Studio 2022 version 17.2, 17.4, 17.6, 17.7 | CVE-2023-44487 | Security Notes: Release Notes |
| ASP.NET Core 6.0, 7.0 | CVE-2023-44487 | 7.0:
Download .NET 7.0 (Linux, macOS, and Windows) 6.0:
|
| .NET 6.0, 7.0 | CVE-2023-44487 | 7.0:
Download .NET 7.0 (Linux, macOS, and Windows) 6.0:
|
Workarounds
Workaround #1: Disable Message Queuing Service if not Required
To be vulnerable, CVE-2023-35349 requires the Message Queuing (MSMQ) service to be enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.
Note: You can check by looking for a service running named “Message Queuing” and for TCP port 1801 listening on the system.
If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources.
Workaround #2: Disable HTTP/2 Using the Registry Editor
Note: Using the the Registry Editor can create serious errors that could potential require you to reinstall your entire operating system. Use the Registry Editor at your own risk and ensure you create a backup before you make any changes.
Microsoft provided workaround for CVE-2023-44487 (Disabling HTTP/2 via Registry Editor):
- Click Start, click Run, type Regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
- Set DWORD type values EnableHttp2TIs and EnableHttp2Cleartext to one of the following:
- Set to 0 to disable HTTP/2
- Set to 1 to enable HTTP/2
- Exit Registry Editor.
- Restart the computer.
Workaround #3: Include a Protocols Setting to Limit Your Application to HTTP/1.1 for Each Kestrel Endpoint
To mitigate CVE-2023-44487, you can limit your application to HTTP/1.1 by editing appsettings.json for each endpoint as follows:
“Kestrel”: {
“Endpoints”: {
“http”: {
// your existing config
“Protocols”: “Http1”
},
“https”: {
// your existing config
“Protocols”: “Http1”
}
}
}
References
- Microsoft October 2023 Patch Tuesday
- Security Update Guide – Microsoft Security Response Center
- Google blog post on CVE-2023-44487
- Google Cloud mitigated largest DDoS attack, peaking above 398 million rps | Google Cloud Blog
