CVE-2023-35349 & CVE-2023-36434: Two Critical Vulnerabilities Headline Microsoft’s October 2023 Patch Tuesday Post


On October 10, 2023, Microsoft published its October 2023 Security Update, including patches for 104 vulnerabilities. Among these vulnerabilities, Arctic Wolf has highlighted two with a critical CVSS score of 9.8 and three that are actively exploited.

Impacted Product #1: Windows 

Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, Windows Server 2008, Windows Server 2008 R2 
Windows 11 Version 22H2, Windows 11 Version 21H2, Windows 10, Windows 10 Version 1607, Windows 10 Version 22H2, Windows 10 Version 21H2, Windows 10 Version 1809 

 

Vulnerabilities Impacting Windows:  

CVE-2023-35349  CVSS 9.8 – Critical  Exploitation Less Likely 
Microsoft Message Queuing Remote Code Execution Vulnerability – A remote, unauthenticated threat actor could exploit this vulnerability to achieve RCE on a target with the Windows message queuing service enabled. 

 

CVE-2023-36434  CVSS 9.8 – Critical  Exploitation Less Likely 
Windows IIS Server Elevation of Privilege Vulnerability – If successfully exploited through a brute-force attack, a threat actor could log in to a user’s account and gain that user’s privileges.

 

CVE-2023-36563  CVSS 6.5 – Medium  Exploitation Detected 
Microsoft WordPad Information Disclosure Vulnerability – Successful exploitation could result in NTLM hashes being disclosed. To exploit this vulnerability, a threat actor would need either to log in to the system and run a specially crafted application, or to convince a user to open a malicious file via phishing.

Impacted Product #2: Skype for Business 

Skype for Business Server 2019 CU7, Skype for Business Server 2015 CU13 

Vulnerabilities Impacting Skype for Business: 

CVE-2023-41763  CVSS 5.3 – Medium  Exploitation Detected 
Skype for Business Elevation of Privilege Vulnerability – A threat actor could craft a malicious network call to a Skype for Business server which could disclose IP addresses and/or ports to the threat actor. This vulnerability was labeled elevation of privilege as the information disclosed in this vulnerability could lead to the threat actor gaining access to internal networks. 

 

Impacted Product #3: Microsoft .NET Framework and Microsoft Visual Studio 

Microsoft Visual Studio 2022 version 17.2, 17.4, 17.6, 17.7 
.NET 6.0, 7.0 
ASP.NET Core 6.0, 7.0 

 

Vulnerabilities Impacting Microsoft .NET and Microsoft Visual Studio:  

CVE-2023-44487  CVSS 7.5 – High  Exploitation Detected 
A vulnerability exists within the HTTP/2 protocol that could allow threat actors to perform a DDoS attack: HTTP/2’s stream cancellation feature can be abused to repeatedly send and cancel requests, overwhelming a server.

 

Recommendations for CVE-2023-35349 & CVE-2023-36434

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation. 

Note: Please follow your organization’s patching and testing guidelines to avoid any operational impact. 

Product  CVE  Update 
Windows Server 2012 R2  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563  Monthly Rollup: 5031419; Security Only: 5031407
Windows Server 2012  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563  Monthly Rollup: 5031442; Security Only: 5031427
Windows Server 2008 R2 for x64-based Systems Service Pack 1  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563  Monthly Rollup: 5031408; Security Only: 5031441
Windows Server 2008 for Service Pack 2  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563  Monthly Rollup: 5031416; Security Only: 5031411
Windows Server 2016  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487  Security Update: 5031362 
Windows 10 Version 1607  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487  Security Update: 5031362 
Windows 10  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563  Security Update: 5031377 
Windows 10 Version 22H2 and 21H2  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487  Security Update: 5031356 
Windows 11 Version 22H2  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487  Security Update: 5031354 
Windows 11 version 21H2  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487  Security Update: 5031358 
Windows Server 2022  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487  Security Update: 5031364 
Windows Server 2019  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487  Security Update: 5031361 
Windows 10 Version 1809  CVE-2023-35349, CVE-2023-36434, CVE-2023-36563, CVE-2023-44487  Security Update: 5031361 
Skype for Business Server 2019 CU7  CVE-2023-41763  KB Article: 4470124 
Skype for Business Server 2015 CU13  CVE-2023-41763  KB Article: 3061064 
Microsoft Visual Studio 2022 version 17.2, 17.4, 17.6, 17.7  CVE-2023-44487  Security Notes: Release Notes 
ASP.NET Core 6.0, 7.0  CVE-2023-44487  7.0: Download .NET 7.0 (Linux, macOS, and Windows); 6.0: Download .NET 6.0 (Linux, macOS, and Windows)
.NET 6.0, 7.0  CVE-2023-44487  7.0: Download .NET 7.0 (Linux, macOS, and Windows); 6.0: Download .NET 6.0 (Linux, macOS, and Windows)

 

Workarounds  

Workaround #1: Disable Message Queuing Service if not Required 

A system is vulnerable to CVE-2023-35349 only if the Message Queuing (MSMQ) service is enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.

Note: You can check by looking for a running service named “Message Queuing” and for TCP port 1801 listening on the system.

If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources. 
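
The check described in the note above, as an added PowerShell example (not part of the original advisory): it reports the state of the Message Queuing service and any listener on TCP port 1801. The function name Get-MsmqExposure is hypothetical; the example assumes an elevated session and that the service is registered under its usual short name, MSMQ.

```powershell
# Added example: report MSMQ exposure on the local host (run in an elevated session).
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801   # MSMQ TCP port named in the advisory
    )

    # The "Message Queuing" display name corresponds to the service name MSMQ.
    $service = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Listening sockets on the MSMQ port; an empty array when nothing is bound.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    # Resolve the owning process so an unexpected listener on the port is visible.
    $owners = foreach ($l in $listeners) {
        (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ServicePresent = [bool]$service
        ServiceStatus  = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }
        StartType      = if ($service) { $service.StartType.ToString() } else { 'n/a' }
        PortListening  = $listeners.Count -gt 0
        ListenAddress  = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
        OwningProcess  = ($owners | Sort-Object -Unique) -join ', '
        Exposed        = ($service -and $service.Status -eq 'Running') -or ($listeners.Count -gt 0)
    }
}

$result = Get-MsmqExposure
$result | Format-List

if ($result.Exposed) {
    Write-Warning 'MSMQ is running or TCP 1801 is listening: patch, and disable the service if it is not required.'
    # To disable MSMQ once you have confirmed nothing depends on it:
    # Stop-Service -Name 'MSMQ' -Force
    # Set-Service  -Name 'MSMQ' -StartupType Disabled
}
```

A ListenAddress of 0.0.0.0 or :: means the port is bound on every interface, which is the case where an inbound firewall restriction on TCP 1801 matters most.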

Workaround #2: Disable HTTP/2 Using the Registry Editor  

Note: Using the Registry Editor can create serious errors that could potentially require you to reinstall your entire operating system. Use the Registry Editor at your own risk and ensure you create a backup before you make any changes.

Microsoft-provided workaround for CVE-2023-44487 (disabling HTTP/2 via Registry Editor):

  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. Set DWORD type values EnableHttp2Tls and EnableHttp2Cleartext to one of the following:
     • Set to 0 to disable HTTP/2
     • Set to 1 to enable HTTP/2
  4. Exit Registry Editor.
  5. Restart the computer.
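
The same registry steps scripted, as an added PowerShell example that is not part of the original advisory or of Microsoft's guidance: it exports the subkey as a backup, sets both DWORD values, and reads them back. The function name Set-HttpSysHttp2 and the backup directory are hypothetical; run it from an elevated session.

```powershell
# Added example: apply the HTTP/2 registry workaround with a backup and a read-back check.
function Set-HttpSysHttp2 {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet(0, 1)][int]$Value = 0,                 # 0 = disable HTTP/2, 1 = enable
        [string]$BackupDir = "$env:SystemDrive\RegBackup"   # hypothetical backup location
    )
    $keyPs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $keyReg = 'HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    # Note: the first value name ends in "Tls" (lowercase L), not "TIs".
    $names  = 'EnableHttp2Tls', 'EnableHttp2Cleartext'
    $backup = Join-Path $BackupDir ("HTTP-Parameters-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

    if ($PSCmdlet.ShouldProcess($keyPs, "Back up subkey, then set $($names -join ', ') to $Value")) {
        # Back up the subkey before changing anything.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        & reg.exe export $keyReg $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no changes were made.' }

        foreach ($name in $names) {
            # -Force creates the value if it is absent and overwrites it if present.
            New-ItemProperty -Path $keyPs -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
        }
    }

    # Read back what is actually stored so the change can be confirmed before the restart.
    $current = Get-ItemProperty -Path $keyPs
    foreach ($name in $names) {
        [pscustomobject]@{
            Name    = $name
            Value   = $current.$name      # empty when the value has never been set
            Matches = $current.$name -eq $Value
        }
    }
}

# Preview only; remove -WhatIf to apply, then restart the computer as in the last step.
Set-HttpSysHttp2 -Value 0 -WhatIf
```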

Workaround #3: Include a Protocols Setting to Limit Your Application to HTTP/1.1 for Each Kestrel Endpoint 

To mitigate CVE-2023-44487, you can limit your application to HTTP/1.1 by editing appsettings.json for each endpoint as follows: 

"Kestrel": {
  "Endpoints": {
    "http": {
      // your existing config
      "Protocols": "Http1"
    },
    "https": {
      // your existing config
      "Protocols": "Http1"
    }
  }
}


James Liolios


James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.