Multiple Critical & Actively Exploited Vulnerabilities Patched in Microsoft’s July 2023 Patch Tuesday


On July 11, 2023, Microsoft published its July 2023 Security Update, which patches 130 vulnerabilities and includes 2 advisories; 6 of these are being actively exploited in the wild.

Windows

Impacted Products
Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Windows 10, Windows 10 Version 22H2, Windows 11 Version 22H2, Windows 10 Version 21H2, Windows 11 Version 21H2, Windows 10 Version 1809


CVE-2023-32057 (CVSS 9.8 – Critical): Microsoft Message Queuing Remote Code Execution Vulnerability – A threat actor could exploit this vulnerability and achieve remote code execution on the server side by sending a specially crafted malicious Message Queuing Service (MSMQ) packet to an MSMQ server.

CVE-2023-35365, CVE-2023-35366, CVE-2023-35367 (CVSS 9.8 – Critical): Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability – A threat actor could successfully exploit these vulnerabilities and achieve remote code execution by sending specially crafted packets to a server configured with the Routing and Remote Access Service running.

CVE-2023-32046 (CVSS 7.8 – High): Windows MSHTML Platform Elevation of Privilege Vulnerability – To exploit this vulnerability, a threat actor needs the user to open a malicious file delivered to them via email or a compromised website. Successful exploitation results in the threat actor gaining the privileges of the user who opened the malicious file.

  • Note: This vulnerability is being actively exploited.

CVE-2023-32049 (CVSS 8.8 – High): Windows SmartScreen Security Feature Bypass Vulnerability – Exploitation requires the user to click on a specially crafted URL and results in the threat actor being able to bypass the Open File – Security Warning prompt.

  • Note: This vulnerability is being actively exploited.

CVE-2023-36874 (CVSS 7.8 – High): Windows Error Reporting Service Elevation of Privilege Vulnerability – A threat actor with local access to the target machine and only restricted, normal user privileges can exploit this vulnerability to gain administrator privileges on the machine.

  • Note: This vulnerability is being actively exploited.

CVE-2023-36884 (CVSS 8.3 – High): Office and Windows HTML Remote Code Execution Vulnerability – This publicly disclosed and unpatched vulnerability requires threat actors to convince a user to open a malicious Microsoft Office document, which then enables remote code execution.

  • Note: This vulnerability is being actively exploited. Microsoft has observed the threat actor tracked as Storm-0978 exploiting this vulnerability in a phishing campaign targeting defense and government entities in Europe and North America.

ADV230001: Guidance on Microsoft Signed Drivers Being Used Maliciously – Threat actors who had already gained administrator privileges on compromised systems were using drivers certified through Microsoft’s Windows Hardware Developer Program (MWHDP) in post-exploitation activity. Microsoft has revoked the code-signing certificates and developer accounts associated with this activity.

  • Note: This flaw is being actively exploited.

Microsoft Office

Impacted Products
Microsoft Word 2013 RT Service Pack 1, Microsoft Word 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Office 2019


CVE-2023-33150 (CVSS 9.6 – Critical): Microsoft Outlook Security Feature Bypass Vulnerability – To exploit this vulnerability, a threat actor would require a user to open a malicious file that has been delivered to them via email or a malicious or compromised website and click through Office Security Prompt(s). As a result, the threat actor can escape the Office Protected View.

CVE-2023-35311 (CVSS 8.8 – High): Microsoft Outlook Security Feature Bypass Vulnerability – Exploitation requires the user to click on a specially crafted URL and results in the threat actor being able to bypass the Microsoft Outlook Security Notice prompt.

  • Note: This vulnerability is being actively exploited.

CVE-2023-36884 (CVSS 8.3 – High): Office and Windows HTML Remote Code Execution Vulnerability – This publicly disclosed and unpatched vulnerability requires threat actors to convince a user to open a malicious Microsoft Office document, which then enables remote code execution.

  • Note: This vulnerability also impacts Microsoft Windows products.

Recommendations

Recommendation #1: Apply Security Updates to Impacted Products

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation. For CVE-2023-32046, Microsoft recommends that customers who install Security Only updates also install the IE Cumulative update to be protected against this vulnerability.

Note: Arctic Wolf recommends following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.

Product / CVEs / Update

Windows Server 2012 R2
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001
  Monthly Rollup: 5028228
  Security Only: 5028223
  IE Cumulative: 5028167

Windows Server 2012
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001
  Monthly Rollup: 5028232
  Security Only: 5028233
  IE Cumulative: 5028167

Windows Server 2008 R2 Service Pack 1
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001
  Monthly Rollup: 5028240
  Security Only: 5028224
  IE Cumulative: 5028167

Windows Server 2008 Service Pack 2
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001
  Monthly Rollup: 5028222
  Security Only: 5028226
  IE Cumulative: 5028167

Windows Server 2016
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001
  Security Update: 5028169

Windows 10 Version 1607
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001
  Security Update: 5028169

Windows 10
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-36874, ADV230001
  Security Update: 5028186

Windows 10 Version 22H2
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001
  Security Update: 5028166

Windows 11 Version 22H2
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001
  Security Update: 5028185

Windows 10 Version 21H2
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001
  Security Update: 5028166

Windows 11 Version 21H2
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001
  Security Update: 5028182

Windows Server 2022
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001
  Security Update: 5028171

Windows Server 2019
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001
  Security Update: 5028168

Windows 10 Version 1809
  CVEs: CVE-2023-32057, CVE-2023-35365, CVE-2023-35366, CVE-2023-35367, CVE-2023-32046, CVE-2023-32049, CVE-2023-36874, ADV230001
  Security Update: 5028168

Microsoft Word 2013 RT Service Pack 1 (64-Bit)
  CVEs: CVE-2023-33150, CVE-2023-35311
  Security Update: 5002411

Microsoft Word 2013 RT Service Pack 1 (32-Bit)
  CVEs: CVE-2023-33150, CVE-2023-35311
  Security Update: 5002411

Microsoft Word 2016 (64-Bit)
  CVEs: CVE-2023-33150, CVE-2023-35311
  Security Update: 5002406

Microsoft Word 2016 (32-Bit)
  CVEs: CVE-2023-33150, CVE-2023-35311
  Security Update: 5002406

Microsoft Office LTSC 2021
  CVEs: CVE-2023-33150, CVE-2023-35311
  Security Update: Release notes

Microsoft 365 Apps for Enterprise
  CVEs: CVE-2023-33150, CVE-2023-35311
  Security Update: Release notes

Microsoft Office 2019
  CVEs: CVE-2023-33150, CVE-2023-35311
  Security Update: Release notes


Recommendation #2: Disable Message Queuing Service (MSMQ) if not Required

To be vulnerable to CVE-2023-32057, a system must have the Message Queuing (MSMQ) service enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.

Note: You can check whether MSMQ is enabled by looking for a running service named “Message Queuing” and for TCP port 1801 listening on the system.

If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources.

Recommendation #3: Disable the Routing and Remote Access Service (RRAS) role if not Required

To be vulnerable to CVE-2023-35367, a system must have the Routing and Remote Access Service (RRAS) role enabled, which is not installed by default. Consider disabling RRAS if the service is not required in your environment to prevent exploitation.
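The checks in Recommendations #2 and #3 as a single PowerShell audit script, added here as an example; it is not part of the Arctic Wolf advisory and not a Microsoft tool. It assumes an elevated session on Windows Server 2016 or later (PowerShell 5.1 with the NetTCPIP, NetSecurity and ServerManager modules available); the switch names -DisableMsmq and -Block are the script's own.

```powershell
# Added example: audit MSMQ and RRAS exposure per Recommendations #2 and #3.
# Assumes an elevated PowerShell 5.1 session on Windows Server 2016 or later.
# -DisableMsmq stops and disables the MSMQ service; -Block adds an inbound
# firewall rule for TCP 1801 as a compensating control when MSMQ must stay on.
param(
    [switch]$DisableMsmq,
    [switch]$Block
)

# MSMQ: the service name is MSMQ; its display name is "Message Queuing".
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($msmq) {
    Write-Host "MSMQ service present: status=$($msmq.Status) startup=$($msmq.StartType)"
} else {
    Write-Host "MSMQ service not installed"
}

# MSMQ listens on TCP 1801; a LISTEN socket there confirms network exposure.
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $owners = ($listener.OwningProcess | Sort-Object -Unique) -join ','
    Write-Host "TCP 1801 is LISTENING (owning PID(s): $owners)"
} else {
    Write-Host "TCP 1801 is not listening"
}

# RRAS: the role is not installed by default; check the role and its service.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    foreach ($f in Get-WindowsFeature -Name RemoteAccess, Routing) {
        Write-Host "Feature $($f.Name): installed=$($f.Installed)"
    }
}
$rrasSvc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($rrasSvc) {
    Write-Host "RRAS service status=$($rrasSvc.Status) startup=$($rrasSvc.StartType)"
}

if ($DisableMsmq -and $msmq) {
    # Stop and disable rather than uninstall so the change is easy to revert after testing.
    Stop-Service -Name MSMQ -Force
    Set-Service -Name MSMQ -StartupType Disabled
    Write-Host "MSMQ service stopped and set to Disabled"
}

if ($Block) {
    # Scope with -RemoteAddress to trusted subnets if legitimate MSMQ clients exist.
    New-NetFirewallRule -DisplayName "Block inbound MSMQ TCP 1801" -Direction Inbound `
        -Protocol TCP -LocalPort 1801 -Action Block -Profile Any | Out-Null
    Write-Host "Inbound firewall rule for TCP 1801 created"
}
```

Run without switches first to report the current state, and test any -DisableMsmq or -Block change in a non-production environment as the change-management note above advises.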


Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.