Six Critical Vulnerabilities Patched with Microsoft’s June Security Update

On June 13, 2023, Microsoft published their June 2023 Security Update which included patches for six vulnerabilities with a max severity of critical. According to Microsoft’s advisories, none of the vulnerabilities have been actively exploited at this time.

Windows

CVE-2023-32014, CVE-2023-32015, CVE-2023-29363 (CVSS 9.8 – Critical): Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability- A threat actor could successfully exploit this vulnerability and achieve remote code execution by sending a specially crafted file over the network. The threat actor does not need privileges or user interaction to exploit.

Note: The Message Queuing (MSMQ) service must be enabled for a system to be vulnerable. This can be checked by looking for a service running named “Message Queuing” and TCP port 1801 listening on the host machine.

CVE-2023-32013 (CVSS 6.5 – Medium) Microsoft Max Severity- Critical: Windows Hyper-V Denial of Service Vulnerability- A threat actor needs basic user privileges to successfully exploit the vulnerability. Additional steps are needed to improve the reliability of the denial of service exploit.

Microsoft SharePoint

CVE-2023-29357 (CVSS 9.8 – Critical): Microsoft SharePoint Server Elevation of Privilege Vulnerability- A threat actor with access to spoofed JWT authentication tokens could successfully exploit this vulnerability to bypass authentication and obtain privileges of the authenticated user, including administrators. The threat actor does not need privileges or user interaction to exploit.

Microsoft .NET Framework and Microsoft Visual Studio

CVE-2023-24897 (CVSS 7.8 – High) Microsoft Max Severity- Critical: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability- A threat actor could successfully exploit this vulnerability and achieve remote code execution by social engineering the victim into performing downloading or opening a specially crafted file.

Note: User interaction is required to successfully exploit this vulnerability.

Recommendations

Recommendation #1: Apply Security Updates to Impacted Products

Arctic Wolf strongly recommends applying the available security updates to all impacted products to prevent potential exploitation.

Note: Arctic Wolf recommends the following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.

Recommendation #2: Disable Message Queuing Service if not Required

To be vulnerable, CVE-2023-32014, CVE-2023-32015, CVE-2023-29363 require Message Queuing (MSMQ) service to be enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.

Note: You can check by looking for a service running named “Message Queuing” and for TCP port 1801 listening on the system.

If disabling MSMQ is not feasible, consider blocking inbound connections to TCP port 1801 from suspicious sources.

Recommendation #3: Enable the AMSI Integration Feature with SharePoint Server

According to Microsoft, enabling the AMSI integration feature and using Microsoft Defender across an organization’s SharePoint Server farms will mitigate CVE-2023-29357. Regardless of antivirus/antimalware provider, consider enabling the AMSI integration feature to harden your SharePoint Server environment.

References

• Microsoft Vulnerability Advisories:
  • CVE-2023-29363
  • CVE-2023-32014
  • CVE-2023-32015 
  • CVE-2023-32013
  • CVE-2023-29357
  • CVE-2023-24897