Microsoft Patch Tuesday for November 2023
In this month’s Patch Tuesday edition, Microsoft has addressed a total of 75 vulnerabilities, including five vulnerabilities known to be exploited in the wild. This month’s updates also include three Critical and 57 Important severity vulnerabilities. Microsoft has also included 17 Microsoft Edge (Chromium-based) vulnerabilities in the updates patched earlier this month.
| Vulnerability Category | Quantity | Severities |
| Spoofing Vulnerability | 11 | Important: 11 |
| Denial of Service Vulnerability | 5 | Important: 5 |
| Elevation of Privilege Vulnerability | 18 | Critical: 1 Important: 17 |
| Information Disclosure Vulnerability | 6 | Critical: 1 Important: 5 |
| Security Feature Bypass Vulnerability | 6 | Important: 6 |
| Remote Code Execution Vulnerability | 19 | Critical: 1 Important: 18 |
Zero-day Vulnerability Patched in November Patch Tuesday Edition
CVE-2023-36413: Microsoft Office Security Feature Bypass Vulnerability
An attacker may exploit this vulnerability to bypass the Office Protected View and open in editing mode instead of protected mode. An attacker must send the user a malicious file and convince them to open it to exploit the vulnerability.
CVE-2023-36036: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
A mini filter driver can filter IRP-based I/O activities along with the fast I/O and file system filter (FSFilter) callback actions. A mini filter driver can register a preoperation and postoperation callback routine, or both, for each I/O operation it wishes to filter.
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 12, 2023.
CVE-2023-36038: ASP.NET Core Denial of Service Vulnerability
ASP.NET is a popular web-development framework for creating web applications on the.NET platform. The open-source ASP.NET Core is compatible with Windows, Linux, and macOS. ASP.NET Core redesigns previous ASP.NET versions exclusive to Windows.CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability
Desktop Window Manager (DWM) is a core system file in Microsoft Windows. It is responsible for producing each component visible on a laptop or PC. DWM covers visual effects such as system animations, wallpapers, themes, thumbnails, Windows Aero, Windows Flip, and Windows Flip3D, as well as transparent components.
Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2023-36025: Windows SmartScreen Security Feature Bypass Vulnerability
Windows SmartScreen is a security feature in Microsoft Windows operating systems that protects against malicious software and websites. SmartScreen is a background application that employs a cloud-based component to scan web pages you visit for security risks updated regularly.CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 12, 2023.
Other Critical Severity Vulnerabilities Patched in November Patch Tuesday Edition
CVE-2023-36052: Azure CLI REST Command Information Disclosure Vulnerability
The Azure CLI is a command-line tool that provides a native CLI interface required when working with Microsoft Azure resources. The Azure CLI can call the Azure REST API to perform actions that each Azure CLI (az) command supports.CVE-2023-36400: Windows HMAC Key Derivation Elevation of Privilege Vulnerability
The Hash-based Message Authentication Code (HMAC) detects if a message received via an insecure channel has been altered when the sender and receiver use secret keys. It’s a cryptographic authentication technique that uses a cryptographic hash function and a shared secret key to encrypt information and protect it from unauthorized access.
An attacker must log on to the system and run a specially crafted application to exploit this vulnerability. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2023-36397: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
Pragmatic General Multicast (PGM) is a multicast computer network transport protocol appropriate for multi-receiver file transfer applications. PGM provides a reliable sequence of packets to multiple recipients simultaneously.
An attacker may exploit this vulnerability to send a specially crafted file over the network when the Windows message queuing service runs in a PGM Server environment. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution and attempt to trigger malicious code.
Other Microsoft Vulnerability Highlights
- CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.
- CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.
- CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.
- CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.
- CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, .NET Framework, ASP.NET, Azure DevOps, Microsoft Bluetooth Driver, Microsoft Dynamics, Microsoft Dynamics 365 Sales, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Remote Registry Service, Microsoft WDAC OLE DB provider for SQL, Microsoft Windows Search Component, Microsoft Windows Speech, Windows Compressed Folder, Windows Defender, Windows Deployment Services, Windows DHCP Server, Windows Distributed File System (DFS), Windows DWM Core Library, Windows HMAC Key Derivation, Windows Hyper-V, Windows Installer, Windows Internet Connection Sharing (ICS), Windows Kernel, Windows NTFS, Windows Protected EAP (PEAP), Windows Scripting, Windows SmartScreen, and Windows Storage.
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB). You can see all your impacted hosts by these vulnerabilities using the following QQL query:
vulnerabilities.vulnerability: ( qid:`110451` OR qid:`110452` OR qid:`379003` OR qid:`379005` OR qid:`50133` OR qid:`92075` OR qid:`92076` OR qid:`92077` OR qid:`92078` OR qid:`92079` OR qid:`92080` OR qid:`92081` OR qid:`92083 )
Rapid Response with Patch Management (PM)
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click. The following QQL will return the missing patches for this Patch Tuesday:
( qid:`110451` OR qid:`110452` OR qid:`379003` OR qid:`379005` OR qid:`50133` OR qid:`92075` OR qid:`92076` OR qid:`92077` OR qid:`92078` OR qid:`92079` OR qid:`92080` OR qid:`92081` OR qid:`92083` )
EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
Qualys Policy Compliance’s Out-of-the-Box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited because the remediation (fix/patch) cannot be done now; these security controls are not recommended by any industry standards such as CIS, DISA-STIG.
Qualys Policy Compliance team releases these exclusive controls based on vendor-suggested Mitigation/Workaround.
Mitigation refers to a setting, common configuration, or general best-practice existing in a default state that could reduce the severity of the exploitation of a vulnerability.
A workaround is sometimes used temporarily for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.
The following Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC) have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:
CVE-2023-36028: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
This vulnerability has a CVSS:3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs):
- 25699 Status of the ‘Network authentication method’ for Wireless Network IEEE 802.11 group policy
CVE-2023-36397: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
This vulnerability has a CVSS:3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs):
- 4030 Status of the ‘Windows Message Queuing Service’
- 14916 Status of Windows Services
- 14297 Status of the open network connections and listening ports (Qualys Agent only)
The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:
control.id: [25699, 4030, 14916, 14297]
EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
Qualys Custom Assessment and Remediation (CAR) can be leveraged to execute mitigation steps provided by MSRC on vulnerable assets.
Visit the November 2023 Security Updates page to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their network with QIDs 110451, 110452, 379003, 379005, 50133, 92075, 92076, 92077, 92078, 92079, 92080, 92081, and 92082 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/releaseNote/2023-Nov