The September 2023 Security Update Review

Hello and welcome to another patch Tuesday in what continues to be a hot 0-day summer, with new exploits being identified by Apple, Cisco, and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of the latest advisories from Adobe, Microsoft, and more. If you’d rather watch the video recap, you can check it out here.

Apple Patches for September 2023

Apple kicked off the September patch release by patching two bugs in macOS Ventura, iPad and iOS, and watchOS to address active exploits. The first vulnerability is tracked as CVE-2023-41064 and represents a buffer overflow in Image I/O. The other bug, CVE-2023-41061, represents a validation issue that can be exploited used malicious attachments. According to Citizen Lab researchers, these bugs were combined to deploy the infamous Pegasus spyware from the NSO Group. Regardless, make sure you take the time to update your Apple devices. Apple backported this fix to older phones today, so even if you aren’t on the latest iOS, you can still get the fix.

Cisco Advisories for September 2023

You may notice I said “advisories” instead of “patches” here, and that’s not just another case of me pedantic. On September 6, Cisco published an advisory notifying their customers of active exploits in the Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software remote access VPN. This CVE, tracked as CVE-2023-20269, is reportedly being used by ransomware groups to gain access to target networks. There’s no patch for this yet, but Cisco does offer some temporary mitigations. If you’re using these products, it’s recommended that you apply the mitigations until a patch is available. Also, please remember these mitigations are temporary. Once the patch is available, don’t delay the testing and deployment just because these mitigations are in place.   

Adobe Patches for September 2023

For September, Adobe released three updates addressing five CVEs in Adobe Acrobat and Reader, Experience Manager, and Adobe Connect. Not to be left out of the 0-day…er…excitement, the lone bug in the Acrobat and Reader patch has been detected in the wild. Opening a specially crafted PDF could lead to code execution on an affected system. Clearly, this patch should be your priority. Interestingly, the patches for Experience Manager and Connect both address two cross-site scripting (XSS) bugs. Just an interesting coincidence.

Adobe lists the Reader patch as a deployment rating of 1 since it is under active attack. The other two patches are not listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for September 2023

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; .NET and Visual Studio; Azure; Microsoft Dynamics; and Windows Defender. A total of 15 of these CVEs (25.4%) were reported through the ZDI program, and more are waiting in the wings. In addition to the new CVEs, two external bugs and four Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 65.

Of the new patches released today, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. This is slightly lower than most September releases, but looking at the year-to-date totals, Microsoft is very close to the volume of fixes released in 2022.

Two of the CVEs released today are listed as being under active attack at the time of release while only one is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug being exploited:

-       CVE-2023-36761 - Microsoft Word Information Disclosure Vulnerability
This is the bug currently under active attack, but I wouldn’t classify it as “information disclosure”. An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack. Those are usually defined as Spoofing bugs (see Exchange blew). Regardless of the classification, the preview pane is a vector here as well, which means no user interaction is required. Definitely put this one on the top of your test-and-deploy list.

-       CVE-2023-29332 - Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
This Critical-rated bug in the Azure Kubernetes service could allow a remote, unauthenticated attacker to gain Cluster Administration privileges. We’ve seen bugs like this before, but this one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity. Microsoft gives this an “Exploitation Less Likely” rating, but based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers.

-       CVE-2023-38148 - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
This Critical-rated bug is the highest-rated CVSS this month (8.8), but it’s not all bad news. First, this is limited to network-adjacent attackers. A successful exploit also relies on ICS being enabled. Most places these days don’t require ICS, and it’s not turned on by default. However, if you’re in one of those places where ICS is used, this could allow an unauthenticated attacker to run their code on affected systems.

-       CVE-2023-38146 - Windows Themes Remote Code Execution Vulnerability
This probably isn’t one of the most severe bugs patched this month, but it kicked off such a wave of nostalgia, that I had to call it out. This bug could allow code execution if an attacker can convince a user to open a specially crafted theme file. If this sounds like screensaver exploits from 20+ years, it’s because it’s just like screensaver bugs from 20+ years ago. Congrats to Pwn2Own winners Thijs Alkemade and Daan Keuper of Computest Sector 7 for helping bring this oldie but goodie to light.

Here’s the full list of CVEs released by Microsoft for September 2023:

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

Before we get to the other Critical-rated patches for September, let’s talk about the Exchange fixes released this month. Yes – even though Exchange just received a big update last month, there’s another one* today. There are five different Exchange CVEs today, and all were reported by ZDI researcher Piotr Bazydło. He’s been on quite the Exchange kick recently, including finding bypasses for both patches and silent fixes. The one that concerns me the most is the NTLM relay, which is marked as a Spoofing bug (see my pedantic note above). What’s most concerning about this is that this vulnerability seems to have been patched last month but wasn’t documented. This bug, along with the three RCE bugs, require authentication, but recall that last month’s Exchange patches included an auth bypass. Nifty. The final Exchange patch corrects an info disclosure bug that could disclose “file content.” It’s not clear if that’s a random file or if an attacker can name an arbitrary file. All of these patches require the August update to be installed, so don’t skip that and think you’re protected. And to all those admins rebooting Exchange over the weekend, I wish you Godspeed and good luck.

*UPDATE: Microsoft reached out to let us know these CVEs are not new updates but were released in the August update and are now being documented. They did not state why they were patched silently in August and gave no indication if their omission was intentional or accidental.

The remaining Critical-rated patches are all for Visual Studio. These are all open-and-own bugs that could lead to arbitrary code execution when opening a malicious package file with an affected version of Visual Studio.

Looking at the 15 other RCE getting patches this month, most share that open-and-own exploit scenario as the Critical-rated Visual Studio bugs. Interestingly, there are two Important-rated Visual Studio RCEs that look identical to the Critical-rated ones. There’s no indication why one is more severe than the others. There are six fixes for RCE in 3D Viewer Remote, and four of these were reported by ZDI researcher Mat Powell. The bugs are simple open-and-own vulns, but the product must be updated through the app store. If automatic updates from the store are disabled or if you’re otherwise disconnected, you’ll need to manually update. One of the RCEs in Word has a Preview Pane vector, but a user needs to click the attachment preview to trigger the exploit. There’s a scripting engine (Trident/EdgeHTML) bug that was reported through the ZDI. Under limited circumstances, crafted data in an image can lead to execution of untrusted script. An attacker can leverage this vulnerability to execute code in the context of the current process. There’s a patch for Miracast that could allow an attacker to project to an affected system in limited circumstances. Microsoft lists that as Adjacent, but I would consider it more of a Physical attack. Finally, there’s a fix for Azure DevOps that’s listed as RCE, but I would classify it as a privilege escalation instead. An attacker needs Queue Build permissions on an Azure DevOps pipeline that has an overridable variable. They could then use this to get a code injection by overriding the variable. You decide if it’s RCE or EoP as you patch your affected servers.

Before looking at the privilege escalation bugs, there are some impactful Denial-of-Service (DoS) vulnerability we should address. The first involves TCP/IP. A remote, unauthenticated attacker could take down an affected system by sending specially crafted IPv6 packets. As you might imagine, systems with IPv6 disabled aren’t impacted, but considering IPv6 is enabled by default, this could create some havoc on unpatched systems. Microsoft lists disabling router discovery on the IPv6 as a temporary workaround. As above, patches are permanent while workarounds are temporary. The other DoS bug of note impacts the DHCP server, although Microsoft provides no other details about the bug. The final DoS impact .NET and Visual Studio, but this bug requires someone to open a specially crafted file.

Moving on to the other EoP bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. That’s true for CVE-2023-36802, which is the other bug listed as being under active attack. In most cases, this leads to either administrator privileges or running code at SYSTEM level. In fact, this is true of all of the EoP bugs patched this month outside of the previously mentioned Azure Kubernetes escalation.

Two fixes in this month’s release address security feature bypass (SFB) bugs. The first is in the Windows Defender Attack Surface Reduction blocking feature. The vulnerability could allow attackers to bypass the Windows Defender Attack Surface Reduction blocking feature, which definitely falls into the you-had-one-job category. The other patch impacts Office and corrects a bypass that could allow a potentially dangerous extension from being uploaded and downloaded. Like one of the Office bugs mentioned above, the Preview Pane is an attack vector, but a user would need to click to preview an attachment.

The September release contains eight additional information disclosure fixes. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. There are two significant exceptions. The first is in Outlook. A successful exploit could allow the disclosure of credentials. Yikes. At least the Preview Pane is not an attack vector here. The other interesting bug resides in the Microsoft Identity Linux Broker. Exploiting this vulnerability could disclose application data on the target. However, encrypted data at rest remains encrypted.

The lone Moderate-rated bug in this month’s release impacts Office components. Successful exploitation would allow an unauthenticated attacker to insert malicious content into a document. This document may then pass an authentication check when a partial signature is present.

Wrapping things up, there are three cross-site scripting (XSS) bugs fixed in this release. One fix is for Dynamics Finance and Operations while the remaining are for the on-prem Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on October 10, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!