In the latest June Patch Tuesday, Microsoft addressed a total of 85 vulnerabilities, out of which seven were updates from previous security updates, leaving a total of 78 new CVEs to be fixed. Among these, six were critical vulnerabilities, emphasizing the importance of applying these patches promptly.
While most of the republished CVEs were for informational purposes, two specifically relate to upcoming protocol changes in Kerberos and Netlogon. These changes may pose operational challenges for organizations that must test their systems to avoid any disruptions due to security hardening efforts from Microsoft.
The first vulnerability, CVE-2022-37967, is related to the Kerberos protocol and involves a privilege escalation issue regarding Privilege Attribute Certificate (PAC) signatures. An attacker could potentially escalate their privileges if they were to modify the PAC signatures. The deployment of the security update from June Patch Tuesday aims to remove the option to disable PAC signature addition through a registry key setting. Furthermore, Microsoft plans to implement the “initial enforcement phase” of PAC signatures in the upcoming July Patch Tuesday, which will allow admins to perform an override. The final stage, due in October, will transition Windows devices to full enforcement mode, preventing the disabling of PAC signatures and denying authentication to devices without new PAC signatures.
The second vulnerability, CVE-2022-38023, pertains to the Netlogon protocol, specifically involving a remote procedure call (RPC) elevation-of-privilege vulnerability. This vulnerability, published on November 8, 2022, has undergone various deployment phases and is currently in the “enforcement by default” phase. The final stage of the Netlogon hardening procedure is scheduled to be released on the July Patch Tuesday, removing the ability to run “compatibility mode”.
In addition to these protocol changes, two vulnerabilities in Microsoft’s Exchange Server were also addressed in June. CVE-2023-28310 and CVE-2023-32031 are both remote-code execution vulnerabilities, rated as important but with high CVSS scores. Although the threat actor needs to be authenticated to carry out any attacks, it is advisable to promptly patch these vulnerabilities due to the sophistication of threat actors who specialize in Exchange Server attacks.
Several security updates for Microsoft developer tools were also released in June, including Visual Studio code editor, the .NET Framework, NuGet Client, and Azure DevOps Server. It is important to note that Microsoft listed three AutoDesk software vulnerabilities and five GitHub CVEs in its Security Update Guide, even though they are not Microsoft products. The updates to Visual Studio were designed to protect it from these third-party vulnerabilities. The increasing complexity of enterprise systems, with various interconnected components, utilities, and libraries, has expanded the attack surface, making it challenging to detect vulnerabilities. Implementing cyber asset attack surface management tools can provide a more comprehensive view of potential vulnerabilities.
Lastly, several other security updates were released, including patches for critical Windows vulnerabilities and a critical elevation-of-privilege vulnerability in Microsoft SharePoint Server. Admins can mitigate some of these vulnerabilities by disabling specific services or by using Microsoft Defender and enabling the Antimalware Scan Interface.
Overall, June Patch Tuesday provided important security fixes and addressed critical vulnerabilities in various Microsoft products. Applying these patches promptly is crucial to ensure the protection and stability of organizations’ systems and networks.