
Multiple vulnerabilities in Exchange Server addressed in August Patch Tuesday updates

After a period of respite in July, Exchange Server is once again in the crosshairs of attackers as Microsoft releases several fixes for the on-premises email platform. On August Patch Tuesday, Microsoft disclosed a total of 74 new CVEs (Common Vulnerabilities and Exposures), including six rated as critical, with one zero-day vulnerability affecting .NET and Visual Studio. Additionally, there is a vulnerability related to the Zenbleed flaw in some AMD processors.

The zero-day vulnerability, CVE-2023-38180, is a denial-of-service vulnerability affecting .NET and Visual Studio. It is rated as important with a CVSS (Common Vulnerability Scoring System) score of 7.5. What makes this vulnerability particularly concerning is that proof-of-concept code exists and that attackers can exploit it without needing privileges. This makes it easier for threat actors with access to an organization’s infrastructure to launch an attack. To address this vulnerability, administrators need to patch several Microsoft products such as Visual Studio 2022, .NET 7.0, .NET 6.0, and ASP.NET Core 2.1.

Chris Goettl, Vice President of Security Products at Ivanti, advises administrators to prioritize patching for this vulnerability. Despite its lower rating and CVSS score, it is important not to underestimate the potential risks associated with this vulnerability. Organizations should deploy the patches promptly to avoid exposing themselves to undue risk.

Exchange Server, which experienced a brief respite in July with no patches, is once again at the center of attention for threat actors. Microsoft has released security updates to address six vulnerabilities, including remote code execution, elevation of privilege, and spoofing vulnerabilities. These vulnerabilities have been deemed important and have varying CVSS scores. Chris Goettl highlights the severity of these vulnerabilities, stating that they provide all the elements required for threat actors to successfully target Exchange Server once again.

One of the vulnerabilities, CVE-2023-21709, has a high CVSS score but is rated as important. The reason for this rating is that a threat actor would need to brute-force the password, which should be difficult in organizations with strong password policies. However, administrators need to perform an additional step to remove the TokenCacheModule from the IIS (Internet Information Services) server role on affected systems. Microsoft has provided a script to assist with the removal process.
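
A way to verify that extra step, as an added example (not Microsoft's script and not code from the article): it reports whether TokenCacheModule is still registered as an IIS global module. The function name, the sample XML, and the assumption that the registration sits under `system.webServer/globalModules` in `applicationHost.config` are this example's own.

```powershell
# Added example: audit the IIS global-module registration of TokenCacheModule.
# Assumption: the module is registered in applicationHost.config under
# /configuration/system.webServer/globalModules.
function Test-TokenCacheModulePresent {
    param([Parameter(Mandatory)][string]$ConfigXml)
    $doc   = [xml]$ConfigXml
    $xpath = "/configuration/system.webServer/globalModules/add[@name='TokenCacheModule']"
    # True while the module is still registered, False once it has been removed.
    return ($doc.SelectNodes($xpath).Count -gt 0)
}

# Constructed sample: a trimmed config fragment before the removal step.
$before = @'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="TokenCacheModule" image="%windir%\System32\inetsrv\cachtokn.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
    </globalModules>
  </system.webServer>
</configuration>
'@

# Constructed sample: the same fragment with the TokenCacheModule entry gone.
$after = $before -replace '(?m)^\s*<add name="TokenCacheModule"[^>]*/>\r?\n', ''

$results = @(
    [pscustomobject]@{ Source = 'sample (before)'; StillRegistered = Test-TokenCacheModulePresent $before }
    [pscustomobject]@{ Source = 'sample (after)';  StillRegistered = Test-TokenCacheModulePresent $after }
)

# On an Exchange/IIS server, also check the live configuration (read-only).
$live = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
if (Test-Path $live) {
    $results += [pscustomobject]@{
        Source          = $env:COMPUTERNAME
        StillRegistered = Test-TokenCacheModulePresent (Get-Content -Raw -Path $live)
    }
}

$results | Format-Table -AutoSize
```

A `StillRegistered` value of `True` for a server means the removal step has not yet been applied there.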

In addition to Exchange Server, Microsoft Teams, the popular unified communication and collaboration platform, is also vulnerable. Microsoft has identified two critical remote code execution vulnerabilities, CVE-2023-29328 and CVE-2023-29330, affecting Microsoft Teams for various operating systems. For threat actors to exploit these vulnerabilities, they would need users to accept malicious meeting invitations. Once accepted, the attackers can then run remote commands to access users’ information, make changes to data, or crash their systems. Administrators are advised to educate users about phishing attempts and to remain vigilant.

Due to its auto-update functionality, Microsoft Teams on Windows desktop systems falls outside the conventional patching regimen. This auto-update mechanism presents challenges for administrators, as the application’s servicing is not as easily controlled. To address this issue, administrators can employ various methods to ensure the Microsoft Teams client is updated, such as automating the delivery of the latest build.

Microsoft has also issued two advisories for August Patch Tuesday. Advisory ADV230003 provides defense-in-depth patches for Microsoft Office products that can be used in conjunction with the Windows Search remote code execution zero-day vulnerability from July Patch Tuesday. Administrators are recommended to deploy both the Microsoft Office patches and the August security updates for Windows systems. The other advisory, ADV230004, is a defense-in-depth update for the memory integrity system readiness scan tool.

Finally, Microsoft updated a July advisory, ADV230001, and urged customers to apply this month’s security updates to add more untrusted drivers and driver-signing certificates to the Windows Driver.STL revocation list. The previous month, Microsoft revealed that certain certified drivers had been used in attacks to gain administrator privileges.

In conclusion, Microsoft’s August Patch Tuesday addresses several critical vulnerabilities affecting Exchange Server, Microsoft Teams, and other products. Administrators are advised to prioritize patching, particularly for the zero-day vulnerability, and to remain vigilant against phishing attempts. Patching and updating systems are crucial in maintaining a secure environment and mitigating potential risks.
