Governance & Risk Management , Patch Management
Microsoft's June Patch Tuesday Covers Very Exploitable Bugs
SharePoint, Multicasting and Exchange Figure Prominently This MonthMicrosoft's June dump of patches for the first time in months doesn't include a fix for an actively exploited zero-day in a slew of fixes for 69 vulnerabilities spread across the computing giant's portfolio of products.
Of the patches, six are critical, 62 are important and one is rated moderate.
Among the critical bugs is one that could allow hackers to bypass authentication and gain administrator privileges on a SharePoint server. Microsoft warned that the vulnerability, tracked as CVE-2023-29357, is ripe for exploitation by hackers. The computing giant said an attacker with access to spoofed JSON Web Token authentication tokens could transmit it without first gaining privileges or depending on user action.
Microsoft says on-premises customers who activated Antimalware Scan Interface are safe. AMSI allows endpoint security software to examine and block dangerous requests made to SharePoint servers. "We have not tested the efficacy of this action. The best bet is to test and deploy the update as soon as possible," wrote Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative.
Microsoft also addressed three critical remote code execution flaws in servers enabled with Pragmatic General Multicast protocol, which Microsoft supports in order to speed up file transfers from a host to multiple computers. Tracked as CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015, the flaws can allow unauthenticated attackers to execute code on an affected system where the Windows message queuing service is running in a PGM environment. The protocol is commonly used for applications such as video streaming and online gaming.
"This is the third month in a row for PGM to have a CVSS 9.8 bug addressed, and it's beginning to be a bit of a theme. While not enabled by default, PGM isn't an uncommon configuration. Let's hope these bugs get fixed before any active exploitation starts," wrote Childs.
Mike Walters, vice president of vulnerability and threat research and co-founder of the risk-based patch management platform Action1, said the vulnerability poses a serious risk and can be exploited over the network without requiring privileges or user interaction. It affects all versions of Windows Server 2008 and later, as well as Windows 10 and later.
Microsoft also resolved remote code execution vulnerabilities in Microsoft Exchange Server tracked as CVE-2023-32031 and CVE-2023-28310.
CVE-2023-32031 comes with a network attack vector, low complexity of the attack, low privileges required and no user interaction. CVE-2023-28310 comes with an adjacent attack vector, low complexity of the attack, low privilege requirements, and no user interaction.
One cybersecurity executive told Krebs on Security that the bugs closely resemble vulnerabilities known as ProxyNotShell. Microsoft's assurance that an attacker would need to be authenticated shouldn't excuse a lack of urgency, said Kevin Breen, director of cyber threat research at Immersive Labs. Hackers gain network access through phishing and can move laterally to an Exchange server, he said.