Report Name: Microsoft Patch Tuesday, June 2023
Generated: 2023-06-24 19:36:03

Product Name	Prevalence	U	C	H	M	L	Comment
Windows SMB	1			1			Windows component
Remote Procedure Call Runtime	0.9				1		Remote Procedure Call Runtime
Windows Container Manager Service	0.9				1		Windows component
Windows Kernel	0.9				1		Windows Kernel
.NET Framework	0.8			4	1		.NET Framework
Microsoft Edge	0.8		1	7	15		Web browser
Microsoft Exchange	0.8			2			Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft
Sysinternals Process Monitor for Windows	0.8				1		Windows component
Windows Authentication	0.8				1		Windows component
Windows Bus Filter Driver	0.8				1		Windows component
Windows Cloud Files Mini Filter Driver	0.8				1		Windows component
Windows Collaborative Translation Framework	0.8				1		Windows component
Windows CryptoAPI	0.8				2		Windows component
Windows DNS	0.8				1		Windows component
Windows Filtering Platform	0.8				1		Windows component
Windows GDI	0.8				2		Windows component
Windows Geolocation Service	0.8			1			Windows component
Windows Group Policy	0.8				1		Windows component
Windows Hello	0.8			1			Windows component
Windows Installer	0.8				1		Windows component
Windows Media	0.8			2			Windows component
Windows NTFS	0.8				1		The default file system of the Windows NT family
Windows Pragmatic General Multicast (PGM)	0.8			3			Windows component
Windows Remote Desktop	0.8			1			Windows component
Windows Remote Desktop Client	0.8			1			Remote Desktop Protocol Client
Windows Resilient File System (ReFS)	0.8			1			Windows component
Windows Server Service	0.8			1			Windows component
Windows TPM Device Driver	0.8				1		Windows component
Windows iSCSI Discovery Service	0.8				1		Windows component
.NET	0.7			3	2		.NET
Microsoft SharePoint	0.7				5		Microsoft SharePoint
Microsoft Excel	0.6			3			MS Office product
Microsoft Office	0.6			1			Microsoft Office
Microsoft Outlook	0.6			1			MS Office product
Windows Hyper-V	0.6				1		Hardware virtualization component of the client editions of Windows NT
Azure DevOps Server	0.5				2		Azure DevOps Server
DHCP Server Service	0.5				1		DHCP Server Service
Dynamics 365 Finance	0.5				1		Dynamics 365 Finance
GDI	0.5				1		GDI
Microsoft ODBC Driver	0.5			1			Microsoft ODBC Driver
Microsoft OneNote	0.5			1			Microsoft OneNote
Microsoft PostScript Printer Driver	0.5				1		Microsoft PostScript Printer Driver
Microsoft Power Apps	0.5				1		Microsoft Power Apps
Microsoft WDAC OLE DB provider for SQL Server	0.5			1			Microsoft WDAC OLE DB provider for SQL Server
NuGet Client	0.5			1			NuGet Client
Yet Another Reverse Proxy (YARP)	0.5				1		Yet Another Reverse Proxy (YARP)
iSCSI Target WMI Provider	0.5			1			iSCSI Target WMI Provider
Visual Studio	0.3				1		Integrated development environment
Visual Studio Code	0.3				1		Integrated development environment
GitHub	0.2			1		4	GitHub, Inc. is an Internet hosting service for software development and version control using Git
Unknown Product	0				2	1	Unknown Product

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0			27	1		Remote Code Execution
Security Feature Bypass	0.9			5			Security Feature Bypass
Denial of Service	0.7			2	8		Denial of Service
Memory Corruption	0.6		1	4	10		Memory Corruption
Elevation of Privilege	0.5				18		Elevation of Privilege
Information Disclosure	0.4				5	1	Information Disclosure
Spoofing	0.4			1	11		Spoofing
Unknown Vulnerability Type	0				2	4	Unknown Vulnerability Type

Urgent (0)

Critical (1)

1. Memory Corruption - Microsoft Edge (CVE-2023-3079) - Critical [633]

Description: Chromium: CVE-2023-3079 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2023-3079 exists in the wild.

MS PT Extended: CVE-2023-3079 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

zdi: CVE-2023-3079 – Chromium: CVE-2023-3079 Type Confusion in V8. This CVE shouldn’t be news to anyone as it was released by the Chrome team back on June 1. However, since it’s listed as being under active attack, I wanted to highlight it for anyone who may have missed it due to graduations, vacations, or other distractions. This is a type confusion bug in Chrome that could lead to code execution at the level of the logged-on user. It’s also the second type of confusion bug in Chrome actively exploited this year. Definitely make sure your Chromium-based browsers (including Edge) are up to date.

High (39)

2. Remote Code Execution - GitHub (CVE-2023-29007) - High [580]

Description: {'ms_cve_data_all': 'GitHub: CVE-2023-29007 Arbitrary configuration injection via `git submodule deinit`', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.', 'combined_cve_data_all': ''}

3. Remote Code Execution - Windows Pragmatic General Multicast (PGM) (CVE-2023-29363) - High [526]

Description: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

qualys: CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Pragmatic General Multicast (PGM), a.k.a. ‘reliable multicast,’ is a scalable receiver-reliable protocol. PGM allows receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is best suited for applications that require duplicate-free multicast data delivery from multiple sources to multiple receivers. Windows message queuing service must be running in a PGM Server environment to exploit the vulnerability. When the service is running, an attacker may send a specially crafted file over the network to achieve remote code execution. The Windows message queuing service is a Windows component that needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added with the help of the Control Panel.

qualys: CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 4030 `Status of the ‘Windows Message Queuing Service’ 14916  Status of Windows Services 14297 Status of the open network connections and listening ports (Qualys Agent only)

qualys: CVE-2023-29363, CVE-2023-32014, CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. The next Patch Tuesday falls on July 11, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches webinar.’

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 are RCEs in Windows operating systems that were each given a CVSSv3 of 9.8 and rated critical. The vulnerability lies in the operating systems’ implementation of Pragmatic General Multicast (PGM), an experimental multicast protocol, in the Windows message queueing service component. A remote, unauthenticated attacker could exploit these flaws by sending a malicious file to a vulnerable target. Microsoft’s mitigation guidance states that for a system to be vulnerable, it must have message queueing services enabled.

tenable: CVE-2023-29363 is credited to Jarvis_1oop of vulnerability research institute, who also disclosed CVE-2023-28250, another critical RCE vulnerability affecting Windows PGM that was patched in April’s Patch Tuesday release.

rapid7: All three PGM critical RCEs – CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 – require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; indeed, CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250.

zdi: CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. These three bugs look identical on paper, and all are listed as a CVSS 9.8. They allow a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row for PGM to have a CVSS 9.8 bug addressed, and it’s beginning to be a bit of a theme. While not enabled by default, PGM isn’t an uncommon configuration. Let’s hope these bugs get fixed before any active exploitation starts.

4. Remote Code Execution - Windows Pragmatic General Multicast (PGM) (CVE-2023-32014) - High [526]

Description: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

qualys: CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Pragmatic General Multicast (PGM), a.k.a. ‘reliable multicast,’ is a scalable receiver-reliable protocol. PGM allows receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is best suited for applications that require duplicate-free multicast data delivery from multiple sources to multiple receivers. Windows message queuing service must be running in a PGM Server environment to exploit the vulnerability. When the service is running, an attacker may send a specially crafted file over the network to achieve remote code execution. The Windows message queuing service is a Windows component that needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added with the help of the Control Panel.

qualys: CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 4030 `Status of the ‘Windows Message Queuing Service’ 14916  Status of Windows Services 14297 Status of the open network connections and listening ports (Qualys Agent only)

qualys: CVE-2023-29363, CVE-2023-32014, CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. The next Patch Tuesday falls on July 11, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches webinar.’

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 are RCEs in Windows operating systems that were each given a CVSSv3 of 9.8 and rated critical. The vulnerability lies in the operating systems’ implementation of Pragmatic General Multicast (PGM), an experimental multicast protocol, in the Windows message queueing service component. A remote, unauthenticated attacker could exploit these flaws by sending a malicious file to a vulnerable target. Microsoft’s mitigation guidance states that for a system to be vulnerable, it must have message queueing services enabled.

rapid7: All three PGM critical RCEs – CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 – require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; indeed, CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250.

5. Remote Code Execution - Windows Pragmatic General Multicast (PGM) (CVE-2023-32015) - High [526]

Description: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

qualys: CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Pragmatic General Multicast (PGM), a.k.a. ‘reliable multicast,’ is a scalable receiver-reliable protocol. PGM allows receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is best suited for applications that require duplicate-free multicast data delivery from multiple sources to multiple receivers. Windows message queuing service must be running in a PGM Server environment to exploit the vulnerability. When the service is running, an attacker may send a specially crafted file over the network to achieve remote code execution. The Windows message queuing service is a Windows component that needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added with the help of the Control Panel.

qualys: CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 4030 `Status of the ‘Windows Message Queuing Service’ 14916  Status of Windows Services 14297 Status of the open network connections and listening ports (Qualys Agent only)

qualys: CVE-2023-29363, CVE-2023-32014, CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. The next Patch Tuesday falls on July 11, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches webinar.’

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 are RCEs in Windows operating systems that were each given a CVSSv3 of 9.8 and rated critical. The vulnerability lies in the operating systems’ implementation of Pragmatic General Multicast (PGM), an experimental multicast protocol, in the Windows message queueing service component. A remote, unauthenticated attacker could exploit these flaws by sending a malicious file to a vulnerable target. Microsoft’s mitigation guidance states that for a system to be vulnerable, it must have message queueing services enabled.

rapid7: All three PGM critical RCEs – CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 – require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; indeed, CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250.

6. Remote Code Execution - Windows Remote Desktop Client (CVE-2023-29362) - High [526]

Description: Remote Desktop Client Remote Code Execution Vulnerability

tenable: CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability

tenable: CVE-2023-29362 is a RCE in Windows operating systems that was given a CVSSv3 score of 8.8 and rated as important. The flaw lies in the Remote Desktop Client component of Windows operating systems and the Remote Desktop Client for Windows Desktop application. The vulnerability can be exploited by a remote, unauthenticated attacker with control over a Remote Desktop Server, when a user connects to an attacker controlled Server using the vulnerable client.

7. Remote Code Execution - Microsoft Exchange (CVE-2023-32031) - High [502]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

tenable: CVE-2023-28310 and CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability

tenable: CVE-2023-28310 and CVE-2023-32031 are RCEs in several versions of Microsoft Exchange Server that are both rated as important and assigned CVSSv3 scores of 8.0 and 8.8 respectively.

tenable: CVE-2023-28310 can be exploited by an authenticated attacker on the local network to execute commands on the target through a remote PowerShell Session. CVE-2023-32031 allows a remote, authenticated attacker to target server accounts using network calls to trigger arbitrary code execution. Both CVE-2023-32031 and CVE-2023-28310 were given a rating of “Exploitation More Likely” and affect Microsoft Exchange Server 2016 Cumulative Update 23 and 2019 Cumulative Updates 12 and 13.

rapid7: After a brief reprieve last month, Exchange admins will want to patch a pair of RCE vulnerabilities this month. While neither CVE-2023-28310 nor CVE-2023-32031 quite manages to rank as critical vulnerabilities, either via CVSSv3 base score, or via Microsoft’s proprietary severity scale, they’re not far off. Only the requirement that the attacker has previously achieved an authenticated role on the Exchange server prevents these vulnerabilities from scoring higher – but that’s just the sort of issue that exploit chains are designed to overcome.

zdi: CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability was discovered by ZDI researcher Piotr Bazydło and is a bypass of both CVE-2022-41082 and CVE-2023-21529. The former was listed as being under active exploit. The specific flaw exists within the Command class. The issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. While this does require the attacker to have an account on the Exchange server, successful exploitation could lead to executing code with SYSTEM privileges.

8. Remote Code Execution - Microsoft Outlook (CVE-2023-33131) - High [492]

Description: Microsoft Outlook Remote Code Execution Vulnerability

9. Spoofing - Microsoft OneNote (CVE-2023-33140) - High [488]

Description: Microsoft OneNote Spoofing Vulnerability

10. Remote Code Execution - .NET (CVE-2023-33126) - High [483]

Description: .NET and Visual Studio Remote Code Execution Vulnerability

11. Remote Code Execution - .NET (CVE-2023-33128) - High [483]

Description: .NET and Visual Studio Remote Code Execution Vulnerability

12. Remote Code Execution - Microsoft ODBC Driver (CVE-2023-29373) - High [476]

Description: Microsoft ODBC Driver Remote Code Execution Vulnerability

13. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2023-29372) - High [476]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

14. Denial of Service - .NET Framework (CVE-2023-29331) - High [470]

Description: .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

15. Security Feature Bypass - Windows SMB (CVE-2023-32021) - High [458]

Description: Windows SMB Witness Service Security Feature Bypass Vulnerability

qualys: CVE-2023-32021: Windows SMB Witness Service Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 7.1 / 6.2 Policy Compliance Control IDs (CIDs): 26239 Status of the AD-detached clusters configured on the host (Qualys Agent Only) The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [4030,14916,14297,19494,26238,26239]

16. Remote Code Execution - .NET Framework (CVE-2023-24895) - High [454]

Description: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

17. Remote Code Execution - .NET Framework (CVE-2023-24897) - High [454]

Description: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

qualys: CVE-2023-24897: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability To exploit this vulnerability, an attacker must convince a user to download and open a specially crafted file from a website through social engineering. The malicious link will lead to a local attack on their computer and allow an attacker to perform remote code execution.

rapid7: Rounding out this month’s critical RCE list is CVE-2023-24897: a flaw in .NET, .NET Framework and Visual Studio. Exploitation requires an attacker to convince the victim to open a specially-crafted malicious file, typically from a website.

18. Remote Code Execution - .NET Framework (CVE-2023-29326) - High [454]

Description: .NET Framework Remote Code Execution Vulnerability

19. Remote Code Execution - Microsoft Edge (CVE-2023-2929) - High [454]

Description: Chromium: CVE-2023-2929 Out of bounds write in Swiftshader. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2929 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

20. Remote Code Execution - Windows Geolocation Service (CVE-2023-29366) - High [454]

Description: Windows Geolocation Service Remote Code Execution Vulnerability

21. Remote Code Execution - Windows Hello (CVE-2023-32018) - High [454]

Description: Windows Hello Remote Code Execution Vulnerability

22. Remote Code Execution - Windows Media (CVE-2023-29365) - High [454]

Description: Windows Media Remote Code Execution Vulnerability

23. Remote Code Execution - Windows Media (CVE-2023-29370) - High [454]

Description: Windows Media Remote Code Execution Vulnerability

24. Remote Code Execution - Windows Resilient File System (ReFS) (CVE-2023-32008) - High [454]

Description: Windows Resilient File System (ReFS) Remote Code Execution Vulnerability

25. Denial of Service - .NET (CVE-2023-32030) - High [453]

Description: .NET and Visual Studio Denial of Service Vulnerability

26. Security Feature Bypass - Windows Server Service (CVE-2023-32022) - High [448]

Description: <div data-wrapper="true" style="font-family:'Segoe UI','Helvetica Neue',sans-serif; font-size:9pt"> <div>Windows Server Service Security Feature Bypass Vulnerability</div> </div>

qualys: CVE-2023-32022: Windows Server Service Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 7.6 / 6.6 Policy Compliance Control IDs (CIDs): 26239 Status of the AD-detached clusters configured on the host (Qualys Agent Only)

27. Security Feature Bypass - Windows Remote Desktop (CVE-2023-29352) - High [436]

Description: Windows Remote Desktop Security Feature Bypass Vulnerability

28. Remote Code Execution - Microsoft Exchange (CVE-2023-28310) - High [430]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

tenable: CVE-2023-28310 and CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability

tenable: CVE-2023-28310 and CVE-2023-32031 are RCEs in several versions of Microsoft Exchange Server that are both rated as important and assigned CVSSv3 scores of 8.0 and 8.8 respectively.

tenable: CVE-2023-28310 can be exploited by an authenticated attacker on the local network to execute commands on the target through a remote PowerShell Session. CVE-2023-32031 allows a remote, authenticated attacker to target server accounts using network calls to trigger arbitrary code execution. Both CVE-2023-32031 and CVE-2023-28310 were given a rating of “Exploitation More Likely” and affect Microsoft Exchange Server 2016 Cumulative Update 23 and 2019 Cumulative Updates 12 and 13.

rapid7: After a brief reprieve last month, Exchange admins will want to patch a pair of RCE vulnerabilities this month. While neither CVE-2023-28310 nor CVE-2023-32031 quite manages to rank as critical vulnerabilities, either via CVSSv3 base score, or via Microsoft’s proprietary severity scale, they’re not far off. Only the requirement that the attacker has previously achieved an authenticated role on the Exchange server prevents these vulnerabilities from scoring higher – but that’s just the sort of issue that exploit chains are designed to overcome.

29. Remote Code Execution - Microsoft Excel (CVE-2023-32029) - High [421]

Description: Microsoft Excel Remote Code Execution Vulnerability

30. Remote Code Execution - Microsoft Excel (CVE-2023-33133) - High [421]

Description: Microsoft Excel Remote Code Execution Vulnerability

31. Remote Code Execution - Microsoft Excel (CVE-2023-33137) - High [421]

Description: Microsoft Excel Remote Code Execution Vulnerability

32. Remote Code Execution - Microsoft Office (CVE-2023-33146) - High [421]

Description: Microsoft Office Remote Code Execution Vulnerability

33. Memory Corruption - Microsoft Edge (CVE-2023-2721) - High [407]

Description: Chromium: CVE-2023-2721 Use after free in Navigation. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2721 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

34. Memory Corruption - Microsoft Edge (CVE-2023-2722) - High [407]

Description: Chromium: CVE-2023-2722 Use after free in Autofill UI. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2722 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

35. Memory Corruption - Microsoft Edge (CVE-2023-2723) - High [407]

Description: Chromium: CVE-2023-2723 Use after free in DevTools. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2723 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

36. Memory Corruption - Microsoft Edge (CVE-2023-2724) - High [407]

Description: Chromium: CVE-2023-2724 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2724 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

37. Remote Code Execution - NuGet Client (CVE-2023-29337) - High [404]

Description: NuGet Client Remote Code Execution Vulnerability

38. Remote Code Execution - iSCSI Target WMI Provider (CVE-2023-29367) - High [404]

Description: iSCSI Target WMI Provider Remote Code Execution Vulnerability

39. Security Feature Bypass - Microsoft Edge (CVE-2023-29345) - High [401]

Description: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

MS PT Extended: CVE-2023-29345 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

40. Security Feature Bypass - Microsoft Edge (CVE-2023-2939) - High [401]

Description: Chromium: CVE-2023-2939 Insufficient data validation in Installer. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2939 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

Medium (55)

41. Elevation of Privilege - Windows Authentication (CVE-2023-29364) - Medium [398]

Description: Windows Authentication Elevation of Privilege Vulnerability

42. Denial of Service - Yet Another Reverse Proxy (YARP) (CVE-2023-33141) - Medium [396]

Description: Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability

43. Elevation of Privilege - .NET (CVE-2023-33135) - Medium [394]

Description: .NET and Visual Studio Elevation of Privilege Vulnerability

44. Denial of Service - Windows iSCSI Discovery Service (CVE-2023-32011) - Medium [389]

Description: Windows iSCSI Discovery Service Denial of Service Vulnerability

45. Elevation of Privilege - Microsoft SharePoint (CVE-2023-29357) - Medium [384]

Description: Microsoft SharePoint Server Elevation of Privilege Vulnerability

qualys: CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability Microsoft SharePoint is a web-based document management and collaboration platform that helps share files, data, news, and resources. The application transforms business processes by providing simple sharing and seamless collaboration. An attacker with access to spoofed JWT authentication tokens may exploit this vulnerability to execute a network attack. A successful network attack will bypass authentication and allow an attacker to gain access as an authenticated user. On successful exploitation of the vulnerability, an attacker would gain administrator privileges.

qualys: CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability  This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 19494 Status of Anti-Malware Scan Interface (AMSI) protection

tenable: Microsoft’s June 2023 Patch Tuesday Addresses 70 CVEs (CVE-2023-29357)

tenable: CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability

tenable: CVE-2023-29357 is an EoP vulnerability in Microsoft SharePoint Server 2019 that was assigned a CVSSv3 score of 9.8 and rated critical. A remote, unauthenticated attacker can exploit the vulnerability by sending a spoofed JWT authentication token to a vulnerable server giving them the privileges of an authenticated user on the target. According to the advisory, no user interaction is required in order for an attacker to exploit this flaw. Microsoft also provides mitigation guidance for the vulnerability that says users that use Microsoft Defender in their SharePoint Server farm(s) and have AMSI enabled are not affected. CVE-2023-29357 was given a rating of “Exploitation More Likely” according to Microsoft’s Exploitability Index.

tenable: According to Trend Micro’s Zero Day Initiative (ZDI), CVE-2023-29357 was used during the March Pwn2Own Vancouver contest during a successful demonstration of a chained attack. ZDI notes that while Microsoft recommends enabling AMSI as a mitigation, they have “not tested the efficacy of this action.”

rapid7: SharePoint administrators should start by looking at critical Elevation of Privilege vulnerability CVE-2023-29357, which provides attackers with a chance at Administrator privileges on the SharePoint host, provided they come prepared with spoofed JWT tokens. Microsoft isn’t aware of public disclosure or in-the-wild exploitation, but considers exploitation more likely.

rapid7: Complicating matters further, KB5002404 does not mention CVE-2023-29357, and the advisory for CVE-2023-29357 still does not mention any patch for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow developments here closely; on present evidence, the only safe assumption is that there is no patch yet which addresses CVE-2023-29357 for SharePoint 2016.

zdi: CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability. This bug was one of the bugs chained together during the Pwn2Own Vancouver contest held back in March. This particular bug was used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft recommends enabling the AMSI feature to mitigate this vulnerability, but we have not tested the efficacy of this action. The best bet is to test and deploy the update as soon as possible.

46. Memory Corruption - Microsoft Edge (CVE-2023-2931) - Medium [383]

Description: Chromium: CVE-2023-2931 Use after free in PDF. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2931 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

47. Memory Corruption - Microsoft Edge (CVE-2023-2932) - Medium [383]

Description: Chromium: CVE-2023-2932 Use after free in PDF. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2932 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

48. Memory Corruption - Microsoft Edge (CVE-2023-2933) - Medium [383]

Description: Chromium: CVE-2023-2933 Use after free in PDF. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2933 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

49. Memory Corruption - Microsoft Edge (CVE-2023-2934) - Medium [383]

Description: Chromium: CVE-2023-2934 Out of bounds memory access in Mojo. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-29345 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2934 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

50. Memory Corruption - Microsoft Edge (CVE-2023-2935) - Medium [383]

Description: Chromium: CVE-2023-2935 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2935 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

qualys: CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability Microsoft SharePoint is a web-based document management and collaboration platform that helps share files, data, news, and resources. The application transforms business processes by providing simple sharing and seamless collaboration. An attacker with access to spoofed JWT authentication tokens may exploit this vulnerability to execute a network attack. A successful network attack will bypass authentication and allow an attacker to gain access as an authenticated user. On successful exploitation of the vulnerability, an attacker would gain administrator privileges.

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

qualys: CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability  This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 19494 Status of Anti-Malware Scan Interface (AMSI) protection

qualys: CVE-2023-29355: DHCP Server Service Information Disclosure Vulnerability This vulnerability has a CVSSv3.1 5.3 / 4.6 Policy Compliance Control IDs (CIDs): 26238 Status of the DHCP Failover Configuration

tenable: Microsoft’s June 2023 Patch Tuesday Addresses 70 CVEs (CVE-2023-29357)

tenable: CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability

tenable: CVE-2023-29357 is an EoP vulnerability in Microsoft SharePoint Server 2019 that was assigned a CVSSv3 score of 9.8 and rated critical. A remote, unauthenticated attacker can exploit the vulnerability by sending a spoofed JWT authentication token to a vulnerable server giving them the privileges of an authenticated user on the target. According to the advisory, no user interaction is required in order for an attacker to exploit this flaw. Microsoft also provides mitigation guidance for the vulnerability that says users that use Microsoft Defender in their SharePoint Server farm(s) and have AMSI enabled are not affected. CVE-2023-29357 was given a rating of “Exploitation More Likely” according to Microsoft’s Exploitability Index.

tenable: According to Trend Micro’s Zero Day Initiative (ZDI), CVE-2023-29357 was used during the March Pwn2Own Vancouver contest during a successful demonstration of a chained attack. ZDI notes that while Microsoft recommends enabling AMSI as a mitigation, they have “not tested the efficacy of this action.”

rapid7: SharePoint administrators should start by looking at critical Elevation of Privilege vulnerability CVE-2023-29357, which provides attackers with a chance at Administrator privileges on the SharePoint host, provided they come prepared with spoofed JWT tokens. Microsoft isn’t aware of public disclosure or in-the-wild exploitation, but considers exploitation more likely.

rapid7: Complicating matters further, KB5002404 does not mention CVE-2023-29357, and the advisory for CVE-2023-29357 still does not mention any patch for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow developments here closely; on present evidence, the only safe assumption is that there is no patch yet which addresses CVE-2023-29357 for SharePoint 2016.

zdi: CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability. This bug was one of the bugs chained together during the Pwn2Own Vancouver contest held back in March. This particular bug was used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft recommends enabling the AMSI feature to mitigate this vulnerability, but we have not tested the efficacy of this action. The best bet is to test and deploy the update as soon as possible.

51. Memory Corruption - Microsoft Edge (CVE-2023-2936) - Medium [383]

Description: Chromium: CVE-2023-2936 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2936 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

qualys: CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Pragmatic General Multicast (PGM), a.k.a. ‘reliable multicast,’ is a scalable receiver-reliable protocol. PGM allows receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is best suited for applications that require duplicate-free multicast data delivery from multiple sources to multiple receivers. Windows message queuing service must be running in a PGM Server environment to exploit the vulnerability. When the service is running, an attacker may send a specially crafted file over the network to achieve remote code execution. The Windows message queuing service is a Windows component that needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added with the help of the Control Panel.

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

qualys: CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 4030 `Status of the ‘Windows Message Queuing Service’ 14916  Status of Windows Services 14297 Status of the open network connections and listening ports (Qualys Agent only)

qualys: CVE-2023-29363, CVE-2023-32014, CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. The next Patch Tuesday falls on July 11, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches webinar.’

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 are RCEs in Windows operating systems that were each given a CVSSv3 of 9.8 and rated critical. The vulnerability lies in the operating systems’ implementation of Pragmatic General Multicast (PGM), an experimental multicast protocol, in the Windows message queueing service component. A remote, unauthenticated attacker could exploit these flaws by sending a malicious file to a vulnerable target. Microsoft’s mitigation guidance states that for a system to be vulnerable, it must have message queueing services enabled.

tenable: CVE-2023-29363 is credited to Jarvis_1oop of vulnerability research institute, who also disclosed CVE-2023-28250, another critical RCE vulnerability affecting Windows PGM that was patched in April’s Patch Tuesday release.

tenable: CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability

tenable: CVE-2023-29362 is a RCE in Windows operating systems that was given a CVSSv3 score of 8.8 and rated as important. The flaw lies in the Remote Desktop Client component of Windows operating systems and the Remote Desktop Client for Windows Desktop application. The vulnerability can be exploited by a remote, unauthenticated attacker with control over a Remote Desktop Server, when a user connects to an attacker controlled Server using the vulnerable client.

rapid7: All three PGM critical RCEs – CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 – require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; indeed, CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250.

zdi: CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. These three bugs look identical on paper, and all are listed as a CVSS 9.8. They allow a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row for PGM to have a CVSS 9.8 bug addressed, and it’s beginning to be a bit of a theme. While not enabled by default, PGM isn’t an uncommon configuration. Let’s hope these bugs get fixed before any active exploitation starts.

52. Denial of Service - Remote Procedure Call Runtime (CVE-2023-29369) - Medium [382]

Description: Remote Procedure Call Runtime Denial of Service Vulnerability

53. Elevation of Privilege - .NET (CVE-2023-32032) - Medium [382]

Description: .NET and Visual Studio Elevation of Privilege Vulnerability

54. Remote Code Execution - Microsoft PostScript Printer Driver (CVE-2023-32017) - Medium [380]

Description: Microsoft PostScript Printer Driver Remote Code Execution Vulnerability

55. Elevation of Privilege - .NET Framework (CVE-2023-24936) - Medium [377]

Description: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

56. Memory Corruption - Microsoft Edge (CVE-2023-2725) - Medium [371]

Description: Chromium: CVE-2023-2725 Use after free in Guest View. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2725 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

57. Memory Corruption - Microsoft Edge (CVE-2023-2930) - Medium [371]

Description: Chromium: CVE-2023-2930 Use after free in Extensions. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-2930 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

58. Denial of Service - Windows CryptoAPI (CVE-2023-24937) - Medium [365]

Description: Windows CryptoAPI Denial of Service Vulnerability

59. Denial of Service - Windows CryptoAPI (CVE-2023-24938) - Medium [365]

Description: Windows CryptoAPI Denial of Service Vulnerability

60. Denial of Service - Sysinternals Process Monitor for Windows (CVE-2023-29353) - Medium [353]

Description: Sysinternals Process Monitor for Windows Denial of Service Vulnerability

61. Elevation of Privilege - Microsoft Edge (CVE-2023-33143) - Medium [353]

Description: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

MS PT Extended: CVE-2023-33143 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

62. Denial of Service - Microsoft SharePoint (CVE-2023-33129) - Medium [348]

Description: Microsoft SharePoint Denial of Service Vulnerability

63. Elevation of Privilege - Windows Collaborative Translation Framework (CVE-2023-32009) - Medium [341]

Description: Windows Collaborative Translation Framework Elevation of Privilege Vulnerability

64. Elevation of Privilege - Windows Group Policy (CVE-2023-29351) - Medium [341]

Description: Windows Group Policy Elevation of Privilege Vulnerability

65. Information Disclosure - Microsoft Edge (CVE-2023-33145) - Medium [335]

Description: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

66. Denial of Service - Windows Hyper-V (CVE-2023-32013) - Medium [332]

Description: Windows Hyper-V Denial of Service Vulnerability

qualys: CVE-2023-32013: Windows Hyper-V Denial of Service Vulnerability Windows Hyper-V is a piece of software that allows hardware virtualization. IT professionals and software developers use virtualization to test software on multiple operating systems. Hyper-V enables working professionals to perform these tasks smoothly. With the help of Hyper-V, one can create virtual hard drives, virtual switches, and numerous different virtual devices, all of which can be added to virtual machines. To exploit this vulnerability, an attacker must prepare the target environment to improve exploit reliability. A network attacker with low privileges may exploit this vulnerability in a low-complexity attack to cause a denial of service (DoS) situation.

67. Elevation of Privilege - Windows GDI (CVE-2023-29358) - Medium [329]

Description: Windows GDI Elevation of Privilege Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

68. Elevation of Privilege - Windows GDI (CVE-2023-29371) - Medium [329]

Description: Windows GDI Elevation of Privilege Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

69. Elevation of Privilege - Windows NTFS (CVE-2023-29346) - Medium [329]

Description: NTFS Elevation of Privilege Vulnerability

70. Elevation of Privilege - Windows TPM Device Driver (CVE-2023-29360) - Medium [329]

Description: Windows TPM Device Driver Elevation of Privilege Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

71. Elevation of Privilege - Windows Container Manager Service (CVE-2023-32012) - Medium [322]

Description: Windows Container Manager Service Elevation of Privilege Vulnerability

72. Elevation of Privilege - Windows Bus Filter Driver (CVE-2023-32010) - Medium [317]

Description: Windows Bus Filter Driver Elevation of Privilege Vulnerability

73. Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2023-29361) - Medium [317]

Description: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

74. Elevation of Privilege - Windows Filtering Platform (CVE-2023-29368) - Medium [317]

Description: Windows Filtering Platform Elevation of Privilege Vulnerability

75. Elevation of Privilege - Microsoft SharePoint (CVE-2023-33142) - Medium [313]

Description: Microsoft SharePoint Server Elevation of Privilege Vulnerability

76. Information Disclosure - DHCP Server Service (CVE-2023-29355) - Medium [297]

Description: DHCP Server Service Information Disclosure Vulnerability

qualys: CVE-2023-29355: DHCP Server Service Information Disclosure Vulnerability This vulnerability has a CVSSv3.1 5.3 / 4.6 Policy Compliance Control IDs (CIDs): 26238 Status of the DHCP Failover Configuration

77. Information Disclosure - Visual Studio (CVE-2023-33139) - Medium [297]

Description: Visual Studio Information Disclosure Vulnerability

78. Spoofing - Visual Studio Code (CVE-2023-33144) - Medium [297]

Description: Visual Studio Code Spoofing Vulnerability

79. Information Disclosure - Windows Kernel (CVE-2023-32019) - Medium [292]

Description: Windows Kernel Information Disclosure Vulnerability

80. Information Disclosure - Windows Installer (CVE-2023-32016) - Medium [288]

Description: Windows Installer Information Disclosure Vulnerability

81. Spoofing - Microsoft Edge (CVE-2023-2937) - Medium [288]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-2937 Inappropriate implementation in Picture In Picture. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Picture In Picture in Google Chrome prior to 114.0.5735.90 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-2937 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

82. Spoofing - Microsoft Edge (CVE-2023-2938) - Medium [288]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-2938 Inappropriate implementation in Picture In Picture. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Picture In Picture in Google Chrome prior to 114.0.5735.90 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-2938 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

83. Spoofing - Windows DNS (CVE-2023-32020) - Medium [288]

Description: Windows DNS Spoofing Vulnerability

84. Spoofing - Microsoft SharePoint (CVE-2023-33130) - Medium [283]

Description: Microsoft SharePoint Server Spoofing Vulnerability

85. Elevation of Privilege - GDI (CVE-2023-29359) - Medium [279]

Description: GDI Elevation of Privilege Vulnerability

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

86. Spoofing - Microsoft Edge (CVE-2023-2941) - Medium [276]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-2941 Inappropriate implementation in Extensions API. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Extensions API in Google Chrome prior to 114.0.5735.90 allowed an attacker who convinced a user to install a malicious extension to spoof the contents of the UI via a crafted Chrome Extension. (Chromium security severity: Low)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-2941 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

87. Spoofing - Microsoft SharePoint (CVE-2023-33132) - Medium [271]

Description: Microsoft SharePoint Server Spoofing Vulnerability

88. Unknown Vulnerability Type - Microsoft Edge (CVE-2023-2726) - Medium [264]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-2726 Inappropriate implementation in WebApp Installs. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in WebApp Installs in Google Chrome prior to 113.0.5672.126 allowed an attacker who convinced a user to install a malicious web app to bypass install dialog via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-2726 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

89. Spoofing - Azure DevOps Server (CVE-2023-21565) - Medium [250]

Description: Azure DevOps Server Spoofing Vulnerability

rapid7: A vulnerability in Azure DevOps server could lead to an attacker accessing detailed data such as organization/project configuration, groups, teams, projects, pipelines, boards, and wiki. CVE-2023-21565 requires an attacker to have existing valid credentials for the service, but no elevated privilege is required. The advisory lists patches for 2020.1.2, 2022 and 2022.0.1.

90. Spoofing - Azure DevOps Server (CVE-2023-21569) - Medium [250]

Description: Azure DevOps Server Spoofing Vulnerability

91. Unknown Vulnerability Type - Microsoft Edge (CVE-2023-2940) - Medium [240]

Description: {'ms_cve_data_all': 'Chromium: CVE-2023-2940 Inappropriate implementation in Downloads. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.\n', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in Downloads in Google Chrome prior to 114.0.5735.90 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium)', 'combined_cve_data_all': ''}

MS PT Extended: CVE-2023-2940 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

92. Memory Corruption - Unknown Product (CVE-2023-27910) - Medium [226]

Description: {'ms_cve_data_all': 'AutoDesk: CVE-2023-27910 stack buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A user may be tricked into opening a malicious FBX file that may exploit a stack buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior which may lead to code execution.', 'combined_cve_data_all': ''}

93. Memory Corruption - Unknown Product (CVE-2023-27911) - Medium [226]

Description: {'ms_cve_data_all': 'AutoDesk: CVE-2023-27911 Heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'A user may be tricked into opening a malicious FBX file that may exploit a heap buffer overflow vulnerability in Autodesk® FBX® SDK 2020 or prior which may lead to code execution.', 'combined_cve_data_all': ''}

94. Spoofing - Dynamics 365 Finance (CVE-2023-24896) - Medium [214]

Description: Dynamics 365 Finance Spoofing Vulnerability

95. Spoofing - Microsoft Power Apps (CVE-2023-32024) - Medium [202]

Description: Microsoft Power Apps Spoofing Vulnerability

Low (5)

96. Information Disclosure - Unknown Product (CVE-2023-27909) - Low [190]

Description: {'ms_cve_data_all': 'AutoDesk: CVE-2023-27909 Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK 2020 or prior', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'An Out-Of-Bounds Write Vulnerability in Autodesk® FBX® SDK version 2020 or prior may lead to code execution through maliciously crafted FBX files or information disclosure.', 'combined_cve_data_all': ''}

97. Unknown Vulnerability Type - GitHub (CVE-2023-25652) - Low [164]

Description: {'ms_cve_data_all': 'GitHub: CVE-2023-25652 "git apply --reject" partially-controlled arbitrary file write', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.', 'combined_cve_data_all': ''}

98. Unknown Vulnerability Type - GitHub (CVE-2023-29011) - Low [152]

Description: {'ms_cve_data_all': 'GitHub: CVE-2023-29011 The config file of `connect.exe` is susceptible to malicious placing', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Git for Windows, the Windows port of Git, ships with an executable called `connect.exe`, which implements a SOCKS5 proxy that can be used to connect e.g. to SSH servers via proxies when certain ports are blocked for outgoing connections. The location of `connect.exe`'s config file is hard-coded as `/etc/connectrc` which will typically be interpreted as `C:\\etc\\connectrc`. Since `C:\\etc` can be created by any authenticated user, this makes `connect.exe` susceptible to malicious files being placed there by other users on the same multi-user machine. The problem has been patched in Git for Windows v2.40.1. As a workaround, create the folder `etc` on all drives where Git commands are run, and remove read/write access from those folders. Alternatively, watch out for malicious `<drive>:\\etc\\connectrc` files on multi-user machines.', 'combined_cve_data_all': ''}

99. Unknown Vulnerability Type - GitHub (CVE-2023-29012) - Low [152]

Description: {'ms_cve_data_all': 'GitHub: CVE-2023-29012 Git CMD erroneously executes `doskey.exe` in current directory, if it exists', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Git for Windows is the Windows port of Git. Prior to version 2.40.1, any user of Git CMD who starts the command in an untrusted directory is impacted by an Uncontrolles Search Path Element vulnerability. Maliciously-placed `doskey.exe` would be executed silently upon running Git CMD. The problem has been patched in Git for Windows v2.40.1. As a workaround, avoid using Git CMD or, if using Git CMD, avoid starting it in an untrusted directory.', 'combined_cve_data_all': ''}

100. Unknown Vulnerability Type - GitHub (CVE-2023-25815) - Low [69]

Description: {'ms_cve_data_all': 'GitHub: CVE-2023-25815 Git looks for localized messages in an unprivileged place', 'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\\mingw64\\share\\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\\` (and since `C:\\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1.\n\nThis vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\\`.', 'combined_cve_data_all': ''}

Exploitation in the wild detected (1)

Memory Corruption (1)

• Microsoft Edge (CVE-2023-3079)

MS PT Extended: CVE-2023-3079 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

zdi: CVE-2023-3079 – Chromium: CVE-2023-3079 Type Confusion in V8. This CVE shouldn’t be news to anyone as it was released by the Chrome team back on June 1. However, since it’s listed as being under active attack, I wanted to highlight it for anyone who may have missed it due to graduations, vacations, or other distractions. This is a type confusion bug in Chrome that could lead to code execution at the level of the logged-on user. It’s also the second type of confusion bug in Chrome actively exploited this year. Definitely make sure your Chromium-based browsers (including Edge) are up to date.

Public exploit exists, but exploitation in the wild is NOT detected (2)

Remote Code Execution (1)

• GitHub (CVE-2023-29007)

Spoofing (1)

• Microsoft OneNote (CVE-2023-33140)

Other Vulnerabilities (97)

Remote Code Execution (27)

• Windows Pragmatic General Multicast (PGM) (CVE-2023-29363, CVE-2023-32014, CVE-2023-32015)

qualys: CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Pragmatic General Multicast (PGM), a.k.a. ‘reliable multicast,’ is a scalable receiver-reliable protocol. PGM allows receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is best suited for applications that require duplicate-free multicast data delivery from multiple sources to multiple receivers. Windows message queuing service must be running in a PGM Server environment to exploit the vulnerability. When the service is running, an attacker may send a specially crafted file over the network to achieve remote code execution. The Windows message queuing service is a Windows component that needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added with the help of the Control Panel.

qualys: CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 4030 `Status of the ‘Windows Message Queuing Service’ 14916  Status of Windows Services 14297 Status of the open network connections and listening ports (Qualys Agent only)

qualys: CVE-2023-29363, CVE-2023-32014, CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. The next Patch Tuesday falls on July 11, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches webinar.’

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 are RCEs in Windows operating systems that were each given a CVSSv3 of 9.8 and rated critical. The vulnerability lies in the operating systems’ implementation of Pragmatic General Multicast (PGM), an experimental multicast protocol, in the Windows message queueing service component. A remote, unauthenticated attacker could exploit these flaws by sending a malicious file to a vulnerable target. Microsoft’s mitigation guidance states that for a system to be vulnerable, it must have message queueing services enabled.

tenable: CVE-2023-29363 is credited to Jarvis_1oop of vulnerability research institute, who also disclosed CVE-2023-28250, another critical RCE vulnerability affecting Windows PGM that was patched in April’s Patch Tuesday release.

rapid7: All three PGM critical RCEs – CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 – require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; indeed, CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250.

zdi: CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. These three bugs look identical on paper, and all are listed as a CVSS 9.8. They allow a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row for PGM to have a CVSS 9.8 bug addressed, and it’s beginning to be a bit of a theme. While not enabled by default, PGM isn’t an uncommon configuration. Let’s hope these bugs get fixed before any active exploitation starts.

• Windows Remote Desktop Client (CVE-2023-29362)

tenable: CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability

tenable: CVE-2023-29362 is a RCE in Windows operating systems that was given a CVSSv3 score of 8.8 and rated as important. The flaw lies in the Remote Desktop Client component of Windows operating systems and the Remote Desktop Client for Windows Desktop application. The vulnerability can be exploited by a remote, unauthenticated attacker with control over a Remote Desktop Server, when a user connects to an attacker controlled Server using the vulnerable client.

• Microsoft Exchange (CVE-2023-28310, CVE-2023-32031)

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

tenable: CVE-2023-28310 and CVE-2023-32031 | Microsoft Exchange Server Remote Code Execution Vulnerability

tenable: CVE-2023-28310 and CVE-2023-32031 are RCEs in several versions of Microsoft Exchange Server that are both rated as important and assigned CVSSv3 scores of 8.0 and 8.8 respectively.

tenable: CVE-2023-28310 can be exploited by an authenticated attacker on the local network to execute commands on the target through a remote PowerShell Session. CVE-2023-32031 allows a remote, authenticated attacker to target server accounts using network calls to trigger arbitrary code execution. Both CVE-2023-32031 and CVE-2023-28310 were given a rating of “Exploitation More Likely” and affect Microsoft Exchange Server 2016 Cumulative Update 23 and 2019 Cumulative Updates 12 and 13.

rapid7: After a brief reprieve last month, Exchange admins will want to patch a pair of RCE vulnerabilities this month. While neither CVE-2023-28310 nor CVE-2023-32031 quite manages to rank as critical vulnerabilities, either via CVSSv3 base score, or via Microsoft’s proprietary severity scale, they’re not far off. Only the requirement that the attacker has previously achieved an authenticated role on the Exchange server prevents these vulnerabilities from scoring higher – but that’s just the sort of issue that exploit chains are designed to overcome.

zdi: CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability. This vulnerability was discovered by ZDI researcher Piotr Bazydło and is a bypass of both CVE-2022-41082 and CVE-2023-21529. The former was listed as being under active exploit. The specific flaw exists within the Command class. The issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. While this does require the attacker to have an account on the Exchange server, successful exploitation could lead to executing code with SYSTEM privileges.

• Microsoft Outlook (CVE-2023-33131)
• .NET (CVE-2023-33126, CVE-2023-33128)
• Microsoft ODBC Driver (CVE-2023-29373)
• Microsoft WDAC OLE DB provider for SQL Server (CVE-2023-29372)
• .NET Framework (CVE-2023-24895, CVE-2023-24897, CVE-2023-29326)

qualys: CVE-2023-24897: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability To exploit this vulnerability, an attacker must convince a user to download and open a specially crafted file from a website through social engineering. The malicious link will lead to a local attack on their computer and allow an attacker to perform remote code execution.

rapid7: Rounding out this month’s critical RCE list is CVE-2023-24897: a flaw in .NET, .NET Framework and Visual Studio. Exploitation requires an attacker to convince the victim to open a specially-crafted malicious file, typically from a website.

• Microsoft Edge (CVE-2023-2929)

MS PT Extended: CVE-2023-2929 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

• Windows Geolocation Service (CVE-2023-29366)
• Windows Hello (CVE-2023-32018)
• Windows Media (CVE-2023-29365, CVE-2023-29370)
• Windows Resilient File System (ReFS) (CVE-2023-32008)
• Microsoft Excel (CVE-2023-32029, CVE-2023-33133, CVE-2023-33137)
• Microsoft Office (CVE-2023-33146)
• NuGet Client (CVE-2023-29337)
• iSCSI Target WMI Provider (CVE-2023-29367)
• Microsoft PostScript Printer Driver (CVE-2023-32017)

Denial of Service (10)

• .NET Framework (CVE-2023-29331)
• .NET (CVE-2023-32030)
• Yet Another Reverse Proxy (YARP) (CVE-2023-33141)
• Windows iSCSI Discovery Service (CVE-2023-32011)
• Remote Procedure Call Runtime (CVE-2023-29369)
• Windows CryptoAPI (CVE-2023-24937, CVE-2023-24938)
• Sysinternals Process Monitor for Windows (CVE-2023-29353)
• Microsoft SharePoint (CVE-2023-33129)
• Windows Hyper-V (CVE-2023-32013)

qualys: CVE-2023-32013: Windows Hyper-V Denial of Service Vulnerability Windows Hyper-V is a piece of software that allows hardware virtualization. IT professionals and software developers use virtualization to test software on multiple operating systems. Hyper-V enables working professionals to perform these tasks smoothly. With the help of Hyper-V, one can create virtual hard drives, virtual switches, and numerous different virtual devices, all of which can be added to virtual machines. To exploit this vulnerability, an attacker must prepare the target environment to improve exploit reliability. A network attacker with low privileges may exploit this vulnerability in a low-complexity attack to cause a denial of service (DoS) situation.

Security Feature Bypass (5)

• Windows SMB (CVE-2023-32021)

qualys: CVE-2023-32021: Windows SMB Witness Service Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 7.1 / 6.2 Policy Compliance Control IDs (CIDs): 26239 Status of the AD-detached clusters configured on the host (Qualys Agent Only) The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [4030,14916,14297,19494,26238,26239]

• Windows Server Service (CVE-2023-32022)

qualys: CVE-2023-32022: Windows Server Service Security Feature Bypass Vulnerability This vulnerability has a CVSSv3.1 7.6 / 6.6 Policy Compliance Control IDs (CIDs): 26239 Status of the AD-detached clusters configured on the host (Qualys Agent Only)

• Windows Remote Desktop (CVE-2023-29352)
• Microsoft Edge (CVE-2023-29345, CVE-2023-2939)

MS PT Extended: CVE-2023-2939 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-29345 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

Memory Corruption (14)

• Microsoft Edge (CVE-2023-2721, CVE-2023-2722, CVE-2023-2723, CVE-2023-2724, CVE-2023-2725, CVE-2023-2930, CVE-2023-2931, CVE-2023-2932, CVE-2023-2933, CVE-2023-2934, CVE-2023-2935, CVE-2023-2936)

MS PT Extended: CVE-2023-2935 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2724 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2933 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2722 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2725 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2931 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2932 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2721 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-29345 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2936 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2934 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2723 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2930 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

qualys: CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability Microsoft SharePoint is a web-based document management and collaboration platform that helps share files, data, news, and resources. The application transforms business processes by providing simple sharing and seamless collaboration. An attacker with access to spoofed JWT authentication tokens may exploit this vulnerability to execute a network attack. A successful network attack will bypass authentication and allow an attacker to gain access as an authenticated user. On successful exploitation of the vulnerability, an attacker would gain administrator privileges.

qualys: CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability Pragmatic General Multicast (PGM), a.k.a. ‘reliable multicast,’ is a scalable receiver-reliable protocol. PGM allows receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is best suited for applications that require duplicate-free multicast data delivery from multiple sources to multiple receivers. Windows message queuing service must be running in a PGM Server environment to exploit the vulnerability. When the service is running, an attacker may send a specially crafted file over the network to achieve remote code execution. The Windows message queuing service is a Windows component that needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added with the help of the Control Panel.

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

qualys: CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability  This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 19494 Status of Anti-Malware Scan Interface (AMSI) protection

qualys: CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 4030 `Status of the ‘Windows Message Queuing Service’ 14916  Status of Windows Services 14297 Status of the open network connections and listening ports (Qualys Agent only)

qualys: CVE-2023-29355: DHCP Server Service Information Disclosure Vulnerability This vulnerability has a CVSSv3.1 5.3 / 4.6 Policy Compliance Control IDs (CIDs): 26238 Status of the DHCP Failover Configuration

qualys: CVE-2023-29363, CVE-2023-32014, CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability This vulnerability has a CVSSv3.1 score of 9.8/10. The next Patch Tuesday falls on July 11, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches webinar.’

tenable: Microsoft’s June 2023 Patch Tuesday Addresses 70 CVEs (CVE-2023-29357)

tenable: CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability

tenable: CVE-2023-29357 is an EoP vulnerability in Microsoft SharePoint Server 2019 that was assigned a CVSSv3 score of 9.8 and rated critical. A remote, unauthenticated attacker can exploit the vulnerability by sending a spoofed JWT authentication token to a vulnerable server giving them the privileges of an authenticated user on the target. According to the advisory, no user interaction is required in order for an attacker to exploit this flaw. Microsoft also provides mitigation guidance for the vulnerability that says users that use Microsoft Defender in their SharePoint Server farm(s) and have AMSI enabled are not affected. CVE-2023-29357 was given a rating of “Exploitation More Likely” according to Microsoft’s Exploitability Index.

tenable: According to Trend Micro’s Zero Day Initiative (ZDI), CVE-2023-29357 was used during the March Pwn2Own Vancouver contest during a successful demonstration of a chained attack. ZDI notes that while Microsoft recommends enabling AMSI as a mitigation, they have “not tested the efficacy of this action.”

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

tenable: CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015 are RCEs in Windows operating systems that were each given a CVSSv3 of 9.8 and rated critical. The vulnerability lies in the operating systems’ implementation of Pragmatic General Multicast (PGM), an experimental multicast protocol, in the Windows message queueing service component. A remote, unauthenticated attacker could exploit these flaws by sending a malicious file to a vulnerable target. Microsoft’s mitigation guidance states that for a system to be vulnerable, it must have message queueing services enabled.

tenable: CVE-2023-29363 is credited to Jarvis_1oop of vulnerability research institute, who also disclosed CVE-2023-28250, another critical RCE vulnerability affecting Windows PGM that was patched in April’s Patch Tuesday release.

tenable: CVE-2023-29362 | Remote Desktop Client Remote Code Execution Vulnerability

tenable: CVE-2023-29362 is a RCE in Windows operating systems that was given a CVSSv3 score of 8.8 and rated as important. The flaw lies in the Remote Desktop Client component of Windows operating systems and the Remote Desktop Client for Windows Desktop application. The vulnerability can be exploited by a remote, unauthenticated attacker with control over a Remote Desktop Server, when a user connects to an attacker controlled Server using the vulnerable client.

rapid7: SharePoint administrators should start by looking at critical Elevation of Privilege vulnerability CVE-2023-29357, which provides attackers with a chance at Administrator privileges on the SharePoint host, provided they come prepared with spoofed JWT tokens. Microsoft isn’t aware of public disclosure or in-the-wild exploitation, but considers exploitation more likely.

rapid7: Complicating matters further, KB5002404 does not mention CVE-2023-29357, and the advisory for CVE-2023-29357 still does not mention any patch for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow developments here closely; on present evidence, the only safe assumption is that there is no patch yet which addresses CVE-2023-29357 for SharePoint 2016.

rapid7: All three PGM critical RCEs – CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 – require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; indeed, CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250.

zdi: CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability. This bug was one of the bugs chained together during the Pwn2Own Vancouver contest held back in March. This particular bug was used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft recommends enabling the AMSI feature to mitigate this vulnerability, but we have not tested the efficacy of this action. The best bet is to test and deploy the update as soon as possible.

zdi: CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. These three bugs look identical on paper, and all are listed as a CVSS 9.8. They allow a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row for PGM to have a CVSS 9.8 bug addressed, and it’s beginning to be a bit of a theme. While not enabled by default, PGM isn’t an uncommon configuration. Let’s hope these bugs get fixed before any active exploitation starts.

• Unknown Product (CVE-2023-27910, CVE-2023-27911)

Elevation of Privilege (18)

• Windows Authentication (CVE-2023-29364)
• .NET (CVE-2023-32032, CVE-2023-33135)
• Microsoft SharePoint (CVE-2023-29357, CVE-2023-33142)

qualys: CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability Microsoft SharePoint is a web-based document management and collaboration platform that helps share files, data, news, and resources. The application transforms business processes by providing simple sharing and seamless collaboration. An attacker with access to spoofed JWT authentication tokens may exploit this vulnerability to execute a network attack. A successful network attack will bypass authentication and allow an attacker to gain access as an authenticated user. On successful exploitation of the vulnerability, an attacker would gain administrator privileges.

qualys: CVE-2023-29357: Microsoft SharePoint Server Elevation of Privilege Vulnerability  This vulnerability has a CVSSv3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 19494 Status of Anti-Malware Scan Interface (AMSI) protection

tenable: Microsoft’s June 2023 Patch Tuesday Addresses 70 CVEs (CVE-2023-29357)

tenable: CVE-2023-29357 | Microsoft SharePoint Server Elevation of Privilege Vulnerability

tenable: CVE-2023-29357 is an EoP vulnerability in Microsoft SharePoint Server 2019 that was assigned a CVSSv3 score of 9.8 and rated critical. A remote, unauthenticated attacker can exploit the vulnerability by sending a spoofed JWT authentication token to a vulnerable server giving them the privileges of an authenticated user on the target. According to the advisory, no user interaction is required in order for an attacker to exploit this flaw. Microsoft also provides mitigation guidance for the vulnerability that says users that use Microsoft Defender in their SharePoint Server farm(s) and have AMSI enabled are not affected. CVE-2023-29357 was given a rating of “Exploitation More Likely” according to Microsoft’s Exploitability Index.

tenable: According to Trend Micro’s Zero Day Initiative (ZDI), CVE-2023-29357 was used during the March Pwn2Own Vancouver contest during a successful demonstration of a chained attack. ZDI notes that while Microsoft recommends enabling AMSI as a mitigation, they have “not tested the efficacy of this action.”

rapid7: SharePoint administrators should start by looking at critical Elevation of Privilege vulnerability CVE-2023-29357, which provides attackers with a chance at Administrator privileges on the SharePoint host, provided they come prepared with spoofed JWT tokens. Microsoft isn’t aware of public disclosure or in-the-wild exploitation, but considers exploitation more likely.

rapid7: Complicating matters further, KB5002404 does not mention CVE-2023-29357, and the advisory for CVE-2023-29357 still does not mention any patch for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow developments here closely; on present evidence, the only safe assumption is that there is no patch yet which addresses CVE-2023-29357 for SharePoint 2016.

zdi: CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability. This bug was one of the bugs chained together during the Pwn2Own Vancouver contest held back in March. This particular bug was used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft recommends enabling the AMSI feature to mitigate this vulnerability, but we have not tested the efficacy of this action. The best bet is to test and deploy the update as soon as possible.

• .NET Framework (CVE-2023-24936)
• Microsoft Edge (CVE-2023-33143)

MS PT Extended: CVE-2023-33143 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

• Windows Collaborative Translation Framework (CVE-2023-32009)
• Windows Group Policy (CVE-2023-29351)
• Windows GDI (CVE-2023-29358, CVE-2023-29371)

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

• Windows NTFS (CVE-2023-29346)
• Windows TPM Device Driver (CVE-2023-29360)

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

• Windows Container Manager Service (CVE-2023-32012)
• Windows Bus Filter Driver (CVE-2023-32010)
• Windows Cloud Files Mini Filter Driver (CVE-2023-29361)

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

• Windows Filtering Platform (CVE-2023-29368)
• GDI (CVE-2023-29359)

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

Information Disclosure (6)

• Microsoft Edge (CVE-2023-33145)
• DHCP Server Service (CVE-2023-29355)

qualys: CVE-2023-29355: DHCP Server Service Information Disclosure Vulnerability This vulnerability has a CVSSv3.1 5.3 / 4.6 Policy Compliance Control IDs (CIDs): 26238 Status of the DHCP Failover Configuration

• Visual Studio (CVE-2023-33139)
• Windows Kernel (CVE-2023-32019)
• Windows Installer (CVE-2023-32016)
• Unknown Product (CVE-2023-27909)

Spoofing (11)

• Visual Studio Code (CVE-2023-33144)
• Microsoft Edge (CVE-2023-2937, CVE-2023-2938, CVE-2023-2941)

MS PT Extended: CVE-2023-2941 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2938 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2937 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

qualys: Other Microsoft Vulnerability Highlights CVE-2023-28310 exists in Exchange Server that may allow an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability. CVE-2023-29358 and CVE-2023-29359 affect the Microsoft Windows graphics device interface (GDI) that allows applications to use graphics and formatted texts on video displays and printers. An attacker could gain SYSTEM privileges on successful exploitation of the vulnerabilities. CVE-2023-29360 is an elevation of privilege vulnerability that affects the Windows Trusted Platform Module (TPM) Device Driver. On successful exploitation of the vulnerability, an attacker could gain SYSTEM privileges. CVE-2023-29361 is an elevation of privilege vulnerability that affects Windows Cloud Files Mini Filter Driver. To exploit this vulnerability, an attacker must win a race condition. An attacker who exploits this vulnerability could gain SYSTEM privileges on the affected system.  CVE-2023-29371 exists in the Microsoft Windows graphics device interface (GDI). The vulnerability may allow an attacker to gain SYSTEM privileges on successful exploitation. CVE-2023-32031 is a remote code execution vulnerability that affects Microsoft Exchange Server. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call.

• Windows DNS (CVE-2023-32020)
• Microsoft SharePoint (CVE-2023-33130, CVE-2023-33132)
• Azure DevOps Server (CVE-2023-21565, CVE-2023-21569)

rapid7: A vulnerability in Azure DevOps server could lead to an attacker accessing detailed data such as organization/project configuration, groups, teams, projects, pipelines, boards, and wiki. CVE-2023-21565 requires an attacker to have existing valid credentials for the service, but no elevated privilege is required. The advisory lists patches for 2020.1.2, 2022 and 2022.0.1.

• Dynamics 365 Finance (CVE-2023-24896)
• Microsoft Power Apps (CVE-2023-32024)

Unknown Vulnerability Type (6)

• Microsoft Edge (CVE-2023-2726, CVE-2023-2940)

MS PT Extended: CVE-2023-2940 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

MS PT Extended: CVE-2023-2726 was published before June 2023 Patch Tuesday from 2023-05-10 to 2023-06-12

• GitHub (CVE-2023-25652, CVE-2023-25815, CVE-2023-29011, CVE-2023-29012)