Report Name: Microsoft Patch Tuesday, November 2023
Generated: 2024-01-29 19:23:59

Product Name	Prevalence	U	C	H	M	L	A	Comment
Windows Kernel	0.9			2	1		3	Windows Kernel
ASP.NET	0.8			1			1	An open-source, server-side web-application framework designed for web development
ASP.NET Core	0.8			1			1	An open-source, server-side web-application framework designed for web development
Chromium	0.8			19	10		29	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
Microsoft Edge	0.8			6	2		8	Web browser
Microsoft Office	0.8			1			1	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Microsoft Windows Defender	0.8				1		1	Windows component
Open Management Infrastructure	0.8			1			1	An open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards
Windows Authentication	0.8				2		2	Windows component
Windows Cloud Files Mini Filter Driver	0.8		1				1	Windows component
Windows Common Log File System Driver	0.8				1		1	Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs
Windows Compressed Folder	0.8			1			1	Windows component
Windows DWM Core Library	0.8		1				1	Windows component
Windows Deployment Services	0.8			1			1	Windows component
Windows Distributed File System (DFS)	0.8			1			1	Windows component
Windows HMAC Key Derivation	0.8			1			1	Windows component
Windows Installer	0.8				1		1	Windows component
Windows NTFS	0.8				1		1	The default file system of the Windows NT family
Windows Pragmatic General Multicast (PGM)	0.8			1			1	Windows component
Windows Scripting Engine	0.8			1			1	Windows component
Windows Search Service	0.8				1		1	Windows component
Windows SmartScreen	0.8	1					1	SmartScreen is a cloud-based anti-phishing and anti-malware component included in several Microsoft products, including operating systems Windows 8 and later, the applications Internet Explorer, Microsoft Edge
Windows Storage	0.8				1		1	Windows component
Windows User Interface Application Core	0.8			1			1	Windows component
Microsoft Excel	0.6		1		1		2	MS Office product
Microsoft Office Graphics	0.6			1			1	Microsoft Office Graphics
Windows Hyper-V	0.6		1		3		4	Hardware virtualization component of the client editions of Windows NT
.NET, .NET Framework, and Visual Studio	0.5			1			1	.NET, .NET Framework, and Visual Studio
ASP.NET Core -	0.5			1			1	ASP.NET Core -
Adobe: CVE-2023-44323 Adobe PDF	0.5				1		1	Adobe: CVE-2023-44323 Adobe PDF
Azure CLI REST Command	0.5				1		1	Azure CLI REST Command
Azure DevOps Server	0.5			1			1	Azure DevOps Server
Curl	0.5			1			1	Product detected by a:haxx:curl (exists in CPE dict)
DHCP Server Service	0.5				1		1	DHCP Server Service
Dynamics 365	0.5				3		3	Product detected by a:microsoft:dynamics_365 (exists in CPE dict)
Microsoft Dynamics 365 Sales	0.5				1		1	Microsoft Dynamics 365 Sales
Microsoft Exchange	0.5				4		4	Microsoft Exchange
Microsoft Host Integration Server 2020	0.5			1			1	Microsoft Host Integration Server 2020
Microsoft Local Security Authority Subsystem Service	0.5				1		1	Microsoft Local Security Authority Subsystem Service
Microsoft On-Prem Data Gateway	0.5				1		1	Microsoft On-Prem Data Gateway
Microsoft Protected Extensible Authentication Protocol (PEAP)	0.5			1			1	Microsoft Protected Extensible Authentication Protocol (PEAP)
Microsoft Remote Registry Service	0.5			2			2	Microsoft Remote Registry Service
Microsoft Send Customer Voice survey from Dynamics 365	0.5				1		1	Microsoft Send Customer Voice survey from Dynamics 365
Microsoft SharePoint Server	0.5				1		1	Microsoft SharePoint Server
Microsoft Speech Application Programming Interface (SAPI)	0.5				1		1	Microsoft Speech Application Programming Interface (SAPI)
Microsoft WDAC OLE DB provider for SQL Server	0.5			1			1	Microsoft WDAC OLE DB provider for SQL Server
Visual Studio Code Jupyter Extension	0.5				1		1	Visual Studio Code Jupyter Extension
bluetooth_core_specification	0.5					1	1	Product detected by a:bluetooth:bluetooth_core_specification (exists in CPE dict)
libcurl	0.5			1			1	Product detected by a:haxx:libcurl (exists in CPE dict)
Visual Studio	0.3				1		1	Integrated development environment

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0		1	15	3		19
Security Feature Bypass	0.9	1		13	5		19
Elevation of Privilege	0.85		3	5	10		18
Information Disclosure	0.83			3	4		7
Cross Site Scripting	0.8				3		3
Denial of Service	0.7			3	3		6
Incorrect Calculation	0.5			1			1
Memory Corruption	0.5			9	3		12
Spoofing	0.4				12		12
Unknown Vulnerability Type	0					1	1

Source	U	C	H	M	L	A
MS PT Extended			27	13		40
Qualys	1	2	5	9		17
Tenable	1	2	3	4	1	11
Rapid7	1	2	5	5		13
ZDI	1	2	1	1		5

Urgent (1)

1. Security Feature Bypass - Windows SmartScreen (CVE-2023-36025) - Urgent [913]

Description: Windows SmartScreen Security Feature Bypass Vulnerability

Qualys: CVE-2023-36025: Windows SmartScreen Security Feature Bypass Vulnerability  Windows SmartScreen is a security feature in Microsoft Windows operating systems that protects against malicious software and websites. SmartScreen is a background application that employs a cloud-based component to scan web pages you visit for security risks updated regularly.   To exploit the vulnerability, an attacker must convince a user to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by them. An attacker may bypass Windows Defender SmartScreen checks and associated prompts on successful exploitation.  CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 12, 2023.

Tenable: Microsoft’s November 2023 Patch Tuesday Addresses 57 CVEs (CVE-2023-36025)

Tenable: CVE-2023-36025 | Windows SmartScreen Security Feature Bypass Vulnerability

Tenable: CVE-2023-36025 is a security feature bypass vulnerability in Windows SmartScreen. It was assigned a CVSSv3 score of 8.8 and is rated important. According to Microsoft, it was exploited in the wild as a zero-day. An attacker could exploit this flaw by crafting a malicious Internet Shortcut (.URL) file and convincing a target to click on the file or a hyperlink pointing to a.URL file. Successful exploitation would result in a bypass of the security checks in Windows Defender SmartScreen.

Rapid7: Three vulnerabilities patched today are already present on the CISA Known Exploited Vulnerabilities (KEV) list: CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

Rapid7: CVE-2023-36025 describes a Windows SmartScreen security feature bypass. An attacker who convinces a user to open a specially crafted malicious Internet Shortcut file could bypass the anti-phishing and anti-malware protection provided by Windows SmartScreen. This could be abused as an early stage in a more complex attack chain.

ZDI: CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability. This is the final bug listed as under active attack this month, but this is a bypass rather than a privilege escalation. An attack that exploits this bug would be able to bypass Windows Defender SmartScreen checks and other prompts. That means this bug is likely being used in conjunction with an exploit that normally would be stopped by SmartScreen. I suspect this is being used by a phishing campaign to evade user prompts that would prevent – or at least warn about – opening a malicious document.

Critical (4)

2. Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2023-36036) - Critical [727]

Description: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Qualys: CVE-2023-36036: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability  A mini filter driver can filter IRP-based I/O activities along with the fast I/O and file system filter (FSFilter) callback actions. A mini filter driver can register a preoperation and postoperation callback routine, or both, for each I/O operation it wishes to filter.  Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 12, 2023.

Tenable: CVE-2023-36036 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Tenable: CVE-2023-36036 is an EoP vulnerability in Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys). It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft says it has been exploited in the wild and is credited to both the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC). While Microsoft did not provide specific details around this vulnerability, like most EoP flaws, if a local attacker exploits this flaw, they would be able to elevate privileges to SYSTEM.

Rapid7: Three vulnerabilities patched today are already present on the CISA Known Exploited Vulnerabilities (KEV) list: CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

Rapid7: Microsoft is patching CVE-2023-36036, an EoP vulnerability in the Windows Cloud Files Mini Filter Driver. No details of the attack mechanism are provided in the advisory, but exploitation leads to SYSTEM privileges.

ZDI: CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. This is another privilege escalation bug under active attack, and just like the DWM bug, exploitation leads to SYSTEM privileges. This driver is used for managing and facilitating the operations of cloud-stored files. It’s loaded by default on just about every version of Windows, so it provides a broad attack surface. Again, this bug is likely being paired with a code execution bug in attacks. Definitely test and deploy this update quickly.

3. Elevation of Privilege - Windows DWM Core Library (CVE-2023-36033) - Critical [687]

Description: Windows DWM Core Library Elevation of Privilege Vulnerability

Qualys: CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability  Desktop Window Manager (DWM) is a core system file in Microsoft Windows. It is responsible for producing each component visible on a laptop or PC. DWM covers visual effects such as system animations, wallpapers, themes, thumbnails, Windows Aero, Windows Flip, and Windows Flip3D, as well as transparent components.  Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 12, 2023.

Tenable: CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability

Tenable: CVE-2023-36033 is an EoP vulnerability in the DWM Core Library in Microsoft Windows. It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft noted that it was exploited in the wild as a zero-day and was publicly disclosed prior to a patch being available. A local attacker with a presence on a vulnerable system could exploit it to gain SYSTEM privileges. It was disclosed to Microsoft by security researcher Quan Jin of DBAPPSecurity WeBin Lab, who is credited with discovering two other EoP zero-day vulnerabilities in 2023:

Rapid7: Three vulnerabilities patched today are already present on the CISA Known Exploited Vulnerabilities (KEV) list: CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

Rapid7: Originally introduced in Windows Vista, the Windows Dynamic Window Manager (DWM) enables many of the modern UI features which users have come to expect from a Windows OS. This month, the DWM Core Library receives a patch for CVE-2023-36033, an elevation of privilege (EoP) vulnerability which Microsoft notes is both publicly disclosed and exploited in the wild. Exploitation leads to SYSTEM privileges, but Microsoft does not provide any further guidance on the attack mechanism.

ZDI: CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability. This bug allows a privilege escalation through the Windows Desktop Manager (DWM) and is listed as being under active attack. Microsoft doesn’t provide any indication of how widespread the attacks are at this point, but these types of exploits typically begin with small outbreaks before spreading wider. An attacker who uses this can gain SYSTEM privileges, which is why these types of bugs are often paired with some form of code execution bug to compromise a system.

4. Remote Code Execution - Microsoft Excel (CVE-2023-36041) - Critical [635]

Description: Microsoft Excel Remote Code Execution Vulnerability

5. Elevation of Privilege - Windows Hyper-V (CVE-2023-36427) - Critical [608]

Description: Windows Hyper-V Elevation of Privilege Vulnerability

High (49)

6. Denial of Service - Curl (CVE-2023-38039) - High [553]

Description: When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

MS PT Extended: CVE-2023-38039 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

7. Memory Corruption - libcurl (CVE-2023-38545) - High [553]

Description: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.

MS PT Extended: CVE-2023-38545 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

Tenable: Update November 14: This blog has been updated to note the availability of fixes for Windows and Windows Server for CVE-2023-38545, a heap buffer overflow vulnerability in curl.

Tenable: CVE-2023-38545 | SOCKS5 Heap Buffer Overflow in curl

Tenable: CVE-2023-38545 is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and curl. This flaw was disclosed and patched on October 11. Curl is one of the most widely used open source projects and Microsoft includes curl.exe in Windows and Windows Server. On October 19, Microsoft published an initial advisory for this vulnerability though no fixes were available at the time. However, a fixed version of curl.exe, version 8.4.0, was included in the Windows updates as part of this month's Patch Tuesday release.

Tenable: Update November 14: This blog has been updated to note the availability of fixes for Windows and Windows Server for CVE-2023-38545, a heap buffer overflow vulnerability in curl.

Rapid7: Microsoft admins who have been waiting for a patch for last month’s cURL SOCKS5 vulnerability CVE-2023-38545 will be pleased to see that Microsoft has included curl.exe 8.4.0 as part of the November updates for current versions of Windows. Many observers ultimately concluded that this vulnerability was perhaps of more limited scope and attacker value than the pre-publication buzz may have suggested, but a patch is always appreciated.

8. Remote Code Execution - Windows Pragmatic General Multicast (PGM) (CVE-2023-36397) - High [526]

Description: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

Qualys: CVE-2023-36397: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability  Pragmatic General Multicast (PGM) is a multicast computer network transport protocol appropriate for multi-receiver file transfer applications. PGM provides a reliable sequence of packets to multiple recipients simultaneously.  An attacker may exploit this vulnerability to send a specially crafted file over the network when the Windows message queuing service runs in a PGM Server environment. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution and attempt to trigger malicious code. 

Qualys: CVE-2023-36028: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability  This vulnerability has a CVSS:3.1 9.8 / 8.5  Policy Compliance Control IDs (CIDs):  25699 Status of the ‘Network authentication method’ for Wireless Network IEEE 802.11 group policy  CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability  This vulnerability has a CVSS:3.1 9.8 / 8.5  Policy Compliance Control IDs (CIDs):  4030 Status of the ‘Windows Message Queuing Service’  14916 Status of Windows Services  14297 Status of the open network connections and listening ports (Qualys Agent only)  The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:  control.id: [25699, 4030, 14916, 14297] 

Rapid7: CVE-2023-36397 describes an RCE vulnerability in Windows PGM. As with other similar previous vulnerabilities, an attacker can send a specially-crafted file over the network to attempt malicious code execution on the target asset. Only systems where Windows Message Queueing Service (MSMQ) is enabled are exploitable, and it isn’t added to a default Windows installation. However, as Rapid7 has noted previously, administrators should be aware that a number of applications — including Microsoft Exchange — quietly introduce MSMQ as part of their own installation routine.

ZDI: CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. With a CVSS of 9.8, this is the highest-rated bug for the month, and it deserves the rating. It would allow a remote, unauthenticated attacker to execute code with elevated privileges without user interaction. The good news here is that this is only true for systems where the Windows message queuing service is running in a PGM Server environment. There shouldn’t be a lot of those out there, but if you are one of them, definitely test and apply this update quickly.

9. Remote Code Execution - Chromium (CVE-2023-5857) - High [502]

Description: Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially execute arbitrary code via a malicious file. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5857 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

10. Remote Code Execution - Windows Distributed File System (DFS) (CVE-2023-36425) - High [502]

Description: Windows Distributed File System (DFS) Remote Code Execution Vulnerability

11. Remote Code Execution - Microsoft Protected Extensible Authentication Protocol (PEAP) (CVE-2023-36028) - High [500]

Description: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability

Qualys: CVE-2023-36028: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability  This vulnerability has a CVSS:3.1 9.8 / 8.5  Policy Compliance Control IDs (CIDs):  25699 Status of the ‘Network authentication method’ for Wireless Network IEEE 802.11 group policy  CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability  This vulnerability has a CVSS:3.1 9.8 / 8.5  Policy Compliance Control IDs (CIDs):  4030 Status of the ‘Windows Message Queuing Service’  14916 Status of Windows Services  14297 Status of the open network connections and listening ports (Qualys Agent only)  The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:  control.id: [25699, 4030, 14916, 14297] 

12. Information Disclosure - Open Management Infrastructure (CVE-2023-36043) - High [498]

Description: Open Management Infrastructure Information Disclosure Vulnerability

13. Remote Code Execution - Microsoft Host Integration Server 2020 (CVE-2023-38151) - High [476]

Description: Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability

14. Remote Code Execution - Microsoft WDAC OLE DB provider for SQL Server (CVE-2023-36402) - High [476]

Description: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

15. Elevation of Privilege - .NET, .NET Framework, and Visual Studio (CVE-2023-36049) - High [470]

Description: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability

16. Security Feature Bypass - Chromium (CVE-2023-5482) - High [460]

Description: Chromium: CVE-2023-5482 Insufficient data validation in USB. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5482 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

17. Remote Code Execution - Windows Compressed Folder (CVE-2023-36396) - High [454]

Description: Windows Compressed Folder Remote Code Execution Vulnerability

18. Remote Code Execution - Windows User Interface Application Core (CVE-2023-36393) - High [454]

Description: Windows User Interface Application Core Remote Code Execution Vulnerability

19. Security Feature Bypass - ASP.NET (CVE-2023-36560) - High [448]

Description: ASP.NET Security Feature Bypass Vulnerability

20. Remote Code Execution - Microsoft Edge (CVE-2023-36014) - High [442]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2023-36014 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

21. Remote Code Execution - Microsoft Edge (CVE-2023-36034) - High [442]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2023-36034 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

22. Remote Code Execution - Azure DevOps Server (CVE-2023-36437) - High [440]

Description: Azure DevOps Server Remote Code Execution Vulnerability

23. Remote Code Execution - Microsoft Remote Registry Service (CVE-2023-36423) - High [440]

Description: Microsoft Remote Registry Service Remote Code Execution Vulnerability

24. Remote Code Execution - Microsoft Edge (CVE-2023-36022) - High [430]

Description: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

MS PT Extended: CVE-2023-36022 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

25. Security Feature Bypass - Chromium (CVE-2023-5483) - High [425]

Description: Inappropriate implementation in Intents in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5483 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

26. Security Feature Bypass - Microsoft Office (CVE-2023-36413) - High [425]

Description: Microsoft Office Security Feature Bypass Vulnerability

Qualys: CVE-2023-36413: Microsoft Office Security Feature Bypass Vulnerability An attacker may exploit this vulnerability to bypass the Office Protected View and open in editing mode instead of protected mode. An attacker must send the user a malicious file and convince them to open it to exploit the vulnerability. 

Tenable: CVE-2023-36413 | Microsoft Office Security Feature Bypass Vulnerability

Tenable: CVE-2023-36413 is a security feature bypass vulnerability in Microsoft Office. It was assigned a CVSSv3 score of 6.5 and is rated as important. An attacker could exploit this vulnerability using social engineering tactics to convince a target to open a malicious Microsoft Office file on a vulnerable system. Successful exploitation would result in a bypass of security features of Microsoft Office designed to protect users including Protected View and the file would be opened in editing mode instead of protected mode. Microsoft says details about this flaw have been publicly disclosed prior to a patch being available.

Rapid7: CVE-2023-36413 describes a publicly disclosed Microsoft Office security feature bypass. A user who opens a specially crafted malicious file would find themselves in Editing mode, rather than Protected View, and would thus lose out on warning banners and other defenses designed to detect and quarantine malicious code in Office documents.

27. Remote Code Execution - Microsoft Office Graphics (CVE-2023-36045) - High [421]

Description: Microsoft Office Graphics Remote Code Execution Vulnerability

28. Elevation of Privilege - Windows Kernel (CVE-2023-36403) - High [420]

Description: Windows Kernel Elevation of Privilege Vulnerability

29. Remote Code Execution - Microsoft Remote Registry Service (CVE-2023-36401) - High [416]

Description: Microsoft Remote Registry Service Remote Code Execution Vulnerability

30. Denial of Service - ASP.NET Core (CVE-2023-36038) - High [413]

Description: ASP.NET Core Denial of Service Vulnerability

Qualys: CVE-2023-36038: ASP.NET Core Denial of Service Vulnerability  ASP.NET is a popular web-development framework for creating web applications on the.NET platform. The open-source ASP.NET Core is compatible with Windows, Linux, and macOS. ASP.NET Core redesigns previous ASP.NET versions exclusive to Windows.  An attacker may exploit the vulnerability when HTTP requests to .NET 8 RC 1 running on the IIS InProcess hosting model are canceled. 

Tenable: CVE-2023-36038 | ASP.NET Core Denial of Service Vulnerability

Tenable: CVE-2023-36038 is a denial of service (DoS) vulnerability in the open-source web application framework, ASP.NET. It was assigned a CVSSv3 score of 8.2 and rated as important. Microsoft rates it as Exploitation Less Likely according to the Microsoft Exploitability Index. An attacker that could successfully exploit this vulnerability could trigger an OutOfMemoryException, resulting in a DoS condition. Microsoft notes that this vulnerability was publicly disclosed, however no in-the-wild exploitation has been observed.

Rapid7: CVE-2023-36038 describes an ASP.NET Core denial of service (DoS) attack, which affects only .NET 8 RC 1 running on the IIS InProcess hosting model. The mechanism of the attack is resource exhaustion on the web server via cancellation of requests; this sounds very similar to last month’s CVE-2023-44487, dubbed “Rapid Reset”. However, there’s no mention of HTTP/2 in the advisory for CVE-2023-36038.

31. Denial of Service - Windows Deployment Services (CVE-2023-36395) - High [413]

Description: Windows Deployment Services Denial of Service Vulnerability

32. Memory Corruption - Windows Scripting Engine (CVE-2023-36017) - High [413]

Description: Windows Scripting Engine Memory Corruption Vulnerability

33. Security Feature Bypass - Chromium (CVE-2023-5475) - High [413]

Description: Inappropriate implementation in DevTools in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5475 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

34. Security Feature Bypass - Chromium (CVE-2023-5480) - High [413]

Description: Inappropriate implementation in Payments in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to bypass XSS preventions via a malicious file. (Chromium security severity: High)

MS PT Extended: CVE-2023-5480 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

35. Security Feature Bypass - Chromium (CVE-2023-5487) - High [413]

Description: Inappropriate implementation in Fullscreen in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5487 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

36. Security Feature Bypass - Chromium (CVE-2023-5853) - High [413]

Description: Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5853 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

37. Security Feature Bypass - Chromium (CVE-2023-5859) - High [413]

Description: Incorrect security UI in Picture In Picture in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted local HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2023-5859 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

38. Security Feature Bypass - ASP.NET Core - (CVE-2023-36558) - High [408]

Description: ASP.NET Core - Security Feature Bypass Vulnerability

39. Information Disclosure - Windows Kernel (CVE-2023-36404) - High [405]

Description: Windows Kernel Information Disclosure Vulnerability

40. Elevation of Privilege - Microsoft Edge (CVE-2023-36024) - High [404]

Description: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

MS PT Extended: CVE-2023-36024 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

41. Elevation of Privilege - Microsoft Edge (CVE-2023-36027) - High [404]

Description: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

MS PT Extended: CVE-2023-36027 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

42. Elevation of Privilege - Windows HMAC Key Derivation (CVE-2023-36400) - High [404]

Description: Windows HMAC Key Derivation Elevation of Privilege Vulnerability

Qualys: CVE-2023-36400: Windows HMAC Key Derivation Elevation of Privilege Vulnerability  The Hash-based Message Authentication Code (HMAC) detects if a message received via an insecure channel has been altered when the sender and receiver use secret keys. It’s a cryptographic authentication technique that uses a cryptographic hash function and a shared secret key to encrypt information and protect it from unauthorized access.  An attacker must log on to the system and run a specially crafted application to exploit this vulnerability. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. 

Rapid7: Attackers looking to escape from a low privilege Hyper-V guest OS and execute code as SYSTEM on the Hyper-V host system will take note of CVE-2023-36400. Successful exploitation requires running a specially crafted application in the context of the guest OS to exploit a weakness in Windows HMAC Key Derivation, so some prior access is required.

43. Incorrect Calculation - Chromium (CVE-2023-5849) - High [401]

Description: Chromium: CVE-2023-5849 Integer overflow in USB. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5849 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

44. Memory Corruption - Chromium (CVE-2023-5218) - High [401]

Description: Chromium: CVE-2023-5218 Use after free in Site Isolation. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5218 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

45. Memory Corruption - Chromium (CVE-2023-5472) - High [401]

Description: Chromium: CVE-2023-5472: Use after free in Profiles. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5472 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

46. Memory Corruption - Chromium (CVE-2023-5852) - High [401]

Description: Chromium: CVE-2023-5852 Use after free in Printing. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5852 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

47. Memory Corruption - Chromium (CVE-2023-5854) - High [401]

Description: Chromium: CVE-2023-5854 Use after free in Profiles. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5854 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

48. Memory Corruption - Chromium (CVE-2023-5855) - High [401]

Description: Chromium: CVE-2023-5855 Use after free in Reading Mode. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5855 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

49. Memory Corruption - Chromium (CVE-2023-5856) - High [401]

Description: Chromium: CVE-2023-5856 Use after free in Side Panel. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5856 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

50. Memory Corruption - Chromium (CVE-2023-5996) - High [401]

Description: Chromium: CVE-2023-5996 Use after free in WebAudio. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5996 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

51. Security Feature Bypass - Chromium (CVE-2023-5479) - High [401]

Description: Inappropriate implementation in Extensions API in Google Chrome prior to 118.0.5993.70 allowed an attacker who convinced a user to install a malicious extension to bypass an enterprise policy via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5479 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

52. Security Feature Bypass - Chromium (CVE-2023-5851) - High [401]

Description: Inappropriate implementation in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5851 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

53. Security Feature Bypass - Chromium (CVE-2023-5858) - High [401]

Description: Inappropriate implementation in WebApp Provider in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2023-5858 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

54. Information Disclosure - Microsoft Edge (CVE-2023-36409) - High [400]

Description: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

MS PT Extended: CVE-2023-36409 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

Medium (43)

55. Information Disclosure - Azure CLI REST Command (CVE-2023-36052) - Medium [398]

Description: Azure CLI REST Command Information Disclosure Vulnerability

Qualys: CVE-2023-36052: Azure CLI REST Command Information Disclosure Vulnerability  The Azure CLI is a command-line tool that provides a native CLI interface required when working with Microsoft Azure resources. The Azure CLI can call the Azure REST API to perform actions that each Azure CLI (az) command supports.  Successful exploitation of the vulnerability may allow an unauthenticated attacker to retrieve plaintext passwords and usernames from log files stored in open-source repositories. 

Rapid7: The Azure CLI tool prior to version 2.53.1 does not sufficiently redact information published to log files in certain contexts, allowing recovery of plaintext(!) usernames and passwords. The advisory for CVE-2023-36052 notes that log files stored in open-source repositories are a potential avenue for credential leaks in this context. Although Microsoft understandably hasn’t provided any specific examples, it’s unlikely that they would mention this if they weren’t aware of one or more real world examples.

56. Elevation of Privilege - Windows Kernel (CVE-2023-36405) - Medium [397]

Description: Windows Kernel Elevation of Privilege Vulnerability

57. Elevation of Privilege - Microsoft Windows Defender (CVE-2023-36422) - Medium [392]

Description: Microsoft Windows Defender Elevation of Privilege Vulnerability

58. Elevation of Privilege - Windows Authentication (CVE-2023-36047) - Medium [392]

Description: Windows Authentication Elevation of Privilege Vulnerability

59. Elevation of Privilege - Windows Common Log File System Driver (CVE-2023-36424) - Medium [392]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

60. Elevation of Privilege - Windows Installer (CVE-2023-36705) - Medium [392]

Description: Windows Installer Elevation of Privilege Vulnerability

61. Memory Corruption - Chromium (CVE-2023-5474) - Medium [389]

Description: Chromium: CVE-2023-5474 Heap buffer overflow in PDF. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5474 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

62. Memory Corruption - Chromium (CVE-2023-5476) - Medium [389]

Description: Chromium: CVE-2023-5476 Use after free in Blink History. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5476 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

63. Security Feature Bypass - Chromium (CVE-2023-5478) - Medium [389]

Description: Inappropriate implementation in Autofill in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2023-5478 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

64. Security Feature Bypass - Chromium (CVE-2023-5485) - Medium [389]

Description: Inappropriate implementation in Autofill in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2023-5485 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

65. Security Feature Bypass - Microsoft On-Prem Data Gateway (CVE-2023-36021) - Medium [386]

Description: Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability

66. Elevation of Privilege - Windows Search Service (CVE-2023-36394) - Medium [380]

Description: Windows Search Service Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

67. Elevation of Privilege - Windows Storage (CVE-2023-36399) - Medium [380]

Description: Windows Storage Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

68. Remote Code Execution - Microsoft Exchange (CVE-2023-36439) - Medium [380]

Description: Microsoft Exchange Server Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

Tenable: CVE-2023-36439 | Microsoft Exchange Server Remote Code Execution Vulnerability

Tenable: CVE-2023-36439 is an RCE vulnerability in Microsoft Exchange Server. It was assigned a CVSSv3 score of 8.0 and rated as important. An attacker authenticated to a vulnerable Exchange Server as a valid user could exploit this vulnerability to gain RCE as NT AUTHORITY\SYSTEM on the backend of the server mailbox. Microsoft rates this vulnerability as Exploitation More Likely. It is one of four vulnerabilities in Microsoft Exchange Server patched in this month’s Patch Tuesday release. With the significant historical exploitation of Microsoft Exchange Server by attackers, we continue to monitor for and highlight flaws in Exchange Server in each Patch Tuesday release.

Rapid7: Patch Tuesday typically sees at least one Exchange remote code execution vulnerability fixed, and this month is no exception. Exploitation of CVE-2023-36439 requires that the attacker have valid credentials for an Exchange user, and be present on the local network, but grants execution as NT AUTHORITY\SYSTEM on Exchange server host; this is a built-in account with extensive privileges, including the ability to act as the computer on the network.

69. Security Feature Bypass - Microsoft Excel (CVE-2023-36037) - Medium [379]

Description: Microsoft Excel Security Feature Bypass Vulnerability

70. Information Disclosure - Windows NTFS (CVE-2023-36398) - Medium [376]

Description: Windows NTFS Information Disclosure Vulnerability

71. Denial of Service - DHCP Server Service (CVE-2023-36392) - Medium [363]

Description: DHCP Server Service Denial of Service Vulnerability

72. Elevation of Privilege - Windows Hyper-V (CVE-2023-36407) - Medium [358]

Description: Windows Hyper-V Elevation of Privilege Vulnerability

73. Elevation of Privilege - Windows Hyper-V (CVE-2023-36408) - Medium [358]

Description: Windows Hyper-V Elevation of Privilege Vulnerability

74. Remote Code Execution - Adobe: CVE-2023-44323 Adobe PDF (CVE-2023-44323) - Medium [357]

Description: Adobe: CVE-2023-44323 Adobe PDF Remote Code Execution Vulnerability

MS PT Extended: CVE-2023-44323 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

75. Remote Code Execution - Microsoft SharePoint Server (CVE-2023-38177) - Medium [357]

Description: Microsoft SharePoint Server Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

76. Denial of Service - Windows Authentication (CVE-2023-36046) - Medium [353]

Description: Windows Authentication Denial of Service Vulnerability

77. Security Feature Bypass - Chromium (CVE-2023-5477) - Medium [353]

Description: Inappropriate implementation in Installer in Google Chrome prior to 118.0.5993.70 allowed a local attacker to bypass discretionary access control via a crafted command. (Chromium security severity: Low)

MS PT Extended: CVE-2023-5477 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

78. Spoofing - Chromium (CVE-2023-5484) - Medium [347]

Description: Inappropriate implementation in Navigation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5484 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

79. Cross Site Scripting - Dynamics 365 (CVE-2023-36031) - Medium [345]

Description: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

80. Cross Site Scripting - Dynamics 365 (CVE-2023-36410) - Medium [345]

Description: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

81. Elevation of Privilege - Microsoft Speech Application Programming Interface (SAPI) (CVE-2023-36719) - Medium [342]

Description: Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability

82. Memory Corruption - Chromium (CVE-2023-5473) - Medium [341]

Description: Chromium: CVE-2023-5473 Use after free in Cast. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2023-5473 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

83. Spoofing - Chromium (CVE-2023-5481) - Medium [335]

Description: Inappropriate implementation in Downloads in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5481 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

84. Information Disclosure - Windows Hyper-V (CVE-2023-36406) - Medium [331]

Description: Windows Hyper-V Information Disclosure Vulnerability

85. Cross Site Scripting - Dynamics 365 (CVE-2023-36016) - Medium [321]

Description: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

86. Information Disclosure - Microsoft Local Security Authority Subsystem Service (CVE-2023-36428) - Medium [314]

Description: Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

87. Spoofing - Chromium (CVE-2023-5850) - Medium [311]

Description: Incorrect security UI in Downloads in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Medium)

MS PT Extended: CVE-2023-5850 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

88. Spoofing - Visual Studio Code Jupyter Extension (CVE-2023-36018) - Medium [309]

Description: Visual Studio Code Jupyter Extension Spoofing Vulnerability

89. Spoofing - Chromium (CVE-2023-5486) - Medium [300]

Description: Inappropriate implementation in Input in Google Chrome prior to 118.0.5993.70 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2023-5486 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

90. Spoofing - Microsoft Edge (CVE-2023-36029) - Medium [288]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability

MS PT Extended: CVE-2023-36029 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

91. Spoofing - Microsoft Edge (CVE-2023-36559) - Medium [288]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability

MS PT Extended: CVE-2023-36559 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

92. Spoofing - Microsoft Exchange (CVE-2023-36035) - Medium [273]

Description: Microsoft Exchange Server Spoofing Vulnerability

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

Tenable: CVE-2023-36035, CVE-2023-36039, CVE-2023-36050 | Microsoft Exchange Server Spoofing Vulnerability

Tenable: CVE-2023-36035, CVE-2023-36039 and CVE-2023-36050 are spoofing vulnerabilities in Microsoft Exchange Server. All three vulnerabilities were assigned a CVSSv3 score of 8.0 and are rated as important. An attacker could exploit these flaws by possessing valid credentials for an Exchange user on a vulnerable Exchange Server instance. Exploitation of CVE-2023-36035 and CVE-2023-36039 would allow an attacker to access the Net-NTLMv2 hash of the user account which could be utilized in NTLM Relay attacks against other services.

Rapid7: A trio of Exchange server spoofing vulnerabilities — CVE-2023-36035 CVE-2023-36039 and CVE-2023-36050 — are also patched today. Successful exploitation requires that an attacker be present on the local network with valid Exchange credentials, but can lead to exposure of credentials or an NTLM hash for other users. Two of these vulnerabilities are exploited via PowerShell remoting.

ZDI: There are several spoofing bugs getting addressed this month, and for obvious reasons, the Exchange bugs stand out the most. These were reported by ZDI vulnerability researcher Piotr Bazydlo and act as NTLM relay bugs. One (CVE-2023-36035) results from a failed patch. These bugs do require authentication, but an insider could exploit these to relay NTLM credentials and gain further access. The bugs in Dynamics 365 both occur in the webserver. However, they allow malicious scripts to execute in the victim’s browser. The final spoofing bug in Visual Studio reads more like a privilege escalation as Microsoft states it could allow an attacker to gain high privileges, which include read, write, and delete functionality.

93. Spoofing - Microsoft Exchange (CVE-2023-36039) - Medium [273]

Description: Microsoft Exchange Server Spoofing Vulnerability

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

Tenable: CVE-2023-36035, CVE-2023-36039, CVE-2023-36050 | Microsoft Exchange Server Spoofing Vulnerability

Tenable: CVE-2023-36035, CVE-2023-36039 and CVE-2023-36050 are spoofing vulnerabilities in Microsoft Exchange Server. All three vulnerabilities were assigned a CVSSv3 score of 8.0 and are rated as important. An attacker could exploit these flaws by possessing valid credentials for an Exchange user on a vulnerable Exchange Server instance. Exploitation of CVE-2023-36035 and CVE-2023-36039 would allow an attacker to access the Net-NTLMv2 hash of the user account which could be utilized in NTLM Relay attacks against other services.

Rapid7: A trio of Exchange server spoofing vulnerabilities — CVE-2023-36035 CVE-2023-36039 and CVE-2023-36050 — are also patched today. Successful exploitation requires that an attacker be present on the local network with valid Exchange credentials, but can lead to exposure of credentials or an NTLM hash for other users. Two of these vulnerabilities are exploited via PowerShell remoting.

94. Spoofing - Microsoft Exchange (CVE-2023-36050) - Medium [273]

Description: Microsoft Exchange Server Spoofing Vulnerability

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

Tenable: CVE-2023-36035, CVE-2023-36039, CVE-2023-36050 | Microsoft Exchange Server Spoofing Vulnerability

Tenable: CVE-2023-36035, CVE-2023-36039 and CVE-2023-36050 are spoofing vulnerabilities in Microsoft Exchange Server. All three vulnerabilities were assigned a CVSSv3 score of 8.0 and are rated as important. An attacker could exploit these flaws by possessing valid credentials for an Exchange user on a vulnerable Exchange Server instance. Exploitation of CVE-2023-36035 and CVE-2023-36039 would allow an attacker to access the Net-NTLMv2 hash of the user account which could be utilized in NTLM Relay attacks against other services.

Rapid7: A trio of Exchange server spoofing vulnerabilities — CVE-2023-36035 CVE-2023-36039 and CVE-2023-36050 — are also patched today. Successful exploitation requires that an attacker be present on the local network with valid Exchange credentials, but can lead to exposure of credentials or an NTLM hash for other users. Two of these vulnerabilities are exploited via PowerShell remoting.

95. Spoofing - Microsoft Send Customer Voice survey from Dynamics 365 (CVE-2023-36007) - Medium [273]

Description: Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability

96. Spoofing - Microsoft Dynamics 365 Sales (CVE-2023-36030) - Medium [261]

Description: Microsoft Dynamics 365 Sales Spoofing Vulnerability

97. Denial of Service - Visual Studio (CVE-2023-36042) - Medium [258]

Description: Visual Studio Denial of Service Vulnerability

Low (1)

98. Unknown Vulnerability Type - bluetooth_core_specification (CVE-2023-24023) - Low [178]

Description: {'ms_cve_data_all': 'Mitre: CVE-2023-24023 Bluetooth Vulnerability. Microsoft is aware of the Bluetooth Forward and Future Secrecy Attacks and Defenses (BLUFFS) vulnerability. For more information regarding the vulnerability, please see this statement from the Bluetooth SIG.\nTo address the vulnerability, Microsoft has released a software update that enforces the use of BR/EDR Secure Connections defined encryption and authentication algorithms for Bluetooth pairings that have used BR/EDR Secure Connections. If a paired device used BR/EDR Secure Connection at some point, Windows will enforce all subsequent BR/EDR connections to use BR/EDR Secure Connections.\nAs defined by the BR/EDR Secure Connections protocol, the new BR/EDR Secure Connections algorithms will only be used when the local system and the remote paired device both support BR/EDR Secure Connections. Connections between the local system and the remote paired device will remain vulnerable if either the local system or the remote paired device never declare support for BR/EDR Secure Connections during encryption or authentication..\nAdditionally, it is advised to increase the minimum encryption key size as described in Windows guidance for Bluetooth key length enforcement. Increasing the minimum encryption key size does not require support for BR/EDR Secure Connections.\n', 'nvd_cve_data_all': 'Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

Tenable: Microsoft patched 57 CVEs in its November 2023 Patch Tuesday release, with three rated critical and 54 rated important. We omitted one vulnerability from our counts this month, CVE-2023-24023, a Bluetooth Vulnerability as this flaw was reported through MITRE.

Exploitation in the wild detected (3)

Security Feature Bypass (1)

• Windows SmartScreen (CVE-2023-36025)

Qualys: CVE-2023-36025: Windows SmartScreen Security Feature Bypass Vulnerability  Windows SmartScreen is a security feature in Microsoft Windows operating systems that protects against malicious software and websites. SmartScreen is a background application that employs a cloud-based component to scan web pages you visit for security risks updated regularly.   To exploit the vulnerability, an attacker must convince a user to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by them. An attacker may bypass Windows Defender SmartScreen checks and associated prompts on successful exploitation.  CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 12, 2023.

Tenable: Microsoft’s November 2023 Patch Tuesday Addresses 57 CVEs (CVE-2023-36025)

Tenable: CVE-2023-36025 | Windows SmartScreen Security Feature Bypass Vulnerability

Tenable: CVE-2023-36025 is a security feature bypass vulnerability in Windows SmartScreen. It was assigned a CVSSv3 score of 8.8 and is rated important. According to Microsoft, it was exploited in the wild as a zero-day. An attacker could exploit this flaw by crafting a malicious Internet Shortcut (.URL) file and convincing a target to click on the file or a hyperlink pointing to a.URL file. Successful exploitation would result in a bypass of the security checks in Windows Defender SmartScreen.

Rapid7: Three vulnerabilities patched today are already present on the CISA Known Exploited Vulnerabilities (KEV) list: CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

Rapid7: CVE-2023-36025 describes a Windows SmartScreen security feature bypass. An attacker who convinces a user to open a specially crafted malicious Internet Shortcut file could bypass the anti-phishing and anti-malware protection provided by Windows SmartScreen. This could be abused as an early stage in a more complex attack chain.

ZDI: CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability. This is the final bug listed as under active attack this month, but this is a bypass rather than a privilege escalation. An attack that exploits this bug would be able to bypass Windows Defender SmartScreen checks and other prompts. That means this bug is likely being used in conjunction with an exploit that normally would be stopped by SmartScreen. I suspect this is being used by a phishing campaign to evade user prompts that would prevent – or at least warn about – opening a malicious document.

Elevation of Privilege (2)

• Windows Cloud Files Mini Filter Driver (CVE-2023-36036)

Qualys: CVE-2023-36036: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability  A mini filter driver can filter IRP-based I/O activities along with the fast I/O and file system filter (FSFilter) callback actions. A mini filter driver can register a preoperation and postoperation callback routine, or both, for each I/O operation it wishes to filter.  Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 12, 2023.

Tenable: CVE-2023-36036 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Tenable: CVE-2023-36036 is an EoP vulnerability in Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys). It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft says it has been exploited in the wild and is credited to both the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC). While Microsoft did not provide specific details around this vulnerability, like most EoP flaws, if a local attacker exploits this flaw, they would be able to elevate privileges to SYSTEM.

Rapid7: Three vulnerabilities patched today are already present on the CISA Known Exploited Vulnerabilities (KEV) list: CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

Rapid7: Microsoft is patching CVE-2023-36036, an EoP vulnerability in the Windows Cloud Files Mini Filter Driver. No details of the attack mechanism are provided in the advisory, but exploitation leads to SYSTEM privileges.

ZDI: CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. This is another privilege escalation bug under active attack, and just like the DWM bug, exploitation leads to SYSTEM privileges. This driver is used for managing and facilitating the operations of cloud-stored files. It’s loaded by default on just about every version of Windows, so it provides a broad attack surface. Again, this bug is likely being paired with a code execution bug in attacks. Definitely test and deploy this update quickly.

• Windows DWM Core Library (CVE-2023-36033)

Qualys: CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability  Desktop Window Manager (DWM) is a core system file in Microsoft Windows. It is responsible for producing each component visible on a laptop or PC. DWM covers visual effects such as system animations, wallpapers, themes, thumbnails, Windows Aero, Windows Flip, and Windows Flip3D, as well as transparent components.  Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 12, 2023.

Tenable: CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability

Tenable: CVE-2023-36033 is an EoP vulnerability in the DWM Core Library in Microsoft Windows. It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft noted that it was exploited in the wild as a zero-day and was publicly disclosed prior to a patch being available. A local attacker with a presence on a vulnerable system could exploit it to gain SYSTEM privileges. It was disclosed to Microsoft by security researcher Quan Jin of DBAPPSecurity WeBin Lab, who is credited with discovering two other EoP zero-day vulnerabilities in 2023:

Rapid7: Three vulnerabilities patched today are already present on the CISA Known Exploited Vulnerabilities (KEV) list: CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

Rapid7: Originally introduced in Windows Vista, the Windows Dynamic Window Manager (DWM) enables many of the modern UI features which users have come to expect from a Windows OS. This month, the DWM Core Library receives a patch for CVE-2023-36033, an elevation of privilege (EoP) vulnerability which Microsoft notes is both publicly disclosed and exploited in the wild. Exploitation leads to SYSTEM privileges, but Microsoft does not provide any further guidance on the attack mechanism.

ZDI: CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability. This bug allows a privilege escalation through the Windows Desktop Manager (DWM) and is listed as being under active attack. Microsoft doesn’t provide any indication of how widespread the attacks are at this point, but these types of exploits typically begin with small outbreaks before spreading wider. An attacker who uses this can gain SYSTEM privileges, which is why these types of bugs are often paired with some form of code execution bug to compromise a system.

Public exploit exists, but exploitation in the wild is NOT detected (4)

Remote Code Execution (1)

• Microsoft Excel (CVE-2023-36041)

Elevation of Privilege (1)

• Windows Hyper-V (CVE-2023-36427)

Denial of Service (1)

• Curl (CVE-2023-38039)

MS PT Extended: CVE-2023-38039 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

Memory Corruption (1)

• libcurl (CVE-2023-38545)

MS PT Extended: CVE-2023-38545 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

Tenable: Update November 14: This blog has been updated to note the availability of fixes for Windows and Windows Server for CVE-2023-38545, a heap buffer overflow vulnerability in curl.

Tenable: CVE-2023-38545 | SOCKS5 Heap Buffer Overflow in curl

Tenable: CVE-2023-38545 is a heap-based buffer overflow vulnerability in the SOCKS5 proxy handshake in libcurl and curl. This flaw was disclosed and patched on October 11. Curl is one of the most widely used open source projects and Microsoft includes curl.exe in Windows and Windows Server. On October 19, Microsoft published an initial advisory for this vulnerability though no fixes were available at the time. However, a fixed version of curl.exe, version 8.4.0, was included in the Windows updates as part of this month's Patch Tuesday release.

Tenable: Update November 14: This blog has been updated to note the availability of fixes for Windows and Windows Server for CVE-2023-38545, a heap buffer overflow vulnerability in curl.

Rapid7: Microsoft admins who have been waiting for a patch for last month’s cURL SOCKS5 vulnerability CVE-2023-38545 will be pleased to see that Microsoft has included curl.exe 8.4.0 as part of the November updates for current versions of Windows. Many observers ultimately concluded that this vulnerability was perhaps of more limited scope and attacker value than the pre-publication buzz may have suggested, but a patch is always appreciated.

Other Vulnerabilities (91)

Remote Code Execution (18)

• Windows Pragmatic General Multicast (PGM) (CVE-2023-36397)

Qualys: CVE-2023-36397: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability  Pragmatic General Multicast (PGM) is a multicast computer network transport protocol appropriate for multi-receiver file transfer applications. PGM provides a reliable sequence of packets to multiple recipients simultaneously.  An attacker may exploit this vulnerability to send a specially crafted file over the network when the Windows message queuing service runs in a PGM Server environment. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution and attempt to trigger malicious code. 

Qualys: CVE-2023-36028: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability  This vulnerability has a CVSS:3.1 9.8 / 8.5  Policy Compliance Control IDs (CIDs):  25699 Status of the ‘Network authentication method’ for Wireless Network IEEE 802.11 group policy  CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability  This vulnerability has a CVSS:3.1 9.8 / 8.5  Policy Compliance Control IDs (CIDs):  4030 Status of the ‘Windows Message Queuing Service’  14916 Status of Windows Services  14297 Status of the open network connections and listening ports (Qualys Agent only)  The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:  control.id: [25699, 4030, 14916, 14297] 

Rapid7: CVE-2023-36397 describes an RCE vulnerability in Windows PGM. As with other similar previous vulnerabilities, an attacker can send a specially-crafted file over the network to attempt malicious code execution on the target asset. Only systems where Windows Message Queueing Service (MSMQ) is enabled are exploitable, and it isn’t added to a default Windows installation. However, as Rapid7 has noted previously, administrators should be aware that a number of applications — including Microsoft Exchange — quietly introduce MSMQ as part of their own installation routine.

ZDI: CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability. With a CVSS of 9.8, this is the highest-rated bug for the month, and it deserves the rating. It would allow a remote, unauthenticated attacker to execute code with elevated privileges without user interaction. The good news here is that this is only true for systems where the Windows message queuing service is running in a PGM Server environment. There shouldn’t be a lot of those out there, but if you are one of them, definitely test and apply this update quickly.

• Chromium (CVE-2023-5857)

MS PT Extended: CVE-2023-5857 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

• Windows Distributed File System (DFS) (CVE-2023-36425)
• Microsoft Protected Extensible Authentication Protocol (PEAP) (CVE-2023-36028)

Qualys: CVE-2023-36028: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability  This vulnerability has a CVSS:3.1 9.8 / 8.5  Policy Compliance Control IDs (CIDs):  25699 Status of the ‘Network authentication method’ for Wireless Network IEEE 802.11 group policy  CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability  This vulnerability has a CVSS:3.1 9.8 / 8.5  Policy Compliance Control IDs (CIDs):  4030 Status of the ‘Windows Message Queuing Service’  14916 Status of Windows Services  14297 Status of the open network connections and listening ports (Qualys Agent only)  The following QQL will return a posture assessment for the CIDs for this Patch Tuesday:  control.id: [25699, 4030, 14916, 14297] 

• Microsoft Host Integration Server 2020 (CVE-2023-38151)
• Microsoft WDAC OLE DB provider for SQL Server (CVE-2023-36402)
• Windows Compressed Folder (CVE-2023-36396)
• Windows User Interface Application Core (CVE-2023-36393)
• Microsoft Edge (CVE-2023-36014, CVE-2023-36022, CVE-2023-36034)

MS PT Extended: CVE-2023-36022 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-36014 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-36034 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

• Azure DevOps Server (CVE-2023-36437)
• Microsoft Remote Registry Service (CVE-2023-36401, CVE-2023-36423)
• Microsoft Office Graphics (CVE-2023-36045)
• Microsoft Exchange (CVE-2023-36439)

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

Tenable: CVE-2023-36439 | Microsoft Exchange Server Remote Code Execution Vulnerability

Tenable: CVE-2023-36439 is an RCE vulnerability in Microsoft Exchange Server. It was assigned a CVSSv3 score of 8.0 and rated as important. An attacker authenticated to a vulnerable Exchange Server as a valid user could exploit this vulnerability to gain RCE as NT AUTHORITY\SYSTEM on the backend of the server mailbox. Microsoft rates this vulnerability as Exploitation More Likely. It is one of four vulnerabilities in Microsoft Exchange Server patched in this month’s Patch Tuesday release. With the significant historical exploitation of Microsoft Exchange Server by attackers, we continue to monitor for and highlight flaws in Exchange Server in each Patch Tuesday release.

Rapid7: Patch Tuesday typically sees at least one Exchange remote code execution vulnerability fixed, and this month is no exception. Exploitation of CVE-2023-36439 requires that the attacker have valid credentials for an Exchange user, and be present on the local network, but grants execution as NT AUTHORITY\SYSTEM on Exchange server host; this is a built-in account with extensive privileges, including the ability to act as the computer on the network.

• Adobe: CVE-2023-44323 Adobe PDF (CVE-2023-44323)

MS PT Extended: CVE-2023-44323 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

• Microsoft SharePoint Server (CVE-2023-38177)

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

Information Disclosure (7)

• Open Management Infrastructure (CVE-2023-36043)
• Windows Kernel (CVE-2023-36404)
• Microsoft Edge (CVE-2023-36409)

MS PT Extended: CVE-2023-36409 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

• Azure CLI REST Command (CVE-2023-36052)

Qualys: CVE-2023-36052: Azure CLI REST Command Information Disclosure Vulnerability  The Azure CLI is a command-line tool that provides a native CLI interface required when working with Microsoft Azure resources. The Azure CLI can call the Azure REST API to perform actions that each Azure CLI (az) command supports.  Successful exploitation of the vulnerability may allow an unauthenticated attacker to retrieve plaintext passwords and usernames from log files stored in open-source repositories. 

Rapid7: The Azure CLI tool prior to version 2.53.1 does not sufficiently redact information published to log files in certain contexts, allowing recovery of plaintext(!) usernames and passwords. The advisory for CVE-2023-36052 notes that log files stored in open-source repositories are a potential avenue for credential leaks in this context. Although Microsoft understandably hasn’t provided any specific examples, it’s unlikely that they would mention this if they weren’t aware of one or more real world examples.

• Windows NTFS (CVE-2023-36398)
• Windows Hyper-V (CVE-2023-36406)
• Microsoft Local Security Authority Subsystem Service (CVE-2023-36428)

Elevation of Privilege (15)

• .NET, .NET Framework, and Visual Studio (CVE-2023-36049)
• Windows Kernel (CVE-2023-36403, CVE-2023-36405)
• Microsoft Edge (CVE-2023-36024, CVE-2023-36027)

MS PT Extended: CVE-2023-36024 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-36027 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

• Windows HMAC Key Derivation (CVE-2023-36400)

Qualys: CVE-2023-36400: Windows HMAC Key Derivation Elevation of Privilege Vulnerability  The Hash-based Message Authentication Code (HMAC) detects if a message received via an insecure channel has been altered when the sender and receiver use secret keys. It’s a cryptographic authentication technique that uses a cryptographic hash function and a shared secret key to encrypt information and protect it from unauthorized access.  An attacker must log on to the system and run a specially crafted application to exploit this vulnerability. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. 

Rapid7: Attackers looking to escape from a low privilege Hyper-V guest OS and execute code as SYSTEM on the Hyper-V host system will take note of CVE-2023-36400. Successful exploitation requires running a specially crafted application in the context of the guest OS to exploit a weakness in Windows HMAC Key Derivation, so some prior access is required.

• Microsoft Windows Defender (CVE-2023-36422)
• Windows Authentication (CVE-2023-36047)
• Windows Common Log File System Driver (CVE-2023-36424)

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

• Windows Installer (CVE-2023-36705)
• Windows Search Service (CVE-2023-36394)

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

• Windows Storage (CVE-2023-36399)

Qualys: Other Microsoft Vulnerability Highlights  CVE-2023-36424 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. Successful exploitation of the vulnerability may allow an attacker to elevate privileges from a Medium Integrity Level to a High Integrity Level.  CVE-2023-38177 is a remote code execution vulnerability in the Microsoft SharePoint server. An authenticated attacker may exploit the vulnerability to gain access to create a site and execute code remotely within the SharePoint Server.  CVE-2023-36439 is a remote code execution vulnerability in the Microsoft Exchange server. An authenticated attacker can exploit the vulnerability as a valid exchange user with LAN access. On successful exploitation, an attacker may perform remote code execution on the server mailbox backend as NT AUTHORITY\SYSTEM.  CVE-2023-36399 is an elevation of privilege vulnerability in Windows Storage. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36394 is an elevation of privilege vulnerability in Windows Search Service. To exploit the vulnerability, an attacker must win a race condition. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.  CVE-2023-36035 and CVE-2023-36039 are spoofing vulnerabilities in Microsoft Exchange Server. To exploit the vulnerabilities, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker may exploit the vulnerability by using a PowerShell remoting session to the server. On successful exploitation, an attacker could access a user’s Net-NTLMv2 hash as a basis of an NTLM Relay attack against another service to authenticate as the user.  CVE-2023-36050 is a spoofing vulnerability in Microsoft Exchange Server. To exploit the vulnerability, an attacker must be authenticated with LAN access and have credentials for a valid Exchange user. An attacker could exploit the vulnerability by exploiting the known (Type 4) UnitySerializationHolder gadget through deserialization of untrusted data. 

• Windows Hyper-V (CVE-2023-36407, CVE-2023-36408)
• Microsoft Speech Application Programming Interface (SAPI) (CVE-2023-36719)

Security Feature Bypass (18)

• Chromium (CVE-2023-5475, CVE-2023-5477, CVE-2023-5478, CVE-2023-5479, CVE-2023-5480, CVE-2023-5482, CVE-2023-5483, CVE-2023-5485, CVE-2023-5487, CVE-2023-5851, CVE-2023-5853, CVE-2023-5858, CVE-2023-5859)

MS PT Extended: CVE-2023-5483 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5859 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5480 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5858 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5482 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5853 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5479 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5475 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5478 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5485 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5851 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5487 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5477 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

• ASP.NET (CVE-2023-36560)
• Microsoft Office (CVE-2023-36413)

Qualys: CVE-2023-36413: Microsoft Office Security Feature Bypass Vulnerability An attacker may exploit this vulnerability to bypass the Office Protected View and open in editing mode instead of protected mode. An attacker must send the user a malicious file and convince them to open it to exploit the vulnerability. 

Tenable: CVE-2023-36413 | Microsoft Office Security Feature Bypass Vulnerability

Tenable: CVE-2023-36413 is a security feature bypass vulnerability in Microsoft Office. It was assigned a CVSSv3 score of 6.5 and is rated as important. An attacker could exploit this vulnerability using social engineering tactics to convince a target to open a malicious Microsoft Office file on a vulnerable system. Successful exploitation would result in a bypass of security features of Microsoft Office designed to protect users including Protected View and the file would be opened in editing mode instead of protected mode. Microsoft says details about this flaw have been publicly disclosed prior to a patch being available.

Rapid7: CVE-2023-36413 describes a publicly disclosed Microsoft Office security feature bypass. A user who opens a specially crafted malicious file would find themselves in Editing mode, rather than Protected View, and would thus lose out on warning banners and other defenses designed to detect and quarantine malicious code in Office documents.

• ASP.NET Core - (CVE-2023-36558)
• Microsoft On-Prem Data Gateway (CVE-2023-36021)
• Microsoft Excel (CVE-2023-36037)

Denial of Service (5)

• ASP.NET Core (CVE-2023-36038)

Qualys: CVE-2023-36038: ASP.NET Core Denial of Service Vulnerability  ASP.NET is a popular web-development framework for creating web applications on the.NET platform. The open-source ASP.NET Core is compatible with Windows, Linux, and macOS. ASP.NET Core redesigns previous ASP.NET versions exclusive to Windows.  An attacker may exploit the vulnerability when HTTP requests to .NET 8 RC 1 running on the IIS InProcess hosting model are canceled. 

Tenable: CVE-2023-36038 | ASP.NET Core Denial of Service Vulnerability

Tenable: CVE-2023-36038 is a denial of service (DoS) vulnerability in the open-source web application framework, ASP.NET. It was assigned a CVSSv3 score of 8.2 and rated as important. Microsoft rates it as Exploitation Less Likely according to the Microsoft Exploitability Index. An attacker that could successfully exploit this vulnerability could trigger an OutOfMemoryException, resulting in a DoS condition. Microsoft notes that this vulnerability was publicly disclosed, however no in-the-wild exploitation has been observed.

Rapid7: CVE-2023-36038 describes an ASP.NET Core denial of service (DoS) attack, which affects only .NET 8 RC 1 running on the IIS InProcess hosting model. The mechanism of the attack is resource exhaustion on the web server via cancellation of requests; this sounds very similar to last month’s CVE-2023-44487, dubbed “Rapid Reset”. However, there’s no mention of HTTP/2 in the advisory for CVE-2023-36038.

• Windows Deployment Services (CVE-2023-36395)
• DHCP Server Service (CVE-2023-36392)
• Windows Authentication (CVE-2023-36046)
• Visual Studio (CVE-2023-36042)

Memory Corruption (11)

• Windows Scripting Engine (CVE-2023-36017)
• Chromium (CVE-2023-5218, CVE-2023-5472, CVE-2023-5473, CVE-2023-5474, CVE-2023-5476, CVE-2023-5852, CVE-2023-5854, CVE-2023-5855, CVE-2023-5856, CVE-2023-5996)

MS PT Extended: CVE-2023-5476 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5218 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5996 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5855 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5474 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5473 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5856 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5472 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5854 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13

MS PT Extended: CVE-2023-5852 was published before November 2023 Patch Tuesday from 2023-10-11 to 2023-11-13