VERT Threat Alert: August 2023 Patch Tuesday Analysis


Today’s VERT Alert addresses Microsoft’s August 2023 Security Updates, which include a recently introduced release notes format. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1068 on Wednesday, August 9th.

In-The-Wild & Disclosed CVEs

CVE-2023-38180

A vulnerability in Kestrel could allow for a denial of service. Kestrel is the cross-platform web server that is included with (and enabled by default in) ASP.NET Core. When detecting a potentially malicious client, Kestrel will sometimes fail to disconnect said client, resulting in the denial of service. Microsoft has reported this vulnerability as Exploitation More Likely (but has also listed it as Exploited).

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis. Vulnerabilities are also colour-coded to aid with identifying key issues.

  • Traditional Software
  • Mobile Software
  • Cloud or Cloud Adjacent
  • Vulnerabilities that are being exploited or that have been disclosed will be highlighted.

| Tag | CVE Count | CVEs |
| --- | --- | --- |
| Windows System Assessment Tool | 1 | CVE-2023-36903 |
| Microsoft Windows | 1 | CVE-2023-20569 |
| Windows Cryptographic Services | 2 | CVE-2023-36906, CVE-2023-36907 |
| Windows Common Log File System Driver | 1 | CVE-2023-36900 |
| Azure Arc | 1 | CVE-2023-38176 |
| Microsoft Office SharePoint | 4 | CVE-2023-36890, CVE-2023-36891, CVE-2023-36892, CVE-2023-36894 |
| Windows Cloud Files Mini Filter Driver | 1 | CVE-2023-36904 |
| Microsoft Windows Codecs Library | 1 | CVE-2023-38170 |
| Windows LDAP – Lightweight Directory Access Protocol | 1 | CVE-2023-38184 |
| SQL Server | 1 | CVE-2023-38169 |
| Microsoft Office Visio | 3 | CVE-2023-36865, CVE-2023-36866, CVE-2023-35372 |
| Microsoft Teams | 2 | CVE-2023-29328, CVE-2023-29330 |
| Microsoft Office Excel | 2 | CVE-2023-35371, CVE-2023-36896 |
| Windows Wireless Wide Area Network Service | 1 | CVE-2023-36905 |
| Dynamics Business Central Control | 1 | CVE-2023-38167 |
| .NET Core | 2 | CVE-2023-35390, CVE-2023-38178 |
| Tablet Windows User Interface | 1 | CVE-2023-36898 |
| Windows Kernel | 5 | CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, CVE-2023-38154 |
| ASP.NET and Visual Studio | 1 | CVE-2023-35391 |
| Microsoft Exchange Server | 6 | CVE-2023-35368, CVE-2023-38185, CVE-2023-21709, CVE-2023-35388, CVE-2023-38182, CVE-2023-38181 |
| Microsoft Office | 1 | CVE-2023-36897 |
| Windows Defender | 1 | CVE-2023-38175 |
| Windows Bluetooth A2DP driver | 1 | CVE-2023-35387 |
| Windows Projected File System | 1 | CVE-2023-35378 |
| ASP .NET | 1 | CVE-2023-38180 |
| .NET Framework | 1 | CVE-2023-36873 |
| Microsoft WDAC OLE DB provider for SQL | 1 | CVE-2023-36882 |
| Microsoft Office Outlook | 2 | CVE-2023-36893, CVE-2023-36895 |
| Mariner | 1 | CVE-2023-35945 |
| Azure HDInsights | 5 | CVE-2023-35393, CVE-2023-35394, CVE-2023-38188, CVE-2023-36877, CVE-2023-36881 |
| Windows Message Queuing | 11 | CVE-2023-36909, CVE-2023-36910, CVE-2023-36911, CVE-2023-36912, CVE-2023-36913, CVE-2023-35376, CVE-2023-38254, CVE-2023-35377, CVE-2023-35383, CVE-2023-35385, CVE-2023-38172 |
| Windows Mobile Device Management | 1 | CVE-2023-38186 |
| Windows Group Policy | 1 | CVE-2023-36889 |
| Role: Windows Hyper-V | 1 | CVE-2023-36908 |
| ASP.NET | 1 | CVE-2023-36899 |
| Windows HTML Platform | 1 | CVE-2023-35384 |
| Microsoft Edge (Chromium-based) | 12 | CVE-2023-4068, CVE-2023-4069, CVE-2023-4070, CVE-2023-4071, CVE-2023-4072, CVE-2023-4073, CVE-2023-4074, CVE-2023-4075, CVE-2023-4076, CVE-2023-4077, CVE-2023-4078, CVE-2023-38157 |
| Windows Smart Card | 1 | CVE-2023-36914 |
| Windows Reliability Analysis Metrics Calculation Engine | 1 | CVE-2023-35379 |
| Azure DevOps | 1 | CVE-2023-36869 |
| Windows Fax and Scan Service | 1 | CVE-2023-35381 |
| Microsoft Dynamics | 1 | CVE-2023-35389 |
| Reliability Analysis Metrics Calculation Engine | 1 | CVE-2023-36876 |

Other Information

At the time of publication, there were two new advisories included with the August Security Guidance.

Microsoft Office Defense in Depth Update [ADV230003]

Microsoft has released a defense in depth update for Microsoft Office that helps to stop the attack chain that allows for successful exploitation of the Windows Search security feature bypass (CVE-2023-36884).

Memory Integrity System Readiness Scan Tool Defense in Depth Update [ADV230004]

Microsoft has released a defense in depth update for the Memory Integrity System Readiness Scan Tool (hvciscan_amd64.exe and hvciscan_arm64.exe). When this tool, which checks for compatibility issues with memory integrity, was released, it was published without the resource information (the RSRC section). A new version has been released that addresses this issue.


