Patch Tuesday notes: June 2023.

Microsoft and Adobe have both issued patches for critical vulnerabilities. Microsoft patched six critical flaws, none of which appear to have been exploited in the wild, SecurityWeek reports. Four of these bugs could lead to remote code execution, according to Naked Security.

Adobe has patched twelve vulnerabilities in Adobe Commerce that could lead to “arbitrary code execution, security feature bypass, and arbitrary file system read,” SecurityWeek says. Magento Open Source is also affected by these flaws.

Tom Marsland, VP of Technology at Cloud Range, offered the following observations:

“Microsoft's latest patch Tuesday brings crucial attention to a significant vulnerability, namely CVE-2023-32019, impacting Windows 11 Home and Professional (version 22H2). This vulnerability poses a concerning risk as it enables a user, without requiring elevated privileges, to access heap memory from another privileged process. Exploiting this vulnerability opens the door for potential privilege escalation.

“To put it simply, this flaw could potentially empower a local user to gain administrator access to a computer by leveraging the exploit. It's important to note that the user must already have local access to the machine for this vulnerability to be exploited. Microsoft has not yet observed any instances of this exploit occurring in the wild.

“This patch is a critical step towards safeguarding vulnerable systems and ensuring the continued security of Windows 11 Home and Professional users. It is strongly advised to apply the patch promptly to mitigate the risk of potential exploitation. Stay informed, stay protected.”

 Adam Barnett, Lead Software Engineer at Rapid7, commented:

“It’s June, and it’s Patch Tuesday. The volume of patches is typical compared with recent months: 94 in total. For the first time in a while, Microsoft isn’t offering patches for any zero-day vulnerabilities, but we do get fixes for four critical Remote Code Execution (RCE) vulnerabilities: one in .NET/Visual Studio, and three in Windows Pragmatic General Multicast (PGM). Also patched: a critical SharePoint Elevation of Privilege vulnerability.

“SharePoint administrators should start by looking at critical Elevation of Privilege vulnerability CVE-2023-29357, which provides attackers with a chance at Administrator privileges on the SharePoint host, provided they come prepared with spoofed JWT tokens. Microsoft isn’t aware of public disclosure or in-the-wild exploitation, but considers exploitation more likely. At time of writing, the FAQ provided with Microsoft’s advisory suggests that both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable, but neither the advisory nor the SharePoint 2016 Release history list any related patches for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow up on this one as a matter of some urgency. Microsoft also explains that there may be more than one patch listed for a particular version of SharePoint, and that every patch must be installed to remediate this vulnerability (although order of patching doesn’t matter).

“This is the third month in a row where Patch Tuesday features at least one critical RCE in Windows PGM, and June adds three to the pile. Microsoft hasn’t detected exploitation or disclosure for any of these, and considers exploitation less likely, but a trio of critical RCEs with CVSS 3.1 base score of 9.8 will deservedly attract a degree of attention.

“All three PGM critical RCEs – CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015 – require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. Defenders who successfully navigated last month’s batch of PGM vulnerabilities will find both risk profile and mitigation/remediation guidance very similar; indeed, CVE-2023-29363 was reported to Microsoft by the same researcher as last month’s CVE-2023-28250. As with previous similar vulnerabilities, only systems where Windows Message Queueing Service (MSMQ) is enabled are exploitable, and it isn’t enabled by default. As Rapid7 has noted previously, however, a number of applications – including Microsoft Exchange – quietly introduce MSMQ as part of their own installation routine. With several prolific researchers active in this area, we should expect further PGM vulnerabilities in the future.

“Rounding out this month’s critical RCE list is CVE-2023-24897: a flaw in .NET, .NET Framework and Visual Studio. Exploitation requires an attacker to convince the victim to open a specially-crafted malicious file, typically from a website. Although Microsoft has no knowledge of public disclosure or exploitation in the wild, and considers exploitation less likely, the long list of patches – going back as far as .NET Framework 3.5 on Windows 10 1607 – means that this vulnerability has been present for years. Somewhat unusually for this class of vulnerability, Microsoft doesn’t give any indication of filetype. However, a boilerplate qualifier is present: ‘remote’ refers here to the location of the attacker, rather than the attack, since local user interaction is required.”