Virtual Administrator’s August 2023 Patch Recommendations


This month Microsoft released patches for 88 vulnerabilities with 6 rated “Critical” in severity.

All patches will be approved in our patch policy.

 

Fewer patches this month, with only a couple of known issues. A patch for July’s CVE-2023-36884 has been released (see “FYI” below). ADV230003 is tied to this, as it “stops the attack chain” that leads to CVE-2023-36884. CVE-2023-38180 is a weakness in .NET and Visual Studio that leads to a denial-of-service condition on vulnerable servers. There are six vulnerabilities in Microsoft Exchange Server; CVE-2023-21709 is an elevation of privilege flaw and requires additional action (see “Heads Up” below). CVE-2023-35385/36910/36911 are Remote Code Execution vulnerabilities in the Microsoft Message Queuing service; the service must be enabled for a system to be vulnerable. There are two new advisories, ADV230003 and ADV230004, and a new SSU for Windows Server 2012/2012 R2.

 

Disclosed: ADV230003, ADV230004

Exploited: ADV230003, CVE-2023-38180

 

Heads Up! Exchange Server 2016/2019 protection requires additional action

CVE-2023-21709 | Microsoft Exchange Server Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21709

Microsoft Exchange Server 2019 and 2016: August 8, 2023 (KB5029388)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-august-8-2023-kb5029388-86b365c0-21f1-4a10-a68c-a095536f0171

“In a network-based attack, an attacker could brute force user account passwords to log in as that user.

Yes, in addition to installing the updates a script must be run.”

Download the latest release of CVE-2023-21709.ps1 here: https://aka.ms/CVE-2023-21709ScriptDoc

“Although Microsoft recommends installing the security updates as soon as possible, running the script or the commands on a supported version of Exchange Server prior to installing the updates will address this vulnerability.”

 

FYI Last month’s CVE-2023-36884 finally patched

“Storm-0978 attacks reveal financial and espionage motives”

https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/

“August 8, 2023 update: Microsoft released security updates to address CVE-2023-36884. Customers are advised to apply patches, which supersede the mitigations listed in this blog, as soon as possible.”

CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

 

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

 

Microsoft Security Advisories

 

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:08/08/2023)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.

 

ADV230003 | Microsoft Office Defense in Depth Update (Published:08/08/2023)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV230003

Executive Summary: Microsoft has released an update for Microsoft Office that provides enhanced security as a defense in depth measure. This defense in depth update is not a vulnerability update, but installing this update stops the attack chain leading to the Windows Search Remote Code Execution Vulnerability (CVE-2023-36884).

Recommended Actions: Microsoft recommends installing the Office updates discussed in this advisory as well as installing the Windows updates from August 2023.

 

ADV230004 | Memory Integrity System Readiness Scan Tool Defense in Depth Update (Published:08/08/2023)

https://msrc.microsoft.com/update-guide/vulnerability/ADV230004

Executive Summary: The Memory Integrity System Readiness Scan Tool (hvciscan_amd64.exe and hvciscan_arm64.exe) is used to check for compatibility issues with memory integrity, also known as hypervisor-protected code integrity (HVCI). The original version was published without a RSRC section, which contains resource information for a module.

Recommended Actions: The new version addresses this issue. Please see Driver compatibility with memory integrity and VBS (https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard) for more information.

 

Known Issues

There are two newly reported issues: one with SharePoint Server 2016/2019 and the other with KB5029388 on non-English versions of Exchange Server 2016/2019.

Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues, it is unlikely to occur now.

 

Exchange Server 2019 and 2016 August 2023 security update installation fails on non-English operating systems

https://support.microsoft.com/en-us/topic/exchange-server-2019-and-2016-august-2023-security-update-installation-fails-on-non-english-operating-systems-ef38d805-f645-4511-8cc5-cf967e5d5c75

Description of the security update for Microsoft Exchange Server 2019 and 2016: August 8, 2023 (KB5029388)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-august-8-2023-kb5029388-86b365c0-21f1-4a10-a68c-a095536f0171

Symptom: When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state.

Status: Microsoft temporarily removed non-English versions of the update from distribution. There is also a Workaround detailed in the link above.

 

Web part or web form control cannot be displayed on SharePoint web part page (KB5029605)

https://support.microsoft.com/en-us/topic/web-part-or-web-form-control-cannot-be-displayed-on-sharepoint-web-part-page-kb5029605-11b54059-727f-4459-86e4-de5646394514

Symptom: A web part or web form control on the web part page cannot be displayed. Additionally, the web part or web form control generates the following error message and “6ipo0” event tag in SharePoint Unified Logging System (ULS) logs: Found an unsafe PropertyName: <UnsafePropertyName>

Status: Workaround detailed in the link above.

 

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

 

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Each KB’s link is https://support.microsoft.com/en-us/help/####### with ####### replaced by the KB number only (digits, without the “KB” prefix).

 

Security and Quality Rollup

  • KB5029296 – Windows Server 2008 R2 (ESU)
  • KB5029312 – Windows Server 2012 R2
  • KB5029295 – Windows Server 2012
  • KB5029318 – Windows Server 2008 (ESU)

 

Security Only Update

  • KB5029307 – Windows Server 2008 R2 (ESU)
  • KB5029304 – Windows Server 2012 R2
  • KB5029308 – Windows Server 2012
  • KB5029301 – Windows Server 2008 (ESU)

 

Cumulative Updates

Windows 10

  • KB5029259 – Original release version 1507 (OS Build 10240)
  • KB5029242 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5029247 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5029244 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5029244 – Version 22H2 “November 2022 Update” (OS Build 19045)
  • (Versions 1511, 1703, 1709, 1803, 1903, 2004 and 20H2 are no longer under support)

 

Windows 11

  • KB5029253 – 21H2 (OS Build 22000) Original release
  • KB5029263 – 22H2 (OS Build 22621)

 

Windows Server

  • KB5029242 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5029247 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5029250 – Server 2022 (OS Build 20348)

 

August 2023 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/august-2023-updates-for-microsoft-office-796da43e-4310-4eab-ba9d-2908bbfe16d5

 

Notable CVEs

 

CVE-2023-21709 | Microsoft Exchange Server Elevation of Privilege Vulnerability (5029388)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21709

“In a network-based attack, an attacker could brute force user account passwords to log in as that user.”

 

CVE-2023-29328/29330 | Microsoft Teams Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29328

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29330

“A user would need to join a malicious Microsoft Teams meeting set up by the attacker. An attacker would be required to trick the victim into joining a Teams meeting which would enable them to perform remote code execution in the context of the victim user. The attacker does not need privileges to attempt to exploit this vulnerability.”

 

CVE-2023-35385/36910/36911 | Microsoft Message Queuing Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-35385

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36910

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36911

“Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute code on the target server. The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine.”
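The check Microsoft describes above (Message Queuing service running, TCP port 1801 listening) can be scripted per machine. The following is an added example, not part of the original post or of Microsoft's guidance. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and that the service short name is MSMQ. The function name Get-MsmqExposure and the ReviewNeeded flag are hypothetical, and the KB list is copied from the rollup, security-only and cumulative update lists in this post.

```powershell
# Added example: report whether this machine exposes MSMQ and whether one of
# the August 2023 OS updates listed in this post is recorded as installed.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        # KB numbers taken from this post's Monthly Rollup, Security Only and
        # Cumulative Update lists.
        [string[]]$AugustKBs = @(
            'KB5029296','KB5029312','KB5029295','KB5029318',
            'KB5029307','KB5029304','KB5029308','KB5029301',
            'KB5029259','KB5029242','KB5029247','KB5029244',
            'KB5029253','KB5029263','KB5029250'
        )
    )

    # The service does not exist at all if the MSMQ feature was never added.
    $svc     = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')

    # Any listener on TCP 1801, regardless of which address it is bound to.
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
    $addresses = ($listeners | ForEach-Object LocalAddress | Sort-Object -Unique) -join ','

    # Get-HotFix reads Win32_QuickFixEngineering. A later cumulative update
    # supersedes the August one, so an empty match on a machine patched after
    # August 2023 is expected and should be confirmed by OS build number.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $AugustKBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        MsmqInstalled     = [bool]$svc
        MsmqRunning       = $running
        Port1801Listening = $listeners.Count -gt 0
        ListenAddresses   = $addresses
        AugustKBsFound    = $installed -join ','
        # Exposed service with no matching August KB recorded: look closer.
        ReviewNeeded      = ($running -or $listeners.Count -gt 0) -and ($installed.Count -eq 0)
    }
}

Get-MsmqExposure | Format-List
```

Machines where MsmqInstalled is true but nothing depends on Message Queuing are candidates for removing the feature altogether, which takes them out of scope for these three CVEs.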

 

CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability. In any case an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker’s site or send a malicious attachment.”

 

CVE-2023-36895 | Microsoft Outlook Remote Code Execution Vulnerability (KB5002445,KB5002445)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36895

“The Preview Pane is an attack vector. The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.”

 

CVE-2023-38180 | .NET and Visual Studio Denial of Service Vulnerability (KB5029688,KB5029689)

https://www.tenable.com/blog/microsofts-august-2023-patch-tuesday-addresses-73-cves-cve-2023-38180

A Denial of Service (DoS) vulnerability in Microsoft Visual Studio, .NET versions 6.0 and 7.0, and ASP.NET Core 2.1.