Microsoft Patch Tuesday: Six critical RCEs but no zero-days this time

June round-up fixes 94 vulnerabilities, including 32 remote code execution and 17 elevation of privilege flaws

In June's Patch Tuesday round-up, Microsoft has released software updates to address security vulnerabilities in Windows, SharePoint and Exchange Server.

This month's Patch Tuesday includes fixes for a total of 94 vulnerabilities, including 32 remote code execution (RCE) and 17 Elevation of Privilege vulnerabilities. Six of the flaws are rated "critical".

One critical bug, CVE-2023-29357, affects Microsoft SharePoint Server and can be exploited by an unauthenticated attacker on the same network. Microsoft's notes suggest that SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable.

"SharePoint administrators should start by looking at critical Elevation of Privilege vulnerability CVE-2023-29357, which provides attackers with a chance at Administrator privileges on the SharePoint host, provided they come prepared with spoofed JWT tokens," said Adam Barnett, lead software engineer at Rapid7.

Three other vulnerabilities, CVE-2023-32015, CVE-2023-32014 and CVE-2023-29363, each with a CVSS score of 9.8, are found in the widely-deployed Windows Pragmatic General Multicast (PGM) component, which is used for delivering multicast data for streaming and gaming. These are all remote code execution (RCE) bugs that require no privilege escalation.

"This is the third month in a row where Patch Tuesday features at least one critical RCE in Windows PGM," commented Barnett, adding that the advice for Microsoft is similar to that for the previous bugs.

"All three PGM critical RCEs require an attacker to send a specially-crafted file over the network in the hope of executing malicious code on the target asset. As with previous similar vulnerabilities, only systems where Windows Message Queueing Service (MSMQ) is enabled are exploitable, and it isn't enabled by default."
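The precondition Barnett describes (MSMQ enabled) can be checked on each Windows host. The following PowerShell is an added example, not code from the article or from Microsoft; the function name `Get-MsmqExposure` and its output fields are hypothetical, and it assumes MSMQ is on its default listener, TCP 1801.

```powershell
# Added example (not from the article): report whether this host has the
# Message Queuing service installed, running, and listening on the network.
# Assumption: MSMQ uses its default TCP port, 1801.
function Get-MsmqExposure {
    [CmdletBinding()]
    param()

    # The Message Queuing service is registered under the name 'MSMQ'.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Any socket in the Listen state on 1801, whichever process owns it.
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen `
                       -ErrorAction SilentlyContinue)

    # A wildcard or non-loopback bind is reachable from other hosts.
    $networkFacing = @($listeners |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })

    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        MsmqInstalled   = ($null -ne $svc)
        ServiceStatus   = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartType       = if ($svc) { [string]$svc.StartType } else { $null }
        ListeningOn1801 = ($listeners.Count -gt 0)
        NetworkFacing   = ($networkFacing.Count -gt 0)
        # Patch these hosts first: the PGM fixes matter where MSMQ is live.
        PatchFirst      = $running -or ($listeners.Count -gt 0)
    }
}

Get-MsmqExposure | Format-List
```

A host that reports `MsmqInstalled` as true but `ServiceStatus` as `Stopped` is not currently exposed, but it still belongs on the patch list because the service can be started later.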

Also patched this month are two RCE vulnerabilities - CVE-2023-32031 and CVE-2023-28310 - in Microsoft Exchange Server.

According to Microsoft, to exploit these bugs an attacker must already have gained access to a vulnerable host in the network, with initial access achieved through social engineering attacks such as spear phishing or similar.

"This pair of vulnerabilities affecting the MS Exchange server are standouts, as they closely mirror the vulnerabilities identified as part of ProxyNotShell exploits, where an authenticated user in the network could exploit a vulnerability in the Exchange PowerShell Remoting Protocol (PSRP) to gain code execution on the server," said Kev Breen, director of cyber threat research at Immersive Labs.

Three of the vulnerabilities reported this month - CVE-2023-29358, CVE-2023-29359 and CVE-2023-29371 - are Windows GDI Elevation of Privilege vulnerabilities. While these are not RCE flaws, the consequences of their exploitation mean they should be taken seriously, said Breen.

"Don't be fooled by their low score into thinking they are less important. Privilege escalation vulnerabilities appear in almost every cyber security incident, where once an attacker has gained initial access as a low-level user their next task is to gain System or domain-level access, through misconfiguration or exploiting a privilege escalation vulnerability."

Unusually for recent Patch Tuesday updates, this month's contains no publicly known or actively attacked zero-day vulnerabilities.