Microsoft Patch Tuesday June 2023: Edge type confusion, Git RCE, OneNote Spoofing, PGM RCE, Exchange RCE, SharePoint EoP

Hello everyone! This episode will be about Microsoft Patch Tuesday for June 2023, including vulnerabilities that were added between May and June Patch Tuesdays.

Alternative video link (for Russia): <https://vk.com/video-149273431_456239127&gt;

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. This time there were only 3 vulnerabilities used in attacks or with a public exploit. And only one of them is more or less relevant.

$ cat comments_links.txt 
ZDI|THE JUNE 2023 SECURITY UPDATE REVIEW|https://www.thezdi.com/blog/2023/6/13/the-june-2023-security-update-review
Qualys|Microsoft Patch Tuesday, June 2023 Security Update Review|https://blog.qualys.com/vulnerabilities-threat-research/2023/06/13/microsoft-patch-tuesday-june-2023-security-update-review

$ python3 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2023 --mspt-month "June" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
...
Creating Patch Tuesday profile...
MS PT Year: 2023
MS PT Month: June
MS PT Date: 2023-06-13
MS PT CVEs found: 78
Ext MS PT Date from: 2023-05-10
Ext MS PT Date to: 2023-06-12
Ext MS PT CVEs found: 22
ALL MS PT CVEs: 100
...

• All vulnerabilities: 100
• Urgent: 0
• Critical: 1
• High: 39
• Medium: 55
• Low: 5

Let's see the TOP of the Vulristics report:

1. Memory Corruption - Microsoft Edge (CVE-2023-3079). Exploitation in the wild is mentioned on Vulners (cisa_kev object), AttackerKB websites. This is a type confusion bug in Chrome that could lead to code execution at the level of the logged-on user. It’s also the second type of confusion bug in Chrome actively exploited this year. Definitely make sure your Chromium-based browsers (including Edge) are up to date.
2. Remote Code Execution - GitHub (CVE-2023-29007). GitHub, of course, was patched a long time ago. This is a Git vulnerability and it is critical because there is a public exploit. The existence of a publicly available exploit is mentioned on Vulners website. If your organization uses Git, it's a good reason to update it. Although this is not directly related to Microsoft Patch Tuesday.

I would also like to draw attention to another vulnerability with a public exploit:

1. Spoofing - Microsoft OneNote (CVE-2023-33140). Exploitation requires the user to open a specially crafted file in an affected version of Microsoft OneNote and then click on a specially crafted URL.

For 10 vulnerabilities, the existence of exploits was indicated in CVSS Temporal Metrics ("Proof-of-Concept Exploit"):

1. Remote Code Execution - .NET (CVE-2023-33128, CVE-2023-29331).
2. Denial of Service - .NET (CVE-2023-32030, CVE-2023-29331)
3. Denial of Service - Yet Another Reverse Proxy (YARP) (CVE-2023-33141)
4. Elevation of Privilege - Windows Authentication (CVE-2023-29364)
5. Elevation of Privilege - .NET (CVE-2023-33135, CVE-2023-32032)
6. Information Disclosure - Visual Studio (CVE-2023-33139, CVE-2023-33144)

Now let's look at some of the other vulnerabilities for which there were no exploits or signs of exploitation in the wild:

1. Remote Code Execution - Windows Pragmatic General Multicast (PGM) (CVE-2023-29363, CVE-2023-32014, CVE-2023-32015). Pragmatic General Multicast (PGM), a.k.a. ‘reliable multicast,’ is a scalable receiver-reliable protocol. PGM allows receivers to detect loss, request retransmission of lost data, or notify an application of unrecoverable loss. PGM is best suited for applications that require duplicate-free multicast data delivery from multiple sources to multiple receivers. A remote, unauthenticated attacker could exploit these flaws by sending a malicious file to a vulnerable target. Microsoft’s mitigation guidance states that for a system to be vulnerable, it must have message queueing services enabled.
2. Remote Code Execution - Microsoft Exchange (CVE-2023-32031, CVE-2023-28310). CVE-2023-32031 was discovered by ZDI researcher Piotr Bazydło and is a bypass of both CVE-2022-41082 and CVE-2023-21529. The former was listed as being under active exploit. The specific flaw exists within the Command class. The issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. An authenticated attacker may use the vulnerability to trigger malicious code in the context of the server’s account through a network call. Successful exploitation could lead to executing code with SYSTEM privileges. CVE-2023-28310 allows an authenticated attacker to perform remote code execution on the affected system with the help of a PowerShell remoting session. An attacker must be connected to the same internet as the Exchange server to exploit the vulnerability.
3. Elevation of Privilege - Microsoft SharePoint (CVE-2023-29357). This bug was one of the bugs chained together during the Pwn2Own Vancouver contest held back in March. A remote, unauthenticated attacker can exploit the vulnerability by sending a spoofed JWT authentication token to a vulnerable server giving them the privileges of an authenticated user on the target. According to the advisory, no user interaction is required in order for an attacker to exploit this flaw. Microsoft also provides mitigation guidance for the vulnerability that says users that use Microsoft Defender in their SharePoint Server farm(s) and have AMSI enabled are not affected. "Exploitation More Likely" according to Microsoft’s Exploitability Index.

Full Vulristics report: ms_patch_tuesday_june2023