Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol

Microsoft disclosed 104 vulnerabilities in its extensive range of software and services, the most in a single Patch Tuesday since July.

What is most notable is that this batch of vulnerabilities includes 12 that are considered "critical," nine of which are remote code execution vulnerabilities in the Layer 2 Tunneling Protocol.

Two other vulnerabilities that Microsoft is fixing Tuesday – CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform – have already been publicly exploited in the wild and have proof-of-concept code available, making it more likely that attackers will try to exploit unpatched versions of these pieces of software. However, these issues are only considered "important."

The nine Layer 2 Tunneling Protocol vulnerabilities all require an attacker to win a race condition. A race condition is when two threads in a piece of code try to reach the same piece of data at the same time, and thus one action must be completed before the other.

In this scenario, an attacker could exploit the Tunneling Protocol by sending a specially crafted protocol message to a Routing and Remote Access Service (RAS) server, which could lead to remote code execution on the RAS server machine. The vulnerabilities Microsoft disclosed and patched on Tuesday are:

• CVE-2023-38166
• CVE-2023-41765
• CVE-2023-41767
• CVE-2023-41768
• CVE-2023-41769
• CVE-2023-41770
• CVE-2023-41771
• CVE-2023-41773
• CVE-2023-41774

The Layer 2 Tunneling Protocol allows remote users to connect to a machine, or site-to-site connectivity via a VPN. Vulnerabilities involving VPNs have come under a microscope since the discovery of the VPNFilter malware in 2018 that affected thousands of devices across the globe.

A vulnerability in Fortinet's SSL VPN, CVE-2018-13379, topped the U.S. Cybersecurity and Infrastructure Security Agency's list of the most-exploited vulnerabilities in 2022, despite being disclosed back in 2018. U.S. officials also warned earlier this year of Volt Typhoon, a large APT believed to be backed by China's government that is targeting networking devices to possibly gain a foothold onto U.S. military networks and critical infrastructure.

Another critical remote execution vulnerability disclosed Tuesday, CVE-2023-35349, exists in the Microsoft Message Queuing service. An unauthenticated attacker could exploit this vulnerability to execute code on the targeted server.

However, this vulnerability is only exploitable if the user has Message Queuing enabled. Microsoft stated in its advisory that users should check to see if there is a service running named "Message Queuing" and if TCP port 1801 is listening on the machine.

One of the other critical vulnerabilities fixed this month is CVE-2023-36718, a remote code execution vulnerability in the Microsoft Virtual Trusted Platform Module. An attacker who exploits this vulnerability could perform a contained execution environment escape.

The attack complexity is considered "high" and therefore less likely to be exploited, Microsoft said, because exploitation relies on complex memory shaping techniques and the attacker must at least be authenticated as a guest first.

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62486 - 62493 and 62508 - 62511, and Snort 3 signatures 300719 - 300722.