Several Exchange Server flaws fixed on August Patch Tuesday
Microsoft addresses 74 vulnerabilities this month with the on-premises email server platform returning to the spotlight with corrections to close six security holes.
After a short summer break, Exchange Server is once again a target for attackers as Microsoft released several fixes for the long-suffering on-premises email platform.
On August Patch Tuesday, Microsoft disclosed 74 new CVEs, including six rated critical, with one zero-day that affects .NET and Visual Studio. One vulnerability, CVE-2023-20593, falls outside the Microsoft product line and relates to the Zenbleed flaw in some AMD processors, which will require administrators to install a microcode patch or BIOS update for affected systems.
Microsoft corrects 1 zero-day
The zero-day for August Patch Tuesday is a .NET and Visual Studio denial-of-service vulnerability, CVE-2023-38180, rated important with a CVSS score of 7.5. Microsoft's CVE notes indicated proof-of-concept code exists. An attacker does not need privileges to trigger the exploit, which makes it easier for a threat actor with a foothold in the organization's infrastructure to launch an attack.
Administrators will need to patch Microsoft Visual Studio 2022, .NET 7.0, .NET 6.0 and ASP.NET Core 2.1, which can take some time if they lack a comprehensive patch management system.
"Administrators might be required to update multiple parts of their organization's development stack, depending on what they're using," said Chris Goettl, vice president of security products at Ivanti.
Goettl said the relatively low rating and CVSS score should not lull administrators into waiting to deploy the patches for this vulnerability.
"They should focus on this as a higher priority, just to make sure that they don't expose the organization to undue risk," he said.
Microsoft corrects 6 Exchange Server vulnerabilities
After a brief respite in July with no patches, Exchange Server is once again the center of unwelcome attention for persistent threat actors looking to develop exploits for the on-premises product. For August Patch Tuesday, Microsoft released security updates to address six vulnerabilities:
- CVE-2023-35368, a Microsoft Exchange remote code execution vulnerability rated important with an 8.8 CVSS score.
- CVE-2023-21709, a Microsoft Exchange Server elevation-of-privilege vulnerability rated important with a 9.8 CVSS score.
- CVE-2023-35388, a Microsoft Exchange Server remote code execution vulnerability rated important with an 8.0 CVSS score.
- CVE-2023-38182, a Microsoft Exchange Server remote code execution vulnerability rated important with an 8.0 CVSS score.
- CVE-2023-38185, a Microsoft Exchange Server remote code execution vulnerability rated important with an 8.8 CVSS score.
- CVE-2023-38181, a Microsoft Exchange Server spoofing vulnerability rated important with an 8.8 CVSS score.
"You've got remote code execution, spoofing, elevation of privilege -- it's all the things needed to make a perfect cocktail to target Exchange again," Goettl said.
Despite having one of the highest CVSS scores this month, CVE-2023-21709 is only rated important because a threat actor would need to brute-force the password, which should be difficult in organizations with strong password policies.
Administrators will also need to perform an extra step on affected systems to remove the TokenCacheModule from the IIS server role. This step can be done manually, but Microsoft provided a script with instructions to handle the removal on all or selected Exchange Server systems, with the ability to roll back if necessary.
Phishing campaigns hit Microsoft Teams
Microsoft Teams, the popular unified communication and collaboration platform, has two remote code execution vulnerabilities, CVE-2023-29328 and CVE-2023-29330, both rated critical with the same 8.8 CVSS score this month. The flaws affect Microsoft Teams for iOS, macOS, Android and Windows systems.
To exploit either vulnerability, the attacker would have to get a user to accept a malicious meeting invitation. The attacker could then run remote commands to access the user's information and make changes to the data or crash the user's system. Administrators will have to alert their users to be on the lookout for these types of phishing attempts.
"With enough information about the organization, the attacker could absolutely create a situation where they could convince somebody to click on that meeting link," Goettl said.
On Windows desktop systems, Microsoft Teams falls outside the conventional patching regimen due to its auto-update functionality, which gives administrators less control over the servicing of this application.
"Microsoft is trying to force this newer kind of automatic updates model, but we've seen this with Zoom and many other types of Microsoft Store apps. There's a lot of ways the auto-update mechanism can fail, such as when a user never closes the application," Goettl said.
To avoid this issue, industrious administrators can force the Microsoft Teams client to update in a variety of ways, such as automating the delivery of the latest Microsoft Teams build to the Windows machine.
Microsoft issues 2 advisories for August Patch Tuesday
In advisory ADV230003, Microsoft detailed the defense-in-depth patches for Microsoft Office products that could be used in an attack chain that also incorporates the Windows Search remote code execution zero-day, CVE-2023-36884, from July Patch Tuesday. Microsoft recommended administrators deploy both the Microsoft Office patches and the August security updates for Windows systems.
The other advisory, ADV230004, is a memory integrity system readiness scan tool defense-in-depth update.
"The Memory Integrity System Readiness Scan Tool (hvciscan_amd64.exe and hvciscan_arm64.exe) is used to check for compatibility issues with memory integrity, also known as hypervisor-protected code integrity (HVCI). The original version was published without a RSRC section, which contains resource information for a module. The new version addresses this issue," Microsoft wrote in the advisory notes.
Microsoft also updated a July advisory, ADV230001, on August Patch Tuesday and urged customers to apply this month's security updates to add more untrusted drivers and driver-signing certificates to the Windows Driver.STL revocation list. Last month, the company disclosed some certified drivers had been used in attacks to gain administrator privileges.