Microsoft Patch Tuesday August 2023

Microsoft patched 73 CVEs in its August Patch Tuesday release, with six rated as critical and 67 rated as important. Microsoft also released two advisories (ADV230003 and ADV230004) this month as well as a patch for a vulnerability in AMD processors (CVE-2023-20569).

This month’s patches applicable for below products

• .NET Core
• .NET Framework
• ASP.NET
• ASP.NET and Visual Studio
• Azure Arc
• Azure DevOps
• Azure HDInsights
• Dynamics Business Central Control
• Memory Integrity System Readiness Scan Tool
• Microsoft Dynamics
• Microsoft Exchange Server
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office Outlook
• Microsoft Office SharePoint
• Microsoft Office Visio
• Microsoft Teams
• Microsoft WDAC OLE DB provider for SQL
• Microsoft Windows Codecs Library
• Reliability Analysis Metrics Calculation Engine
• Role: Windows Hyper-V
• SQL Server
• Tablet Windows User Interface
• Windows Bluetooth A2DP driver
• Windows Cloud Files Mini Filter Driver
• Windows Common Log File System Driver
• Windows Cryptographic Services
• Windows Defender
• Windows Fax and Scan Service
• Windows Group Policy
• Windows HTML Platform
• Windows Kernel
• Windows LDAP – Lightweight Directory Access Protocol
• Windows Message Queuing
• Windows Mobile Device Management
• Windows Projected File System
• Windows Reliability Analysis Metrics Calculation Engine
• Windows Smart Card
• Windows System Assessment Tool
• Windows Wireless Wide Area Network Service

.NET and Visual Studio DoS Vulnerability

CVE-2023-38180 is a Denial of Service vulnerability in Microsoft Visual Studio,.NET versions 6.0 and 7.0, and ASP.NET Core 2.1. It has a CVSSv3 score of 7.5 and rated as important. This vulnerability was exploited in the wild as a zero-day. An attacker that exploits this vulnerability would be able to create a DoS condition on a vulnerable server.

Microsoft Message Queuing RCE Vulnerability

CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911 are RCE vulnerabilities in the Microsoft Message Queuing (MSMQ) component of Windows operating systems each with a CVSSv3 score of 9.8 and a rating of critical. Microsoft rated these vulnerabilities as Exploitation Less Likely.

A remote unauthenticated attacker can exploit this vulnerability by sending malicious MSMQ packets to a vulnerable MSMQ server leading to arbitrary code execution. To exploit this flaw, the Message Queuing service needs to be enabled on the vulnerable server. Microsoft says if the service is enabled, it runs under the service name “Message Queuing” and is listening on TCP port 1801.

Microsoft Exchange Server EoP Vulnerability

CVE-2023-21709 is an EoP vulnerability in Microsoft Exchange Server with a CVSSv3 score of 9.8 and is rated as Exploitation Less Likely. An unauthenticated attacker could exploit this vulnerability by attempting to brute force the password for valid user accounts. Successful exploitation would allow an attacker to login as another user.

According to the advisory, additional steps are required in order to address this vulnerability. After applying the patch, a PowerShell script must be run. We recommend reviewing the advisory for the latest information from Microsoft to successfully remediate this vulnerability. This is the third EoP vulnerability in Microsoft Exchange Server disclosed in 2023.

The first two were disclosed as part of the January 2023 Patch Tuesday release (CVE-2023-21763, CVE-2023-21764).

Windows Kernel EoP Vulnerability

CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, and CVE-2023-38154 are EoP vulnerabilities in the Windows Kernel. All five vulnerabilities were assigned a CVSSv3 score of 7.8 and four are rated as Exploitation More Likely, and CVE-2023-38154 rated as “Exploitation Unlikely.” A local, authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges. Four of the five vulnerabilities are attributed to researchers from Google Project Zero.

Microsoft Office Defense in Depth Update

Microsoft released security advisory ADV230003 as part of its August Patch Tuesday release to provide “enhanced security as a defense in depth measure.” This update is in response to the discovery of CVE-2023-36884, a security feature bypass vulnerability affecting Windows and Windows Server installations that was disclosed as part of the July 2023 Patch Tuesday release.

ADV230003 does not directly address CVE-2023-36884, it was included as part of this month’s release as it “stops the attack chain” that leads to CVE-2023-36884. Organizations are encouraged to apply the Office updates listed in the advisory and apply the latest Windows updates for August.

Microsoft also updated its advisory page for CVE-2023-36884 as part of its August Patch Tuesday, including updating the title to a “Security Feature Bypass” in Windows Search, while the CVSSv3 score was reduced to 7.5 and the severity decreased from Critical to Important. Microsoft provided patching information to address the vulnerability.

Patch Summary