UPDATED: July’s Patch Tuesday Demands Attention: 5 Zero-days and 129 Vulnerabilities

Office and Windows HTML Remote Code Execution Vulnerability [IMPORTANT]

CVE-2023-36884 is an actively exploited zero-day vulnerability that currently does not have a patch. The vulnerability is being reported in various Windows and Office products. Attackers are taking advantage of the vulnerability by enticing users to open malicious Office file attachments or links, which when opened allow the attacker to perform remote code execution. 

Automox has created a script for customers to remediate as a workaround until a patch is available. Note, this script was last updated on July 13, 2023, and can break functionality with Microsoft Office applications. Before deploying, please thoroughly review the Microsoft documentation referenced here.

EVALUATION CODE

# EVALUATION

Write-Verbose 'Testing registry path!'

# evaluate registry key existence

if ( !( Test-Path -Path $keyPath -PathType Container ) )

{

    # append to our remediation config

    $remediationConfig.KeyPath = $keyPath

    Write-Verbose 'Registry path does not exist, appending to AXConfig!'

}

Write-Verbose 'Evaluating registry properties!'

# evaluate registry properties

foreach ( $prop in $props )

{

    # tack on path

    $prop.Path = $keyPath

    Write-Verbose "Evaluating property "$( $prop.Name )" at path "$( $prop.Path )"!"

    # evaluate property existence

    $itemPropertyValue = Get-ItemProperty @prop -ErrorAction Ignore | Select-Object -ExpandProperty $prop.Name

    if ( $itemPropertyValue -ne 1 )

    {

        Write-Verbose "Property "$( $prop.Name )" value is not inline with our expected configuration!"

        # create the RegistryProperties Hashtable key if needed

        if ( !$remediationConfig.RegistryProperties )

        {

            $remediationConfig.RegistryProperties = @()

        }

        # tack on value

        $prop.Value = 1

        # tack on property type

        $prop.PropertyType = 'DWord'

        # append to our remediation config

        $remediationConfig.RegistryProperties += $prop

        Write-Verbose "Appending "$( $prop.Name )" to AXConfig!"

    }

}

Write-Verbose 'Registry property evaluation complete!'

Write-Verbose 'Proceeding to AXConfig exit evaluation!'

# determine if we have work to do

if ( $remediationConfig.Keys.Count -gt 0 )

{

    # set the axconfig

    Set-AXConfig -Name $configName -Configuration $remediationConfig

    Write-Output 'The device is not inline with our desired configuration, remediation required!'

    exit 1

}

else

{

    Write-Output 'The device is inline with our desired configuration, exiting!'

    exit 0

}

REMEDIATION CODE

# REMEDIATION

Write-Verbose 'Retrieving AXConfig!'

# retrieve the AXConfig

$remediationConfig = Get-AXConfig -Name $configName

Write-Verbose "AXConfig "$configName" retrieval $( ( 'succeeded', 'failed' )[ $null -eq $remediationConfig ] )!"

# confirm we got a config back

if ( !$remediationConfig )

{

    Write-Error "Unable to retrieve an AXConfig with name $configName!"

    Write-Error 'Please ensure this Worklet is scheduled to run in a policy and at least one scan has occurred!'

    exit 1

}

# check if we need to create the registry key

if ( $remediationConfig.KeyPath )

{

    Write-Verbose "Evaluating registry key path existence: "$( $remediationConfig.KeyPath )"!"

    # forcefully create the key

    New-Item -Path $remediationConfig.KeyPath -ItemType Directory -Force | Out-Null

    Write-Verbose 'Registry key created successfully!'

}

# check if we need to set registry properties

if ( $remediationConfig.RegistryProperties )

{

    Write-Verbose 'Proceeding to registry property evaluation!'

    # iterate the properties to be created/set

    foreach ( $prop in $remediationConfig.RegistryProperties )

    {

        Write-Verbose "Evaluating existence of registry property "$( $prop.Name )" at path "$( $prop.Path )"!"

        # forcefully create the property

        New-ItemProperty -Path $prop.Path -Name $prop.Name -Value $prop.Value -PropertyType $prop.PropertyType -Force | Out-Null

        Write-Verbose "Registry property "$( $prop.Name )" created successfully!"

    }

}

Write-Verbose 'Registry evaluation completed successfully, proceeding to exit condition evaluation!'

# check for errors & exit appropriately

if ( $Error.Count -eq 0 )

{

    Write-Output 'The device is now inline with our desired configuration, exiting!'

    exit 0

}

else

{

    Write-Error 'The remediation failed!'

    Write-Error '=============== BEGIN ERROR LOG ==============='

    Write-Error $Error

    Write-Error '===============  END ERROR LOG  ==============='

    exit 1

}

Customers can access this Worklet directly in the console here.

It’s important to note that if your organization uses Microsoft Defender for Office, your users are protected from attachments that attempt to exploit this vulnerability. 

Microsoft Outlook Security Feature Bypass Vulnerability [IMPORTANT]

CVE-2023-35311 is an actively exploited zero-day vulnerability in Microsoft’s Outlook application. This vulnerability scores a CVSS 8.8 and opens the door to an attacker bypassing the Microsoft Outlook Security Notice prompt, leading to unauthorized access and/or the execution of malicious actions. In this attack scenario, the user would have to click on a unique URL to be compromised.

Because Outlook is a popular email client, the potential impact for organizations if this vulnerability is left unpatched could be severe. This vulnerability is perfect fuel for phishing and will be especially popular with criminal actors to potentially enable a ransomware or fraud event. We recommend patching within 24 hours to mitigate. – Jason Kikta, CISO/CIO

Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerabilities [CRITICAL]

These three CVEs all score a CVSS 9.8 and affect the Windows Routing and Remote Access Service (RRAS). In a remote code execution attack, a bad actor could target Windows servers with RRAS running. 

Windows RRAS is a built-in networking component in Microsoft Windows Server operating systems that provides routing and remote access capabilities. RRAS enables computers running Windows Server to function as routers, virtual private network (VPN) servers, and dial-up servers. RRAS is not installed by default on Windows servers. 

A successful attacker could modify network configurations, steal data, move to other more critical/important systems, or create additional accounts for persistent access to the device. 

We recommend patching all three RRAS RCE vulnerabilities within 24 hours if you are running RRAS on your Windows servers.– Tom Bowyer, Product Security

Windows Error Reporting Service Elevation of Privilege Vulnerability [IMPORTANT]

CVE-2023-36874 is a zero-day elevation of privilege vulnerability affecting Windows Error Reporting (WER) service. The CVE scores a CVSS 7.8 and gives a successful attacker the means to obtain administrator privileges. 

The WER service is a feature in Microsoft Windows operating systems that automatically collects and sends error reports to Microsoft when certain software crashes or encounters other types of errors. In this instance, an attacker would need to gain local machine access and the local user account would need permissions to create folders and performance traces for a successful attack. 

This zero-day vulnerability is being actively exploited, so if WER is used by your organization we recommend patching within 24 hours. – Tom Bowyer, Product Security

Windows MSHTML Platform Elevation of Privilege Vulnerability [IMPORTANT]

CVE-2023-32046 is another zero-day elevation of privilege vulnerability that affects Windows Microsoft HTML (MSHTML) platform. The vulnerability is ranked ‘important’ and scores a CVSS 7.8. Successful exploitation allows an attacker to gain local user permissions in the affected application. 

The Windows MSHTML platform, also known as Trident, is a browser rendering engine developed by Microsoft. It is used by various Microsoft products, including Internet Explorer and Microsoft Edge (versions up to and including EdgeHTML). Attackers could exploit this privilege escalation vulnerability via email, instant message, or web-based application by enticing a user to open a specially crafted file. 

This vulnerability is likely lower impact, but because it’s a zero-day being actively exploited, it’s safest to patch within 24 hours. – Jason Kikta, CISO/CIO

Windows SmartScreen Security Feature Bypass Vulnerability [IMPORTANT]

CVE-2023-32049 is another actively exploited zero-day vulnerability with a CVSS 8.8 affecting Windows SmartScreen. A successful attack would allow a bad actor to bypass the Open File - Security Warning prompt in the Windows SmartScreen built-in security feature. Patch within 24 hours to avoid exploitation. – Tom Bowyer, Product Security