August Patching: Navigating Microsoft and Linux Vulnerabilities

Our monthly patching blog continues our commitment to keep you abreast of the latest threats and updates that might affect your systems. This month, Microsoft and Linux have released several significant updates, some of which addressed critical vulnerabilities.

Windows Patching Highlights

This month, Microsoft addressed 87 flaws, broken down into the following categories:

18 Elevation of Privilege Vulnerabilities: These could allow attackers to gain elevated privileges, compromising system integrity.

3 Security Feature Bypass Vulnerabilities: These flaws could permit attackers to bypass security features, leading to unauthorized access.

23 Remote Code Execution Vulnerabilities: These vulnerabilities could allow an attacker to remotely execute arbitrary code, leading to unauthorized access and data compromise.

10 Information Disclosure Vulnerabilities: Potentially exposing sensitive information to unauthorized parties.

8 Denial of Service Vulnerabilities: Allowing an attacker to crash or slow down the system.

12 Spoofing Vulnerabilities: Allowing an attacker to disguise themselves as another user.

This month’s updates tackle a variety of vulnerabilities that impact different Windows components. They include fixes for zero-day vulnerabilities that hackers have actively exploited, as well as vulnerabilities in Microsoft Office, Microsoft Exchange, and other areas of the Windows operating system.

August’s Highlighted Patches Include:

CVE-2023-38180 – .NET and Visual Studio Denial of Service Vulnerability: This flaw could allow an attacker to crash or slow down the system.

ADV230003 – Microsoft Office Defense in Depth Update: An improvement to Microsoft Office’s security features.

CVE-2023-36884 – Windows Search Remote Code Execution Vulnerability (update now available): Addressing a previously reported vulnerability that could allow an attacker to execute arbitrary code remotely.

CVE-2023-35385, CVE-2023-36910, & CVE-2023-36911 – Microsoft Message Queuing Remote Code Execution Vulnerability: Could allow unauthorized remote code execution.

CVE-2023-21709, CVE-2023-38181, CVE-2023-38185, CVE-2023-35368, CVE-2023-38182, & CVE-2023-35388 – Microsoft Exchange Security Updates: Patches for various vulnerabilities that may lead to unauthorized access and data leakage.

CVE-2023-32019 – This update was installed with June 2023 Security Updates, but the setting was disabled. The August updates will switch the setting to enabled.

Linux Patching

Moving on to Linux, we have a collection of vital security updates addressing vulnerabilities across various components. This roundup includes patches for critical vulnerabilities that demand immediate attention and essential updates to maintain overall system integrity.

• CVE-2023-20593 – A critical security vulnerability affecting the Linux firmware package in Oracle Linux is resolved. Attackers could exploit this issue to potentially access sensitive information on vulnerable systems.
• CVE-2023-1999 – The libwebp library contained a vulnerability addressed in this update. Exploiting this issue allowed attackers to use the ApplyFiltersAndEncode function and loop through to free best.bw and assign best = trial pointer.
• CESA-2023:3145 – A vulnerability found in the Apache Portable Runtime Utility Library (apr-util) allowing attackers to execute arbitrary code with elevated privileges.
• CVE-2023-25652 – A vulnerability in Git permitting attackers to feed specially crafted input to `git apply –reject`, a path outside the working tree, overwriting it with partially controlled contents.
• CVE-2023-24329 – An issue in the urllib.parse component of Python before 3.11.4, where attackers could bypass blocklisting methods by supplying a URL that starts with blank characters, has been resolved.
• CVE-2023-32067 – The c-ares DNS resolver library contained a vulnerability enabling attackers to launch denial-of-service attacks on affected systems is now resolved.
• CVE-2023-37201 – Provides fixes for vulnerabilities found in Firefox, including where an attacker could trigger a use-after-free condition when creating a WebRTC connection over HTTPS.
• CVE-2022-3564 – Patch for a vulnerability within the Linux kernel, preventing attackers from gaining unauthorized access to vulnerable systems.
• CVE-2023-2828 – Addresses vulnerability in BIND DNS server exploited to conduct denial-of-service attacks on affected systems.
• CVE-2023-32435 – Addresses a memory corruption issue with improved state management.
• CVE-2023-2269 – A denial of service problem, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.

Non-Critical Updates

We’ve also identified multiple non-critical updates. Specifically, a security and bug fix update for Java (CVE-2023-22045) addresses a potential unauthorized access vulnerability. A similar update now exists for Samba (CVE-2023-3347). Lastly, a security update for Emacs (CVE-2022-48339) is available, addressing a similar vulnerability for unwanted access. While these vulnerabilities are not considered critical, we recommend applying these patches to maintain a secure environment.

Microsoft Office Updates

OneNeck does not patch Microsoft Office products during scheduled patching. We recommend all customers apply Microsoft Office updates to their environment immediately. If you have questions about how OneNeck can assist you in your environment, don’t hesitate to contact the Service Desk.

Exchange Updates

OneNeck encourages all customers to upgrade to Exchange Server 2019. OneNeck will apply the August Exchange Security Update (along with the additional actions) under separate Change Requests for customers contracted with OneNeck for Exchange Management. For customers not contracted with us for Exchange Management services, don’t hesitate to contact the Service Desk if you have any questions on how OneNeck can assist you in your environment.

Please note our engineers base the information provided here on reviews of the information provided by the vendors at the time of the release. Please see the vendor’s website or contact us for the latest patching details.

Keep an eye out for next month’s blog, and as always, feel free to contact us with any questions or concerns. Stay secure and stay patched!

Each month, OneNeck engineers review newly released updates from vendors, like Microsoft, to understand any known issues, actions required and understand the priority of each. This is done immediately following Patch Tuesday releases, and we monitor for adjustments to patches throughout each month.

The information below is gathered monthly during this review and posted for awareness to our customers. This information is generally updated only once per month and is based on our engineers’ review of the information provided by the vendor at that time. As always, for the most up-to-date patching information, please see the vendor’s website or contact us.

Note: If OneNeck actively manages a device or software that is impacted by any of these vulnerabilities, when necessary, OneNeck will be in direct contact with you regarding remediation.

Additional Resources: