June Patching: Vulnerabilities in VMware and Microsoft

Welcome to OneNeck’s monthly patching blog for June 2023. Our aim is to keep you informed about the latest patches and updates that may affect your systems. This month saw the release of several important patches but, thankfully, no zero-day vulnerabilities or actively exploited bugs.

Patching Highlights

Here are the most significant patches for June:

• CVE-2023-20867 – An authentication bypass vulnerability in VMware Tools has been identified. This vulnerability could potentially allow unauthorized users to gain access to sensitive information.
• CVE-2023-29357 – Pertains to an elevation of privilege vulnerability in the Microsoft SharePoint Server. If exploited, this vulnerability could grant an attacker higher-level privilege, thereby compromising the integrity and confidentiality of your data.
• CVE-2023-32031 – A remote code execution vulnerability in Microsoft Exchange Server that is particularly concerning as it could potentially allow an attacker to remotely execute arbitrary code and gain unauthorized access to data or services.
• CVE-2023-33131 – This vulnerability is being addressed within a broader set of updates for Microsoft Office. If exploited, it could lead to the execution of malicious code when a user opens a specially crafted file or program.

VMware Tools Updates

At OneNeck, we regularly update virtual machines (VMs) in managed environments. VMware Tools contains an Authentication Bypass vulnerability (CVE-2023-20867) in the vgauth module. A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine. This month, we will work to apply the latest version of VM Tools to remediate CVE-2023-20867 for customers contracted with OneNeck for support of their VMware environment.

Microsoft Office Updates

Please note that OneNeck does not patch Microsoft Office products during scheduled patching. We recommend that all customers apply Microsoft Office updates to their environment as soon as possible. If you need assistance with this in your environment, don’t hesitate to contact our team of Microsoft experts.

Exchange Patching Updates

Important news for Exchange users: Exchange Server 2013 has reached End of Life, and Microsoft will provide no further patches for this version. Exchange Server 2016 has reached the end of Mainstream Support and is now under Extended Support. We will continue applying Security Updates Microsoft released for customers contracted with OneNeck for Exchange Management.

Moreover, we strongly encourage all customers to upgrade to Exchange Server 2019. A new Security Update has been released for Exchange Server 2019, which we will apply for customers contracted with OneNeck for Exchange Management and running a supported version of Exchange.

Windows 10 & 11 22H2

OneNeck recommends updating Windows 10 & 11 devices to Feature Update version 22H2 to ensure future security updates will install on your systems. This upgrade is not automatic via standard patching. Additionally, Windows 10 & 11 devices using BitLocker will require a manual update to the Windows Recovery Environment. Please contact our Service Desk if you need assistance with these processes.

Secure Boot Security Bypass Vulnerability

We do not enable Secure Boot on OneNeck- build servers. As a result, we will not be taking any manual action for this update. However, if you have enabled Secure Boot on your servers, we encourage you to review the documentation and take all necessary actions. Our Service Desk is available to assist you with this should you have questions or concerns surrounding your organization’s environment.

OneNeck Has Your Back!

Stay tuned for next month’s patching blog, and as always, feel free to reach out with any questions or concerns. Stay secure, stay patched!

Each month, OneNeck engineers review newly released updates from vendors, like Microsoft, to understand any known issues, actions required and understand the priority of each. This is done immediately following Patch Tuesday releases, and we monitor for adjustments to patches throughout each month.

The information below is gathered monthly during this review and posted for awareness to our customers. This information is generally updated only once per month and is based on our engineers’ review of the information provided by the vendor at that time. As always, for the most up-to-date patching information, please see the vendor’s website or contact us.

Note: If OneNeck actively manages a device or software that is impacted by any of these vulnerabilities, when necessary, OneNeck will be in direct contact with you regarding remediation.

 

Additional Resources: