November Patching Update: Important Advisory and Vulnerabilities

Welcome to OneNeck’s monthly patching blog for November 2023. As your proactive partner in cybersecurity, our team is dedicated to identifying and addressing the most critical updates that can impact your IT infrastructure. Our engineers are committed to dissecting and understanding the latest vendor-released patches, ensuring that our Managed Patch Services keep your systems secure and operational.

Microsoft Security Brief

In November, Microsoft has patched 58 vulnerabilities, sorted into the following categories:

• 16 Elevation of Privilege Vulnerabilities
• 6 Security Feature Bypass Vulnerabilities
• 15 Remote Code Execution Vulnerabilities
• 6 Information Disclosure Vulnerabilities
• 5 Denial of Service Vulnerabilities
• 11 Spoofing Vulnerabilities

Notably this month, 3 zero-day vulnerabilities are currently being actively exploited.

Patching Highlights for November

These patches require your immediate attention due to their high-risk potential:

• CVE-2023-36025: Addresses a Security Feature Bypass Vulnerability in Windows SmartScreen.
• CVE-2023-36033: Fixes an Elevation of Privilege Vulnerability in the Windows DWM Core Library.
• CVE-2023-36036: Remedies an Elevation of Privilege Vulnerability in the Windows Cloud Files Mini Filter Driver.
• CVE-2023-36397: Patches a Remote Code Execution Vulnerability in Windows Pragmatic General Multicast (PGM).
• CVE-2023-36413: Corrects a Security Feature Bypass Vulnerability in Microsoft Office.

ASP.NET Core Applications Advisory

Developers utilizing ASP.NET Core 8.0 applications should be aware of the following advisory from Microsoft and take particular note of CVE-2023-36038 – an ASP.NET Core Denial of Service Vulnerability, where a remote unauthenticated user can issue specially crafted requests to a .NET application which may result in denial of service.

Linux Patching Updates

Our Unix Team has compiled an extensive list of Linux patches and vulnerabilities that demand attention this month:

• CVE-2023-3609; CVE-2023-32233; CVE-2023-35001: Patches for Red Hat Enterprise Linux 7 (Kernel), addressing critical security issues and enhancing system stability.
• CVE-2023-3341: Linux security update for BIND, crucial for maintaining domain name system integrity.
• CVE-2023-5721; CVE-2023-5724; CVE-2023-5725; CVE-2023-5728; CVE-2023-5730; CVE-2023-5732; CVE-2023-44488: A series of vital Firefox updates, reinforcing browser security and addressing various vulnerabilities.
• CVE-2023-40217: An important update for Python 3.x, enhancing security features and fixing vulnerabilities.
• CVE-2023-5217; CVE-2023-44488: For libvpx, focusing on addressing security concerns in this multimedia library.
• CVE-2023-44487: An update for nghttp, ensuring robustness against potential network protocol vulnerabilities.
• CVE-2023-38545; CVE-2023-38546: Bolsters security features for curl.
• CVE-2023-0567; CVE-2023-0568; CVE-2023-0662; CVE-2023-3247; CVE-2023-3823; CVE-2023-3824: Updates for PHP, addressing various security issues to ensure script integrity and system safety.
• CVE-2023-44487: Addresses security vulnerabilities and enhances web server protection within Tomcat.
• CVE-2022-0934: Ensures DNS forwarding and DHCP server stability within dnsmasq.
• CVE-2021-40211: A security update for ImageMagick, crucial for maintaining security in image processing tasks.
• CVE-2023-3609; CVE-2023-35001; CVE-2023-32233: Key patches for Oracle Linux 7 (Kernel 3.10), focusing on kernel vulnerabilities and system enhancements.
• CVE-2022-34918; CVE-2023-2513; CVE-2023-4387; CVE-2023-22024; CVE-2023-3772; CVE-2023-35001; CVE-2023-4206; CVE-2023-3611; CVE-2023-4459; CVE-2023-3776: For Oracle Linux 7 (Kernel 4.1.12), targeting various kernel security issues.
• CVE-2023-42753; CVE-2023-22024: Oracle Linux 7 (Kernel 4.14) patches, enhancing kernel protection and stability.
• CVE-2023-20588; CVE-2023-5090; CVE-2023-20569; CVE-2023-42753; CVE-2023-22024: Regarding Oracle Linux 7 (Kernel 5.4), focusing on kernel security and functionality improvements.

Microsoft Office and Exchange Updates

Please note that OneNeck does not patch Microsoft Office products during scheduled patching. We recommend customers apply Microsoft Office updates immediately. If you have questions about how our team can assist you within in your Microsoft environment, contact our Service Desk.

Exchange

For Exchange, we continue to recommend upgrading to Exchange Server 2019 and remind you that we’re here to apply necessary Exchange Security Updates for managed clients.

TLS 1.0 and TLS 1.1 Disabling Updates

Updates disabling TLS 1.0 and TLS 1.1 are on the horizon. Ensure you prepare your environment for these changes to maintain application functionality. For more information, visit Microsoft’s post on the timeline and process of these updates.

November Patching Cycle

As November’s patching cycle concludes, we invite you to remain engaged for next month’s updates. Keeping your systems up-to-date is more than a best practice—it’s necessary. Our team is ready to assist if you have any questions or need support.

Stay secure and stay patched!

Each month, OneNeck engineers review newly released updates from vendors, like Microsoft, to understand any known issues, actions required and understand the priority of each. This is done immediately following Patch Tuesday releases, and we monitor for adjustments to patches throughout each month.

The information above is gathered monthly during this review and posted for awareness to our customers. This information is generally updated only once per month and is based on our engineers’ review of the information provided by the vendor at that time. As always, for the most up-to-date patching information, please see the vendor’s website or contact us.

Note: If OneNeck actively manages a device or software that is impacted by any of these vulnerabilities, when necessary, OneNeck will be in direct contact with you regarding remediation.

 

Additional Resources: