17 Critical CVEs and a Zero-Day Haunt October Patch Tuesday

October's Patch Tuesday unearths a total of 112 vulnerabilities. There’s one Zero-Day vulnerability (CVE-2023-44487) and seventeen “critical” vulnerabilities.

But don’t be scared, Automox has your back. This month, we’re sharing three Automox Worklets™ designed to mitigate 22 of the 112 vulnerabilities, so you can unmask these monsters and feel safer this October.

MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack – [Zero Day]

CVE-2023-44487 is a zero-day vulnerability. 

The HTTP/2 protocol, a major revision of the HTTP network protocol, is widely adopted because of its ability to speed up web traffic and improve user experience. However, its rapid reset function, originally designed to enhance efficiency, can be exploited to a Denial of Service (DoS) attack. 

The specifics of this attack involve manipulating the rapid reset function to overwhelm and render a web server unresponsive, disrupting legitimate traffic flow.

Automox has deployed a Worklet that is designed to mitigate this vulnerability by disabling the HTTP/2 protocol on your web server using the Registry Editor. This is a crucial step in maintaining the robustness of your digital infrastructure.

This particular vulnerability poses a significant threat to web server performance and reliability. The Automox CVE-2023-44487 Mitigation Worklet effectively addresses the risk by adjusting the server configuration until the proper patches can be applied. – Tom Bowyer, Director, Security

Windows TCP/IP Denial of Service Vulnerability – [Important]

CVE-2023-36603 has a base score of 7.5. This vulnerability requires a non-default firewall setting of the EnablePacketQueue feature. By default EnablePacketQueue is disabled. In this state, systems are not vulnerable.

While enabling this setting can provide some convenience in certain scenarios, like troubleshooting network issues or capturing network traffic for analysis, it also poses a security risk. 

When enabled, packets are queued on the system instead of being immediately processed by the firewall. This allows malicious packets to potentially bypass the firewall and reach vulnerable services on the system.

To mitigate this risk, it is recommended to keep the EnablePacketQueue setting disabled until the proper patches can be applied. 

Exploitation of this vulnerability would be extremely hard to detect, especially in lateral movement scenarios. The Automox Disable Packet Queue Worklet provides a timely solution, ensuring servers and critical endpoints remain secure. – Jason Kikta, CISO/SVP

Windows IIS Server Elevation of Privilege Vulnerability - [Important]

This vulnerability has received a score of 9.8. The Windows Internet Information Services (IIS) server is a widely used component of many Windows-based web services. 

CVE-2023-36434 is an Elevation of Privilege vulnerability, which allows an attacker to exploit a weakness in the server to gain unauthorized access and control. This unauthorized access can lead to unauthorized data access, manipulation, or even complete control of the server. 

The attack vector is network-based and requires the attacker to brute-force the login. To mitigate this vulnerability, use strong passwords that cannot easily be brute-forced. 

Here are some key practices to help mitigate the risk associated with such vulnerabilities:

• Perform regular security updates

• Apply strong access controls

• Monitor for any suspicious activities

– Jason Kikta, CISO/SVP

Microsoft Message Queuing Remote Code Execution Vulnerability - [Critical]

With a base score of 9.8, you’ll want to pay close attention to CVE-2023-35349.  

Message Queuing (MSMQ) is a messaging protocol that allows applications running on separate servers to communicate in a failsafe manner. A Remote Code Execution (RCE) vulnerability in MSMQ can allow an attacker to execute arbitrary code on the target server.  

Despite the increasing availability of other message queuing protocols, MSMQ still holds its ground in certain scenarios, particularly within legacy systems within the Microsoft ecosystem. 

With 20 MSMQ-related vulnerabilities identified this Patch Tuesday, disabling MSMQ is a priority until patching can be administered. 

Automox's Worklet allows administrators to mitigate these MSMQ vulnerabilities by disabling MSMQ until the systems can be patched. – Tom Bowyer, Director, Security

Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

This CVE has a base score of 8.8. Microsoft WDAC OLE DB Provider for SQL Server is a set of components designed to facilitate efficient data access from Microsoft SQL Server databases to endpoints. It’s a key element of the Windows Data Access Components (WDAC) that allows developers to create applications capable of communicating with almost any data source, including SQL Server.

This vulnerability may allow an attacker to execute arbitrary code on a targeted system by convincing a user to connect to a malicious database. 

These attacks can be mitigated by configuring the environment to connect only to trusted servers and enforcing certificate validation. 

– Jason Kikta, CISO/SVP

There are 9 vulnerabilities relating to L2TP, all with a Base Score of 7.1.

The CVE’s included in this are CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, CVE-2023-41774, and CVE-2023-38166. 

Layer 2 Tunneling Protocol (L2TP) is a protocol that provides support for Virtual Private Networks (VPNs). While once popular, L2TP by itself doesn’t provide any encryption or confidentiality for the data that passes through it. 

A Remote Code Execution vulnerability in L2TP can expose your network to attackers who could execute arbitrary code on your network devices.

With 9 vulnerabilities identified in Layer 2 Tunneling Protocol this month, and the insecure nature of L2TP, organizations should reconsider the security of their tunneling solutions if they are using L2TP. 

– Tom Bowyer, Director, Security

By using tools like Automox Worklets, you can swiftly mitigate these risks, strengthening the security and functionality of your digital infrastructure. 

With Automox, Patch Tuesday can be Fix Tuesday. 

Patch regularly, patch often.