June’s Patch Tuesday Packs a Modest Punch

June’s Patch Tuesday release from Microsoft gives admins some breathing room with no reported zero-days and only 70 total vulnerabilities to patch as we launch into summer.

But that doesn’t mean admins are totally off the hook this month. Several critical vulnerabilities should get your attention, including a CVSS 9.8 elevation of privilege vulnerability affecting Microsoft SharePoint. CVE-2023-29357 opens the doors for attackers to gain access to spoofed JWT authentication tokens to then use them to execute a network attack, with no privileges or user action needed.

There are also three critical remote code execution vulnerabilities affecting Windows Pragmatic General Multicast (PGM) that all score a CVSS 9.8 and should be patched within 24 hours.

Other vulnerabilities to prioritize include a Microsoft Exchange Server vulnerability that scores a CVSS 8.8 which attackers could use to target server accounts in an arbitrary or remote code execution and gain access. And there’s a Windows TPM Device Driver vulnerability that Microsoft notes is more likely to be exploited because no user interaction is needed, and via which a successful attacker could gain SYSTEM privileges.

Read on for details…and happy patching!

Microsoft SharePoint Server Elevation of Privilege Vulnerability [CRITICAL]

CVE-2023-29357 is a critical elevation of privilege, or privilege escalation, vulnerability that affects Microsoft Sharepoint Server 2019. This vulnerability scores a CVSS 9.8 with a successful attacker able to gain administrator privileges.

In this instance, an attacker who gains access to spoofed JWT authentication tokens can then use them to execute a network attack, which bypasses authentication and allows them to gain access to the privileges of an authenticated user. The attacker needs no privileges nor does the user need to perform any action.

Exfiltration of sensitive information is a priority for both criminal and state espionage actors. Therefore, mass exploitation against public-facing SharePoint instances in the near future is likely. Further, an actor is likely to exploit this vulnerability shortly after gaining access to a given internal corporate system, which reduces the potential response time before data is stolen.

On-prem customers who have enabled the AMSI feature are protected from this vulnerability, but all others should patch within 24 hours to avoid exploitation. – Jason Kikta, CISO/CIO

Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability [CRITICAL]

This is a critical remote code execution vulnerability that scores a CVSS 9.8 and affects Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022.

Windows Pragmatic General Multicast (PGM) is a protocol developed by Microsoft that facilitates reliable multicast communication over IP networks. When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.

The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine.

This is one of three critical PGM RCE vulnerabilities this month. We recommend patching this vulnerability as well as CVE-2023-32015 and CVE-2023-32014 within 24 hours if you are running PGM. – Tom Bowyer, Product Security

Microsoft Exchange Server Remote Code Execution Vulnerability [IMPORTANT]

Two more Exchange Server vulnerabilities hit this month. CVE-2023-32031 is one of them and is an important vulnerability with a CVSS 8.8 that affects Microsoft Exchange Server 2016 and 2019. The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution to gain access. As an authenticated user, the attacker could then attempt to trigger malicious code in the context of the server's account through a network call. 

With low attack complexity and privileges and no user interaction required, we recommend patching this one and CVE-2023-28310 within 24 hours to avoid exploitation. – Jason Kikta, CISO/CIO

Windows TPM Device Driver Elevation of Privilege Vulnerability [IMPORTANT]

CVE-2023-29360 is another elevation of privilege vulnerability that scores a CVSS 7.8 and which Microsoft notes is more likely to be exploited. 

TPM is a Windows hardware-based security feature that provides a secure environment for cryptographic operations, key management, and other security-related functions. In this scenario, no user interaction is needed for exploitation, and a successful attacker could gain SYSTEM privileges.

We recommend patching Windows 10, Windows 11, and Windows Server 2016, 2019, and 2022 within 72 hours. – Tom Bowyer, Product Security