Last updated Fri, 13 Oct 2023 19:49:54 GMT
Microsoft is addressing 105 vulnerabilities this October 2023 Patch Tuesday, including three zero-day vulnerabilities, twelve critical remote code execution (RCE) vulnerabilities, and one republished third-party vulnerability.
WordPad: zero-day NTLM hash disclosure
Another Patch Tuesday, another zero-day that leaks NTLM hashes, this time in WordPad. The advisory for CVE-2023-36563 describes two possible attack vectors:
- Luring a user into opening a specially crafted malicious file, delivered via email, instant messaging, or some other means; or
- Running a custom application designed to trigger the vulnerability.
The advisory itself offers little more detail, but for full exploitation the attacker would either need prior access to the system, or would need some way of capturing the NTLM hash as part of the attack. Microsoft has published more detail on the attack mechanism in KB5032314, along with mitigation strategies. WordPad is vulnerable because of its use of the OleConvertOLESTREAMToIStorage and OleConvertOLESTREAMToIStorageEx Windows API functions, so the same is presumably true of other applications which make use of those functions.
Perhaps coincidentally, perhaps not, Microsoft announced last month that WordPad is no longer being updated and will be removed in a future version of Windows, although no specific timeline has been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.
Skype for Business Server: zero-day information disclosure
Defenders responsible for a Skype for Business server should take note of an exploited-in-the-wild information disclosure vulnerability for which public exploit code exists. Successful exploitation of CVE-2023-41763 via a specially crafted network call could result in the disclosure of IP addresses and/or port numbers. Although Microsoft does not specify the scope of the disclosure, it will presumably be limited to whatever the Skype for Business server can itself see; as always, proper network segmentation offers defence-in-depth benefits here.
ASP.NET Kestrel web server: zero-day denial of service
Rounding out this month's trio of exploited-in-the-wild vulnerabilities: the cross-platform Kestrel web server for ASP.NET Core receives a fix for CVE-2023-44487, a denial of service vulnerability.
CVE-2023-44487 is perhaps of less concern to defenders unless the Kestrel instance is internet-facing. Known as "HTTP/2 Rapid Reset", the vulnerability is not specific to Microsoft but is inherent to HTTP/2, so any other HTTP/2 server in the environment needs the equivalent fix from its own vendor. Exploitation abuses the lack of bounds on HTTP/2 request cancellation: a client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM, and since the server has already begun work on each request, repeating this at a high rate brings about severe load on the server at very low cost to the attacker.
In the advisory, Microsoft provides essentially no information about the attack vector beyond the fact that the vulnerability is specific to HTTP/2, but it does propose two potential workarounds:
- Disabling the HTTP/2 protocol via a Windows Registry modification; and/or
- Restricting the protocols offered by each Kestrel endpoint so as to exclude HTTP/2.
Downgrading to HTTP/1.1 may result in a significant performance hit. Microsoft recommends patching promptly, whether or not the workarounds have been applied.
N.B. In the Microsoft advisory, a hyperlink attached to the word "workarounds" does not resolve to anything specific, and Kestrel is misspelled as "Kestral" more than once, although these issues will likely be resolved soon.
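As an added example (not code from the Rapid7 post or from Microsoft's advisory), the PowerShell script below audits the two workarounds above on a Windows host, and applies the registry one when asked. The registry change only affects servers built on HTTP.sys (IIS, and ASP.NET Core apps hosted in-process in IIS or on the HTTP.sys server); Kestrel owns its own sockets, so for Kestrel the relevant workaround is the per-endpoint protocol setting, which the script looks for in an `appsettings.json`. The registry key and the `EnableHttp2Tls` / `EnableHttp2Cleartext` value names are the ones Microsoft documents for disabling HTTP/2 in HTTP.sys; the `-Apply` switch, the function names and the `appsettings.json` path are assumptions of this example.

```powershell
# Added example, not part of the Rapid7 post or the Microsoft advisory.
# Audits (and with -Apply, applies) the CVE-2023-44487 workarounds on a Windows host.
# Run from an elevated PowerShell session.
param(
    [switch]$Apply,                               # write the registry values instead of only reporting
    [string]$AppSettings = '.\appsettings.json'   # Kestrel configuration to inspect, if present (assumed path)
)

$httpSysKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$httpSysValues = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

function Get-HttpSysHttp2State {
    # One object per registry value. An absent value means the HTTP.sys default,
    # which is HTTP/2 enabled, so "absent" is reported as Enabled = True.
    foreach ($name in $httpSysValues) {
        $current = (Get-ItemProperty -Path $httpSysKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Value   = $name
            Present = $null -ne $current
            Enabled = ($null -eq $current) -or ($current -ne 0)
        }
    }
}

function Disable-HttpSysHttp2 {
    # DWORD 0 turns HTTP/2 off for TLS and cleartext listeners respectively.
    # HTTP.sys reads these values at start-up, so a reboot is needed afterwards.
    foreach ($name in $httpSysValues) {
        Set-ItemProperty -Path $httpSysKey -Name $name -Value 0 -Type DWord
    }
}

function Get-KestrelHttp2Endpoints {
    param([Parameter(Mandatory)][string]$Path)
    # Kestrel's default when "Protocols" is unset is Http1AndHttp2, so a missing key
    # counts as HTTP/2-capable. Only Kestrel:EndpointDefaults:Protocols and
    # Kestrel:Endpoints:<name>:Protocols are inspected; protocols set in code
    # (ConfigureEndpointDefaults / ListenOptions.Protocols) are not visible here.
    $cfg = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $defaults = $cfg.Kestrel.EndpointDefaults.Protocols
    if (-not $defaults) { $defaults = 'Http1AndHttp2' }
    $endpoints = @()
    if ($cfg.Kestrel.Endpoints) {
        foreach ($ep in $cfg.Kestrel.Endpoints.PSObject.Properties) {
            $proto = if ($ep.Value.Protocols) { $ep.Value.Protocols } else { $defaults }
            $endpoints += [pscustomobject]@{ Endpoint = $ep.Name; Protocols = $proto; Http2 = [bool]($proto -match 'Http2') }
        }
    } else {
        $endpoints += [pscustomobject]@{ Endpoint = '(EndpointDefaults)'; Protocols = $defaults; Http2 = [bool]($defaults -match 'Http2') }
    }
    $endpoints
}

'HTTP.sys (IIS / HTTP.sys-hosted ASP.NET Core):'
Get-HttpSysHttp2State | Format-Table -AutoSize

if (Test-Path $AppSettings) {
    "Kestrel endpoints in $AppSettings (Http2 = True means the endpoint still negotiates HTTP/2):"
    Get-KestrelHttp2Endpoints -Path $AppSettings | Format-Table -AutoSize
}

if ($Apply) {
    Disable-HttpSysHttp2
    Write-Warning 'HTTP/2 disabled in HTTP.sys; reboot to take effect. Clients fall back to HTTP/1.1, with the performance cost noted above.'
}
```

For a Kestrel endpoint that the script flags, the corrected setting is `"Kestrel": { "EndpointDefaults": { "Protocols": "Http1" } }` in `appsettings.json`, or `options.ConfigureEndpointDefaults(o => o.Protocols = HttpProtocols.Http1)` in code; either way the host should still receive the patch, since the workaround trades away HTTP/2 rather than fixing the flaw.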
Layer 2 Tunneling Protocol: many critical RCEs
Twelve critical RCE vulnerabilities sounds like a lot, and it is. Fully three-quarters of them, nine of the twelve, are in the same Windows component, the Layer 2 Tunneling Protocol, which has already received fixes for a significant number of critical RCEs in recent months. Exploitation of each of this month's Layer 2 Tunneling Protocol critical RCEs (CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, CVE-2023-41774 and CVE-2023-38166) is via a specially crafted protocol message sent to a Routing and Remote Access Service (RRAS) server.
If there is a silver lining, it is that the acknowledgements for almost all of these vulnerabilities cite Microsoft's Network Security and Containers (NSC) team; a reasonable inference is that Microsoft is directing significant resources towards security research and patching in this area. Since CVEs within a batch are typically assigned sequentially, and there are gaps in this sequence, another reasonable inference is that other similar as-yet-unpublished vulnerabilities have probably been identified and reported to MSRC.
Windows MSMQ: critical RCE
CVE-2023-35349 describes an RCE vulnerability in the Message Queuing service. Microsoft does not describe the attack vector, but other similar vulnerabilities require that the attacker send a specially crafted malicious MSMQ packet to an MSMQ server. One mitigating factor: the Microsoft Message Queuing service must be enabled and listening on TCP port 1801 for an asset to be vulnerable, and the Message Queuing service is not installed by default. As Rapid7 has noted previously, however, a number of applications, Microsoft Exchange among them, may quietly introduce MSMQ as part of their own installation routine.
Another MSMQ RCE vulnerability also received a patch this month: CVE-2023-36697 has a lower CVSS score than its sibling, both because valid domain credentials are required, and because exploitation requires that a user on the target machine connect to a malicious server. Alternatively, Microsoft suggests that an attacker could compromise a legitimate MSMQ server host and make it run as a malicious server to exploit this vulnerability, although it is not immediately clear how the attacker could do that without already having significant control over the MSMQ host.
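As an added example (not from the Rapid7 post), the PowerShell script below checks whether a host exposes the two services behind this month's L2TP and MSMQ critical RCEs: whether RRAS is installed and running, and whether MSMQ is present and bound to TCP 1801. It also looks for an L2TP listener on UDP 1701; that port is the standard L2TP port rather than something stated in the advisories. Service names (`RemoteAccess`, `MSMQ`) and feature names (`RemoteAccess`, `MSMQ-Server`) are the standard Windows ones; the function names are this example's own.

```powershell
# Added example, not part of the Rapid7 post. Reports whether this host exposes
# the RRAS (L2TP) and MSMQ attack surfaces discussed above. Run elevated.

function Get-ServiceState {
    param([Parameter(Mandatory)][string]$Name)
    # Returns 'not installed' when the service does not exist at all.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not installed' }
    "$($svc.Status) (start type: $($svc.StartType))"
}

function Get-Listener {
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )
    # One object per socket bound to the port; no output means nothing is listening.
    $sockets = if ($Protocol -eq 'TCP') {
        Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    } else {
        Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    }
    foreach ($s in $sockets) {
        $proc = Get-Process -Id $s.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol     = $Protocol
            LocalAddress = $s.LocalAddress      # 0.0.0.0 or :: means every interface
            Port         = $s.LocalPort
            Pid          = $s.OwningProcess
            Process      = $proc.ProcessName
        }
    }
}

$report = [ordered]@{
    'RRAS service (RemoteAccess)' = Get-ServiceState -Name 'RemoteAccess'
    'MSMQ service (MSMQ)'         = Get-ServiceState -Name 'MSMQ'
}
# Get-WindowsFeature only exists on Server SKUs (ServerManager module).
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $report['Remote Access role installed']  = (Get-WindowsFeature -Name RemoteAccess).Installed
    $report['MSMQ Server feature installed'] = (Get-WindowsFeature -Name MSMQ-Server).Installed
}
$report.GetEnumerator() | Format-Table -AutoSize

# L2TP control traffic is UDP 1701 (L2TP/IPsec additionally uses UDP 500/4500);
# MSMQ's native protocol is TCP 1801.
$listeners = @(Get-Listener -Port 1701 -Protocol UDP) + @(Get-Listener -Port 1801 -Protocol TCP)
if ($listeners) {
    $listeners | Format-Table -AutoSize
} else {
    'No L2TP (UDP 1701) or MSMQ (TCP 1801) listeners found.'
}
```

A host that reports MSMQ as running and bound to 0.0.0.0:1801 without anyone having deliberately installed it is exactly the case the post warns about; the owning process name helps trace which installer brought it in.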
Microsoft vTPM: container escape
The final constituent of this month's dozen patched critical RCE vulnerabilities is rather more exotic: CVE-2023-36718 describes a vulnerability in the Microsoft Virtual Trusted Platform Module (vTPM), a TPM 2.0-compatible virtualized version of a hardware TPM offered as a feature of Azure confidential VMs. Successful exploitation could lead to a container escape. The attacker would first need access to a vulnerable VM, and the advisory notes that exploitation is possible when authenticated as a guest-mode user. On the bright side, Microsoft assesses attack complexity as high, since successful exploitation would rely upon complex memory-shaping techniques.
Exchange (as per tradition): RCE
Exchange administrators should note the existence of CVE-2023-36778, a same-network RCE vulnerability present in all current versions of Exchange Server. Successful exploitation requires that the attacker be on the same network as the Exchange Server host and use valid credentials for an Exchange user in a PowerShell remoting session. By default, PowerShell Remoting only permits connections from members of the Administrators group (and, on current versions of Windows, the Remote Management Users group), and the relevant Windows Firewall rule for connections via public networks rejects connections from outside the local subnet. Defenders may wish to review these rules to ensure that they have not been loosened beyond the default. Note that Exchange's own remote PowerShell endpoint (the /PowerShell virtual directory) is served over HTTP(S) by IIS rather than by the default WinRM listener, so reviewing the WinRM rules alone does not cover every path to an Exchange remoting session.
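As an added example (not from the Rapid7 post), the following PowerShell shows whether the two defaults relied on above are still in place on a host: who is allowed to open a PowerShell remoting session, and which remote addresses the inbound WinRM firewall rules accept. It reads the session-configuration ACLs with `Get-PSSessionConfiguration` (which requires an elevated session) and the firewall rules in the built-in "Windows Remote Management" display group; the function names and the `Widened` heuristic are this example's own.

```powershell
# Added example, not part of the Rapid7 post. Reviews the PowerShell Remoting
# defaults that CVE-2023-36778 exploitation has to get past. Run elevated.

function Get-RemotingPermissions {
    # Each session configuration with its permission string. The default
    # Microsoft.PowerShell endpoint allows BUILTIN\Administrators and
    # BUILTIN\Remote Management Users; any other principal listed here was added.
    Get-PSSessionConfiguration | Select-Object Name, Permission
}

function Get-WinRMFirewallScope {
    # Each inbound WinRM rule with its profile and remote-address scope. The
    # public-profile rule ships scoped to LocalSubnet; 'Any' means it was widened.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $_.Name
                Enabled       = $_.Enabled
                Profile       = $_.Profile
                RemoteAddress = ($addr.RemoteAddress -join ',')
                # Only the public-profile rule is scoped by default, so only that
                # one is judged: True means it no longer restricts to LocalSubnet.
                Widened       = ("$($_.Profile)" -match 'Public') -and
                                ($addr.RemoteAddress -notcontains 'LocalSubnet')
            }
        }
}

'Who may open a remoting session:'
Get-RemotingPermissions | Format-Table -AutoSize

'Inbound WinRM firewall rules:'
Get-WinRMFirewallScope | Format-Table -AutoSize
```

Any `Permission` entry beyond the built-in groups, or a public-profile rule with `Widened = True`, is a deviation from the defaults the post describes and worth explaining before assuming the same-network requirement still limits exposure.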
Office: LPE
Microsoft Office receives a patch for CVE-2023-36569, a local privilege escalation (LPE) vulnerability. Successful exploitation could yield SYSTEM privileges, but Microsoft notes that the Preview Pane is not a vector. The advisory does not provide much more information; patches are available for Office 2019, Office 2021, and Microsoft 365 Apps for Enterprise. Office 2016 is not listed, which may mean that it is not vulnerable, or may mean that patches will be made available later.
Server 2012 & Server 2012 R2: end of support unless you pay for ESU
Today is the final Patch Tuesday for Windows Server 2012 and Windows Server 2012 R2. The only way to receive security updates for these versions of Windows from now on is to subscribe to Microsoft's last-resort Extended Security Updates (ESU) program. In all cases, both Microsoft and Rapid7 recommend upgrading to a newer version of Windows as soon as possible.
Windows 11 21H2: mostly end of support
Windows 11 21H2 Home, Pro, Pro Education, Pro for Workstations and SE editions have passed the end of support. There is no ESU program for Windows 11 client operating systems, so Windows 11 21H2 assets running the editions listed above are insecure-by-default from now on. However, Windows 11 21H2 Enterprise and Education remain in mainstream support until 2024-10-08. If you find this confusing, you are not alone.
Summary Charts
Summary Table
Azure vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36415 | Azure Identity SDK Remote Code Execution Vulnerability | No | No | 8.8 |
CVE-2023-36414 | Azure Identity SDK Remote Code Execution Vulnerability | No | No | 8.8 |
CVE-2023-36419 | Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability | No | No | 8.8 |
CVE-2023-36418 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36737 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | No | No | 7.8 |
Azure Developer Tools vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36561 | Azure DevOps Server Elevation of Privilege Vulnerability | No | No | 7.3 |
Browser vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-5346 | Chromium: CVE-2023-5346 Type Confusion in V8 | No | No | N/A |
ESU vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36790 | Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
Exchange Server vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36778 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 8 |
Microsoft Dynamics vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36433 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | No | No | 6.5 |
CVE-2023-36429 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | No | No | 6.5 |
CVE-2023-36566 | Microsoft Common Data Model SDK Denial of Service Vulnerability | No | No | 6.5 |
CVE-2023-36416 | Microsoft Dynamics 365 (On-Premises) Cross-Site Scripting Vulnerability | No | No | 6.1 |
Microsoft Office vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36569 | Microsoft Office Elevation of Privilege Vulnerability | No | No | 8.4 |
CVE-2023-36789 | Skype for Business Remote Code Execution Vulnerability | No | No | 7.2 |
CVE-2023-36786 | Skype for Business Remote Code Execution Vulnerability | No | No | 7.2 |
CVE-2023-36780 | Skype for Business Remote Code Execution Vulnerability | No | No | 7.2 |
CVE-2023-36565 | Microsoft Office Graphics Elevation of Privilege Vulnerability | No | No | 7 |
CVE-2023-36568 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | No | No | 7 |
CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability | Yes | Yes | 5.3 |
SQL Server vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36417 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36730 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36785 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36420 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36728 | Microsoft SQL Server Denial of Service Vulnerability | No | No | 5.5 |
Windows vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36704 | Windows Setup Files Cleanup Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36711 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36725 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36723 | Windows Container Manager Service Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-41772 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36557 | PrintHTML API Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36729 | Named Pipe File System Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36718 | Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36701 | Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36603 | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36720 | Windows Mixed Reality Developer Tools Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36709 | Microsoft AllJoyn API Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36605 | Windows Named Pipe Filesystem Elevation of Privilege Vulnerability | No | No | 7.4 |
CVE-2023-36902 | Windows Runtime Remote Code Execution Vulnerability | No | No | 7 |
CVE-2023-38159 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7 |
CVE-2023-36721 | Windows Error Reporting Service Elevation of Privilege Vulnerability | No | No | 7 |
CVE-2023-36717 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability | No | No | 6.5 |
CVE-2023-36707 | Windows Deployment Services Denial of Service Vulnerability | No | No | 6.5 |
CVE-2023-36596 | Remote Procedure Call Information Disclosure Vulnerability | No | No | 6.5 |
CVE-2023-36576 | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 |
CVE-2023-36698 | Windows Kernel Security Feature Bypass Vulnerability | No | No | 3.6 |
Windows Developer Tools vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-38171 | Microsoft QUIC Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36435 | Microsoft QUIC Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-44487 | MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack | Yes | No | N/A |
Windows ESU vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36434 | Windows IIS Server Elevation of Privilege Vulnerability | No | No | 9.8 |
CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 9.8 |
CVE-2023-36577 | Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-36710 | Windows Media Foundation Core Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36436 | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36712 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36726 | Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36594 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-41766 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36732 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36731 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36743 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36598 | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36593 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36702 | Microsoft DirectMusic Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-36438 | Windows TCP/IP Information Disclosure Vulnerability | No | No | 7.5 |
CVE-2023-36602 | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36567 | Windows Deployment Services Information Disclosure Vulnerability | No | No | 7.5 |
CVE-2023-36606 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36581 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36579 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36431 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36703 | DHCP Server Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36585 | Active Template Library Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-36592 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36591 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36590 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36589 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36583 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36582 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36578 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36575 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36574 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36573 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36572 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36571 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36570 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 7.3 |
CVE-2023-36776 | Win32k Elevation of Privilege Vulnerability | No | No | 7 |
CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 6.8 |
CVE-2023-36564 | Windows Search Security Feature Bypass Vulnerability | No | No | 6.5 |
CVE-2023-29348 | Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability | No | No | 6.5 |
CVE-2023-36706 | Windows Deployment Services Information Disclosure Vulnerability | No | No | 6.5 |
CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability | Yes | Yes | 6.5 |
CVE-2023-36724 | Windows Power Management Service Information Disclosure Vulnerability | No | No | 5.5 |
CVE-2023-36713 | Windows Common Log File System Driver Information Disclosure Vulnerability | No | No | 5.5 |
CVE-2023-36584 | Windows Mark of the Web Security Feature Bypass Vulnerability | No | No | 5.4 |
CVE-2023-36722 | Active Directory Domain Services Information Disclosure Vulnerability | No | No | 4.4 |
Updates
- 2023-10-11: Added detail on the location of the CVE-2023-36563 vulnerability.
- 2023-10-11: Expanded the discussion of the mechanism and risk of CVE-2023-44487.