June Patch Tuesday settles two Exchange Server bugs

Admins should prep for Kerberos protocol and Netlogon protocol changes

The planned rollout for updated protections related to the Kerberos protocol and the Netlogon protocol, which are both used in Windows environments for authentication and other security purposes, will test the mettle of many IT teams.

Microsoft disclosed a Windows Kerberos elevation-of-privilege vulnerability (CVE-2022-37967) on Nov. 8, 2022, related to Privilege Attribute Certificate (PAC) signatures. An attacker could escalate their privileges if they changed PAC signatures.

The first phase in the deployment in November added signatures to the Kerberos PAC buffer but did not check signatures in the authentication process. The "second deployment phase" released on December Patch Tuesday shifted Windows domain controllers to audit mode for Windows devices. The "third deployment phase" had been scheduled for April Patch Tuesday but changed to this month. Deploying the June Patch Tuesday security update will remove the option to disable PAC signature addition with a registry key setting.

On July Patch Tuesday, Microsoft will implement the "initial enforcement phase" of PAC signatures, which will still let admins perform an override. The last stage due in October will transition Windows devices to full enforcement mode to prevent disabling PAC signatures and deny authentication to devices without new PAC signatures.

Chris Goettl

"Admins need to make sure they are catching the events and confirming that either PAC signatures are in place and being properly validated or they need to do work in that area before July. Otherwise they could have a disruption or be held up on deploying any future security updates," said Chris Goettl, Ivanti vice president of security product management.

The other security hardening procedure centers on CVE-2022-38023, a Netlogon remote procedure call (RPC) elevation-of-privilege vulnerability that was also published on Nov. 8, 2022. The Netlogon RPC interface performs secure authentication for users and devices on the domain.

Microsoft released an update to the CVE for the "initial enforcement phase" on April Patch Tuesday, which prevented disabling the RPC sealing setting. June Patch Tuesday implemented the "enforcement by default" phase that put the RPC sealing registry key in "enforced" mode unless admins adjusted settings to use "compatibility" mode. At this point, clients with vulnerable connections will not be able to authenticate on the domain.

Microsoft plans to release the final stage of the Netlogon hardening procedure on July Patch Tuesday, when it will release a security update to implement the "enforcement phase" that removes the ability to run "compatibility mode."

Two Exchange Server vulnerabilities get top billing

Microsoft corrected two vulnerabilities in its server-based on-premises email platform this month. CVE-2023-28310 and CVE-2023-32031 are both remote-code execution vulnerabilities rated important but with high CVSS scores of 8.0 and 8.8 respectively.

With both vulnerabilities, the threat actor needs to be authenticated to carry out any attack. By exploiting CVE-2023-28310, the attacker can perform remote-code execution through a PowerShell remoting session. By utilizing the CVE-2023-32031 vulnerability, an attacker could run malicious code by using the server account via a network call.

"With the sophistication of the threat actors who specialize in Exchange Server attacks, I would not leave these two vulnerabilities unpatched for long," Goettl said. "The risk is high based on those types of attackers and how effective they've been at reverse engineering and exploiting Exchange vulnerabilities."

Multiple Microsoft developer tools get fixes

As the level of complexity expands in the enterprise with more interconnecting components, utilities and libraries, so do the number of products that require security fixes.

On June Patch Tuesday, Microsoft released more than 15 security updates for its developer tools, including the Visual Studio code editor, the .NET Framework, NuGet Client and Azure DevOps Server.

Microsoft also listed three AutoDesk software vulnerabilities (CVE-2023-27909, CVE-2023-27910 and CVE-2023-27911) and five GitHub CVEs (CVE-2023-25652, CVE-2023-25815, CVE-2023-29007, CVE-2023-29011 and CVE-2023-29012) in its Security Update Guide. While these are not Microsoft products, they are used in conjunction with Visual Studio. The notes in the CVEs indicated that updates to Visual Studio protected it from these third-party vulnerabilities.

Goettl said the ever-growing number of tools and services that organizations have integrated into their development workflow has also expanded the enterprise attack surface, which has made it difficult to detect where vulnerabilities might lie.

"Cyber asset attack surface management is one of those tools that tries to pull in even more pieces to get that 360-degree view of not just the servers and workstations but [also] the containers, cloud infrastructure and configuration vulnerabilities," he said. "This is still a blind spot for way too many organizations."

Other security updates of note for June Patch Tuesday

Microsoft patched three Windows Pragmatic General Multicast remote-code execution vulnerabilities (CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015) rated critical with a CVSS rating of 9.8. These vulnerabilities affect Windows desktop and server systems. If administrators cannot patch quickly, they can mitigate this vulnerability by disabling the Windows message queuing service.

A Microsoft SharePoint Server elevation-of-privilege vulnerability (CVE-2023-29357) rated critical has a CVSS score of 9.8. The threat actor must be on the network but does not need user interaction to exploit this vulnerability and gain administrator privileges. Admins who enabled the Antimalware Scan Interface and use Microsoft Defender on their SharePoint Server farms are safe from this bug.