In October 2023, Microsoft released its latest Patch Tuesday update, addressing 103 security vulnerabilities. Of these, 12 are rated critical, and three are zero-day vulnerabilities under active exploitation. Notably, one of these zero-days is the flaw behind the Rapid Reset DDoS attacks, which underlines how significant those attacks have become.
In the October 2023 Patch Tuesday release, the following types of vulnerabilities are included:
- 45 Remote Code Execution (RCE) Vulnerabilities
- 26 Elevation of Privilege (EoP) Vulnerabilities
- 16 Denial of Service (DoS) Vulnerabilities
- 12 Information Disclosure Vulnerabilities
- 3 Security Feature Bypass Vulnerabilities
- 1 Cross-Site Scripting (XSS) Vulnerability
Actively Exploited Zero-Day Vulnerabilities: CVE-2023-36563, CVE-2023-41763, and CVE-2023-44487
In this month’s Patch Tuesday, three zero-day vulnerabilities that are currently being actively exploited are addressed. The first two are:
CVE-2023-36563 (CVSS Score: 6.5): This vulnerability is an information disclosure flaw in WordPad that can expose NTLM hashes when exploited. It can be exploited in two ways. The first is to convince a local user, through social engineering, to open a specially crafted malicious file. The second is to run a specially crafted application that exploits the vulnerability and takes control of the affected system.
CVE-2023-41763 (CVSS Score: 5.3): A specially crafted network call to the target Skype for Business server could lead to parsing an HTTP request to an arbitrary address, potentially revealing IP addresses and/or port numbers. Successful exploitation could grant the attacker access to sensitive information, and in some cases, access to internal networks.
The third zero-day vulnerability, identified as CVE-2023-44487, has been disclosed as a non-Microsoft CVE. Further details can be found in the following section.
Zero-Day Vulnerability in HTTP/2: ‘Rapid Reset’ (CVE-2023-44487)
CVE-2023-44487 (CVSS Score: 7.5): Published as a non-Microsoft CVE, this vulnerability affects internet-exposed HTTP/2 endpoints, resulting in a Denial-of-Service situation due to excessive server resource consumption. This arises from the rapid reset of multiple streams upon request cancellation.
The vulnerability is also known as ‘Rapid Reset’, and it has been actively exploited in the wild between August and October 2023.
Although Microsoft’s advisory lacks in-depth information regarding this vulnerability, it provides some workarounds:
- Disable the HTTP/2 protocol on your web server using the Registry Editor.
- Add a protocols setting for each Kestrel endpoint to confine your application to HTTP/1.1.
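The first workaround, disabling HTTP/2 in the HTTP.sys listener that IIS uses, as an added PowerShell example that is not from Microsoft's advisory or this post. It assumes the documented HTTP.sys registry values EnableHttp2Tls and EnableHttp2Cleartext (REG_DWORD, 0 = disabled, absent = Windows default of enabled); run it elevated, and reboot afterwards, since HTTP.sys only reads these values at start-up.

```powershell
# Added example (not Microsoft's or the post's code): report, and optionally apply,
# the "disable HTTP/2" registry workaround for CVE-2023-44487 on an IIS/HTTP.sys host.
# Assumed registry location and value names per Microsoft's HTTP/2 configuration guidance.
param([switch]$Apply)   # without -Apply the script only reports the current state

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$values = @{ EnableHttp2Tls = 0; EnableHttp2Cleartext = 0 }   # 0 = HTTP/2 off

function Get-Http2State {
    # A missing value means the Windows default, i.e. HTTP/2 is enabled.
    foreach ($name in $values.Keys) {
        $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $state = 'not set (HTTP/2 enabled)'
        if ($null -ne $item) { $state = $item.$name }
        [pscustomobject]@{ Setting = $name; Value = $state }
    }
}

function Disable-Http2 {
    foreach ($name in $values.Keys) {
        # -Force overwrites an existing value; otherwise New-ItemProperty creates it.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                         -Value $values[$name] -Force | Out-Null
    }
}

Write-Host 'HTTP.sys HTTP/2 settings before:'
Get-Http2State | Format-Table -AutoSize
if ($Apply) {
    Disable-Http2
    Write-Host 'HTTP.sys HTTP/2 settings after (reboot required to take effect):'
    Get-Http2State | Format-Table -AutoSize
}
```

For the second workaround, a Kestrel application can be pinned to HTTP/1.1 by setting Kestrel's EndpointDefaults:Protocols configuration value to Http1 (or Protocols on each endpoint) rather than touching the registry.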
How Does the Rapid Reset Attack Work?
The attack entails sending a predefined number of HTTP requests, starting with HEADERS and followed by RST_STREAM, and repeating this pattern to generate substantial traffic directed at the targeted HTTP/2 servers. Attackers bundle multiple HEADERS and RST_STREAM frames within a single connection, resulting in a substantial increase in requests per second and elevated CPU usage on the servers. This increased workload can ultimately deplete resources, leading to a DDoS attack.
This attack is known as ‘Rapid Reset’ because it abuses a client’s ability to send an RST_STREAM frame immediately after the HEADERS frame that opened a request. The server begins processing the request, and the reset promptly cancels it, while the HTTP/2 connection itself stays open.
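The HEADERS-then-RST_STREAM signature described above, seen from the defender’s side: an added PowerShell example (not from Microsoft or this post) that scans a constructed per-frame log and flags clients that cancel almost every request they open within the same second. The log format and the thresholds are assumptions; real traffic volumes and tuning depend on the server.

```powershell
# Added example (not Microsoft's or the post's code): flag the Rapid Reset pattern in
# HTTP/2 frame logs. Hypothetical log format: "<epoch-seconds> <client> <stream-id> <frame-type>".
# Constructed sample: 10.0.0.5 resets every stream it opens; 10.0.0.9 behaves normally.
$log = @'
1697000000 10.0.0.5 1 HEADERS
1697000000 10.0.0.5 1 RST_STREAM
1697000000 10.0.0.5 3 HEADERS
1697000000 10.0.0.5 3 RST_STREAM
1697000000 10.0.0.5 5 HEADERS
1697000000 10.0.0.5 5 RST_STREAM
1697000000 10.0.0.5 7 HEADERS
1697000000 10.0.0.5 7 RST_STREAM
1697000000 10.0.0.5 9 HEADERS
1697000000 10.0.0.5 9 RST_STREAM
1697000000 10.0.0.9 1 HEADERS
1697000001 10.0.0.9 3 HEADERS
1697000001 10.0.0.9 1 RST_STREAM
'@

function Find-RapidReset {
    # MinHeaders and ResetRatio are toy thresholds for the sample; production values
    # should be far higher and set from the server's normal cancellation rate.
    param([string[]]$Lines, [int]$MinHeaders = 5, [double]$ResetRatio = 0.8)
    $stats = @{}
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $ts, $client, $stream, $type = $line.Trim() -split '\s+'
        $k = "$client|$ts"                       # one bucket per client per second
        if (-not $stats.ContainsKey($k)) { $stats[$k] = @{ Headers = 0; Resets = 0 } }
        switch ($type) {
            'HEADERS'    { $stats[$k].Headers += 1 }
            'RST_STREAM' { $stats[$k].Resets  += 1 }
        }
    }
    foreach ($k in $stats.Keys) {
        $s = $stats[$k]
        if ($s.Headers -ge $MinHeaders -and ($s.Resets / $s.Headers) -ge $ResetRatio) {
            $client, $ts = $k -split '\|'
            [pscustomobject]@{ Client = $client; Second = $ts; Headers = $s.Headers; Resets = $s.Resets }
        }
    }
}

Find-RapidReset -Lines ($log -split "`r?`n") | Format-Table -AutoSize
```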
Microsoft emphasizes that this HTTP DDoS activity primarily targets layer 7, rather than layer 3 or 4. Therefore, adopting protective measures against layer 7 DDoS attacks is also recommended.
What are the Critical Vulnerabilities Addressed in October 2023 Patch Tuesday?
In the October 2023 Patch Tuesday update, Microsoft has addressed a total of 12 critical vulnerabilities, all of which are Remote Code Execution (RCE) vulnerabilities. Nine of these vulnerabilities affect the Windows Layer 2 Tunneling Protocol, with the following CVE identifiers:
Two more critical CVEs, CVE-2023-35349 and CVE-2023-36697, are vulnerabilities in Microsoft Message Queuing (MSMQ).
CVE-2023-35349 (CVSS Score: 9.8): While the advisory lacks specific details about the attack vector, it notes that a system is only susceptible if MSMQ is enabled. To check whether a host is affected, see whether a service named Message Queuing is running and whether TCP port 1801 is listening on the machine.
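The two-part exposure check above (Message Queuing service running, TCP 1801 listening), as an added PowerShell example that is not from the advisory or this post. It assumes the MSMQ service name is MSMQ (display name "Message Queuing") and uses Get-Service and Get-NetTCPConnection, so it runs on Windows 8 / Server 2012 or later.

```powershell
# Added example (not Microsoft's or the post's code): report whether this host meets
# both conditions the advisory gives for CVE-2023-35349 exposure. Returns an object so
# the check can be collected across a fleet (e.g. via Invoke-Command).
function Test-MsmqExposure {
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue   # display name: Message Queuing
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)

    $running   = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $listening = $listeners.Count -gt 0
    # A listener bound only to loopback is still a listener, so report the addresses too.
    $addresses = ($listeners | ForEach-Object { $_.LocalAddress } | Sort-Object -Unique) -join ', '

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServicePresent   = ($null -ne $svc)
        ServiceRunning   = $running
        Port1801Listen   = $listening
        ListenAddresses  = $addresses
        Exposed          = $running -and $listening
    }
}

$result = Test-MsmqExposure
$result | Format-List
if ($result.Exposed) {
    Write-Warning 'Message Queuing is running and TCP 1801 is listening: apply the October 2023 update, or disable MSMQ / block 1801 where it is not needed.'
}
```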
CVE-2023-36697 (CVSS Score: 6.8): A successful exploitation of this vulnerability allows a remote, authenticated domain user to execute arbitrary code on the target server. The attacker must either convince a user on the target machine to connect to a malicious server or compromise a legitimate MSMQ server host and manipulate it into functioning as a malicious server. As it demands valid domain credentials and user interaction on the target machine, the CVSS score is lower for this vulnerability.
The last critical vulnerability is a container escape issue affecting the Microsoft Virtual Trusted Platform Module (vTPM).
CVE-2023-36718 (CVSS Score: 7.8): This vulnerability affects vTPM and, if successfully exploited, can lead to an escape from a contained execution environment. To carry out this exploit, the attacker needs initial access to the vulnerable virtual machine. The advisory specifies that exploitation of CVE-2023-36718 is feasible when authenticated as a guest mode user.