Windows PGM Accounts for Half of Patch Tuesday’s Critical Flaws


Microsoft’s Patch Tuesday for June 2023 addresses 78 vulnerabilities, a significant increase from last month’s total of 37. While six of the flaws are critical, Microsoft says none are currently being exploited in the wild.

The six critical vulnerabilities are as follows:

  • CVE-2023-24897, a remote code execution vulnerability in .NET, .NET Framework, and Visual Studio, with a CVSS score of 7.8
  • CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server, with a CVSS score of 9.8
  • CVE-2023-29363, CVE-2023-32014 and CVE-2023-32015, three remote code execution vulnerabilities in Windows Pragmatic General Multicast (PGM), each with a CVSS score of 9.8
  • CVE-2023-32013, a denial of service vulnerability in Windows Hyper-V, with a CVSS score of 6.5

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted in a blog post that this is the third month in a row in which Windows Pragmatic General Multicast (PGM) has had a flaw addressed with a CVSS score of 9.8. “While not enabled by default, PGM isn’t an uncommon configuration,” he wrote. “Let’s hope these bugs get fixed before any active exploitation starts.”

Action1 vice president of vulnerability and threat research Mike Walters separately observed that the three PGM flaws can be exploited over the network without requiring privileges or user interaction.

“To mitigate this vulnerability, consider checking if the Message Queuing service is running on TCP port 1801 and disable it if not needed,” Walters advised. “However, be cautious as this may impact system functionality. It is generally recommended to install the available patch instead of relying solely on mitigation strategies.”
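The check Walters describes can be scripted. The following is an added example, not code from the article or from Microsoft: a read-only PowerShell function that reports whether the Message Queuing service is installed, whether it is running, and whether anything is listening on TCP port 1801. The function name `Get-MsmqExposure` is hypothetical, and the script assumes the service is registered under the name `MSMQ`.

```powershell
# Added example: report whether Message Queuing (MSMQ) is installed, running,
# and listening on TCP 1801 on the local host. Read-only; it changes nothing.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801   # port named in the advice quoted above
    )

    # Assumption: the Message Queuing service is registered as 'MSMQ'.
    # The query returns nothing when the feature is not installed.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSMQ'" -ErrorAction SilentlyContinue

    # Any listener on the port, whichever process owns it.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)

    # Resolve the owning process names so an unexpected listener stands out.
    $owners = foreach ($l in $listeners) {
        (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MsmqInstalled  = [bool]$svc
        ServiceState   = if ($svc) { $svc.State } else { 'NotInstalled' }
        StartMode      = if ($svc) { $svc.StartMode } else { $null }
        Listening      = $listeners.Count -gt 0
        LocalAddresses = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
        OwningProcess  = ($owners | Sort-Object -Unique) -join ','
    }
}

$r = Get-MsmqExposure
$r | Format-List

if ($r.Listening -or $r.ServiceState -eq 'Running') {
    Write-Warning "MSMQ is active on $($r.ComputerName); confirm it is needed and that the June 2023 updates are installed."
    # If the service is not needed, an administrator could stop and disable it:
    #   Stop-Service -Name MSMQ; Set-Service -Name MSMQ -StartupType Disabled
}
```

A listener bound to `0.0.0.0` or `::` is reachable on every interface, so those hosts are the ones to patch or restrict first.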

Flaws in SharePoint, .NET, Visual Studio

Exploitation of the SharePoint Server flaw CVE-2023-29357, Walters noted, also requires no privileges or user interaction. “Customers using Microsoft Defender and the AMSI integration feature in their SharePoint Server farm(s) are protected against this vulnerability,” he wrote. “While there are no confirmed cases of exploitation yet, Microsoft warns that the likelihood of exploitation is high. It is essential for organizations using SharePoint 2019 to apply the patch to mitigate this serious vulnerability.”

Rapid7 lead software engineer Adam Barnett pointed out by email that while the FAQ provided with Microsoft’s advisory for CVE-2023-29357 states that both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable, no related patches are listed for SharePoint 2016.

“Defenders responsible for SharePoint 2016 will no doubt wish to follow up on this one as a matter of some urgency,” Barnett wrote. “Microsoft also explains that there may be more than one patch listed for a particular version of SharePoint, and that every patch must be installed to remediate this vulnerability (although order of patching doesn’t matter).”

Regarding CVE-2023-24897, Barnett observed that exploitation of the flaw in .NET, .NET Framework and Visual Studio requires the attacker to trick a victim into opening a specially-crafted malicious file.

“Although Microsoft has no knowledge of public disclosure or exploitation in the wild, and considers exploitation less likely, the long list of patches – going back as far as .NET Framework 3.5 on Windows 10 1607 – means that this vulnerability has been present for years,” he wrote.

Other Noteworthy Flaws

Ivanti vice president of security products Chris Goettl noted by email that two lower-severity flaws were also patched in Microsoft Exchange Server.

“CVE-2023-32031 could potentially trigger malicious code in the context of the server’s account through a network call,” Goettl wrote. “CVE-2023-28310 could allow the attacker to execute code via a PowerShell remoting session. Neither have been disclosed or exploited, but given the sophistication of threat actors who specialize in targeting Exchange Server, it is recommended not to let these linger for long.”

And Silverfort senior research tech lead Dor Segal said by email that CVE-2023-29362, a remote code execution vulnerability in Remote Desktop Client with a CVSS score of 8.8, is also worth noting.

“Using an RDP client can give admins a false sense of security: they can see what’s going on in a remote server or that client’s computer, but they believe themselves to be protected from malicious activity on the client’s end thanks to the RDP,” Segal said. “This vulnerability unfortunately proves that wrong.”

“CVE-2023-29362 allows an attacker who has compromised a Windows machine to attack and spread to any RDP client connected to that same machine,” Segal added. “In the case of admins or other privileged machines, this could potentially lead to compromise of the entire domain. It’s worth noting that patching is needed on the client’s side – not the server’s – so we recommend first patching privileged clients before moving on to the rest of the clients in the organization.”

Jeff Goldman
