Today’s VERT Alert addresses Microsoft’s August 2023 Security Updates, which includes a recently introduced release notes format. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1068 on Wednesday, August 9th.
In-The-Wild & Disclosed CVEs
A vulnerability in Kestrel could allow for a denial of service. Kestrel is the cross-platform web server that is included with (and enabled by default in) ASP.NET Core. When detecting a potentially malicious client, Kestrel will sometimes fail to disconnect said client, resulting in the denial of service. Microsoft has reported this vulnerability as Exploitation More Likely (but has also listed it as Exploited).
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted.
|
Tag |
CVE Count |
CVEs |
|
Windows System Assessment Tool |
1 |
CVE-2023-36903 |
|
Microsoft Windows |
1 |
CVE-2023-20569 |
|
Windows Cryptographic Services |
2 |
CVE-2023-36906, CVE-2023-36907 |
|
Windows Common Log File System Driver |
1 |
CVE-2023-36900 |
|
Azure Arc |
1 |
CVE-2023-38176 |
|
Microsoft Office SharePoint |
4 |
CVE-2023-36890, CVE-2023-36891, CVE-2023-36892, CVE-2023-36894 |
|
Windows Cloud Files Mini Filter Driver |
1 |
CVE-2023-36904 |
|
Microsoft Windows Codecs Library |
1 |
CVE-2023-38170 |
|
Windows LDAP - Lightweight Directory Access Protocol |
1 |
CVE-2023-38184 |
|
SQL Server |
1 |
CVE-2023-38169 |
|
Microsoft Office Visio |
3 |
CVE-2023-36865, CVE-2023-36866, CVE-2023-35372 |
|
Microsoft Teams |
2 |
CVE-2023-29328, CVE-2023-29330 |
|
Microsoft Office Excel |
2 |
CVE-2023-35371, CVE-2023-36896 |
|
Windows Wireless Wide Area Network Service |
1 |
CVE-2023-36905 |
|
Dynamics Business Central Control |
1 |
CVE-2023-38167 |
|
.NET Core |
2 |
CVE-2023-35390, CVE-2023-38178 |
|
Tablet Windows User Interface |
1 |
CVE-2023-36898 |
|
Windows Kernel |
5 |
CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, CVE-2023-38154 |
|
ASP.NET and Visual Studio |
1 |
CVE-2023-35391 |
|
Microsoft Exchange Server |
6 |
CVE-2023-35368, CVE-2023-38185, CVE-2023-21709, CVE-2023-35388, CVE-2023-38182, CVE-2023-38181 |
|
Microsoft Office |
1 |
CVE-2023-36897 |
|
Windows Defender |
1 |
CVE-2023-38175 |
|
Windows Bluetooth A2DP driver |
1 |
CVE-2023-35387 |
|
Windows Projected File System |
1 |
CVE-2023-35378 |
|
ASP .NET |
1 |
CVE-2023-38180 |
|
.NET Framework |
1 |
CVE-2023-36873 |
|
Microsoft WDAC OLE DB provider for SQL |
1 |
CVE-2023-36882 |
|
Microsoft Office Outlook |
2 |
CVE-2023-36893, CVE-2023-36895 |
|
Mariner |
1 |
CVE-2023-35945 |
|
Azure HDInsights |
5 |
CVE-2023-35393, CVE-2023-35394, CVE-2023-38188, CVE-2023-36877, CVE-2023-36881 |
|
Windows Message Queuing |
11 |
CVE-2023-36909, CVE-2023-36910, CVE-2023-36911, CVE-2023-36912, CVE-2023-36913, CVE-2023-35376, CVE-2023-38254, CVE-2023-35377, CVE-2023-35383, CVE-2023-35385, CVE-2023-38172 |
|
Windows Mobile Device Management |
1 |
CVE-2023-38186 |
|
Windows Group Policy |
1 |
CVE-2023-36889 |
|
Role: Windows Hyper-V |
1 |
CVE-2023-36908 |
|
ASP.NET |
1 |
CVE-2023-36899 |
|
Windows HTML Platform |
1 |
CVE-2023-35384 |
|
Microsoft Edge (Chromium-based) |
12 |
CVE-2023-4068, CVE-2023-4069, CVE-2023-4070, CVE-2023-4071, CVE-2023-4072, CVE-2023-4073, CVE-2023-4074, CVE-2023-4075, CVE-2023-4076, CVE-2023-4077, CVE-2023-4078, CVE-2023-38157 |
|
Windows Smart Card |
1 |
CVE-2023-36914 |
|
Windows Reliability Analysis Metrics Calculation Engine |
1 |
CVE-2023-35379 |
|
Azure DevOps |
1 |
CVE-2023-36869 |
|
Windows Fax and Scan Service |
1 |
CVE-2023-35381 |
|
Microsoft Dynamics |
1 |
CVE-2023-35389 |
|
Reliability Analysis Metrics Calculation Engine |
1 |
CVE-2023-36876 |
Other Information
At the time of publication, there were two new advisories included with the August Security Guidance.
Microsoft Office Defense in Depth Update [ADV230003]
Microsoft has released a defense in depth update for Microsoft Office that helps to stop the attack chain that allows for successful exploitation of the Windows Search security feature bypass (CVE-2023-36884).
Memory Integrity System Readiness Scan Tool Defense in Depth Update [ADV230004]
Microsoft has released a defense in depth update for the Memory Integrity System Readiness Scan Tool (hvciscan_amd64.exe and hvciscan_arm64.exe). When this tool, which checks for compatibility issues with memory integrity, was released, it was published without the resource information (the RSRC section). A new version has been released that addresses this issue.
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.
