Microsoft Patch Tuesday – October 2023

November 28, 2023
Musa Nadir Sani

Microsoft released its October 2023 edition of the Patch Tuesday update, also known as the Monthly Patch Tuesday. This month’s release contains 103 security vulnerabilities and two advisories. Nine of the vulnerabilities are rated critical, and five are zero-day vulnerabilities that are being actively exploited.

A breakdown of the vulnerabilities is as follows:

  • 45 Remote Code Execution (RCE) Vulnerabilities
  • 26 Elevation of Privilege (EoP) Vulnerabilities
  • 16 Denial of Service (DoS) Vulnerabilities
  • 12 Information Disclosure Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 1 Cross-Site Scripting (XSS) Vulnerability

Not sure what a ‘CVE’ is? Check out our article on demystifying Common Vulnerabilities and Exposures (CVE).

Breakdown

Zero-day Vulnerabilities: CVE-2023-36563, CVE-2023-41763, and CVE-2023-44487

This month’s Patch Tuesday addresses three actively exploited zero-day vulnerabilities:

CVE-2023-36563 (CVSS Score: 6.5): This information disclosure flaw in WordPad can expose NTLM hashes when exploited. There are two ways it can be exploited. In the first, an attacker uses social engineering to persuade a local user to open a specially crafted malicious file. In the second, an attacker runs a specially crafted application that exploits the vulnerability and takes control of the affected system.


CVE-2023-41763 (CVSS Score: 5.3): An attacker could make a specially crafted network call directed at the target Skype for Business server, causing it to parse an HTTP request to an arbitrary address and potentially revealing IP addresses and/or port numbers. Successful exploitation would give the attacker access to certain sensitive information, and in some cases the exposed information could grant access to internal networks.

The third zero-day vulnerability, tracked as CVE-2023-44487, was disclosed as a non-Microsoft CVE; its details are in the following section.

Zero-Day Vulnerability in HTTP/2: ‘Rapid Reset’ (CVE-2023-44487)

CVE-2023-44487 (CVSS Score: 7.5): Published as a non-Microsoft CVE, this vulnerability affects any internet-exposed HTTP/2 endpoint. It leads to a denial-of-service condition caused by server resource consumption, because request cancellation allows a client to reset a large number of streams very quickly.

The vulnerability is also known as ‘Rapid Reset’, and it was actively exploited in the wild between August and October 2023.

While Microsoft’s advisory does not offer extensive details about this vulnerability, it does include some workarounds:

  • Disable the HTTP/2 protocol on your web server by using the Registry Editor
  • Include a protocol setting for each Kestrel endpoint to limit your application to HTTP/1.1

Furthermore, Microsoft detailed the Rapid Reset attack scheme in a blog post and presented several other mitigation methods.


How Does the Rapid Reset Attack Work?

The attack involves sending a number of HTTP requests, each as a HEADERS frame immediately followed by an RST_STREAM frame, and repeating this sequence to generate substantial traffic against the targeted HTTP/2 servers. Attackers pack many HEADERS and RST_STREAM frames into a single connection, producing a sharp rise in requests per second and increased CPU usage on the servers. This heightened load can eventually exhaust server resources, resulting in denial of service.

This attack is termed ‘Rapid Reset’ because it takes advantage of the client’s ability to issue an RST_STREAM frame immediately after sending a request frame. The request starts work on the server, and the reset cancels it almost at once, while the HTTP/2 connection stays open for the next request.

Figure: HTTP/1.1 and HTTP/2 request and response pattern

Microsoft emphasizes that this HTTP DDoS activity targets layer 7 rather than layer 3 or 4, so protective measures against layer 7 DDoS attacks are also recommended.

Variants of Rapid Reset Attacks

Google has observed several Rapid Reset attack variants since the initial DDoS attacks. It reports that, while not as efficient as the original version, these variants can still outperform standard HTTP/2 DDoS attacks.

The first variant opens a batch of streams, waits, cancels them, and then quickly opens another batch. This approach can bypass mitigations that rely on the rate of inbound RST_STREAM frames. However, it does not make full use of the connection, so strict rate limiting is needed for effective mitigation.

The second variant ditches stream cancellations entirely. Instead, it attempts to open more concurrent streams than the server allows, keeping the request pipeline full.

Google notes that the current HTTP/2 RFC (RFC 9113, a specification that defines an extension to the HTTP/2 protocol) suggests that attempting to open too many streams should invalidate only the excess streams, not the entire connection, which makes non-cancelling attacks possible.
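The attack mechanics described in “How Does the Rapid Reset Attack Work?” and the two variants above suggest what a server-side detector has to measure. The following added example is not part of the original post or of any Microsoft or Google code; it is a small, self-contained monitor that parses raw HTTP/2 frames on the client-to-server direction of one connection and keeps three counters: RST_STREAM frames per second (the original pattern), the fraction of opened streams the client cancelled over the connection’s lifetime (variant 1, which evades a pure reset-rate check), and streams opened beyond the advertised concurrency limit (variant 2, which never cancels). The thresholds, the `ConnectionMonitor` class, and the constructed traces it is run against are all illustrative assumptions; CONTINUATION frames and the server’s own stream closures are deliberately not modelled.

```python
"""Added example (not from the original post): per-connection HTTP/2 frame
accounting that flags the Rapid Reset pattern and its two variants.
Thresholds and sample traffic are constructed for illustration."""
from collections import deque

# Frame type codes from RFC 9113, section 6
HEADERS = 0x1
RST_STREAM = 0x3
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated tail; a real reader would buffer and wait for more bytes
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class ConnectionMonitor:
    """Tracks client-initiated streams on one connection and reports suspicious patterns."""

    def __init__(self, max_concurrent=100, resets_per_second=100,
                 reset_ratio=0.8, min_streams=20):
        self.max_concurrent = max_concurrent      # assumed SETTINGS_MAX_CONCURRENT_STREAMS value
        self.resets_per_second = resets_per_second  # illustrative threshold
        self.reset_ratio = reset_ratio            # fraction of opened streams the client reset
        self.min_streams = min_streams            # ignore very small connections
        self.active = set()       # client streams opened and not yet reset
        self.last_sid = 0         # client stream ids must strictly increase
        self.opened = 0
        self.resets = 0
        self.overflow = 0         # streams opened while already at the concurrency limit
        self.reset_times = deque()

    def feed(self, data: bytes, now: float) -> set:
        """Consume client-to-server bytes observed at time `now`; return current alerts."""
        for ftype, _flags, sid, _payload in parse_frames(data):
            if ftype == HEADERS and sid % 2 == 1 and sid > self.last_sid:
                self.last_sid = sid
                self.opened += 1
                if len(self.active) >= self.max_concurrent:
                    self.overflow += 1          # variant 2: pipeline kept over-full
                else:
                    self.active.add(sid)
            elif ftype == RST_STREAM and sid in self.active:
                self.active.discard(sid)
                self.resets += 1
                self.reset_times.append(now)
        return self.alerts(now)

    def alerts(self, now: float) -> set:
        found = set()
        # Original pattern: many RST_STREAM frames within one second
        while self.reset_times and now - self.reset_times[0] > 1.0:
            self.reset_times.popleft()
        if len(self.reset_times) > self.resets_per_second:
            found.add("rapid_reset")
        # Variant 1 (open batch, wait, cancel) stays under the per-second rate,
        # so also look at the cancel ratio over the whole connection
        if self.opened >= self.min_streams and self.resets / self.opened >= self.reset_ratio:
            found.add("high_cancel_ratio")
        # Variant 2 (no cancellation): streams pushed past the concurrency limit
        if self.overflow > 0:
            found.add("concurrency_overflow")
        return found


def frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Encode one frame (used only to build the constructed traces below)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


def constructed_trace(kind: str, count: int = 50, first_sid: int = 1) -> bytes:
    """Constructed client-side byte streams: plain requests, cancels of earlier
    requests, or request+cancel pairs. Header content is irrelevant to the monitor."""
    sids = [first_sid + 2 * i for i in range(count)]
    req = b"\x82"                        # HPACK indexed field 2 (":method: GET")
    cancel = (0x8).to_bytes(4, "big")    # RST_STREAM error code CANCEL
    if kind == "requests":
        return b"".join(frame(HEADERS, s, req) for s in sids)
    if kind == "cancels":
        return b"".join(frame(RST_STREAM, s, cancel) for s in sids)
    if kind == "rapid_reset":
        return b"".join(frame(HEADERS, s, req) + frame(RST_STREAM, s, cancel) for s in sids)
    raise ValueError(kind)


if __name__ == "__main__":
    m = ConnectionMonitor()
    print("benign:", m.feed(constructed_trace("requests", 10), now=0.0))
    m = ConnectionMonitor()
    print("original:", m.feed(constructed_trace("rapid_reset", 200), now=0.0))
    m = ConnectionMonitor()
    m.feed(constructed_trace("requests", 50), now=0.0)
    print("variant 1:", m.feed(constructed_trace("cancels", 50), now=5.0))
    m = ConnectionMonitor()
    print("variant 2:", m.feed(constructed_trace("requests", 150), now=0.0))
```

The per-second reset counter alone is the check the first variant is designed to slip under, which is why the monitor also scores the lifetime cancel ratio; the overflow counter catches the second variant, where a compliant server would reject only the excess streams and otherwise keep serving the connection. In production these signals would feed a per-connection decision (GOAWAY, or a connection-level limit) rather than a printed set.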

CISA Urges Organizations to Secure Against Rapid Reset Attacks

The Cybersecurity & Infrastructure Security Agency (CISA) has issued an advisory to warn organizations about CVE-2023-44487. The agency advises organizations offering HTTP/2 services to apply available patches, consider configuration adjustments, and implement other mitigations.

CISA’s advisory lists several informative reports which also include mitigation measures aimed at helping organizations safeguard against the exploitation of CVE-2023-44487 in Rapid Reset DDoS attacks.

For more information, visit CISA’s advisory.

What are the Critical Vulnerabilities Addressed in October 2023 Patch Tuesday?

Critical Vulnerabilities

Microsoft addressed a total of 12 critical vulnerabilities in October 2023, all of which are RCE vulnerabilities. Nine of them affect the Windows Layer 2 Tunneling Protocol; their CVE identifiers are listed below:

  • CVE-2023-38166
  • CVE-2023-41765
  • CVE-2023-41767
  • CVE-2023-41768
  • CVE-2023-41769
  • CVE-2023-41770
  • CVE-2023-41771
  • CVE-2023-41773
  • CVE-2023-41774

Two of the other critical CVEs, CVE-2023-35349 and CVE-2023-36697, have been assigned to vulnerabilities in Microsoft Message Queuing (MSMQ).

CVE-2023-35349 (CVSS Score: 9.8): While the advisory does not provide specific details about the attack vector, MSMQ must be enabled for a system to be affected. To check for susceptibility, verify whether a service named Message Queuing is running and whether TCP port 1801 is listening on the machine.
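The two preconditions named above (the Message Queuing service running and TCP port 1801 listening) can be checked from the output of `sc query MSMQ` and `netstat -ano`. The following added example, which is not from the original post or from Microsoft, parses that output and reports whether a host meets both conditions; the service and netstat outputs embedded below are constructed samples in the usual format of those commands, and the function names are assumptions of this example.

```python
"""Added example (not from the original post): evaluate the MSMQ exposure
preconditions from `sc query MSMQ` and `netstat -ano` output.
Sample command output below is constructed."""
import re

MSMQ_TCP_PORT = 1801


def msmq_service_running(sc_output: str) -> bool:
    """True when `sc query` shows the Message Queuing service in the RUNNING state."""
    display_ok = re.search(r"^DISPLAY_NAME:\s*Message Queuing\s*$", sc_output, re.M) is not None
    running = re.search(r"^\s*STATE\s*:\s*\d+\s+RUNNING\s*$", sc_output, re.M) is not None
    return display_ok and running


def listening_tcp_ports(netstat_output: str) -> set:
    """Collect local TCP ports in the LISTENING state (IPv4 and IPv6 forms)."""
    ports = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))  # "[::]:1801" -> 1801
    return ports


def msmq_exposure(sc_output: str, netstat_output: str) -> dict:
    """Combine both checks; `needs_attention` is True only when both preconditions hold."""
    running = msmq_service_running(sc_output)
    listening = MSMQ_TCP_PORT in listening_tcp_ports(netstat_output)
    return {"service_running": running,
            "port_1801_listening": listening,
            "needs_attention": running and listening}


# Constructed sample: what `sc query MSMQ` prints when the service is running
SC_RUNNING = """SERVICE_NAME: MSMQ
DISPLAY_NAME: Message Queuing
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# Constructed sample: `sc query MSMQ` on a host where the feature is not installed
SC_ABSENT = """[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

# Constructed sample: a `netstat -ano` excerpt with port 1801 listening on v4 and v6
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       2468
  TCP    [::]:1801              [::]:0                 LISTENING       2468
  TCP    10.0.0.5:49712         10.0.0.9:445           ESTABLISHED     4
"""

if __name__ == "__main__":
    print("installed host :", msmq_exposure(SC_RUNNING, NETSTAT))
    print("host without MSMQ:", msmq_exposure(SC_ABSENT, NETSTAT))
```

On a live host the two strings would come from `subprocess.run(["sc", "query", "MSMQ"], ...)` and `subprocess.run(["netstat", "-ano"], ...)`; a result with `needs_attention` set is a host to prioritise for the October update, and a host with only the service running is still worth reviewing, since the port may be filtered rather than absent.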

CVE-2023-36697 (CVSS Score: 6.8): Successful exploitation enables a remote, authenticated domain user to execute arbitrary code on the target server. The attacker must persuade a user on the target machine to connect to a malicious server, or compromise a legitimate MSMQ server host and make it act as a malicious server. Because it requires valid domain credentials and user interaction on the target machine, this vulnerability carries a lower CVSS score.

The final critical vulnerability is a container escape issue affecting the Microsoft Virtual Trusted Platform Module (vTPM).

CVE-2023-36718 (CVSS Score: 7.8): This vulnerability affects vTPM. Successful exploitation can result in an escape from a contained execution environment. To exploit it, the attacker must first gain access to the vulnerable VM; the advisory notes that exploitation of CVE-2023-36718 is possible when authenticated as a guest mode user.

Tech & Society recommends promptly applying patches to safeguard your environment and enhance your security stance. Additional details on the vulnerabilities addressed in this update can be found in Microsoft’s Release Note.

What is Patch Tuesday?

Patch Tuesday is an unofficial term, widely used across the industry, for the day on which Microsoft, Adobe, Oracle, and others regularly release patches for their software products. Microsoft formalized Patch Tuesday in October 2003.
