Skip to content

Search the site

This Microsoft zero day is under active attack and there’s no patch

Happy Patch Tuesday: Have some critical SAP vulnerabilities affecting pretty much every internet-facing product whilst you're at it...

Bugs galore

Five new Microsoft vulnerabilities are under active attack in the wild – and one remote code execution bug, CVE-2023-36884, doesn’t yet have a patch and is being used to target defense, government, finance and telecommunications entities across Europe by a Russian threat actor in (somewhat unusually) both cyber espionage and ransomware attacks.

July Patch Tuesday was an unpleasant-looking one for systems administrators and CISOs alike – bringing with it a flurry of critical vulnerabilities and some serious patch prioritisation headaches to boot.

CVE-2023-35311. CVE-2023-36874,   CVE-2023-32046, and CVE-2023-32049 are all also listed as being under attack. A CVSS 9.8 pre-auth RCE, CVE-2023-32057, also looks like it deserves fairly urgent attention. Microsoft says: “To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side.”

As the Zero Day Initiative notes: “[This is] nearly identical to a CVE patched back in April. It was even reported by the same researcher. [Fortinet’s Wayne Low]. That has all the hallmarks of a failed patch.

“Either way, this bug could allow unauthenticated remote attackers to execute code with elevated privileges on affected systems where the message queuing service is enabled. You can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly.”

A trio of pre-authentication RCE vulnerabilities (CVE-2023-35365/6/7) with a CVSS of 9.8 meanwhile are wormable – but not listed as under attack yet and only only exploitable on Windows Servers that have installed and configured the Routing and Remote Access Service (RRAS).

CVE-2023-36884: No patch yet; targeted attacks happening

Microsoft also took the unusual step of including  CVE-2023-36884 in its Patch Tuesday release, despite not actually having a patch ready for it.

The vulnerability, reported by security researchers at Volexity, affects Windows and Office products. Microsoft said that “an attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”

Exploitation has been detected in targeted attacks.

Notable fixes from other major software vendors included two from SAP that affect one of the most critical and ubiquitous components of SAP applications: the SAP Internet Communications Manager (ICM) – following in the wake of the "ICMAD" vulnerabilities disclosed (as were these) by Onapsis in the same component that came under attack in 2022.

See also: SAP systems are getting breached as attackers wake up to CVSS 10 “ICMAD” bug

CVE-2023-33987 and CVE-2023-35871, despite getting CVSS scores of 7.7 to 8.6, present the opportunity for attacks to hit targets via remote access and without authentication, as CTO of security firm Onapsis, JP Perez-Etchegoyen, noted on July 11 in a blog on the SAP bugs.

He added that the Onapsis threat intelligence team “anticipates the high likelihood of potential threat activity in the coming weeks following the release of the patches for these vulnerabilities” – given that the similar vulnerabilities in 2022 affecting the same feature were widely exploited.

Perez-Etchegoyen said: “These vulnerabilities affect a large number of SAP products that use the ICM such as SAP S/4HANA, SAP ERP, SAP Web Dispatcher, and SAP HANA - just to name a few. Technically, there’s applicability to everything that sits on top of SAP NetWeaver ABAP, SAP Web Dispatcher, SAP HANA XS, and XSA” – in better news, they only affect the HTTP/2 implementation of the ICM. Admins can “simply disable the support for HTTP/2 in the affected applications. This may have a performance impact (described by SAP as ~20% in the released SAP Security Notes) but should remain “functionally equivalent…”

#Hugops to all prioritising and fixing.

Join peers following The Stack on LinkedIn