Threat Advisory

Microsoft RCE & EOP Vulnerability in August Patch Release

August 17, 2023 | By Accorian

Microsoft addressed 74 CVEs in its August Patch Tuesday release, out of which 6 were rated “Critical” and 67 were rated “Important”. Remote code execution (RCE) vulnerabilities made up 31.5% of the vulnerabilities patched, with elevation of privilege (EoP) vulnerabilities making up 24.7%. One zero-day vulnerability was also addressed in the release.

Among the RCE vulnerabilities are the CVE-2023-35385CVE-2023-36910 and CVE-2023-36911 which have been assigned a CVSSv3 score of 9.8 and are “Critical”. The vulnerabilities are found in the Microsoft Message Queuing (MSMQ) component of the Windows operating system. An unauthenticated remote attacker can exploit this flaw by sending malicious MSMQ packets to a vulnerable MSMQ server, which leads to arbitrary code execution. Yet, to exploit this weakness, the susceptible server’s Message Queuing service must be activated. According to Microsoft, if the service is enabled, it runs as “Message Queuing” and listens on TCP port 1801.

Another “Important” rated vulnerability is CVE-2023-21709 which is an EoP vulnerability found in Microsoft Exchange Server. An adversary could exploit this flaw by trying to brute force the password for valid user accounts. If exploited, the adversary can login as another user. According to Microsoft, a PowerShell script must be run after the patch has been applied.

Microsoft addressed five other vulnerabilities in Microsoft Exchange Server which are tracked down as CVE-2023-38181, CVE-2023-38185, CVE-2023-35368, CVE-2023-38182 and CVE-2023-35388. The CVE-2023-38181 is a Spoofing Vulnerability which is assigned a CVSSv3 score of 8.8. If exploited, an attacker might acquire access to a user’s Net-NTLMv2 hash, which could then be used to launch an NTLM Relay attack against another service to authenticate as the user. The rest are RCE vulnerabilities with scores 8.8, 8.8, 8.0 and 8.0 respectively. The CVE-2023-3182 and CVE-2023-35388 are rated “Exploitation More Likely” by Microsoft. If exploited, an adversary could execute a code using PowerShell remoting session. To successfully exploit, the adversary would need to have LAN access and valid credentials for an Exchange user.

Accorian strongly recommends patching systems as soon as they can be and routinely scanning your environment to find any systems that need to be patched. Organizations are encouraged to apply the latest Windows updates for August.


Threat Advisory

Team Accorian

Recent Post

Ready to Start?

Ready to Start?​

Drop your CVs to

Interested Position

Download Case study

Download SOC2 Guide