The August 2023 Patch Tuesday report has been released, providing critical information for organizations and individuals to address security vulnerabilities and software updates. This monthly event plays a crucial role in maintaining the security and stability of the Windows operating system and various other software products people rely on. In this article, we’ll break down the key highlights of the August 2023 Patch Tuesday report, focusing on the most pressing concerns for users and administrators.
Notably, Microsoft has released fixes for 88 vulnerabilities in August 2023 Patch Tuesday report, out of which 6 were rated Critical. Microsoft also warned about the active exploitation of 1 vulnerability. Again, as with other Patch Tuesday reports, Remote Code Execution (RCE) vulnerability has topped the list with 23 occurrences in the list of vulnerabilities. Let’s break down what is there in the report that Microsoft released on 8th August.
Key Highlights- Patch Tuesday August 2023
Two of the flaws are zero-day vulnerabilities, one of which is being actively exploited in the wild. In addition to the RCE flaws, this release covers privilege escalation bugs, information disclosure issues, spoofing weaknesses, and denial of service vulnerabilities across a wide range of Microsoft products.
Key affected products include Windows, Internet Explorer, Office, Exchange Server, SQL Server, Visual Studio, and Microsoft Dynamics. Administrators and end users are advised to apply these security updates as soon as possible to ensure systems are not vulnerable to any of the fixed flaws.
Key Highlights are:
- Microsoft’s August’s 2023 Patch Tuesday included updates for 88 security flaws, including two Security Advisories and 12 browser vulnerabilities.
- 2 of them are Zero-Days, with one publicly disclosed.
- The patch covered 23 Remote Code Execution (RCE) vulnerabilities, 6 of which were rated as ‘Critical.’The 2 zero-day vulnerabilities patched are:
- CVE-2023-38180 – Actively exploited ASP.NET zero-day denial of service vulnerability
- CVE-2023-36884 – Previously disclosed Windows zero-day vulnerability
Vulnerabilities by Category
The complete list of 88 vulnerabilities is classified into six categories. Remote Code Execution Vulnerability has been identified as the most common vulnerability, occurring 23 times, while Security Feature Bypass is the least frequent vulnerability, occurring only 3 times. Please refer to the below chart for complete details on all categories of vulnerabilities:
| Elevation of Privilege vulnerabilities | CVE-2023-38176 CVE-2023-35359 CVE-2023-36876 CVE-2023-38167 CVE-2023-36869 CVE-2023-35390 CVE-2023-36899 CVE-2023-36873 CVE-2023-36904 CVE-2023-36900 CVE-2023-38175 CVE-2023-38186 CVE-2023-35378 CVE-2023-38154 CVE-2023-35382 CVE-2023-35386 CVE-2023-35380 |
| Security Feature Bypass vulnerabilities | CVE-2023-38157 CVE-2023-35384 |
| Remote Code Execution vulnerabilities | CVE-2023-38185 CVE-2023-35388 CVE-2023-35368 CVE-2023-29328 CVE-2023-29330 CVE-2023-36895 CVE-2023-36896 CVE-2023-35371 CVE-2023-38169 CVE-2023-36898 CVE-2023-38170 CVE-2023-32051 CVE-2023-35303 CVE-2023-38184 CVE-2023-35315 CVE-2023-35297 CVE-2023-300 CVE-2023-36910 CVE-2023-36911 CVE-2023-35385 |
| Information Disclosure vulnerabilities | CVE-2023-35391 CVE-2023-36890 CVE-2023-36894 CVE-2023-36905 CVE-2023-36907 CVE-2023-36906 CVE-2023-35383 CVE-2023-36913 |
| Denial of Service vulnerabilities | CVE-2023-38180 CVE-2023-38178 CVE-2023-36909 CVE-2023-35376 CVE-2023-38172 CVE-2023-38254 CVE-2023-35377 |
| Spoofing vulnerabilities | CVE-2023-38181 CVE-2023-36893 CVE-2023-36891 CVE-2023-36892 CVE-2023-35394 CVE-2023-35393 CVE-2023-36881 CVE-2023-36877 CVE-2023-38188 |
List of Products Patched in August 2023 Patch Tuesday Report
Microsoft’s August 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:
- NET Core
- .NET Framework
- ASP.NET
- ASP.NET and Visual Studio
- Azure Arc
- Azure DevOps
- Azure HDInsights
- Dynamics Business Central Control
- Memory Integrity System Readiness Scan Tool
- Microsoft Dynamics
- Microsoft Exchange Server
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Teams
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Codecs Library
- Reliability Analysis Metrics Calculation Engine
- Role: Windows Hyper-V
- SQL Server
- Tablet Windows User Interface
- Windows Bluetooth A2DP driver
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows Defender
- Windows Fax and Scan Service
- Windows Group Policy
- Windows HTML Platform
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Message Queuing
- Windows Mobile Device Management
- Windows Projected File System
- Windows Reliability Analysis Metrics Calculation Engine
- Windows Smart Card
- Windows System Assessment Tool
- Windows Wireless Wide Area Network Service
List of Actively Exploited Vulnerabilities Patched in August 2023 Patch Tuesday
Microsoft patched an actively exploited zero-day denial of service (DoS) vulnerability, CVE-2023-38180, affecting ASP.NET Core. This vulnerability can lead to denial of service in Kestrel web server if exploited. Microsoft notes that reverse proxies and web application firewalls can help mitigate such attacks.
Here is a list of the actively exploited vulnerabilities patched in the August 2023 Patch Tuesday:
- ADV230003 – Microsoft Office Defense in Depth Update
- CVE-2023-38180 – .NET and Visual Studio Denial of Service Vulnerability
List of Critical Vulnerabilities Patched in August 2023 Patch Tuesday
The August Patch Tuesday addressed 6 critical-rated vulnerabilities that deserve close attention:
| Sl. No | CVE ID | Severity | CVSS | Description | Actively Exploited | Patch status |
| 1 | CVE-2023-29328 | Important | 8.8 | Remote Code Execution Vulnerability in Microsoft Teams | No | Available |
| 2 | CVE-2023-29330 | Important | 8.8 | Remote Code Execution Vulnerability in Microsoft Teams | No | Available |
| 3 | CVE-2023-36895 | Important | 7.8 | Remote Code Execution Vulnerability in Microsoft Outlook | No | Available |
| 4 | CVE-2023-36910 | Critical | 9.8 | Remote Code Execution Vulnerability in Microsoft Message Queuing | No | Available |
| 5 | CVE-2023-36911 | Critical | 9.8 | Remote Code Execution Vulnerability in Microsoft Message Queuing | No | Available |
| 6 | CVE-2023-35385 | Critical | 9.8 | Remote Code Execution Vulnerability in Microsoft Message Queuing | No | Available |
CVE-2023-29328 and CVE-2023-29330 – Microsoft Teams Remote Code Execution Vulnerability
These two critical RCE flaws in Microsoft Teams allow an attacker to execute arbitrary code through specially crafted Teams meeting invites. The vulnerabilities are exploitable, with no user interaction required beyond joining the malicious meeting. Microsoft has rated them as “exploitation less likely” due to the difficulty in exploiting them.
CVE-2023-36895 – Microsoft Outlook Remote Code Execution Vulnerability
This critical vulnerability in Microsoft Outlook can let a remote attacker execute arbitrary code on the target system by convincing the user to open a specially crafted file. Microsoft rates the exploitability as low.
CVE-2023-36910, CVE-2023-36911, CVE-2023-35385 – Windows Message Queuing Service Remote Code Execution
These three critical vulnerabilities in the Windows Message Queuing Service, if successfully exploited, can enable remote code execution on vulnerable systems. While concerning, the service needs to be explicitly enabled and accessible through TCP port 1801 for exploitation.
Complete List of Vulnerabilities Patched in August 2023 Patch Tuesday Are
If you wish to download the complete list of vulnerabilities patched in August 2023 Patch Tuesday, you can do it from here.
Azure vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38176 | Azure Arc-Enabled Servers Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-35394 | Azure HDInsight Jupyter Notebook Spoofing Vulnerability | No | No | 4.6 |
| CVE-2023-36877 | Azure Apache Oozie Spoofing Vulnerability | No | No | 4.5 |
| CVE-2023-35393 | Azure Apache Hive Spoofing Vulnerability | No | No | 4.5 |
| CVE-2023-38188 | Azure Apache Hadoop Spoofing Vulnerability | No | No | 4.5 |
| CVE-2023-36881 | Azure Apache Ambari Spoofing Vulnerability | No | No | 4.5 |
Azure Developer Tools vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36869 | Azure DevOps Server Spoofing Vulnerability | No | No | 6.3 |
Browser vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38157 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 6.5 |
| CVE-2023-4078 | Chromium: CVE-2023-4078 Inappropriate implementation in Extensions | No | No | N/A |
| CVE-2023-4077 | Chromium: CVE-2023-4077 Insufficient data validation in Extensions | No | No | N/A |
| CVE-2023-4076 | Chromium: CVE-2023-4076 Use after free in WebRTC | No | No | N/A |
| CVE-2023-4075 | Chromium: CVE-2023-4075 Use after free in Cast | No | No | N/A |
| CVE-2023-4074 | Chromium: CVE-2023-4074 Use after free in Blink Task Scheduling | No | No | N/A |
| CVE-2023-4073 | Chromium: CVE-2023-4073 Out of bounds memory access in ANGLE | No | No | N/A |
| CVE-2023-4072 | Chromium: CVE-2023-4072 Out of bounds read and write in WebGL | No | No | N/A |
| CVE-2023-4071 | Chromium: CVE-2023-4071 Heap buffer overflow in Visuals | No | No | N/A |
| CVE-2023-4070 | Chromium: CVE-2023-4070 Type Confusion in V8 | No | No | N/A |
| CVE-2023-4069 | Chromium: CVE-2023-4069 Type Confusion in V8 | No | No | N/A |
| CVE-2023-4068 | Chromium: CVE-2023-4068 Type Confusion in V8 | No | No | N/A |
Developer Tools vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35390 | .NET and Visual Studio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36899 | ASP.NET Elevation of Privilege Vulnerability | No | No | 7.5 |
| CVE-2023-38180 | .NET and Visual Studio Denial of Service Vulnerability | Yes | No | 7.5 |
| CVE-2023-38178 | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36873 | .NET Framework Spoofing Vulnerability | No | No | 7.4 |
| CVE-2023-35391 | ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability | No | No | 7.1 |
Developer Tools Microsoft Office vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36897 | Visual Studio Tools for Office Runtime Spoofing Vulnerability | No | No | 8.1 |
ESU vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35379 | Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36876 | Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability | No | No | 7.1 |
Exchange Server vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-21709 | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 9.8 |
| CVE-2023-38181 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 8.8 |
| CVE-2023-38185 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35368 | Microsoft Exchange Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35388 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2023-38182 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 8 |
Microsoft Dynamics vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38167 | Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability | No | No | 7.2 |
| CVE-2023-35389 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | No | No | 6.5 |
Microsoft Office vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-29328 | Microsoft Teams Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-29330 | Microsoft Teams Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-36891 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8 |
| CVE-2023-36892 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8 |
| CVE-2023-36895 | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36865 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36866 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-35372 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-35371 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36896 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-36890 | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-36894 | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-36893 | Microsoft Outlook Spoofing Vulnerability | No | No | 6.5 |
SQL Server vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38169 | Microsoft OLE DB Remote Code Execution Vulnerability | No | No | 8.8 |
System Center vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38175 | Microsoft Windows Defender Elevation of Privilege Vulnerability | No | No | 7.8 |
Windows vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35387 | Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2023-38186 | Windows Mobile Device Management Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35382 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35386 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-38154 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36904 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36898 | Tablet Windows User Interface Application Core Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-38170 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-35378 | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-36905 | Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-36914 | Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability | No | No | 5.5 |
| CVE-2023-35384 | Windows HTML Platforms Security Feature Bypass Vulnerability | No | No | 5.4 |
Windows ESU vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36910 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-36911 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-35385 | Microsoft Message Queuing Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2023-35381 | Windows Fax Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-36882 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-36903 | Windows System Assessment Tool Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35359 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35380 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36900 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-38184 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2023-35383 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2023-36912 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-38172 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-36913 | Microsoft Message Queuing Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-36909 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-35376 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-38254 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-35377 | Microsoft Message Queuing Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-36908 | Windows Hyper-V Information Disclosure Vulnerability | No | No | 5.7 |
| CVE-2023-36889 | Windows Group Policy Security Feature Bypass Vulnerability | No | No | 5.5 |
| CVE-2023-36906 | Windows Cryptographic Services Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-36907 | Windows Cryptographic Services Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-20569 | AMD: CVE-2023-20569 Return Address Predictor | No | No | N/A |
Ref: https://www.rapid7.com/blog/post/2023/08/08/patch-tuesday-august-2023/
Bottom Line
The August 2023 Patch Tuesday release contains important security updates for a wide range of Microsoft products. With 88 vulnerabilities addressed, including 23 critical remote code executions, system administrators should prioritize testing and deployment of these fixes.
The 6 critical-rated vulnerabilities, covering Outlook, Teams, and the Windows Message Queuing Service, deserve immediate attention given their potential impact. The actively exploited ASP.NET zero-day vulnerability also needs urgent patching.
Overall, this Patch Tuesday continues the trend of large, complex updates that must be carefully reviewed and applied to avoid security risks. Ongoing diligence with patch management remains crucial, as Microsoft delivers fixes for critical flaws each month.