The August 2023 Patch Tuesday report has been released, providing critical information for organizations and individuals to address security vulnerabilities and software updates. This monthly event plays a crucial role in maintaining the security and stability of the Windows operating system and various other software products people rely on. In this article, we’ll break down the key highlights of the August 2023 Patch Tuesday report, focusing on the most pressing concerns for users and administrators.
Notably, Microsoft has released fixes for 88 vulnerabilities in August 2023 Patch Tuesday report, out of which 6 were rated Critical. Microsoft also warned about the active exploitation of 1 vulnerability. Again, as with other Patch Tuesday reports, Remote Code Execution (RCE) vulnerability has topped the list with 23 occurrences in the list of vulnerabilities. Let’s break down what is there in the report that Microsoft released on 8th August.
Key Highlights- Patch Tuesday August 2023
Two of the flaws are zero-day vulnerabilities, one of which is being actively exploited in the wild. In addition to the RCE flaws, this release covers privilege escalation bugs, information disclosure issues, spoofing weaknesses, and denial of service vulnerabilities across a wide range of Microsoft products.
Key affected products include Windows, Internet Explorer, Office, Exchange Server, SQL Server, Visual Studio, and Microsoft Dynamics. Administrators and end users are advised to apply these security updates as soon as possible to ensure systems are not vulnerable to any of the fixed flaws.
Key Highlights are:
- Microsoft’s August’s 2023 Patch Tuesday included updates for 88 security flaws, including two Security Advisories and 12 browser vulnerabilities.
- 2 of them are Zero-Days, with one publicly disclosed.
- The patch covered 23 Remote Code Execution (RCE) vulnerabilities, 6 of which were rated as ‘Critical.’The 2 zero-day vulnerabilities patched are:
- CVE-2023-38180 – Actively exploited ASP.NET zero-day denial of service vulnerability
- CVE-2023-36884 – Previously disclosed Windows zero-day vulnerability
Vulnerabilities by Category
The complete list of 88 vulnerabilities is classified into six categories. Remote Code Execution Vulnerability has been identified as the most common vulnerability, occurring 23 times, while Security Feature Bypass is the least frequent vulnerability, occurring only 3 times. Please refer to the below chart for complete details on all categories of vulnerabilities:
| Elevation of Privilege vulnerabilities | CVE-2023-38176 CVE-2023-35359 CVE-2023-36876 CVE-2023-38167 CVE-2023-36869 CVE-2023-35390 CVE-2023-36899 CVE-2023-36873 CVE-2023-36904 CVE-2023-36900 CVE-2023-38175 CVE-2023-38186 CVE-2023-35378 CVE-2023-38154 CVE-2023-35382 CVE-2023-35386 CVE-2023-35380 |
| Security Feature Bypass vulnerabilities | CVE-2023-38157 CVE-2023-35384 |
| Remote Code Execution vulnerabilities | CVE-2023-38185 CVE-2023-35388 CVE-2023-35368 CVE-2023-29328 CVE-2023-29330 CVE-2023-36895 CVE-2023-36896 CVE-2023-35371 CVE-2023-38169 CVE-2023-36898 CVE-2023-38170 CVE-2023-32051 CVE-2023-35303 CVE-2023-38184 CVE-2023-35315 CVE-2023-35297 CVE-2023-300 CVE-2023-36910 CVE-2023-36911 CVE-2023-35385 |
| Information Disclosure vulnerabilities | CVE-2023-35391 CVE-2023-36890 CVE-2023-36894 CVE-2023-36905 CVE-2023-36907 CVE-2023-36906 CVE-2023-35383 CVE-2023-36913 |
| Denial of Service vulnerabilities | CVE-2023-38180 CVE-2023-38178 CVE-2023-36909 CVE-2023-35376 CVE-2023-38172 CVE-2023-38254 CVE-2023-35377 |
| Spoofing vulnerabilities | CVE-2023-38181 CVE-2023-36893 CVE-2023-36891 CVE-2023-36892 CVE-2023-35394 CVE-2023-35393 CVE-2023-36881 CVE-2023-36877 CVE-2023-38188 |
List of Products Patched in August 2023 Patch Tuesday Report
Microsoft’s August 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:
- NET Core
- .NET Framework
- ASP.NET
- ASP.NET and Visual Studio
- Azure Arc
- Azure DevOps
- Azure HDInsights
- Dynamics Business Central Control
- Memory Integrity System Readiness Scan Tool
- Microsoft Dynamics
- Microsoft Exchange Server
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Teams
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Codecs Library
- Reliability Analysis Metrics Calculation Engine
- Role: Windows Hyper-V
- SQL Server
- Tablet Windows User Interface
- Windows Bluetooth A2DP driver
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows Defender
- Windows Fax and Scan Service
- Windows Group Policy
- Windows HTML Platform
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Message Queuing
- Windows Mobile Device Management
- Windows Projected File System
- Windows Reliability Analysis Metrics Calculation Engine
- Windows Smart Card
- Windows System Assessment Tool
- Windows Wireless Wide Area Network Service
-
List of Actively Exploited Vulnerabilities Patched in August 2023 Patch Tuesday
Microsoft patched an actively exploited zero-day denial of service (DoS) vulnerability, CVE-2023-38180, affecting ASP.NET Core. This vulnerability can lead to denial of service in Kestrel web server if exploited. Microsoft notes that reverse proxies and web application firewalls can help mitigate such attacks.
Here is a list of the actively exploited vulnerabilities patched in the August 2023 Patch Tuesday:
- ADV230003 – Microsoft Office Defense in Depth Update
- CVE-2023-38180 – .NET and Visual Studio Denial of Service Vulnerability
List of Critical Vulnerabilities Patched in August 2023 Patch Tuesday
The August Patch Tuesday addressed 6 critical-rated vulnerabilities that deserve close attention:
Sl. No CVE ID Severity CVSS Description Actively Exploited Patch status 1 CVE-2023-29328 Important 8.8 Remote Code Execution Vulnerability in Microsoft Teams No Available 2 CVE-2023-29330 Important 8.8 Remote Code Execution Vulnerability in Microsoft Teams No Available 3 CVE-2023-36895 Important 7.8 Remote Code Execution Vulnerability in Microsoft Outlook No Available 4 CVE-2023-36910 Critical 9.8 Remote Code Execution Vulnerability in Microsoft Message Queuing No Available 5 CVE-2023-36911 Critical 9.8 Remote Code Execution Vulnerability in Microsoft Message Queuing No Available 6 CVE-2023-35385 Critical 9.8 Remote Code Execution Vulnerability in Microsoft Message Queuing No Available CVE-2023-29328 and CVE-2023-29330 – Microsoft Teams Remote Code Execution Vulnerability
These two critical RCE flaws in Microsoft Teams allow an attacker to execute arbitrary code through specially crafted Teams meeting invites. The vulnerabilities are exploitable, with no user interaction required beyond joining the malicious meeting. Microsoft has rated them as “exploitation less likely” due to the difficulty in exploiting them.
CVE-2023-36895 – Microsoft Outlook Remote Code Execution Vulnerability
This critical vulnerability in Microsoft Outlook can let a remote attacker execute arbitrary code on the target system by convincing the user to open a specially crafted file. Microsoft rates the exploitability as low.
CVE-2023-36910, CVE-2023-36911, CVE-2023-35385 – Windows Message Queuing Service Remote Code Execution
These three critical vulnerabilities in the Windows Message Queuing Service, if successfully exploited, can enable remote code execution on vulnerable systems. While concerning, the service needs to be explicitly enabled and accessible through TCP port 1801 for exploitation.
Complete List of Vulnerabilities Patched in August 2023 Patch Tuesday Are
If you wish to download the complete list of vulnerabilities patched in August 2023 Patch Tuesday, you can do it from here.
Azure vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-38176 Azure Arc-Enabled Servers Elevation of Privilege Vulnerability No No 7 CVE-2023-35394 Azure HDInsight Jupyter Notebook Spoofing Vulnerability No No 4.6 CVE-2023-36877 Azure Apache Oozie Spoofing Vulnerability No No 4.5 CVE-2023-35393 Azure Apache Hive Spoofing Vulnerability No No 4.5 CVE-2023-38188 Azure Apache Hadoop Spoofing Vulnerability No No 4.5 CVE-2023-36881 Azure Apache Ambari Spoofing Vulnerability No No 4.5 Azure Developer Tools vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-36869 Azure DevOps Server Spoofing Vulnerability No No 6.3 Browser vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-38157 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability No No 6.5 CVE-2023-4078 Chromium: CVE-2023-4078 Inappropriate implementation in Extensions No No N/A CVE-2023-4077 Chromium: CVE-2023-4077 Insufficient data validation in Extensions No No N/A CVE-2023-4076 Chromium: CVE-2023-4076 Use after free in WebRTC No No N/A CVE-2023-4075 Chromium: CVE-2023-4075 Use after free in Cast No No N/A CVE-2023-4074 Chromium: CVE-2023-4074 Use after free in Blink Task Scheduling No No N/A CVE-2023-4073 Chromium: CVE-2023-4073 Out of bounds memory access in ANGLE No No N/A CVE-2023-4072 Chromium: CVE-2023-4072 Out of bounds read and write in WebGL No No N/A CVE-2023-4071 Chromium: CVE-2023-4071 Heap buffer overflow in Visuals No No N/A CVE-2023-4070 Chromium: CVE-2023-4070 Type Confusion in V8 No No N/A CVE-2023-4069 Chromium: CVE-2023-4069 Type Confusion in V8 No No N/A CVE-2023-4068 Chromium: CVE-2023-4068 Type Confusion in V8 No No N/A Developer Tools vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-35390 .NET and Visual Studio Remote Code Execution Vulnerability No No 7.8 CVE-2023-36899 ASP.NET Elevation of Privilege Vulnerability No No 7.5 CVE-2023-38180 .NET and Visual Studio Denial of Service Vulnerability Yes No 7.5 CVE-2023-38178 .NET Core and Visual Studio Denial of Service Vulnerability No No 7.5 CVE-2023-36873 .NET Framework Spoofing Vulnerability No No 7.4 CVE-2023-35391 ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability No No 7.1 Developer Tools Microsoft Office vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-36897 Visual Studio Tools for Office Runtime Spoofing Vulnerability No No 8.1 ESU vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-35379 Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability No No 7.8 CVE-2023-36876 Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability No No 7.1 Exchange Server vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 9.8 CVE-2023-38181 Microsoft Exchange Server Spoofing Vulnerability No No 8.8 CVE-2023-38185 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8 CVE-2023-35368 Microsoft Exchange Remote Code Execution Vulnerability No No 8.8 CVE-2023-35388 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8 CVE-2023-38182 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8 Microsoft Dynamics vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-38167 Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability No No 7.2 CVE-2023-35389 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability No No 6.5 Microsoft Office vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-29328 Microsoft Teams Remote Code Execution Vulnerability No No 8.8 CVE-2023-29330 Microsoft Teams Remote Code Execution Vulnerability No No 8.8 CVE-2023-36891 Microsoft SharePoint Server Spoofing Vulnerability No No 8 CVE-2023-36892 Microsoft SharePoint Server Spoofing Vulnerability No No 8 CVE-2023-36895 Microsoft Outlook Remote Code Execution Vulnerability No No 7.8 CVE-2023-36865 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 CVE-2023-36866 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 CVE-2023-35372 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8 CVE-2023-35371 Microsoft Office Remote Code Execution Vulnerability No No 7.8 CVE-2023-36896 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 CVE-2023-36890 Microsoft SharePoint Server Information Disclosure Vulnerability No No 6.5 CVE-2023-36894 Microsoft SharePoint Server Information Disclosure Vulnerability No No 6.5 CVE-2023-36893 Microsoft Outlook Spoofing Vulnerability No No 6.5 SQL Server vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-38169 Microsoft OLE DB Remote Code Execution Vulnerability No No 8.8 System Center vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-38175 Microsoft Windows Defender Elevation of Privilege Vulnerability No No 7.8 Windows vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-35387 Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability No No 8.8 CVE-2023-38186 Windows Mobile Device Management Elevation of Privilege Vulnerability No No 7.8 CVE-2023-35382 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 CVE-2023-35386 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 CVE-2023-38154 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 CVE-2023-36904 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8 CVE-2023-36898 Tablet Windows User Interface Application Core Remote Code Execution Vulnerability No No 7.8 CVE-2023-38170 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 CVE-2023-35378 Windows Projected File System Elevation of Privilege Vulnerability No No 7 CVE-2023-36905 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 5.5 CVE-2023-36914 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability No No 5.5 CVE-2023-35384 Windows HTML Platforms Security Feature Bypass Vulnerability No No 5.4 Windows ESU vulnerabilities
CVE Title Exploited? Publicly disclosed? CVSSv3 base score CVE-2023-36910 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8 CVE-2023-36911 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8 CVE-2023-35385 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8 CVE-2023-35381 Windows Fax Service Remote Code Execution Vulnerability No No 8.8 CVE-2023-36882 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8 CVE-2023-36903 Windows System Assessment Tool Elevation of Privilege Vulnerability No No 7.8 CVE-2023-35359 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 CVE-2023-35380 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 CVE-2023-36900 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8 CVE-2023-38184 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.5 CVE-2023-35383 Microsoft Message Queuing Information Disclosure Vulnerability No No 7.5 CVE-2023-36912 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5 CVE-2023-38172 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5 CVE-2023-36913 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5 CVE-2023-36909 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5 CVE-2023-35376 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5 CVE-2023-38254 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5 CVE-2023-35377 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5 CVE-2023-36908 Windows Hyper-V Information Disclosure Vulnerability No No 5.7 CVE-2023-36889 Windows Group Policy Security Feature Bypass Vulnerability No No 5.5 CVE-2023-36906 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5 CVE-2023-36907 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5 CVE-2023-20569 AMD: CVE-2023-20569 Return Address Predictor No No N/A Ref: https://www.rapid7.com/blog/post/2023/08/08/patch-tuesday-august-2023/
Bottom Line
The August 2023 Patch Tuesday release contains important security updates for a wide range of Microsoft products. With 88 vulnerabilities addressed, including 23 critical remote code executions, system administrators should prioritize testing and deployment of these fixes.
The 6 critical-rated vulnerabilities, covering Outlook, Teams, and the Windows Message Queuing Service, deserve immediate attention given their potential impact. The actively exploited ASP.NET zero-day vulnerability also needs urgent patching.
Overall, this Patch Tuesday continues the trend of large, complex updates that must be carefully reviewed and applied to avoid security risks. Ongoing diligence with patch management remains crucial, as Microsoft delivers fixes for critical flaws each month.