Microsoft security alert.
May 9, 2023
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 37 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft SharePoint Server Update for May 2023
- Severity
- Critical 4
- Qualys ID
- 110434
- Vendor Reference
- KB5002389, KB5002390, KB5002397
- CVE Reference
- CVE-2023-24950, CVE-2023-24954, CVE-2023-24955
- CVSS Scores
- Base 8.3 / Temporal 6.9
- Description
-
Microsoft has released May 2023 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5002390
KB5002389
KB5002397
QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft Sharepoint via the Windows Registry. Below is the mapping of Filename, patched version and KB details checked for each applicable Product: ONETUTIL.DLL - 16.0.5395.1000 (KB5002397)
ONETUTIL.DLL - 16.0.10398.20000 (KB5002389)
PJINTL.DLL - 16.0.16130.20420 (KB5002390) - Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
May 2023
-
Microsoft Office Security Update for May 2023
- Severity
- Critical 4
- Qualys ID
- 110435
- Vendor Reference
- KB5002365, KB5002369, KB5002372, KB5002384, KB5002386
- CVE Reference
- CVE-2023-24953, CVE-2023-29333, CVE-2023-29335, CVE-2023-29344
- CVSS Scores
- Base 6.6 / Temporal 5.1
- Description
-
Microsoft has released May 2023 security updates to fix multiple security vulnerabilities.
This security update contains the following:
Office Click-2-Run and Office 365 Release Notes
Release notes for Office for Mac
KB5002369
KB5002365
KB5002372
KB5002386
KB5002384
QID Detection Logic (Authenticated):
Operating System: Windows
The detection extracts the Install Path for Microsoft Office via the Windows Registry. The QID checks the file version of "graph.exe" to identify vulnerable versions of Microsft Office. Patched Versions for Microsoft 365 Apps for enterprise, Microsoft 365 Apps for business, Office 2016 Retail (C2R), Office 2019, Office LTSC 2021, and Office 2021 are as follows
Current Channel: Version 2304 (Build 16.0.16327.20248)
Monthly Enterprise Channel: Version 2303 (Build 16.0.16227.20318)
Monthly Enterprise Channel: Version 2302 (Build 16.0.16130.20500)
Semi-Annual Enterprise Channel (Preview): Version 2302 (Build 16.0.16130.20500)
Semi-Annual Enterprise Channel: Version 2208 (Build 16.0.15601.20660)
Semi-Annual Enterprise Channel: Version 2202 (Build 16.0.14931.21000)
Office 2021 Retail: Version 2304 (Build 16.0.16327.20248)
Office 2019 Retail: Version 2304 (Build 16.0.16327.20248)
Office 2016 Retail: Version 2304 (Build 16.0.16327.20248)
Office LTSC 2021 Volume Licensed: Version 2108 (Build 16.0.14332.20503)
Office 2019 Volume Licensed: Version 1808 (Build 16.0.10398.20008)For traditional MSI Installations, following KBs and version are the required:
KB5002369 - 16.0.5395.1000 (Winword.exe)
KB5002365 - 15.0.5553.1000 (Winword.exe)
KB5002372 - 16.0.10398.20000 (microsoft.office.web.agentmanager.exe)
KB5002386 - 16.0.5395.1000 (Excel.exe)
KB5002384 - 15.0.5553.1000 (Excel.exe)QID Detection Logic (Authenticated):
Operating System: MacOS
The QID checks the installed applications on the MacOS host to find the installed Microsoft Office Apps. Microsoft Office Apps lower than 16.73 are vulnerable. - Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Office Click-2-Run and Office 365 Release Notes
Release notes for Office for Mac
KB5002369
KB5002365
KB5002372
KB5002386
KB5002384
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft office May 2023
-
Microsoft Visual Studio Code Security Update for May 2023
- Severity
- Serious 3
- Qualys ID
- 378477
- Vendor Reference
- CVE-2023-29338
- CVE Reference
- CVE-2023-29338
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.
Affected Versions:
Visual studio code prior to version 1.78.1QID Detection Logic(Authenticated):
This QID checks for the vulnerable versions of Visual Studio Code.
- Consequence
-
Visual Studio Code is prone to Information Disclosure Vulnerability
- Solution
-
Customers are advised to refer to CVE-2023-29338 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2023-29338
-
Microsoft Windows Sysmon Elevation of Privilege Vulnerability for May 2023
- Severity
- Critical 4
- Qualys ID
- 92012
- Vendor Reference
- CVE-2023-29343
- CVE Reference
- CVE-2023-29343
- CVSS Scores
- Base 7.2 / Temporal 5.6
- Description
-
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log
Affected Software
Sysmon prior to version 14.16.0.0
QID Detection Logic(Authenticated): This authenticated QID flags vulnerable systems by detecting Vulnerable versions for file Sysmon.exe - Consequence
-
Successful exploit could lead to elevation of privileges
- Solution
-
Customers are advised to refer to CVE-2023-29343 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2023-29343
-
Microsoft Windows Security Update for May 2023
- Severity
- Urgent 5
- Qualys ID
- 92014
- Vendor Reference
- KB5026361, KB5026362, KB5026363, KB5026368, KB5026370, KB5026372, KB5026382, KB5026408, KB5026409, KB5026411, KB5026413, KB5026415, KB5026419, KB5026426, KB5026427
- CVE Reference
- CVE-2023-24898, CVE-2023-24899, CVE-2023-24900, CVE-2023-24901, CVE-2023-24902, CVE-2023-24903, CVE-2023-24905, CVE-2023-24932, CVE-2023-24939, CVE-2023-24940, CVE-2023-24942, CVE-2023-24943, CVE-2023-24944, CVE-2023-24945, CVE-2023-24946, CVE-2023-24947, CVE-2023-24948, CVE-2023-24949, CVE-2023-28251, CVE-2023-28283, CVE-2023-28290, CVE-2023-29324, CVE-2023-29325, CVE-2023-29336, CVE-2023-29340, CVE-2023-29341
- CVSS Scores
- Base 7.5 / Temporal 6.2
- Description
-
Microsoft Windows Security Update - May 2023
The KB Articles associated with the update:
The patch version is 6.3.9600.20969 for KB5026415
The patch version is 6.3.9600.20969 for KB5026409
The patch version is 6.2.9200.24266 for KB5026419
The patch version is 6.2.9200.24266 for KB5026411
The patch version is 10.0.14393.5921 for KB5026363
The patch version is 10.0.10240.19926 for KB5026382
The patch version is 10.0.19041.2965 for KB5026361
The patch version is 10.0.22621.1702 for KB5026372
The patch version is 10.0.22000.1936 for KB5026368
The patch version is 10.0.20348.1726 for KB5026370
The patch version is 10.0.17763.4377 for KB5026362
The patch version is 6.1.7601.26517 for KB5026413
The patch version is 6.0.6003.22067 for KB5026408
The patch version is 6.1.7601.26517 for KB5026426
The patch version is 6.0.6003.22067 for KB5026427QID Detection Logic (Authenticated):
This QID checks for the file version of 'ntoskrnl.exe'.
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to the following KB Articles associated with the update:
KB5026415
KB5026409
KB5026419
KB5026411
KB5026363
KB5026382
KB5026361
KB5026372
KB5026368
KB5026370
KB5026456
KB5026362
KB5026366
KB5026413
KB5026408
KB5026426
KB5026427Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5026361
KB5026362
KB5026363
KB5026368
KB5026370
KB5026372
KB5026382
KB5026408
KB5026409
KB5026411
KB5026413
KB5026415
KB5026419
KB5026426
KB5026427
-
Microsoft Windows Codecs Library AV1 Video Extensions Remote Code Execution (RCE) Vulnerability for May 2023
- Severity
- Critical 4
- Qualys ID
- 92015
- Vendor Reference
- CVE-2023-29340, CVE-2023-29341
- CVE Reference
- CVE-2023-29340, CVE-2023-29341
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory.
Affected Product:
AV1 from Device Manufacturer" media codec before version 1.1.60961.0
QID detection Logic:
The gets the version of AV1VideoExtension by querying wmi class Win32_InstalledStoreProgram. - Consequence
-
An attacker who successfully exploited this vulnerability through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
- Solution
-
Users are advised to check CVE-2023-29340,
CVE-2023-29341 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2023-29340
CVE-2023-29341
-
Microsoft Windows Network File System (NFS) Remote Code Execution (RCE) Vulnerability for May 2023
- Severity
- Urgent 5
- Qualys ID
- 92016
- Vendor Reference
- CVE-2023-24941
- CVE Reference
- CVE-2023-24941
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
Microsoft Windows Network File System is vulnerable to Remote Code Execution Vulnerability.
Operating Systems: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022
This vulnerability is not exploitable in NFSV2.0 or NFSV3.0
The KB Articles associated with the update are:
KB5026415
KB5026409
KB5026419
KB5026411
KB5026363
KB5026370
KB5026362QID Detection Logic (Authenticated):
This QID checks for the file version of nfssvr.sys and checks if the mitigations have been applied.
- Consequence
-
This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).
- Solution
-
Please refer to the CVE-2023-24941 for more information pertaining to the vulnerability.
Workaround:
The following PowerShell command will disable the affected NFS server versions:
PS C:\Set-NfsServerConfiguration -EnableNFSV4 $falsePatches:
The following are links for downloading patches to fix these vulnerabilities:
KB5026362
KB5026363
KB5026370
KB5026409
KB5026411
KB5026415
KB5026419
-
Windows Installer Elevation of Privilege Vulnerability
- Severity
- Serious 3
- Qualys ID
- 92017
- Vendor Reference
- KB5026408, KB5026413, KB5026426, KB5026427
- CVE Reference
- CVE-2023-24904
- CVSS Scores
- Base 6.6 / Temporal 4.9
- Description
-
The Microsoft Windows Installer is an installation and configuration service provided with Windows. The installer service enables customers to provide better corporate deployment and provides a standard format for component management.
This vulnerability would enable an attacker to delete specific files on a targeted system but not view or modify their contents. While there is no risk to the confidentiality of the data, the vulnerability poses a significant threat to the integrity and availability of the affected system.
QID Detection Logic (Authenticated):
Operating System: Windows Server 2008 and 2008 R2
The detection checks the msi.dll version and KB details: msi.dll - 5.0.7601.26514 (KB5026426)
msi.dll - 5.0.7601.26514 (KB5026413)
msi.dll - 4.5.6003.22065 (KB5026408)
msi.dll - 4.5.6003.22065 (KB5026427)
- Consequence
- Successful exploitation could lead to the deletion of critical data, potentially causing severe disruptions to the system's services and operations.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft office May 2023
-
Microsoft Azure Stack Hub Security Update for May 2023
- Severity
- Urgent 5
- Qualys ID
- 92018
- Vendor Reference
- Azure Stack Hub
- CVE Reference
- CVE-2023-24900, CVE-2023-24901, CVE-2023-24903, CVE-2023-24932, CVE-2023-24939, CVE-2023-24940, CVE-2023-24941, CVE-2023-24942, CVE-2023-24943, CVE-2023-24944, CVE-2023-24945, CVE-2023-24946, CVE-2023-24947, CVE-2023-24948, CVE-2023-24949, CVE-2023-28251, CVE-2023-28283, CVE-2023-29324, CVE-2023-29325
- CVSS Scores
- Base 10 / Temporal 7.8
- Description
-
Azure Stack Hub is an extension of Azure that provides a way to run apps in an on-premises environment and deliver Azure services in your datacenter.
A complete Qualys vulnerability scan report for Microsoft Azure Stack Hub can be obtained at Azure Stack Vulnerability Scan Report.
QID Detection Logic (Authenticated):
This QID checks for the file version of ntoskrnl.exe, if this file version is less than 10.0.17763.11446, it is considered as vulnerable.
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Customers are encouraged to connect with Microsoft for obtaining more information about patches and upcoming releases.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Azure Stack Hub
These new vulnerability checks are included in Qualys vulnerability signature 2.5.764-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110434
- 110435
- 378477
- 92012
- 92014
- 92015
- 92016
- 92017
- 92018
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.