Cloud Platform
Platform
Solutions
Resources
Customers
Partners
Community
Support
Company
Login
Contact us
Try it
Asset Management
Vulnerability & Configuration Management
Risk Remediation
Threat Detection & Response
  • Overview

  • Platform Apps

  • Qualys Endpoint Security

    Advanced endpoint threat protection, improved threat context, and alert prioritization

  • Context XDR

    Extend detection and response beyond the endpoint to the enterprise

Compliance
Cloud Security
Cyber Risk Series | Cloud Security Edition | February 28 | Register Now

Microsoft security alert.

May 9, 2023

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 37 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft SharePoint Server Update for May 2023

    Severity
    Critical 4
    Qualys ID
    110434
    Vendor Reference
    KB5002389, KB5002390, KB5002397
    CVE Reference
    CVE-2023-24950, CVE-2023-24954, CVE-2023-24955
    CVSS Scores
    Base 8.3 / Temporal 6.5
    Description
    Microsoft has released May 2023 security updates to fix multiple security vulnerabilities.

    This security update contains the following KBs:

    KB5002390
    KB5002389
    KB5002397
    QID Detection Logic (Authenticated):
    Operating System: Windows
    The detection extracts the Install Path for Microsoft Sharepoint via the Windows Registry. Below is the mapping of Filename, patched version and KB details checked for each applicable Product: ONETUTIL.DLL - 16.0.5395.1000 (KB5002397)
    ONETUTIL.DLL - 16.0.10398.20000 (KB5002389)
    PJINTL.DLL - 16.0.16130.20420 (KB5002390)

    Consequence
    Successful exploitation allows an attacker to execute code remotely.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    May 2023

  • Microsoft Office Security Update for May 2023

    Severity
    Critical 4
    Qualys ID
    110435
    Vendor Reference
    KB5002365, KB5002369, KB5002372, KB5002384, KB5002386
    CVE Reference
    CVE-2023-24953, CVE-2023-29333, CVE-2023-29335, CVE-2023-29344
    CVSS Scores
    Base 6.6 / Temporal 5.1
    Description
    Microsoft has released May 2023 security updates to fix multiple security vulnerabilities.

    This security update contains the following:

    Office Click-2-Run and Office 365 Release Notes
    Release notes for Office for Mac
    KB5002369
    KB5002365
    KB5002372
    KB5002386
    KB5002384
    QID Detection Logic (Authenticated):
    Operating System: Windows
    The detection extracts the Install Path for Microsoft Office via the Windows Registry. The QID checks the file version of "graph.exe" to identify vulnerable versions of Microsft Office. Patched Versions for Microsoft 365 Apps for enterprise, Microsoft 365 Apps for business, Office 2016 Retail (C2R), Office 2019, Office LTSC 2021, and Office 2021 are as follows
    Current Channel: Version 2304 (Build 16.0.16327.20248)
    Monthly Enterprise Channel: Version 2303 (Build 16.0.16227.20318)
    Monthly Enterprise Channel: Version 2302 (Build 16.0.16130.20500)
    Semi-Annual Enterprise Channel (Preview): Version 2302 (Build 16.0.16130.20500)
    Semi-Annual Enterprise Channel: Version 2208 (Build 16.0.15601.20660)
    Semi-Annual Enterprise Channel: Version 2202 (Build 16.0.14931.21000)
    Office 2021 Retail: Version 2304 (Build 16.0.16327.20248)
    Office 2019 Retail: Version 2304 (Build 16.0.16327.20248)
    Office 2016 Retail: Version 2304 (Build 16.0.16327.20248)
    Office LTSC 2021 Volume Licensed: Version 2108 (Build 16.0.14332.20503)
    Office 2019 Volume Licensed: Version 1808 (Build 16.0.10398.20008)

    For traditional MSI Installations, following KBs and version are the required:
    KB5002369 - 16.0.5395.1000 (Winword.exe)
    KB5002365 - 15.0.5553.1000 (Winword.exe)
    KB5002372 - 16.0.10398.20000 (microsoft.office.web.agentmanager.exe)
    KB5002386 - 16.0.5395.1000 (Excel.exe)
    KB5002384 - 15.0.5553.1000 (Excel.exe)

    QID Detection Logic (Authenticated):
    Operating System: MacOS
    The QID checks the installed applications on the MacOS host to find the installed Microsoft Office Apps. Microsoft Office Apps lower than 16.73 are vulnerable.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Office Click-2-Run and Office 365 Release Notes
    Release notes for Office for Mac
    KB5002369
    KB5002365
    KB5002372
    KB5002386
    KB5002384

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft office May 2023

  • Microsoft Visual Studio Code Security Update for May 2023

    Severity
    Serious 3
    Qualys ID
    378477
    Vendor Reference
    CVE-2023-29338
    CVE Reference
    CVE-2023-29338
    CVSS Scores
    Base 4.6 / Temporal 3.4
    Description
    Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.

    Affected Versions:
    Visual studio code prior to version 1.78.1

    QID Detection Logic(Authenticated):
    This QID checks for the vulnerable versions of Visual Studio Code.

    Consequence
    Visual Studio Code is prone to Information Disclosure Vulnerability
    Solution
    Customers are advised to refer to CVE-2023-29338 for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-29338

  • Microsoft Windows Sysmon Elevation of Privilege Vulnerability for May 2023

    Severity
    Critical 4
    Qualys ID
    92012
    Vendor Reference
    CVE-2023-29343
    CVE Reference
    CVE-2023-29343
    CVSS Scores
    Base 7.2 / Temporal 5.6
    Description
    System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log

    Affected Software
    Sysmon prior to version 14.16.0.0
    QID Detection Logic(Authenticated): This authenticated QID flags vulnerable systems by detecting Vulnerable versions for file Sysmon.exe

    Consequence
    Successful exploit could lead to elevation of privileges

    Solution
    Customers are advised to refer to CVE-2023-29343 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-29343

  • Microsoft Windows Security Update for May 2023

    Severity
    Urgent 5
    Qualys ID
    92014
    Vendor Reference
    KB5026361, KB5026362, KB5026363, KB5026368, KB5026370, KB5026372, KB5026382, KB5026408, KB5026409, KB5026411, KB5026413, KB5026415, KB5026419, KB5026426, KB5026427
    CVE Reference
    CVE-2023-24898, CVE-2023-24899, CVE-2023-24900, CVE-2023-24901, CVE-2023-24902, CVE-2023-24903, CVE-2023-24905, CVE-2023-24932, CVE-2023-24939, CVE-2023-24940, CVE-2023-24942, CVE-2023-24943, CVE-2023-24944, CVE-2023-24945, CVE-2023-24946, CVE-2023-24947, CVE-2023-24948, CVE-2023-24949, CVE-2023-28251, CVE-2023-28283, CVE-2023-28290, CVE-2023-29324, CVE-2023-29325, CVE-2023-29336, CVE-2023-29340, CVE-2023-29341
    CVSS Scores
    Base 7.5 / Temporal 6.2
    Description
    Microsoft Windows Security Update - May 2023

    The KB Articles associated with the update:
    The patch version is 6.3.9600.20969 for KB5026415
    The patch version is 6.3.9600.20969 for KB5026409
    The patch version is 6.2.9200.24266 for KB5026419
    The patch version is 6.2.9200.24266 for KB5026411
    The patch version is 10.0.14393.5921 for KB5026363
    The patch version is 10.0.10240.19926 for KB5026382
    The patch version is 10.0.19041.2965 for KB5026361
    The patch version is 10.0.22621.1702 for KB5026372
    The patch version is 10.0.22000.1936 for KB5026368
    The patch version is 10.0.20348.1726 for KB5026370
    The patch version is 10.0.17763.4377 for KB5026362
    The patch version is 6.1.7601.26517 for KB5026413
    The patch version is 6.0.6003.22067 for KB5026408
    The patch version is 6.1.7601.26517 for KB5026426
    The patch version is 6.0.6003.22067 for KB5026427

    QID Detection Logic (Authenticated):

    This QID checks for the file version of 'ntoskrnl.exe'.

    Consequence
    Successful exploit could compromise Confidentiality, Integrity and Availability

    Solution
    Please refer to the following KB Articles associated with the update:
    KB5026415
    KB5026409
    KB5026419
    KB5026411
    KB5026363
    KB5026382
    KB5026361
    KB5026372
    KB5026368
    KB5026370
    KB5026456
    KB5026362
    KB5026366
    KB5026413
    KB5026408
    KB5026426
    KB5026427

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB5026361
    KB5026362
    KB5026363
    KB5026368
    KB5026370
    KB5026372
    KB5026382
    KB5026408
    KB5026409
    KB5026411
    KB5026413
    KB5026415
    KB5026419
    KB5026426
    KB5026427

  • Microsoft Windows Codecs Library AV1 Video Extensions Remote Code Execution (RCE) Vulnerability for May 2023

    Severity
    Critical 4
    Qualys ID
    92015
    Vendor Reference
    CVE-2023-29340, CVE-2023-29341
    CVE Reference
    CVE-2023-29340, CVE-2023-29341
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory.

    Affected Product:
    AV1 from Device Manufacturer" media codec before version 1.1.60961.0
    QID detection Logic:
    The gets the version of AV1VideoExtension by querying wmi class Win32_InstalledStoreProgram.

    Consequence
    An attacker who successfully exploited this vulnerability through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

    Solution
    Users are advised to check CVE-2023-29340, CVE-2023-29341 for further details.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-29340
    CVE-2023-29341

  • Microsoft Windows Network File System (NFS) Remote Code Execution (RCE) Vulnerability for May 2023

    Severity
    Urgent 5
    Qualys ID
    92016
    Vendor Reference
    CVE-2023-24941
    CVE Reference
    CVE-2023-24941
    CVSS Scores
    Base 7.5 / Temporal 5.5
    Description
    Microsoft Windows Network File System is vulnerable to Remote Code Execution Vulnerability.

    Operating Systems: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022

    This vulnerability is not exploitable in NFSV2.0 or NFSV3.0

    The KB Articles associated with the update are:
    KB5026415
    KB5026409
    KB5026419
    KB5026411
    KB5026363
    KB5026370
    KB5026362

    QID Detection Logic (Authenticated):

    This QID checks for the file version of nfssvr.sys and checks if the mitigations have been applied.

    Consequence
    This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).

    Solution
    Please refer to the CVE-2023-24941 for more information pertaining to the vulnerability.

    Workaround:
    The following PowerShell command will disable the affected NFS server versions:
    PS C:\Set-NfsServerConfiguration -EnableNFSV4 $false

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB5026362
    KB5026363
    KB5026370
    KB5026409
    KB5026411
    KB5026415
    KB5026419

  • Windows Installer Elevation of Privilege Vulnerability

    Severity
    Serious 3
    Qualys ID
    92017
    Vendor Reference
    KB5026408, KB5026413, KB5026426, KB5026427
    CVE Reference
    CVE-2023-24904
    CVSS Scores
    Base 6.6 / Temporal 4.9
    Description
    The Microsoft Windows Installer is an installation and configuration service provided with Windows. The installer service enables customers to provide better corporate deployment and provides a standard format for component management. This vulnerability would enable an attacker to delete specific files on a targeted system but not view or modify their contents. While there is no risk to the confidentiality of the data, the vulnerability poses a significant threat to the integrity and availability of the affected system. QID Detection Logic (Authenticated):
    Operating System: Windows Server 2008 and 2008 R2
    The detection checks the msi.dll version and KB details: msi.dll - 5.0.7601.26514 (KB5026426)
    msi.dll - 5.0.7601.26514 (KB5026413)
    msi.dll - 4.5.6003.22065 (KB5026408)
    msi.dll - 4.5.6003.22065 (KB5026427)
    Consequence
    Successful exploitation could lead to the deletion of critical data, potentially causing severe disruptions to the system's services and operations.
    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft office May 2023

  • Microsoft Azure Stack Hub Security Update for May 2023

    Severity
    Urgent 5
    Qualys ID
    92018
    Vendor Reference
    Azure Stack Hub
    CVE Reference
    CVE-2023-24900, CVE-2023-24901, CVE-2023-24903, CVE-2023-24932, CVE-2023-24939, CVE-2023-24940, CVE-2023-24941, CVE-2023-24942, CVE-2023-24943, CVE-2023-24944, CVE-2023-24945, CVE-2023-24946, CVE-2023-24947, CVE-2023-24948, CVE-2023-24949, CVE-2023-28251, CVE-2023-28283, CVE-2023-29324, CVE-2023-29325
    CVSS Scores
    Base 10 / Temporal 7.8
    Description
    Azure Stack Hub is an extension of Azure that provides a way to run apps in an on-premises environment and deliver Azure services in your datacenter.

    A complete Qualys vulnerability scan report for Microsoft Azure Stack Hub can be obtained at Azure Stack Vulnerability Scan Report.

    QID Detection Logic (Authenticated):
    This QID checks for the file version of ntoskrnl.exe, if this file version is less than 10.0.17763.11446, it is considered as vulnerable.

    Consequence
    Successful exploit could compromise Confidentiality, Integrity and Availability

    Solution
    Customers are encouraged to connect with Microsoft for obtaining more information about patches and upcoming releases.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Azure Stack Hub

These new vulnerability checks are included in Qualys vulnerability signature 2.5.764-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 110434
    • 110435
    • 378477
    • 92012
    • 92014
    • 92015
    • 92016
    • 92017
    • 92018
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.