Microsoft security alert.

September 12, 2023

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 57 vulnerabilities that were fixed in 16 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 16 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Office Security Update for September 2023

    Severity
    Critical 4
    Qualys ID
    110446
    Vendor Reference
    5002100, 5002457, 5002470, 5002477, 5002483, 5002488, 5002496, 5002497, 5002498
    CVE Reference
    CVE-2023-36761, CVE-2023-36762, CVE-2023-36764, CVE-2023-36765, CVE-2023-36766, CVE-2023-36767, CVE-2023-41764
    CVSS Scores
    Base 7.2 / Temporal 6
    Description
    Microsoft has released September 2023 security updates to fix multiple security vulnerabilities.

    This security update contains the following:

    Office Click-2-Run and Office 365 Release Notes
    KB5002477
    KB5002457
    KB5002498
    KB5002100
    KB5002488
    KB5002496
    KB5002470
    KB5002483
    KB5002497
    QID Detection Logic (Authenticated):
    Operating System: Windows
    The detection extracts the Install Path for Microsoft Office via the Windows Registry. The QID checks the file version of "graph.exe" to identify vulnerable versions of Microsoft Office.
    Patched Versions for Microsoft 365 (C2R) are:
    Current Channel: Version 2308 (Build 16731.20234)
    Monthly Enterprise Channel: Version 2307 (Build 16626.20208)
    Monthly Enterprise Channel: Version 2306 (Build 16529.20254)
    Semi-Annual Enterprise Channel (Preview): Version 2308 (Build 16731.20234)
    Semi-Annual Enterprise Channel: Version 2302 (Build 16130.20766)
    Semi-Annual Enterprise Channel: Version 2208 (Build 15601.20772)
    Office 2021 Retail: Version 2308 (Build 16731.20234)
    Office 2019 Retail: Version 2308 (Build 16731.20234)
    Office 2016 Retail: Version 2308 (Build 16731.20234)
    Office LTSC 2021 Volume Licensed: Version 2108 (Build 14332.20565)
    Office 2019 Volume Licensed: Version 1808 (Build 10402.20023)

    Note: Office click-2-run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.

    Consequence
    Vulnerable products may be prone to one or all of these vulnerabilities: Remote Code Execution, Elevation of Privilege, Spoofing, Security Feature Bypass and Information Disclosure.

    Solution
    Customers are advised to refer to these KB Articles:
    KB5002477
    KB5002457
    KB5002498
    KB5002100
    KB5002488
    KB5002496
    KB5002470
    KB5002483
    KB5002497

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Microsoft office September 2023

  • Microsoft Outlook Information Disclosure Vulnerability for September 2023

    Severity
    Critical 4
    Qualys ID
    110447
    Vendor Reference
    5002499
    CVE Reference
    CVE-2023-36763
    CVSS Scores
    Base 7.8 / Temporal 5.8
    Description
    Microsoft has released September 2023 security updates for outlook to fix an Information Disclosure Vulnerability.

    This security update contains the following KBs:
    KB5002499

    QID Detection Logic:
    This authenticated QID checks the file versions from the Microsoft advisory with the versions on affected outlook applications.

    Consequence
    Successful exploitation will lead to an Information Disclosure Vulnerability.

    Solution
    Refer to Microsoft Security Guide, and KB5002499
    for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    September 2023

  • Microsoft SharePoint Server Security Update for September 2023

    Severity
    Critical 4
    Qualys ID
    110448
    Vendor Reference
    5002472, 5002474, 5002494, 5002501
    CVE Reference
    CVE-2023-36762, CVE-2023-36764
    CVSS Scores
    Base 9 / Temporal 6.7
    Description
    Microsoft has released September 2023 security updates security updates to fix multiple security vulnerabilities.

    This security update contains the following KBs:

    KB5002494
    KB5002501
    KB5002474
    KB5002472

    QID Detection Logic (Authenticated):
    Operating System: Windows

    Consequence
    Successful exploitation allows an atacker to perform Remote Code Execution and/or Privilege Escalation Vulnerabilities.

    Solution
    Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

    KB5002494
    KB5002501
    KB5002474
    KB5002472

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    September 2023

  • Microsoft Visual Studio Code Security Update for September 2023

    Severity
    Serious 3
    Qualys ID
    378852
    Vendor Reference
    CVE-2023-36742, CVE-2023-39956
    CVE Reference
    CVE-2023-36742, CVE-2023-39956
    CVSS Scores
    Base 4.3 / Temporal 3.2
    Description
    Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.

    Affected Versions:
    Visual studio code prior to version 1.82.1

    QID Detection Logic(Authenticated):
    This QID checks for the vulnerable versions of Visual Studio Code.

    Consequence
    Visual Studio Code is prone to Remote Code Execution Vulnerability
    Solution
    Customers are advised to refer to CVE-2023-39956,CVE-2023-36742 for more information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-36742
    CVE-2023-39956

  • Microsoft Exchange Server Multiple Vulnerabilities for September 2023

    Severity
    Critical 4
    Qualys ID
    50129
    Vendor Reference
    5030524
    CVE Reference
    CVE-2023-36744, CVE-2023-36745, CVE-2023-36756, CVE-2023-36757, CVE-2023-36777
    CVSS Scores
    Base 5.8 / Temporal 4.6
    Description
    Microsoft Exchange Server 2016 and 2019 are affected by multiple vulnerabilities.

    KB Articles associated with this update are: KB5030524

    Affected Versions:
    Microsoft Exchange Server 2016 Cumulative Update 23
    Microsoft Exchange Server 2019 Cumulative Update 12
    Microsoft Exchange Server 2019 Cumulative Update 13

    QID Detection Logic (Authenticated):
    The QID checks for vulnerable version of Microsoft Exchange Server by checking the file version of Exsetup.exe.

    Consequence
    Successful exploitation of the vulnerability may allow remote code execution and spoofing

    Solution
    Microsoft has released patch, customers are advised to refer to KB5030524 for information pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB5030524

  • Microsoft Dynamics 365 Security Update for September 2023

    Severity
    Critical 4
    Qualys ID
    92055
    Vendor Reference
    CVE-2023-36433, CVE-2023-36886, CVE-2023-38164
    CVE Reference
    CVE-2023-36433, CVE-2023-36886, CVE-2023-38164
    CVSS Scores
    Base 5.5 / Temporal 4.1
    Description
    Microsoft Dynamics 365 is a product line of enterprise resource planning and customer relationship management intelligent business applications.

    Affected Software:
    Microsoft Dynamics 365 (on-premises) prior to 9.0.49.4

    Microsoft Dynamics 365 (on-premises) prior to 9.1.21.5

    QID Detection Logic(Authenticated):
    This authenticated QID flags vulnerable systems by detecting Vulnerable versions for file Microsoft.Crm.Setup.Server.exe:

    Consequence
    Successful exploitation of this vulnerability could lead to a Cross-site Scripting Vulnerability

    Solution
    Customers are advised to refer to 5029396 and 5030608 for more details pertaining to this vulnerability.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB5029396
    KBKB5030608

  • Azure DevOps Server Security Update for September 2023

    Severity
    Critical 4
    Qualys ID
    92056
    Vendor Reference
    CVE-2023-33136, CVE-2023-38155
    CVE Reference
    CVE-2023-33136, CVE-2023-38155
    CVSS Scores
    Base 6.8 / Temporal 5
    Description

    Azure DevOps Server is a Microsoft product that provides version control, reporting, requirements management, project management, automated builds, testing, and release management capabilities.
    CVE-2023-38155: Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

    CVE-2023-33136: Azure DevOps Server Remote Code Execution Vulnerability.

    Affected Software:
    Azure DevOps Server 2020.0.2
    Azure DevOps Server 2019.1.2
    Azure DevOps Server 2020.1.2
    Azure DevOps Server 2022.0.1
    Azure DevOps Server 2019.0.1

    QID Detection Logic(Authenticated):
    This authenticated QID flags vulnerable systems by detecting Vulnerable versions for file Microsoft.TeamFoundation.Framework.Server.dll.

    Consequence
    An attacker who successfully exploited this vulnerability could gain administrator privileges.

    Solution
    Customers are advised to refer to CVE-2023-38155, CVE-2023-33136 for more details.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-33136
    CVE-2023-38155

  • Microsoft Windows Security Update for September 2023

    Severity
    Critical 4
    Qualys ID
    92057
    Vendor Reference
    KB5030209, KB5030211, KB5030213, KB5030214, KB5030216, KB5030217, KB5030219, KB5030220, KB5030261, KB5030265, KB5030269, KB5030271, KB5030278, KB5030279, KB5030286, KB5030287, KB5030325
    CVE Reference
    CVE-2023-35355, CVE-2023-36801, CVE-2023-36802, CVE-2023-36803, CVE-2023-36804, CVE-2023-36805, CVE-2023-38139, CVE-2023-38140, CVE-2023-38141, CVE-2023-38142, CVE-2023-38143, CVE-2023-38144, CVE-2023-38146, CVE-2023-38147, CVE-2023-38148, CVE-2023-38149, CVE-2023-38150, CVE-2023-38152, CVE-2023-38160, CVE-2023-38161, CVE-2023-38162
    CVSS Scores
    Base 8.3 / Temporal 6.9
    Description
    Microsoft Windows Security Update - September 2023

    The Patch Version is 10.0.14393.62525030213
    The Patch Version is 10.0.19041.34485030211
    The Patch Version is 10.0.22621.22835030219
    The Patch Version is 10.0.22000.24165030217
    The Patch Version is 10.0.20348.19705030216
    The Patch Version is 10.0.17763.48515030214
    The Patch Version is 6.3.9600.215635030269
    The Patch Version is 6.3.9600.215635030287
    The Patch Version is 6.2.9200.244625030278
    The Patch Version is 6.2.9200.244625030279
    The Patch Version is 6.1.7601.267135030265
    The Patch Version is 6.1.7601.267135030261
    The Patch Version is 6.0.6003.222645030271
    The Patch Version is 6.0.6003.222645030286
    The Patch Version is 10.0.10240.201615030220
    QID Detection Logic (Authenticated):

    This QID checks for the file version of 'ntoskrnl.exe'. Note: This QID checks for windows Server 2022 Azuro Hotpatch through below registry key
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Update\TargetingInfo\DynamicInstalled\Hotpatch.amd64

    Consequence
    Successful exploit could compromise Confidentiality, Integrity and Availability

    Solution
    Please refer to the following KB Articles associated with the update:
    5030213
    5030211
    5030219
    5030217
    5030216
    5030214
    5030269
    5030287
    5030278
    5030279
    5030265
    5030261
    5030271
    5030286
    5030220

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    KB5030211
    KB5030213
    KB5030214
    KB5030216
    KB5030217
    KB5030219
    KB5030220
    KB5030261
    KB5030265
    KB5030269
    KB5030271
    KB5030278
    KB5030279
    KB5030286
    KB5030287

  • Microsoft Windows Defender Attack Surface Reduction Security Feature Bypass Vulnerability for September 2023

    Severity
    Critical 4
    Qualys ID
    92058
    Vendor Reference
    CVE-2023-38163
    CVE Reference
    CVE-2023-38163
    CVSS Scores
    Base 4.6 / Temporal 3.4
    Description
    Microsoft Defender is prone to Attack Surface Reduction Security Feature Bypass Vulnerability Affected Software:
    Microsoft Defender Security Intelligence Updates

    Affected Version:
    Windows Defender prior to build 1.391.1332.0
    QID Detection Logic (Authenticated):
    The authenticated check looks for a vulnerable version of file under system32 directory MpSigStub.exe

    Consequence
    An attacker who successfully exploited this vulnerability could bypass the Windows Defender Attack Surface Reduction blocking feature.
    Solution
    Users are advised to check CVE-2023-38163 for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-38163

  • Microsoft .NET Framework Update for September 2023

    Severity
    Serious 3
    Qualys ID
    92059
    Vendor Reference
    KB5029921, KB5029924, KB5030178, KB5030179, KB5030180, KB5030181, KB5030182, KB5030183, KB5030184, KB5030185, KB5030186
    CVE Reference
    CVE-2023-36788, CVE-2023-36792, CVE-2023-36793, CVE-2023-36794, CVE-2023-36796
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    A Remote Code Execution Vulnerability exist in Microsoft .Net Framework.

    Following KBs are covered in this detection:
    5030186
    5030178
    5030182
    5030184
    5030183
    5030185
    5030180
    5029921
    5030179
    5030181
    5029924

    This security update is rated Important for supported versions of Microsoft .NET Framework.
    .NET Framework 2.0, 3.0, 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, and 4.8.1

    QID Detection Logic (Authenticated):
    Checks for vulnerable file version of ntoskrnl.exe or Mscorlib.dll or System.core.dll or System.web.dll for the respective .Net Framework KBs

    Consequence
    Successful exploitation may allow a attacker to perform Remote Code Execution and/or Elevation of Privileges.
    Solution
    Customers are advised to refer to CVE-2023-36788, CVE-2023-36792, CVE-2023-36793, CVE-2023-36794 and CVE-2023-36796 for more details pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-36788
    CVE-2023-36792
    CVE-2023-36793
    CVE-2023-36794
    CVE-2023-36796

  • Microsoft Visual Studio Security Updates for September 2023 (CVE-2023-36758)

    Severity
    Critical 4
    Qualys ID
    92060
    Vendor Reference
    CVE-2023-36758
    CVE Reference
    CVE-2023-36758
    CVSS Scores
    Base 8.7 / Temporal 6.4
    Description

    Microsoft has released security Updates for Visual Studio which resolve Security Feature Bypass and Escalation of Privileges Vulnerabilities.

    Affected Software:
    Microsoft Visual Studio 2022 version 17.7

    QID Detection Logic: Authenticated : Windows
    This QID detects vulnerable versions of Microsoft Visual Studio by checking the registry key "HKLM\SOFTWARE\Microsoft" and file "evenv.exe" to check the version of the Visual Studio.

    Consequence
    An attacker who successfully exploited this vulnerability could elevate privileges to SYSTEM assigned integrity level.

    Solution
    Customers are advised to refer to CVE-2023-36758 for more information on these vulnerabilities and their patches.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-36758

  • Microsoft 3D Viewer Remote Code Execution (RCE) Vulnerability - September 2023

    Severity
    Critical 4
    Qualys ID
    92061
    Vendor Reference
    CVE-2023-36739, CVE-2023-36740, CVE-2023-36760
    CVE Reference
    CVE-2023-36739, CVE-2023-36740, CVE-2023-36760
    CVSS Scores
    Base 4.6 / Temporal 3.4
    Description
    Microsoft 3D Viewer is prone to Remote Code Execution Vulnerability.

    Affected Versions:
    Microsoft 3D-Viewer App package versions prior to 7.2306.12012.0

    QID Detection Logic (Authenticated):
    The detection gets the version of Microsoft.Microsoft3DViewer by querying wmi class Win32_InstalledStoreProgram.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.
    Solution
    Users are advised to check CVE-2023-36739,CVE-2023-36740 for more information.

    ,CVE-2023-36760 for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-36739
    CVE-2023-36740
    CVE-2023-36760

  • Microsoft Visual Studio Security Updates for September 2023 (CVE-2023-36759)

    Severity
    Serious 3
    Qualys ID
    92062
    Vendor Reference
    CVE-2023-36759
    CVE Reference
    CVE-2023-36759
    CVSS Scores
    Base 6.5 / Temporal 4.8
    Description

    Microsoft has released security Updates for Visual Studio which resolve Security Feature Bypass and Escalation of Privileges Vulnerabilities.

    Affected Software:
    Microsoft Visual Studio 2022 version 17.6
    Microsoft Visual Studio 2022 version 17.7
    Microsoft Visual Studio 2022 version 17.4
    Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
    Microsoft Visual Studio 2022 version 17.2

    QID Detection Logic: Authenticated : Windows
    This QID detects vulnerable versions of Microsoft Visual Studio by checking the registry key "HKLM\SOFTWARE\Microsoft" and file "evenv.exe" to check the version of the Visual Studio.

    Consequence
    An attacker who successfully exploited this vulnerability could elevate privileges to SYSTEM assigned integrity level.

    Solution
    Customers are advised to refer to CVE-2023-36759 for more information on these vulnerabilities and their patches.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-36759

  • Microsoft 3D Builder Remote Code Execution (RCE) Vulnerability - September 2023

    Severity
    Critical 4
    Qualys ID
    92063
    Vendor Reference
    CVE-2023-36770, CVE-2023-36771, CVE-2023-36772, CVE-2023-36773
    CVE Reference
    CVE-2023-36770, CVE-2023-36771, CVE-2023-36772, CVE-2023-36773
    CVSS Scores
    Base 4.6 / Temporal 3.4
    Description
    3D Builder is an application to View, Create, and Personalize 3D objects.
    Microsoft has released a security update to 3D Builder Application to address a remote code execution vulnerability.

    Affected Versions:
    3D Builder Version prior to 20.0.4.0

    QID Detection Logic:
    This QID gets the version of 3D Builder by querying wmi class Win32_InstalledStoreProgram.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.
    Solution
    Users are advised to check CVE-2023-36770,CVE-2023-36771 for more information.

    ,CVE-2023-36772 for more information.

    ,CVE-2023-36773 for more information.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-36770
    CVE-2023-36771
    CVE-2023-36772
    CVE-2023-36773

  • Microsoft .NET Security Update for September 2023

    Severity
    Serious 3
    Qualys ID
    92064
    Vendor Reference
    CVE-2023-36792, CVE-2023-36793, CVE-2023-36794, CVE-2023-36796, CVE-2023-36799
    CVE Reference
    CVE-2023-36792, CVE-2023-36793, CVE-2023-36794, CVE-2023-36796, CVE-2023-36799
    CVSS Scores
    Base 6.8 / Temporal 5
    Description
    Microsoft has released a security Update for .NET which resolves Remote Code Execution, and Denial of Service vulnerabilities.

    Affected versions:
    .NET 6.0 before version 6.0.22
    .NET 7.0 before version 7.0.11

    QID Detection Logic: Authenticated
    On Windows, this QID detects vulnerable versions of Microsoft .NET by checking the file version.
    On Linux, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in "/usr/share/dotnet/shared/Microsoft.NETCore.App/" and "/root/shared/Microsoft.NETCore.App" folders.
    On Mac, this QID detects vulnerable versions of Microsoft .NET by checking the .NET version present in "/usr/share/dotnet/shared/Microsoft.NETCore.App/" folder.

    Consequence
    Vulnerable versions of Microsoft .NET are prone to Remote Code Execution, and Denial of Service vulnerabilities.

    Solution
    Customers are advised to refer to CVE-2023-36799, CVE-2023-36792, CVE-2023-36793, CVE-2023-36794 and CVE-2023-36796 for more details pertaining to these vulnerabilities.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    CVE-2023-36792
    CVE-2023-36793
    CVE-2023-36794
    CVE-2023-36796
    CVE-2023-36799

  • Microsoft Azure Stack Hub Security Updates for September 2023

    Severity
    Critical 4
    Qualys ID
    92065
    Vendor Reference
    Azure Stack Hub
    CVE Reference
    CVE-2023-35355, CVE-2023-36801, CVE-2023-36802, CVE-2023-36803, CVE-2023-36804, CVE-2023-36805, CVE-2023-38139, CVE-2023-38140, CVE-2023-38141, CVE-2023-38142, CVE-2023-38143, CVE-2023-38144, CVE-2023-38147, CVE-2023-38149, CVE-2023-38152, CVE-2023-38160, CVE-2023-38161, CVE-2023-38162
    CVSS Scores
    Base 6.2 / Temporal 5.1
    Description
    Azure Stack Hub is an extension of Azure that provides a way to run apps in an on-premises environment and deliver Azure services in your datacenter.

    A complete Qualys vulnerability scan report for Microsoft Azure Stack Hub can be obtained at Azure Stack Vulnerability Scan Report.

    QID Detection Logic (Authenticated):
    This QID checks for the file version of ntoskrnl.exe, if this file version is less than , it is considered as vulnerable.

    Consequence
    Successful exploit could compromise Confidentiality, Integrity and Availability

    Solution
    Customers are encouraged to connect with Microsoft for obtaining more information about patches and upcoming releases.

    Patches:
    The following are links for downloading patches to fix these vulnerabilities:
    Azure Stack Hub

These new vulnerability checks are included in Qualys vulnerability signature 2.5.862-5. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 110446
    • 110447
    • 110448
    • 378852
    • 50129
    • 92055
    • 92056
    • 92057
    • 92058
    • 92059
    • 92060
    • 92061
    • 92062
    • 92063
    • 92064
    • 92065
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.