This Alert is relevant to Australians who are running Microsoft products. This alert is intended to be understood by slightly more technical users.
Users are encouraged to apply any available patches as soon as possible.
Background / What has happened?
ASD's ACSC has reviewed the Microsoft October 2023 Security Update.
- The Security Update provided patches for 104 vulnerabilities.
- 3 vulnerabilities are believed to have been exploited.
- 12 vulnerabilities are rated ‘Critical’.
The following vulnerabilities are important based on their severity, widespread use of the related product and/or likelihood of exploitation.
Last patch for Windows Server 2012/2012 R2
- This is the final Patch Tuesday for Windows Server 2012 and Windows Server 2012 R2.
- It is highly recommended that anyone still running Windows Server 2012/2012 R2 upgrades to a newer, supported version of Windows, or at minimum enrols those hosts in Microsoft's paid Extended Security Updates (ESU) programme as a stopgap while migrating.
- Running unsupported software exposes your organisation to 'forever-day' vulnerabilities: flaws that are disclosed after end of support and will never receive a patch, so every one of them stays exploitable for the life of the host.
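The first step is knowing where the remaining 2012/2012 R2 hosts are. The following is an added example (not part of the ACSC alert) that queries Active Directory for computer objects still reporting a Windows Server 2012 operating system and separates live hosts from stale objects. It assumes the ActiveDirectory RSAT module is available and that the account can read computer objects; the 30-day window and the output file name are arbitrary choices.

```powershell
# Added example, not from the ACSC alert: inventory AD for hosts that still
# report Windows Server 2012 / 2012 R2 after the final Patch Tuesday.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# The OperatingSystem attribute holds strings such as "Windows Server 2012 R2 Standard".
$legacy = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2012*"' `
            -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled |
          Where-Object { $_.Enabled } |
          Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate |
          Sort-Object LastLogonDate -Descending

# A recent LastLogonDate means the machine is alive and needs a migration or
# ESU decision; very old dates usually mean the object was never cleaned up.
$cutoff = (Get-Date).AddDays(-30)   # assumption: 30 days counts as "recently active"
$active = $legacy | Where-Object { $_.LastLogonDate -gt $cutoff }

$legacy | Format-Table -AutoSize
'{0} Server 2012/2012 R2 objects found, {1} active in the last 30 days' -f @($legacy).Count, @($active).Count

# Keep the list for tracking; the file name is an arbitrary choice.
$legacy | Export-Csv -Path .\server2012-inventory.csv -NoTypeInformation
```

Run this from a management host with RSAT installed; the CSV gives the migration owner a concrete list rather than a guess at how many hosts are affected.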
HTTP/2 Rapid Reset Attack DoS (CVE-2023-44487)
- Zero-day DDoS technique that has been actively exploited since August 2023.
- The attack abuses HTTP/2 stream cancellation (RST_STREAM): a client opens a stream, sends a request, and immediately cancels it, repeating this continuously. Each cancelled request still costs the server work, but cancelled streams no longer count against the server's concurrent-stream limit, so a single connection can generate far more load than the protocol limits were designed to allow, exhausting the server or application and causing a DoS.
- This is a weakness in the HTTP/2 protocol itself rather than a bug in one product, so every HTTP/2 server implementation needs its own update. Microsoft's October update includes fixes for its affected products, and Microsoft has also published mitigation steps (including disabling HTTP/2 on servers that do not need it) for systems that cannot be updated immediately.
- https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
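The following is an added example (not from the ACSC alert or the MSRC post) for Windows hosts serving HTTP/2 through HTTP.sys, which is what IIS and other HTTP.sys-hosted services use. It reports the current HTTP/2 registry settings, lists what is listening on the web ports, and, only when the hypothetical `-DisableHttp2` switch is given, applies Microsoft's documented workaround of setting `EnableHttp2Tls` and `EnableHttp2Cleartext` to 0 under `HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters`. It assumes an elevated PowerShell session on Windows Server 2016 or later (HTTP.sys on Windows Server 2012 R2 does not support HTTP/2).

```powershell
# Added example, not from the ACSC alert or Microsoft's post.
# Reports HTTP/2 state in HTTP.sys and optionally applies the registry
# workaround Microsoft documented for CVE-2023-44487. HTTP.sys only reads
# these values at boot, so a reboot is required after changing them.
# Run from an elevated shell.
param(
    [switch]$DisableHttp2   # assumed switch name; omit to report only
)

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$names = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

# A missing value means HTTP/2 is enabled by default (Windows Server 2016+).
$state = foreach ($n in $names) {
    $v = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
    [pscustomobject]@{
        Setting = $n
        Value   = if ($null -eq $v) { '(not set, default = enabled)' } else { $v }
    }
}
$state | Format-Table -AutoSize

# What is actually listening on the usual web ports on this host.
Get-NetTCPConnection -State Listen -LocalPort 80, 443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

if ($DisableHttp2) {
    foreach ($n in $names) {
        # DWORD 0 disables HTTP/2 for TLS and cleartext listeners respectively.
        New-ItemProperty -Path $key -Name $n -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Write-Warning 'HTTP/2 disabled in HTTP.sys registry settings; reboot required. Set the values back to 1 (or remove them) once the October update is installed if HTTP/2 is needed.'
}

# Most recent updates on this host, to confirm the October roll-up is present.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

Disabling HTTP/2 is a blunt instrument: clients fall back to HTTP/1.1, which removes the Rapid Reset vector but also the performance benefits of HTTP/2, so treat it as a bridge to patching rather than a permanent setting. Servers built on Kestrel (ASP.NET Core) do not use HTTP.sys and are covered by the .NET updates in the same release instead.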
Layer 2 Tunneling Protocol (L2TP) RCEs (CVE-2023-41765, CVE-2023-41767, CVE-2023-41768, CVE-2023-41769, CVE-2023-41770, CVE-2023-41771, CVE-2023-41773, CVE-2023-41774, CVE-2023-38166)
- 9 Critical vulnerabilities in the Windows L2TP implementation that allow Remote Code Execution (RCE).
- An unauthenticated attacker could send specially crafted protocol messages to a Routing and Remote Access Service (RRAS) server. Only systems with the RRAS role installed act as L2TP servers, so confirming whether RRAS is present is the first step in scoping exposure.
- Attack complexity is rated High and Microsoft has labelled these "Exploitation Less Likely". They are a lower priority than the MSMQ issue below, but any RRAS server reachable from the internet should still be patched promptly.
Microsoft MSMQ RCE (CVE-2023-35349)
- 20 vulnerabilities in Microsoft Message Queuing (MSMQ), 16 of which allow Remote Code Execution.
- CVE-2023-35349 is the most severe (CVSS 9.8): it allows unauthenticated RCE with low attack complexity, meaning an attacker only needs network access to the MSMQ service.
- MSMQ is not installed by default, but is pulled in as a dependency by some applications. When present, the "Message Queuing" service listens on TCP port 1801; a host where that service is running and the port is reachable is exposed.
- MSMQ vulnerabilities have featured in several recent Patch Tuesday releases, so hosts with MSMQ installed should be treated as a recurring patching priority, and MSMQ should be removed where nothing depends on it.
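Both the L2TP/RRAS and the MSMQ items above reduce to the same practical question: is the vulnerable service installed, running, and listening on this host? The following is an added example (not from the ACSC alert) that answers that for both, and, only when the hypothetical `-DisableMsmqIfUnused` switch is given, stops and removes MSMQ if no queue holds messages. The helper name `Get-ServiceExposure` and the switch name are assumptions; the ports are the standard ones (UDP 1701 for L2TP, with UDP 500/4500 for the IPsec layer, and TCP 1801 for MSMQ). It assumes an elevated session on Windows Server 2012 or later with the MSMQ PowerShell module present where MSMQ is installed.

```powershell
# Added example, not from the ACSC alert. Reports exposure of the RRAS (L2TP)
# and MSMQ services on this host and optionally removes MSMQ when unused.
# Run from an elevated shell.
param(
    [switch]$DisableMsmqIfUnused   # assumed switch name
)

# Hypothetical helper: service state plus the listeners/bindings on its ports.
function Get-ServiceExposure {
    param(
        [string]$ServiceName,
        [string]$Label,
        [int[]]$TcpPorts = @(),
        [int[]]$UdpPorts = @()
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $tcp = if ($TcpPorts) { Get-NetTCPConnection -State Listen -LocalPort $TcpPorts -ErrorAction SilentlyContinue }
    $udp = if ($UdpPorts) { Get-NetUDPEndpoint -LocalPort $UdpPorts -ErrorAction SilentlyContinue }
    [pscustomobject]@{
        Component    = $Label
        Installed    = [bool]$svc
        State        = if ($svc) { $svc.Status } else { 'n/a' }
        StartType    = if ($svc) { $svc.StartType } else { 'n/a' }
        TcpListening = ($tcp | ForEach-Object LocalPort | Sort-Object -Unique) -join ','
        UdpBound     = ($udp | ForEach-Object LocalPort | Sort-Object -Unique) -join ','
    }
}

# RRAS runs as the "RemoteAccess" service; L2TP uses UDP 1701 inside IPsec (UDP 500/4500).
# MSMQ runs as the "MSMQ" service and listens on TCP 1801.
$report = @(
    Get-ServiceExposure -ServiceName RemoteAccess -Label 'RRAS (L2TP)' -UdpPorts 1701, 500, 4500
    Get-ServiceExposure -ServiceName MSMQ         -Label 'MSMQ'        -TcpPorts 1801
)
$report | Format-Table -AutoSize

# MSMQ is a removal candidate when it is installed but holds no messages.
$msmq = $report | Where-Object Component -eq 'MSMQ'
if ($msmq.Installed -and $DisableMsmqIfUnused) {
    $busy = Get-MsmqQueue -ErrorAction SilentlyContinue | Where-Object MessageCount -gt 0
    if (-not $busy) {
        Stop-Service -Name MSMQ -Force
        Set-Service -Name MSMQ -StartupType Disabled
        # DISM feature name for the MSMQ server component.
        Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -NoRestart | Out-Null
        'MSMQ stopped, disabled and feature removed (no queued messages found).'
    } else {
        Write-Warning ('MSMQ has {0} queue(s) holding messages; left in place. Patch it and restrict TCP 1801 at the firewall instead.' -f @($busy).Count)
    }
}
```

Where MSMQ genuinely is in use, the patch plus a host or network firewall rule limiting TCP 1801 to the systems that need it is the realistic control; where RRAS is present only because it was once enabled for a VPN pilot, removing the role eliminates the L2TP exposure entirely.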
Mitigation / How do I stay secure?
Technical subject matter experts that use Microsoft products should read the associated security update guides available for their products.
Security Update Guide - Microsoft
General users should consider enabling automatic patching of Microsoft products if they have not already done so. Advice is available on the Protect Yourself: Updates page.
Assistance / Where can I go for help?
Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).