Rackspace Response to July 2023 Microsoft Patch Tuesday Security Advisory
by Marc Nourani, Director, Global Service Operations, Rackspace Technology
On 11 July 2023, Microsoft disclosed 132 vulnerabilities, including 6 actively exploited zero-day and 9 critical vulnerabilities. Microsoft has released patches for all vulnerabilities except one zero-day (CVE-2023-36884). This vulnerability impacts how Microsoft Office handles MSHTML files. Rackspace recommends patching CVE-2023-36884 when a patch is eventually released. Please note that Microsoft has not indicated whether this vulnerability will be patched individually or included with the August patch release. Of the vulnerabilities noted by Microsoft, Rackspace will highlight five in this post.
Three vulnerabilities (tracked as CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367) impact the “Routing and Remote Access service” (RRAS) on all current versions of Windows Server, as well as v2008. These vulnerabilities result in Remote Code Execution (RCE), do not require authentication or user interaction, and have a low attack complexity. Fortunately, RRAS is not installed or configured by default on Windows Server. We recommend that customers evaluate whether this service is or could be enabled, and either disable the service or patch it to mitigate the vulnerability.
The fourth vulnerability (tracked as CVE-2023-32057) affects Microsoft Message Queuing (MSMQ) and has a CVSS score of 9.8 (rated “critical”). To successfully exploit this vulnerability, an attacker must send a specially crafted malicious MSMQ packet to an MSMQ server, leading to remote code execution. This Windows component must be enabled for a system to be vulnerable. Microsoft recommends checking whether the “Message Queuing” service is running and TCP port 1801 is listening on the machine.
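The RRAS and MSMQ checks described above can be scripted per server. The following PowerShell is an added example, not Rackspace or Microsoft code; it assumes the Windows service names `RemoteAccess` (Routing and Remote Access) and `MSMQ` (Message Queuing), and the function names are hypothetical.

```powershell
# Added example: local exposure check for the RRAS and MSMQ advisories.
# Assumed service names: 'RemoteAccess' (RRAS) and 'MSMQ' (Message Queuing).

function Get-ServiceExposure {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_Service reports both the current state and the configured start mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; Present = $false; State = 'NotInstalled'; StartMode = 'n/a' }
    }
    [pscustomobject]@{ Service = $Name; Present = $true; State = $svc.State; StartMode = $svc.StartMode }
}

function Test-Port1801Listening {
    # Preferred path on Server 2012 and later.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return [bool](Get-NetTCPConnection -State Listen -LocalPort 1801 -ErrorAction SilentlyContinue)
    }
    # Fallback for older hosts without the NetTCPIP module.
    return [bool](netstat -an | Select-String -Pattern 'TCP\s+\S+:1801\s+\S+\s+LISTENING')
}

$rras = Get-ServiceExposure -Name 'RemoteAccess'
$msmq = Get-ServiceExposure -Name 'MSMQ'
$port = Test-Port1801Listening

# RRAS: flag if it is running, or if it could be started (start mode not Disabled).
$rrasExposed = $rras.Present -and ($rras.State -eq 'Running' -or $rras.StartMode -ne 'Disabled')
# MSMQ: flag if the service is running or anything is listening on TCP 1801.
$msmqExposed = ($msmq.State -eq 'Running') -or $port

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    RrasState        = $rras.State
    RrasStartMode    = $rras.StartMode
    RrasNeedsReview  = $rrasExposed
    MsmqState        = $msmq.State
    Tcp1801Listening = $port
    MsmqNeedsReview  = $msmqExposed
} | Format-List
```

A host flagged `NeedsReview` should either have the July 2023 updates installed or have the service disabled, in line with the recommendations above.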
The final vulnerability (tracked as CVE-2023-35352) exists within the Remote Desktop Protocol (RDP). Exploiting this vulnerability would allow an attacker to bypass authentication using certificates or private keys when initiating a remote desktop session. The vulnerability impacts Windows Server versions 2012 to 2019 and has a low attack complexity rating.
Rackspace engineers have performed an initial assessment and strongly recommend that customers review the advisories and ensure appropriate patches are installed. Rackspace customers using our Managed Patching Service will be patched during normal patching cycles.
For those customers not using Rackspace Managed Patching, we recommend patching devices as soon as possible to mitigate these vulnerabilities. Customers not using our Managed Patching Service can install the latest Windows Updates themselves or can request that Rackspace perform patching by contacting Rackspace Support.
Our security teams are actively monitoring the situation and will provide any associated updates via this blog.
Should you have any questions or require assistance in responding to these vulnerabilities, please contact a support Racker via https://www.rackspace.com/login.