Table of Contents
Overview
As a part of their Tuesday patch, Microsoft disclosed three active zero-day vulnerabilities in addition to addressing 101 other vulnerabilities. The 'Big 3' vulnerabilities, if exploited together, have the potential to enable hackers to launch a denial of service (DoS) attack from within your network. [ List of all vulnerabilities disclosed ]
What is CVE-2023-41763?
CVE-2023-41763 represents a critical vulnerability affecting Skype for Business servers. This vulnerability enables malicious actors to exploit the server by sending a specifically crafted network call, leading to the disclosure of the server's IP addresses and open ports of the server to the attacker.
What is CVE-2023-36563?
CVE-2023-36563 is another critical vulnerability that affects a wide range of Windows versions, from Windows 10 to 11, and Windows Server 2016 to 2022. This vulnerability allows an attacker to send a specially crafted file to a user through email or downloaded from the web. That file, when opened, would show the attacker the user's NTLM hash (password in encoded format). This allows an offline password attack.
What is CVE-2023-44487?
CVE-2023-44487 is the last critical vulnerability that Microsoft and many others disclosed. Many cloud providers have reported instances of this attack from early October 2023. This DoS attack leverages the rapid reset request of the HTTP/2 protocol and affects any web servers utilizing either the HTTP/2 or HTTP/3 protocols.
How Can Hackers Leverage These Vulnerabilities?
One way an attacker could use all three zero-day vulnerabilities starts with CVE-2023-41763. This allows the mal-actor to identify IP addresses and open ports on the Skype for Business server. Subsequently, the attacker would use CVE-2023-36563 to get a user's NTLM hash and crack the hash offline to get the login information for the Skype server. The attacker could then use CVE-2023-44487 to launch a DoS (Denial of Service) attack on any web server on the same network as the Skype server and avoid any external firewall or load-balancing servers.
Recommendations for Everyone
Microsoft has already advised that users update to the latest patch for all Windows machines.
.NET Framework for Windows server 2022 KB5031221
.NET framework for Windows 10 KB 5030841
.NET framework for windows server 2016, Windows 10 version 1607 KB KB5031000
Windows 10 Enterprise and education KB5031356
For those that can't patch to the latest version. Here are some workarounds for:
CVE-2023-36563 Workaround KB5032314: How to manage the OLE object conversion vulnerability associated with CVE-2023-36563 - Microsoft Support
CVE-2023-44487 Workaround CVE-2023-44487 - Security Update Guide - Microsoft - MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
Recommendations for ThreatLocker Customers
For ThreatLocker customers, two Configuration Manager Policies exist which prevents these vulnerabilities. To enable these features, head to your Configuration Portal or reach out to a ThreatLocker Cyber hero team Member to learn more.
