ION Threat Advisory: November Update

Executive Summary

This November update contains patches for 64 different vulnerabilities in Microsoft products. It includes three rated critical and three that are being actively exploited.

Actively Exploited Vulnerabilities

  • CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability

When successfully exploited, both CVE-2023-36036 and CVE-2023-36033 allow an attacker to gain SYSTEM privileges. These will likely be paired with remote code execution (RCE) vulnerabilities: an attacker first gains arbitrary user-level execution on a target’s machine, then uses one of the above CVEs to escalate to SYSTEM-level control.

CVE-2023-36025 is noteworthy because Windows SmartScreen is the operating system’s built-in anti-phishing and anti-malware feature. Attackers will use this vulnerability to evade the user prompts that would otherwise warn about, or prevent, opening a malicious document.

Critical Vulnerabilities

At the time of this publication, none of these critical vulnerabilities have been reported as actively exploited or publicly disclosed.

  • CVE-2023-36052 – Azure CLI REST Command Information Disclosure Vulnerability
  • CVE-2023-36400 – Windows HMAC Key Derivation Elevation of Privilege Vulnerability
  • CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

CVE-2023-36397, a remote code execution vulnerability in the Windows Pragmatic General Multicast (PGM) protocol, is noteworthy because PGM has also received patches in prior months. Exploitation should be difficult, however: it requires local network access, and PGM is not typically enabled.

Next Steps

Apply patches as soon as possible, after appropriate testing.
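A defender-side check for the step above, added here as an example and not part of the Ontinue advisory: a PowerShell snippet that lists updates installed on a host since the November Patch Tuesday date, reports the SmartScreen setting relevant to CVE-2023-36025, and checks whether the PGM (Reliable Multicast) driver is present, which bears on CVE-2023-36397. The release date, the Explorer SmartScreenEnabled registry value and the RMCAST driver name are assumptions of this example, not values stated in the advisory.

```powershell
# Added example (not from the advisory). Run in an elevated PowerShell session on the host being checked.
# Assumption: the November 2023 Patch Tuesday release date; adjust it to match your own patch cycle.
$patchTuesday = Get-Date '2023-11-14'

# 1. Updates installed on or after the release date. An empty result means this
#    month's cumulative update has not landed on the host yet.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    Write-Host "Updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since $($patchTuesday.ToShortDateString()); the November update appears to be missing."
}

# 2. SmartScreen setting (relevant to CVE-2023-36025). Assumption: the Explorer
#    SmartScreenEnabled value; 'Off' means users receive no warning on untrusted files.
$ssKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$ss = (Get-ItemProperty -Path $ssKey -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
if (-not $ss) { $ss = 'Not configured' }
Write-Host "SmartScreen (Explorer) setting: $ss"

# 3. Is the PGM / Reliable Multicast driver present (relevant to CVE-2023-36397)?
#    Assumption: the driver is registered as a system driver whose name contains 'rmcast'.
$pgm = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name LIKE '%rmcast%'" -ErrorAction SilentlyContinue
if ($pgm) {
    Write-Warning "Reliable Multicast (PGM) driver present: state=$($pgm.State), start mode=$($pgm.StartMode)"
} else {
    Write-Host "Reliable Multicast (PGM) driver not present; the CVE-2023-36397 attack surface is absent on this host."
}
```

The script only reads state and never changes it, so it can be run broadly across a fleet; a missing update, a SmartScreen value of `Off`, or a present PGM driver are the three findings worth turning into tickets after the update has been tested.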

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Carlo Keay

Balazs Greksza

Domenico de Vitto