No Zero-Days but PGM Flaws Cause Patch Tuesday Concern

System administrators breathed a sigh of relief yesterday after Microsoft issued a relatively light patch update round, with no zero-day vulnerabilities and only six critical CVEs on the list.

However, there was still some work to do. Among the 78 CVEs addressed was a critical SharePoint elevation of privilege bug (CVE-2023-29357), which Adam Barnett, lead software engineer at Rapid7, said organizations should prioritize.

“Microsoft isn’t aware of public disclosure or in-the-wild exploitation, but considers exploitation more likely,” he added.

“At time of writing, the FAQ provided with Microsoft’s advisory suggests that both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable, but neither the advisory nor the SharePoint 2016 Release history list any related patches for SharePoint 2016. Defenders responsible for SharePoint 2016 will no doubt wish to follow up on this one as a matter of some urgency.”

There may also be more than one patch listed for a particular SharePoint version. If so, all of them must be installed to remediate the flaw, Barnett said.

Elsewhere, there were three critical remote code execution (RCE) vulnerabilities listed for Windows Pragmatic General Multicast (PGM) – the third Patch Tuesday in a row to feature at least one critical RCE bug in PGM. These are CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363.

Mike Walters, VP of vulnerability and threat research at Action1, explained that the Windows PGM protocol is commonly used in video streaming and online gaming applications.

“These vulnerabilities have a high CVSS rating of 9.8 and pose a serious risk. They can be exploited over the network without requiring privileges or user interaction. Affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later,” he warned.

“If the Windows Message Queuing Service is running in a PGM Server environment, an attacker could send a specially crafted file to achieve remote code execution. To mitigate this vulnerability, consider checking if the Message Queuing service is running on TCP port 1801 and disable it if not needed. However, be cautious as this may impact system functionality.”
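The check-and-disable step quoted above, written out as an added PowerShell example for this article (not code from Action1 or Microsoft). It assumes Windows Server 2012 / Windows 8 or later with PowerShell 5.1+ and local administrator rights; the `MSMQ-Multicasting` optional-feature name used to report PGM support is an assumption, and the service is only disabled when `-Disable` is passed explicitly.

```powershell
param(
    # Only stop and disable MSMQ when the operator explicitly asks for it.
    [switch]$Disable
)

# Message Queuing service (name assumed: MSMQ). Absent means no exposure via this path.
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'MSMQ service is not installed; nothing to do.'
    return
}
Write-Output ('MSMQ service: {0} (start type: {1})' -f $svc.Status, $svc.StartType)

# Is anything actually listening on TCP 1801, the Message Queuing port named in the advice?
$listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
if ($listeners.Count -gt 0) {
    $owner = Get-Process -Id $listeners[0].OwningProcess -ErrorAction SilentlyContinue
    Write-Output ('TCP 1801 is listening (PID {0}, {1})' -f $listeners[0].OwningProcess, $owner.ProcessName)
} else {
    Write-Output 'No listener on TCP 1801.'
}

# PGM support ships as the MSMQ multicasting feature; report whether it is enabled.
# (Feature name MSMQ-Multicasting is an assumption; verify with Get-WindowsOptionalFeature -Online.)
$pgm = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Multicasting' -ErrorAction SilentlyContinue
if ($pgm) { Write-Output ('MSMQ-Multicasting (PGM) feature state: {0}' -f $pgm.State) }

# Disable only on request, mirroring the "if not needed" caveat: stop the service and
# prevent it from starting again, leaving the feature installed so the change is reversible.
if ($Disable) {
    if ($svc.Status -eq 'Running') { Stop-Service -Name 'MSMQ' -Force }
    Set-Service -Name 'MSMQ' -StartupType Disabled
    Write-Output 'MSMQ service stopped and set to Disabled; re-enable with Set-Service -StartupType Automatic.'
}
```

Run it without `-Disable` first to inventory exposure across hosts; disabling MSMQ will break any application that depends on Message Queuing, which is the caution the quote raises.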
