Skip to main content

The August 2023 Patch Tuesday report has been released, providing critical information for organizations and individuals to address security vulnerabilities and software updates. This monthly event plays a crucial role in maintaining the security and stability of the Windows operating system and various other software products people rely on. In this article, we’ll break down the key highlights of the August 2023 Patch Tuesday report, focusing on the most pressing concerns for users and administrators.

Notably, Microsoft has released fixes for 88 vulnerabilities in August 2023 Patch Tuesday report, out of which 6 were rated Critical. Microsoft also warned about the active exploitation of 1 vulnerability. Again, as with other Patch Tuesday reports, Remote Code Execution (RCE) vulnerability has topped the list with 23 occurrences in the list of vulnerabilities. Let’s break down what is there in the report that Microsoft released on 8th August.

Key Highlights- Patch Tuesday August 2023

Two of the flaws are zero-day vulnerabilities, one of which is being actively exploited in the wild. In addition to the RCE flaws, this release covers privilege escalation bugs, information disclosure issues, spoofing weaknesses, and denial of service vulnerabilities across a wide range of Microsoft products.

Key affected products include Windows, Internet Explorer, Office, Exchange Server, SQL Server, Visual Studio, and Microsoft Dynamics. Administrators and end users are advised to apply these security updates as soon as possible to ensure systems are not vulnerable to any of the fixed flaws.

Key Highlights are:

  • Microsoft’s August’s 2023 Patch Tuesday included updates for 88 security flaws, including two Security Advisories and 12 browser vulnerabilities.
  • 2 of them are Zero-Days, with one publicly disclosed.
  • The patch covered 23 Remote Code Execution (RCE) vulnerabilities, 6 of which were rated as ‘Critical.’The 2 zero-day vulnerabilities patched are:
    • CVE-2023-38180 – Actively exploited ASP.NET zero-day denial of service vulnerability
    • CVE-2023-36884 – Previously disclosed Windows zero-day vulnerability

Vulnerabilities by Category

The complete list of 88 vulnerabilities is classified into six categories. Remote Code Execution Vulnerability has been identified as the most common vulnerability, occurring 23 times, while Security Feature Bypass is the least frequent vulnerability, occurring only 3 times. Please refer to the below chart for complete details on all categories of vulnerabilities:

Vulnerabilities by Category - Patch Tuesday August 2023
Elevation of Privilege vulnerabilities CVE-2023-38176
CVE-2023-35359
CVE-2023-36876
CVE-2023-38167
CVE-2023-36869
CVE-2023-35390
CVE-2023-36899
CVE-2023-36873
CVE-2023-36904
CVE-2023-36900
CVE-2023-38175
CVE-2023-38186
CVE-2023-35378
CVE-2023-38154
CVE-2023-35382
CVE-2023-35386
CVE-2023-35380
Security Feature Bypass vulnerabilities CVE-2023-38157
CVE-2023-35384
Remote Code Execution vulnerabilities CVE-2023-38185
CVE-2023-35388
CVE-2023-35368
CVE-2023-29328
CVE-2023-29330
CVE-2023-36895
CVE-2023-36896
CVE-2023-35371
CVE-2023-38169
CVE-2023-36898
CVE-2023-38170
CVE-2023-32051
CVE-2023-35303
CVE-2023-38184
CVE-2023-35315
CVE-2023-35297
CVE-2023-300
CVE-2023-36910
CVE-2023-36911
CVE-2023-35385
Information Disclosure vulnerabilities CVE-2023-35391
CVE-2023-36890
CVE-2023-36894
CVE-2023-36905
CVE-2023-36907
CVE-2023-36906
CVE-2023-35383
CVE-2023-36913
Denial of Service vulnerabilities CVE-2023-38180
CVE-2023-38178
CVE-2023-36909
CVE-2023-35376
CVE-2023-38172
CVE-2023-38254
CVE-2023-35377
Spoofing vulnerabilities CVE-2023-38181
CVE-2023-36893
CVE-2023-36891
CVE-2023-36892
CVE-2023-35394
CVE-2023-35393
CVE-2023-36881
CVE-2023-36877
CVE-2023-38188

List of Products Patched in August 2023 Patch Tuesday Report

Microsoft’s August 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

  • NET Core
  • .NET Framework
  • ASP.NET
  • ASP.NET and Visual Studio
  • Azure Arc
  • Azure DevOps
  • Azure HDInsights
  • Dynamics Business Central Control
  • Memory Integrity System Readiness Scan Tool
  • Microsoft Dynamics
  • Microsoft Exchange Server
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office Outlook
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Teams
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows Codecs Library
  • Reliability Analysis Metrics Calculation Engine
  • Role: Windows Hyper-V
  • SQL Server
  • Tablet Windows User Interface
  • Windows Bluetooth A2DP driver
  • Windows Cloud Files Mini Filter Driver
  • Windows Common Log File System Driver
  • Windows Cryptographic Services
  • Windows Defender
  • Windows Fax and Scan Service
  • Windows Group Policy
  • Windows HTML Platform
  • Windows Kernel
  • Windows LDAP – Lightweight Directory Access Protocol
  • Windows Message Queuing
  • Windows Mobile Device Management
  • Windows Projected File System
  • Windows Reliability Analysis Metrics Calculation Engine
  • Windows Smart Card
  • Windows System Assessment Tool
  • Windows Wireless Wide Area Network Service

List of Actively Exploited Vulnerabilities Patched in August 2023 Patch Tuesday

Microsoft patched an actively exploited zero-day denial of service (DoS) vulnerability, CVE-2023-38180, affecting ASP.NET Core. This vulnerability can lead to denial of service in Kestrel web server if exploited. Microsoft notes that reverse proxies and web application firewalls can help mitigate such attacks.

Here is a list of the actively exploited vulnerabilities patched in the August 2023 Patch Tuesday:

  • ADV230003 – Microsoft Office Defense in Depth Update
  • CVE-2023-38180 – .NET and Visual Studio Denial of Service Vulnerability

List of Critical Vulnerabilities Patched in August 2023 Patch Tuesday

The August Patch Tuesday addressed 6 critical-rated vulnerabilities that deserve close attention:

Sl. No CVE ID Severity CVSS Description Actively Exploited Patch status
1 CVE-2023-29328 Important 8.8 Remote Code Execution Vulnerability in Microsoft Teams No Available
2 CVE-2023-29330 Important 8.8 Remote Code Execution Vulnerability in Microsoft Teams No Available
3 CVE-2023-36895 Important 7.8 Remote Code Execution Vulnerability in Microsoft Outlook No Available
4 CVE-2023-36910 Critical 9.8 Remote Code Execution Vulnerability in Microsoft Message Queuing No Available
5 CVE-2023-36911 Critical 9.8 Remote Code Execution Vulnerability in Microsoft Message Queuing No Available
6 CVE-2023-35385 Critical 9.8 Remote Code Execution Vulnerability in Microsoft Message Queuing No Available

CVE-2023-29328 and CVE-2023-29330 – Microsoft Teams Remote Code Execution Vulnerability

These two critical RCE flaws in Microsoft Teams allow an attacker to execute arbitrary code through specially crafted Teams meeting invites. The vulnerabilities are exploitable, with no user interaction required beyond joining the malicious meeting. Microsoft has rated them as “exploitation less likely” due to the difficulty in exploiting them.

CVE-2023-36895 – Microsoft Outlook Remote Code Execution Vulnerability

This critical vulnerability in Microsoft Outlook can let a remote attacker execute arbitrary code on the target system by convincing the user to open a specially crafted file. Microsoft rates the exploitability as low.

CVE-2023-36910, CVE-2023-36911, CVE-2023-35385 – Windows Message Queuing Service Remote Code Execution

These three critical vulnerabilities in the Windows Message Queuing Service, if successfully exploited, can enable remote code execution on vulnerable systems. While concerning, the service needs to be explicitly enabled and accessible through TCP port 1801 for exploitation.

Complete List of Vulnerabilities Patched in August 2023 Patch Tuesday Are

If you wish to download the complete list of vulnerabilities patched in August 2023 Patch Tuesday, you can do it from here. 

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38176 Azure Arc-Enabled Servers Elevation of Privilege Vulnerability No No 7
CVE-2023-35394 Azure HDInsight Jupyter Notebook Spoofing Vulnerability No No 4.6
CVE-2023-36877 Azure Apache Oozie Spoofing Vulnerability No No 4.5
CVE-2023-35393 Azure Apache Hive Spoofing Vulnerability No No 4.5
CVE-2023-38188 Azure Apache Hadoop Spoofing Vulnerability No No 4.5
CVE-2023-36881 Azure Apache Ambari Spoofing Vulnerability No No 4.5

Azure Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36869 Azure DevOps Server Spoofing Vulnerability No No 6.3

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38157 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability No No 6.5
CVE-2023-4078 Chromium: CVE-2023-4078 Inappropriate implementation in Extensions No No N/A
CVE-2023-4077 Chromium: CVE-2023-4077 Insufficient data validation in Extensions No No N/A
CVE-2023-4076 Chromium: CVE-2023-4076 Use after free in WebRTC No No N/A
CVE-2023-4075 Chromium: CVE-2023-4075 Use after free in Cast No No N/A
CVE-2023-4074 Chromium: CVE-2023-4074 Use after free in Blink Task Scheduling No No N/A
CVE-2023-4073 Chromium: CVE-2023-4073 Out of bounds memory access in ANGLE No No N/A
CVE-2023-4072 Chromium: CVE-2023-4072 Out of bounds read and write in WebGL No No N/A
CVE-2023-4071 Chromium: CVE-2023-4071 Heap  buffer overflow  in Visuals No No N/A
CVE-2023-4070 Chromium: CVE-2023-4070 Type Confusion in V8 No No N/A
CVE-2023-4069 Chromium: CVE-2023-4069 Type Confusion in V8 No No N/A
CVE-2023-4068 Chromium: CVE-2023-4068 Type Confusion in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35390 .NET and Visual Studio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36899 ASP.NET Elevation of Privilege Vulnerability No No 7.5
CVE-2023-38180 .NET and Visual Studio Denial of Service Vulnerability Yes No 7.5
CVE-2023-38178 .NET Core and Visual Studio Denial of Service Vulnerability No No 7.5
CVE-2023-36873 .NET Framework Spoofing Vulnerability No No 7.4
CVE-2023-35391 ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability No No 7.1

Developer Tools Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36897 Visual Studio Tools for Office Runtime Spoofing Vulnerability No No 8.1

ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35379 Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36876 Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability No No 7.1

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-21709 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 9.8
CVE-2023-38181 Microsoft Exchange Server Spoofing Vulnerability No No 8.8
CVE-2023-38185 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-35368 Microsoft Exchange Remote Code Execution Vulnerability No No 8.8
CVE-2023-35388 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8
CVE-2023-38182 Microsoft Exchange Server Remote Code Execution Vulnerability No No 8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38167 Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability No No 7.2
CVE-2023-35389 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability No No 6.5

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-29328 Microsoft Teams Remote Code Execution Vulnerability No No 8.8
CVE-2023-29330 Microsoft Teams Remote Code Execution Vulnerability No No 8.8
CVE-2023-36891 Microsoft SharePoint Server Spoofing Vulnerability No No 8
CVE-2023-36892 Microsoft SharePoint Server Spoofing Vulnerability No No 8
CVE-2023-36895 Microsoft Outlook Remote Code Execution Vulnerability No No 7.8
CVE-2023-36865 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-36866 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-35372 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2023-35371 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2023-36896 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2023-36890 Microsoft SharePoint Server Information Disclosure Vulnerability No No 6.5
CVE-2023-36894 Microsoft SharePoint Server Information Disclosure Vulnerability No No 6.5
CVE-2023-36893 Microsoft Outlook Spoofing Vulnerability No No 6.5

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38169 Microsoft OLE DB Remote Code Execution Vulnerability No No 8.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-38175 Microsoft Windows Defender Elevation of Privilege Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-35387 Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability No No 8.8
CVE-2023-38186 Windows Mobile Device Management Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35382 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35386 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38154 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36904 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36898 Tablet Windows User Interface Application Core Remote Code Execution Vulnerability No No 7.8
CVE-2023-38170 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8
CVE-2023-35378 Windows Projected File System Elevation of Privilege Vulnerability No No 7
CVE-2023-36905 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 5.5
CVE-2023-36914 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability No No 5.5
CVE-2023-35384 Windows HTML Platforms Security Feature Bypass Vulnerability No No 5.4

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-36910 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-36911 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-35385 Microsoft Message Queuing Remote Code Execution Vulnerability No No 9.8
CVE-2023-35381 Windows Fax Service Remote Code Execution Vulnerability No No 8.8
CVE-2023-36882 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability No No 8.8
CVE-2023-36903 Windows System Assessment Tool Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35359 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-35380 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2023-36900 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2023-38184 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 7.5
CVE-2023-35383 Microsoft Message Queuing Information Disclosure Vulnerability No No 7.5
CVE-2023-36912 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-38172 Microsoft Message Queuing Denial of Service Vulnerability No No 7.5
CVE-2023-36913 Microsoft Message Queuing Information Disclosure Vulnerability No No 6.5
CVE-2023-36909 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-35376 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-38254 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-35377 Microsoft Message Queuing Denial of Service Vulnerability No No 6.5
CVE-2023-36908 Windows Hyper-V Information Disclosure Vulnerability No No 5.7
CVE-2023-36889 Windows Group Policy Security Feature Bypass Vulnerability No No 5.5
CVE-2023-36906 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5
CVE-2023-36907 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5
CVE-2023-20569 AMD: CVE-2023-20569 Return Address Predictor No No N/A

Ref: https://www.rapid7.com/blog/post/2023/08/08/patch-tuesday-august-2023/

Bottom Line

The August 2023 Patch Tuesday release contains important security updates for a wide range of Microsoft products. With 88 vulnerabilities addressed, including 23 critical remote code executions, system administrators should prioritize testing and deployment of these fixes.

The 6 critical-rated vulnerabilities, covering Outlook, Teams, and the Windows Message Queuing Service, deserve immediate attention given their potential impact. The actively exploited ASP.NET zero-day vulnerability also needs urgent patching.

Overall, this Patch Tuesday continues the trend of large, complex updates that must be carefully reviewed and applied to avoid security risks. Ongoing diligence with patch management remains crucial, as Microsoft delivers fixes for critical flaws each month.

Leave a Reply