July 17: 1 New Vuln | CVE-2023-36884

In this CISA KEV Breakdown, one vulnerability affecting Microsoft’s Office applications as well as multiple versions of Windows Server was added to the KEV. We referenced this vulnerability in our July 11 Breakdown post when it was originally disclosed: it had been observed as exploited in the wild but was not added to the KEV at that point because no patch was available. What is available now is still not a patch in the strict sense, but CISA has added the vulnerability to the KEV regardless, along with its current recommendation.

CVE ID | Vendor/Project | Software | Exploitation Consequence | GreyNoise Traffic | EPSS Score | EPSS Percentile | Due Date
CVE-2023-36884 | Microsoft | Multiple Products | Remote Code Execution | | 0.49923 | 97.04% | 08/07/2023

Notable Vulnerability Additions

CVE-2023-36884 | Microsoft Office Remote Code Execution

A vulnerability affecting multiple Windows and Office products can allow a remote attacker to execute arbitrary code. It is important to note that exploitation of this vulnerability requires user interaction. This vulnerability was disclosed as a 0-day to Microsoft by the folks over at Google TAG, and mitigation guidance was included as part of July’s Patch Tuesday. CISA currently recommends following the specific recommendations provided by Microsoft in their advisory regarding Storm-0978, also referred to as RomCom, a Russian threat actor group known for ransomware operations.

In it, Microsoft recommends enabling the “Block all Office applications from creating child processes” Attack Surface Reduction Rule as a means to prevent the behavior associated with exploiting CVE-2023-36884. Users can also set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as a preventative measure.
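To turn those two mitigations into something you can check across a fleet, here is an added PowerShell script (not from the Nucleus post or from Microsoft) that reports whether the ASR rule is in Block mode and whether the registry values are present, and applies both when run with -Apply. The rule GUID, the full registry path and the list of Office process names are assumptions based on Microsoft’s documentation; verify them against the MSRC advisory linked below before deploying.

```powershell
<#
Added example: audit (and with -Apply, set) the two CVE-2023-36884 mitigations.
Assumptions to verify against the MSRC advisory:
  - $AsrRuleId is the GUID of "Block all Office applications from creating child processes"
  - $RegPath and $OfficeExes match the registry path and process names in the advisory
Run from an elevated session on a host where Microsoft Defender Antivirus is active.
#>
param([switch]$Apply)

$AsrRuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # assumed GUID, see header note
$RegPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeExes = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
              'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'

function Test-AsrBlockRule {
    # $true only if the rule is configured AND in Block mode (action 1).
    # Audit (2) or Warn (6) would log the child process but not stop it.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) { return ($acts[$i] -eq 1) }
    }
    return $false
}

function Get-MissingRegValues {
    # Office executables that do not yet have the REG_DWORD value 1 under $RegPath.
    if (-not (Test-Path $RegPath)) { return $OfficeExes }
    $props = Get-ItemProperty -Path $RegPath
    $OfficeExes | Where-Object { $props.$_ -ne 1 }
}

if ($Apply) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    New-Item -Path $RegPath -Force | Out-Null
    foreach ($exe in $OfficeExes) {
        New-ItemProperty -Path $RegPath -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

$missing = @(Get-MissingRegValues)
$asrOk   = Test-AsrBlockRule
[pscustomobject]@{
    AsrRuleBlocking  = $asrOk
    RegValuesMissing = ($missing -join ', ')
    FullyMitigated   = $asrOk -and ($missing.Count -eq 0)
}
```

Get-MpPreference reports the configured policy, not whether Defender is the active engine enforcing it, so pair this with a check of Get-MpComputerStatus on hosts running a third-party AV.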

Microsoft reports that exploitation of this vulnerability was likely targeted at European and United States government entities during a phishing campaign in June of this year. More details on this campaign can also be found in this report from BlackBerry’s Threat Research and Intelligence team. Will Dormann, @wdormann on Twitter, has contributed to an extensive thread on reproducing the in-the-wild exploit for CVE-2023-36884, which is worth a read.

Security Advisory(s):

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36884

Footnote – CVE-2023-3519

Nucleus Security is aware of a report from Citrix for CVE-2023-3519, CVE-2023-3466 and CVE-2023-3467. These vulnerabilities affect NetScaler ADC FIPS/NDcPP and NetScaler Gateway. In the report, Citrix identified CVE-2023-3519 as having been exploited against unmitigated appliances. Organizations should ensure their appliances are up to the latest versions according to the advisory.

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Citrix vulnerabilities have been known to cause quite a bit of chaos within the security community, so organizations are encouraged to apply the patches out-of-band before attackers make too much headway in understanding the potential attack paths.

We expect that this vulnerability, specifically CVE-2023-3519, will be added to the KEV in due time now that a fix is available from the vendor.


CISA KEV Breakdown Frequently Asked Questions
  • What makes for a notable addition?
    • A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of it, or if the EPSS score reveals notable information about the vulnerability, this can warrant further analysis. It may also be the case that a particular vulnerability directly affects everyday users, in which case we highlight important information and key takeaways to ensure users and readers have easy access to actionable information.
  • When is the Breakdown released?
    • We aim to have our analysis of each KEV update posted within 24 hours of the time in which the Catalog is updated. See CISA’s full catalog here
  • I am not bound by BOD 22-01 or federal regulations, why should the KEV concern me?
    • CISA encourages all organizations to utilize the Catalog as an attribute in your vulnerability prioritization framework. Organizations looking to lessen the scope on known dangerous vulnerabilities and make a goal to remediate them can understand where they currently stand against what CISA has confirmed as exploited vulnerabilities in the wild. See CISA’s section on “How should organizations use the KEV catalog?” here.
  • What is EPSS?
    • EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. See the EPSS home page on FIRST for more information here.
  • What is the difference between EPSS probability and EPSS percent?
    • EPSS probability is the risk calculated by the model when determining the perceived threat of the vulnerability itself. Percentage is a relative comparison of the rest of the CVEs within the given sample. While the probability only changes upon refreshing the results from the model, the percentage can change purely based on the CVE sample given. In the case of the Breakdown, we use the percentage given by the pool of all CVEs with given EPSS data. Scores may vary post-release of the post given new information about the vulnerabilities and their perceived threat. For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as their FAQ page.
  • What is GreyNoise?
    • GreyNoise is a platform that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. Through their sensor network, GreyNoise observes vulnerability exploitation attempts for vulnerabilities that are exploited in the wild over the Internet. These are arguably vulnerabilities that should be at the very top of your priority list to remediate.
  • Why are GreyNoise exploitation attempts only observed on ~20% of KEV vulnerabilities?
    • Exploitation of many vulnerabilities in the CISA KEV will not be observed for many reasons that GreyNoise does a good job of explaining in this post. For example:
      • The vulnerability may not be remotely exploitable
      • Vulnerability exploitation may require authentication (and result in privilege escalation)
      • The impacted software may not be exposed to the internet
      • Mass scanning/exploitation is not occurring yet