[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Wed Oct 11 12:09:14 PDT 2023


Good afternoon,

The SOC Services team is reporting on the vulnerability CVE-2023-36563: Microsoft WordPad Information Disclosure Vulnerability. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On October 10, 2023, Microsoft released a security notification about CVE-2023-36563. CISA added CVE-2023-36563 to its Known Exploited Vulnerabilities catalog the same day.

There are 33 affected product versions, which are listed in the security notification from Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36563

A general list of affected products:

  *   Windows 10
  *   Windows 11
  *   Windows Server 2008
  *   Windows Server 2012
  *   Windows Server 2016
  *   Windows Server 2019
  *   Windows Server 2022

Intelligence:  As of October 10, 2023, the vulnerability has been confirmed as being exploited in the wild.

Workarounds: There are no workarounds for this vulnerability.

How it works:  The vulnerability allows for information disclosure, specifically of NTLM (Windows New Technology LAN Manager) hashes. An attacker can steal NTLM hashes by utilizing the preview pane when a document is opened. NTLM hashes are valuable for gaining account access because the protocol relies on them for authentication, and an attacker who exploits the vulnerability would be able to crack the hashes or use them in an NTLM relay attack.

Post-Exploit: The successful exploitation of the vulnerability could allow the disclosure of NTLM hashes.

As of October 11, 2023, the following vulnerability plugins are currently available in Tenable Security Center:

Plugin | Title | Severity
182865 <https://www.tenable.com/plugins/nessus/182865> | KB5031361: Windows 10 version 1809 / Windows Server 2019 Security Update (October 2023) | Critical
182864 <https://www.tenable.com/plugins/nessus/182864> | KB5031407: Windows Server 2012 R2 Security Update (October 2023) | Critical
182862 <https://www.tenable.com/plugins/nessus/182862> | KB5031362: Windows 10 Version 1607 and Windows Server 2016 Security Update (October 2023) | Critical
182858 <https://www.tenable.com/plugins/nessus/182858> | KB5031358: Windows 11 version 21H2 Security Update (October 2023) | Critical
182857 <https://www.tenable.com/plugins/nessus/182857> | KB5031441: Windows Server 2008 R2 Security Update (October 2023) | Critical
182856 <https://www.tenable.com/plugins/nessus/182856> | KB5031427: Windows Server 2012 Security Update (October 2023) | Critical
182855 <https://www.tenable.com/plugins/nessus/182855> | KB5031354: Windows 11 version 22H2 Security Update (October 2023) | Critical
182854 <https://www.tenable.com/plugins/nessus/182854> | KB5031356: Windows 10 Version 21H2 / Windows 10 Version 22H2 Security Update (October 2023) | Critical
182853 <https://www.tenable.com/plugins/nessus/182853> | KB5031411: Windows Server 2008 Security Update (October 2023) | Critical
182852 <https://www.tenable.com/plugins/nessus/182852> | KB5031377: Windows 10 LTS 1507 Security Update (October 2023) | Critical
182851 <https://www.tenable.com/plugins/nessus/182851> | KB5031364: Windows 2022 / Azure Stack HCI 22H2 Security Update (October 2023) | Critical

Recommended Actions:


  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.





