Microsoft released its package of updates on Tuesday, June 13, addressing 78 vulnerabilities, including 6 critical ones; no zero-day vulnerabilities were discovered, according to a report by Bleeping Computer. Among the critical issues is a privilege escalation flaw in SharePoint, tracked as CVE-2023-29357, with a CVSS rating of 9.8. The vulnerability, which was identified by Rapid7 lead engineer Adam Barnett, has not been publicly disclosed yet, but it is likely to be used soon by threat actors.
According to Microsoft, the affected products are SharePoint Enterprise Server 2016 and SharePoint Server 2019. However, no related fixes were released for SharePoint 2016.
Also, three critical remote code execution (RCE) vulnerabilities have been identified in Windows Pragmatic General Multicast (PGM); they have not yet been publicly disclosed. The fixes for PGM have been released consecutively on the third Tuesday, with the identifiers CVE-2023-32015 (CVSS rating of 9.8), CVE-2023-32014 (CVSS rating of 9.8), and CVE-2023-29363 (CVSS score of 9.8).
Mike Walters, the Vice President of Vulnerabilities and Threat Research at Action1, said that the dangers posed by these vulnerabilities are significant, with a CVSS rating of 9.8. They can be exploited over the network without the need for user interaction. Walters warns that various systems, including Windows Server 2008 and above as well as Windows 10, are vulnerable.
The Windows PGM protocol is typically used in streaming video applications and online games. With the vulnerability exposed, an attacker can send a malicious file that is capable of deleting critical files. Microsoft has provided mitigations to reduce the exposure of affected systems, directing users to check whether the service on TCP port 1801 is running and to turn it off if it is unnecessary. However, users need to be careful, as this may affect system functionality.
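
One way to carry out the check described above on a Windows host, as an added example that is not code from Microsoft or from the original article. The function name `Get-Port1801Exposure` is hypothetical; the script only reports what is listening on the port and leaves the decision to disable anything to the administrator.

```powershell
# Added example: audit a host for a listener on TCP 1801 (the port named in the article).
# Get-Port1801Exposure is a hypothetical helper name, not a built-in cmdlet.
function Get-Port1801Exposure {
    [CmdletBinding()]
    param([int]$Port = 1801)

    # Find sockets in the LISTEN state on the port; none found means no exposure here.
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        return [pscustomobject]@{ Port = $Port; Listening = $false; Findings = @() }
    }

    # Resolve each owning process to its name and to the Windows services it hosts,
    # so the report shows which service would have to be stopped.
    $findings = foreach ($procId in ($listeners.OwningProcess | Sort-Object -Unique)) {
        $proc     = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $procId")
        $addrs    = ($listeners | Where-Object OwningProcess -eq $procId).LocalAddress |
                    Sort-Object -Unique

        [pscustomobject]@{
            ProcessId      = $procId
            ProcessName    = $proc.ProcessName
            LocalAddresses = $addrs -join ', '
            Services       = ($services | ForEach-Object {
                                 '{0} (State={1}, StartMode={2})' -f $_.Name, $_.State, $_.StartMode
                             }) -join '; '
        }
    }

    [pscustomobject]@{ Port = $Port; Listening = $true; Findings = @($findings) }
}

$result = Get-Port1801Exposure
if ($result.Listening) {
    Write-Warning "TCP $($result.Port) is listening on this host:"
    $result.Findings | Format-List
    # If the service is confirmed unnecessary, an administrator can then run
    # (with <ServiceName> taken from the report above):
    #   Stop-Service -Name <ServiceName>
    #   Set-Service  -Name <ServiceName> -StartupType Disabled
} else {
    Write-Output "No listener on TCP $($result.Port)."
}
```

Run it from an elevated PowerShell session so that the owning process and its services can be resolved for system processes.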