June Patch Tuesday: VMware vuln under attack by Chinese spies, Microsoft kinda meh

Plus: Adobe, SAP and Android push updates


Microsoft has released security updates for 78 flaws for June's Patch Tuesday, and luckily for admins, none of these are under exploit.

Yesterday's critical Fortinet bug and the ongoing Progress MOVEit fallout, however, are entirely different stories, so the proverbial thoughts and prayers to the teams dealing with those messes. 

Microsoft's big patch day rated six of today's fixes as critical and four of these garnered a 9.8 severity score, so let's start with those.

CVE-2023-29357, a Microsoft SharePoint Server Elevation of Privilege Vulnerability, is one that Redmond lists as "exploitation more likely." This may be because it was used, chained with other bugs, to bypass authentication during March's Pwn2Own contest.

An attacker can use this vulnerability to gain admin privileges without any user interaction, according to Microsoft. Once they've "gained access to spoofed JWT authentication tokens, they can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," according to the security update.
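The advisory says only that spoofed JWT tokens can be used to bypass authentication; it does not say how the tokens are forged, and the following is an added illustration rather than a description of the SharePoint flaw or of Microsoft's code. It shows the checks a token-accepting service should perform so that a token the attacker wrote themselves is not honoured: allow-list the algorithm instead of trusting the token's own header, verify the signature with a constant-time compare, and enforce audience and expiry. The secret, claims and sample tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this example (not a real key).
SECRET = b"example-hmac-secret-do-not-reuse"
# Only algorithms the service deliberately supports; "none" is never here.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode())


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, alg: str = "HS256") -> str:
    """Build a sample token. Used here only to construct test inputs,
    including an unsigned one so the verifier's rejection can be shown."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "HS256":
        sig = _b64url_encode(hmac.new(SECRET, signing_input, hashlib.sha256).digest())
    else:
        sig = ""  # no signature at all
    return f"{header}.{payload}.{sig}"


def verify_token(token: str, audience: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if every check passes, otherwise None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The token's own "alg" field is attacker-controlled; only an allow-list decides.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # A valid signature is not enough: the token must be meant for this service and still live.
    if claims.get("aud") != audience:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_token({"sub": "alice", "aud": "sharepoint", "exp": now + 3600})
    unsigned = make_token({"sub": "admin", "aud": "sharepoint", "exp": now + 3600}, alg="none")
    print("signed token accepted:", verify_token(good, "sharepoint", now) is not None)
    print("unsigned token accepted:", verify_token(unsigned, "sharepoint", now) is not None)
```

The order of the checks matters less than their completeness: a service that verifies the signature but lets the header choose the algorithm, or that ignores `aud`, still accepts tokens it should not.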

The other three 9.8-rated vulnerabilities allow remote code execution (RCE): CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015. All three could allow a remote, unauthenticated attacker to execute malicious code on a Windows system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment.

"This is the third month in a row for PGM to have a CVSS 9.8 bug addressed, and it's beginning to be a bit of a theme," Zero Day Initiative's Dustin Childs pointed out. "While not enabled by default, PGM isn't an uncommon configuration. Let's hope these bugs get fixed before any active exploitation starts."

The remaining two critical patches fix a denial of service vulnerability (CVE-2023-32013) in Windows Hyper-V, and another RCE bug (CVE-2023-24897) in .NET, .NET Framework, and Visual Studio.

VMware fixes flaw, but China found it first

In other news, VMware admits one of the bugs disclosed today is already being exploited by alleged Chinese spies: CVE-2023-20867, an authentication bypass in VMware Tools that affects ESXi hypervisors, now addressed by a security update.

"A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine," the virtualization giant said.

According to Mandiant, a Chinese cyber espionage group that it tracks as UNC3886 found and exploited the flaw before VMware issued a patch. Mandiant spotted this same gang targeting VMware hypervisors for spying purposes back in 2022.

Adobe releases four patches

And on to Adobe, whose June patches are also thankfully uneventful, with none of the vulnerabilities under exploit or publicly known at the time of publication.

In total, the software provider released four patches to fix 18 bugs in Adobe Experience Manager, Commerce, Animate, and Substance 3D Designer.

The patch for Adobe Experience Manager addresses four CVEs rated important and moderate. Successful exploitation of these flaws could allow arbitrary code execution and security feature bypasses.

The Adobe Commerce update fixes 12 CVEs including one critical RCE vulnerability.

There's only one fix for both Adobe Animate and Adobe Substance 3D Designer, but these two patches also address critical RCEs.

SAP tackles XSS

SAP today released eight new Security Notes and five updates to previously released warnings. Four of these are rated high priority, eight are medium and one is low priority.

Interestingly, a whopping eight of these fix Cross-Site Scripting (XSS) vulnerabilities. This includes one of the new high-priority Security Notes, #3324285, with a CVSS score of 8.2, that fixes a Stored XSS vulnerability in UI5 Variant Management.

"This vulnerability allows an attacker to gain user-level access and compromise the confidentiality, integrity, and availability of the UI5 Variant Management application," according to Onapsis' SAP bug hunters.
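Neither SAP's note nor Onapsis describes the affected code, so the following is an added, generic illustration of the stored XSS pattern and its fix, not SAP's code or the UI5 flaw itself. A user-supplied name (here a constructed variant name) is saved and later rendered into markup; the vulnerable renderer interpolates it raw, the hardened one HTML-encodes it for both the attribute and text contexts. A small parser-based check shows the difference in what the browser would see.

```python
import html
from html.parser import HTMLParser
from typing import List

# Constructed sample: a "variant name" a user managed to store that tries to
# close the value attribute and add an event-handler attribute of its own.
STORED_VARIANT_NAME = 'Q3 report" onmouseover="alert(1)'


def render_variant_vulnerable(name: str) -> str:
    # Stored value dropped straight into markup: the pattern behind stored XSS.
    return f'<option value="{name}">{name}</option>'


def render_variant_hardened(name: str) -> str:
    # html.escape with quote=True rewrites < > & " and ', so the value can
    # neither terminate the attribute nor open a new tag in text content.
    safe = html.escape(name, quote=True)
    return f'<option value="{safe}">{safe}</option>'


class _AttrCollector(HTMLParser):
    """Collects the attribute names a browser-like parser would see on each start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(name for name, _ in attrs)


def attribute_names(fragment: str) -> List[str]:
    """Return the attribute names parsed out of a rendered fragment, in order."""
    collector = _AttrCollector()
    collector.feed(fragment)
    collector.close()
    return collector.attrs


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_variant_vulnerable),
                            ("hardened", render_variant_hardened)):
        fragment = renderer(STORED_VARIANT_NAME)
        print(f"{label}: {fragment}")
        print(f"  attributes seen by parser: {attribute_names(fragment)}")
```

The check is deliberately on parsed attributes rather than on substrings: the encoded output still contains the text `onmouseover`, but only as inert characters inside the `value` attribute, which is exactly what output encoding is meant to achieve. Encoding must match the context (attribute, text, URL, script), and this example covers the two contexts the template uses.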

Android, still hot with spyware vendors

And closing out the June patch party, Google released its Android security update earlier this month with fixes for 56 bugs. 

"The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation," according to Google. It's tracked as CVE-2023-21108. 

Another one of the June fixes addresses CVE-2022-22706, an Arm Mali GPU flaw that Google's Threat Analysis Group said has already been exploited by spyware vendors. ®
