After identifying threats of Remote Code Execution (RCE) attacks on GNOME Linux systems and numerous cyber threats in recent times, software giant Microsoft is tightening security. The Exchange Team, dedicated to the Microsoft Exchange Server, is pushing administrators to deploy a new security patch that directly addresses a notable vulnerability.
Addressing the Critical Vulnerability
The risk of unauthenticated attackers gaining elevated privileges first came to light with the security flaw CVE-2023-21709, which was initially addressed in the August 2023 Patch Tuesday update. The flaw allows low-complexity attacks that require no user interaction, giving attackers an opportunity to brute-force user account passwords. To counter such attempts, Microsoft has been encouraging the use of complex passwords that are difficult to guess.
Earlier measures to fix this flaw involved the release of security updates but required manual intervention for complete resolution. Administrators were told to manually remove the vulnerable Windows IIS Token Cache module or to use a PowerShell script to protect their servers against attacks exploiting CVE-2023-21709.
The New Patch is a Game Changer
In the most recent Patch Tuesday update, Microsoft has introduced a new security patch (CVE-2023-36434) that completely addresses the CVE-2023-21709 flaw. This improved update doesn't necessitate any additional manual steps, making it a more effective solution for the identified flaw.
The Exchange Team at Microsoft suggested, “Today, the Windows team has released the IIS fix for the root cause of this vulnerability, in the form of a fix for CVE-2023-36434. We recommend installing the IIS fix, after which you can re-enable the Token Cache module on your Exchange servers.”
Administrators Called Upon for Next Steps
For those who had removed the Windows IIS Token Cache module to address the previous issue, the new directive is to install the recent security updates and then restore the IIS module. Either a specific script or a command in an elevated PowerShell prompt can be used for this task.
Administrators who have yet to install the August CVE-2023-21709 security update are now being advised to install the Windows Server October 2023 security updates.
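The restore step described above can be gated on the fix actually being present. The following is an added example, not Microsoft's published script: it assumes the IIS default module name TokenCacheModule and image path cachtokn.dll, and the KB identifier is a placeholder parameter that must be taken from the CVE-2023-36434 advisory for the server's Windows version.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's script): re-register the IIS Token Cache module
# only on servers that already carry the update fixing CVE-2023-36434.
param(
    # Placeholder: KB id of the October 2023 update for this Windows Server version,
    # as listed in the CVE-2023-36434 advisory.
    [Parameter(Mandatory)] [string] $FixKbId
)

Import-Module WebAdministration

$moduleName  = 'TokenCacheModule'                        # assumed: IIS default name
$moduleImage = '%windir%\System32\inetsrv\cachtokn.dll'  # assumed: IIS default image

# 1. Do not re-enable the module on a host that lacks the IIS fix.
#    Caveat: Get-HotFix matches the exact KB only. A later cumulative update that
#    supersedes it will not match, so confirm by OS build number in that case.
$fix = Get-HotFix -Id $FixKbId -ErrorAction SilentlyContinue
if (-not $fix) {
    Write-Warning "$FixKbId not found on $env:COMPUTERNAME; leaving $moduleName disabled."
    return
}

# 2. Register the module only if the earlier mitigation removed it.
if (Get-WebGlobalModule -Name $moduleName) {
    Write-Output "$moduleName is already registered; nothing to restore."
    return
}
New-WebGlobalModule -Name $moduleName -Image $moduleImage | Out-Null

# 3. Verify the result instead of trusting the previous call.
$restored = Get-WebGlobalModule -Name $moduleName
if ($restored) {
    Write-Output "Restored $($restored.Name) -> $($restored.Image)"
} else {
    Write-Error "Failed to restore $moduleName; check applicationHost.config."
}
```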
October 2023's Patch Tuesday brought fixes for a total of 104 flaws, of which 12 were of critical severity and three were highlighted as zero-day vulnerabilities actively used in attacks. Microsoft had abstained from patching one of these, a Skype for Business Elevation of Privilege vulnerability identified as CVE-2023-41763, a flaw disclosed in September 2022 that could allow attackers to access internal systems.