
Commit cade6ba

Dinindu-WickDGovEnterpriseadonm
authored
Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability - 20231116001 (#414)
* T1566.001 - QR Code Phishing Attachment (Quishing) - Updated the KQL with Recipient Email address
* # NSA, FBI, CISA, and Japanese Partners Release Advisory on PRC-Linked Cyber Actors - 20230928002
* Apple releases Critical Updates for Known Exploited vulnerabilities - 20231009003
* Apple releases Critical Updates for Known Exploited vulnerabilities - 20231009001
* Update T1566.001-QR-CodePhishingAttachment(Quishing).md Updated the document version number to 1.0
* Citrix Releases Security Updates for Multiple Products - 20231012001
* Updated Citrix Releases Security Updates for Multiple Products - 20231012001
* Updated Citrix Releases Security Updates for Multiple Products - 20231012001
* Added new ADS and updates
* Updated Advisory number for Citrix advisory
* Updated ADSs with macros for MITRE URL's
* Updates libraries and requirement.txt
* Removed macros for Software ID related ADS's
* Added macros to retrieve MITRE URL's
* Updated requirements.txt with BeautifulSoup4 req
* 20231023005-SolarWinds-ARM-ThreeCriticalRCEVulnerabilities.md
* Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities - 20231025001
* VMware vCenter Server updates address out-of-bounds write and information disclosure vulnerabilities - 20231026001
* Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature - 20231027004
* Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature - 20231027004
* Apple Releases Security Advisories for Multiple Products - 20231027005
* Updated CVSS score of CVE-2023-4966 - 20231012003
* Improper Authorization Vulnerability In Confluence Data Center and Server - 20231101002
* Added logic to resolve links to MITRE tactics
* Added new ADS's and updated existing ones
* Updated entry to hide Lateral Movement - Webservers in Guidelines table
* New Microsoft Exchange zero-days allow RCE, data theft attacks - 20231106002
* Updated ADS formatting and KQL Syntax's
* Updated ADS formatting and KQL Syntax's
* Minor updates to formatting
* updates to ads
* Updates to ADS
* Minor updates to ADS
* Updated ADS
* Updates to ADS
* Updated ADS
* Minor updates to ADS's
* Updates to ADSs
* Atlassian Confluence Data Center and Server Improper Authorization Vulnerability - 20231108001
* Updated Linux Webshell indicator ADS
* Updated the Technique ID in Linux Webshell Indicators
* Juniper Junos OS EX / SRX vulnerabilities - 20231114002
* Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability - 20231116001
* Update 20231116001-Microsoft-Windows-Mark-of-the-Web-(MOTW)-Security-Feature-Bypass-Vulnerability.md

---------

Co-authored-by: Joshua Hitchen (DGov) <[email protected]>
Co-authored-by: Adon Metcalfe <[email protected]>
1 parent 09e2623 commit cade6ba

1 file changed

+109
-0
lines changed
@@ -0,0 +1,109 @@
1+
# Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability - 20231116001
2+
3+
## Overview
4+
5+
This advisory provides detailed information on Microsoft recommended updates to multiple products that maybe vulnerable to Mark of the Web Security feature bypass vulnerability.
6+
7+
## What is the vulnerability?
8+
9+
[**CVE-2023-36584**](https://nvd.nist.gov/vuln/detail/CVE-2023-36584) - CVSS v3 Base Score: ***5.4***
10+
- An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.
11+
12+
## What is vulnerable?
13+
14+
The vulnerability affects the following products:
15+
16+
| **_Product_** | **_Build Number_** |
17+
|---|---|
18+
| Windows Server 2012 R2 (Server Core installation) | ***Prior*** 6.3.9600.21620 |
19+
| Windows Server 2012 R2 | ***Prior*** 6.3.9600.21620 |
20+
| Windows Server 2012 (Server Core installation) | ***Prior*** 6.2.9200.24523 |
21+
| Windows Server 2012 | ***Prior*** 6.2.9200.24523 |
22+
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | ***Prior*** 6.1.7601.26769 |
23+
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | ***Prior*** 6.1.7601.26769 |
24+
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | ***Prior*** 6.0.6003.22317 |
25+
| Windows Server 2008 for x64-based Systems Service Pack 2 | ***Prior*** 6.0.6003.22317 |
26+
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | ***Prior*** 6.0.6003.22317 |
27+
| Windows Server 2008 for 32-bit Systems Service Pack 2 | ***Prior*** 6.0.6003.22317 |
28+
| Windows Server 2016 (Server Core installation) | ***Prior*** 10.0.14393.6351 |
29+
| Windows Server 2016 | ***Prior*** 10.0.14393.6351 |
30+
| Windows 10 Version 1607 for x64-based Systems | ***Prior*** 10.0.14393.6351 |
31+
| Windows 10 Version 1607 for 32-bit Systems | ***Prior*** 10.0.14393.6351 |
32+
| Windows 10 for x64-based Systems | ***Prior*** 10.0.10240.20232 |
33+
| Windows 10 for 32-bit Systems | ***Prior*** 10.0.10240.20232 |
34+
| Windows 10 Version 22H2 for 32-bit Systems | ***Prior*** 10.0.19045.3570 |
35+
| Windows 10 Version 22H2 for ARM64-based Systems | ***Prior*** 10.0.19045.3570 |
36+
| Windows 10 Version 22H2 for x64-based Systems | ***Prior*** 10.0.19045.3570 |
37+
| Windows 11 Version 22H2 for x64-based Systems | ***Prior*** 10.0.22621.2428 |
38+
| Windows 11 Version 22H2 for ARM64-based Systems | ***Prior*** 10.0.22621.2428 |
39+
| Windows 10 Version 21H2 for x64-based Systems | ***Prior*** 10.0.19041.3570 |
40+
| Windows 10 Version 21H2 for ARM64-based Systems | ***Prior*** 10.0.19041.3570 |
41+
| Windows 10 Version 21H2 for 32-bit Systems | ***Prior*** 10.0.19041.3570 |
42+
| Windows 11 version 21H2 for ARM64-based Systems | ***Prior*** 10.0.22000.2538 |
43+
| Windows 11 version 21H2 for x64-based Systems | ***Prior*** 10.0.22000.2538 |
44+
| Windows Server 2022 (Server Core installation) | ***Prior*** 10.0.20348.2031 |
45+
| Windows Server 2022 | ***Prior*** 10.0.20348.2031 |
46+
| Windows Server 2019 (Server Core installation) | ***Prior*** 10.0.17763.4974 |
47+
| Windows Server 2019 | ***Prior*** 10.0.17763.4974 |
48+
| Windows 10 Version 1809 for ARM64-based Systems | ***Prior*** 10.0.17763.4974 |
49+
| Windows 10 Version 1809 for x64-based Systems | ***Prior*** 10.0.17763.4974 |
50+
| Windows 10 Version 1809 for 32-bit Systems | ***Prior*** 10.0.17763.4974 |
51+
52+
## What has been observed?
53+
54+
There is evidence of active exploitation and the vulnerability was added to the [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) on **2023-11-16**.
55+
56+
## Recommendation
57+
58+
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *2 weeks* (refer [Patch Management](../guidelines/patch-management.md)):
59+
60+
| **Product** | **Impact** | **Max Severity** | **Article** | **Download** | **Build Number** |
61+
|---|---|---|---|---|---|
62+
| Windows Server 2012 R2 (Server Core installation) | Security Feature Bypass | Important | [5031419](https://support.microsoft.com/help/5031419) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031419 ) | 6.3.9600.21620 |
63+
| Windows Server 2012 R2 (Server Core installation) | Security Feature Bypass | Important | [5031407](https://support.microsoft.com/help/5031407) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031407 ) | 6.3.9600.21620 |
64+
| Windows Server 2012 R2 | Security Feature Bypass | Important | [5031419](https://support.microsoft.com/help/5031419 ) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031419 ) | 6.3.9600.21620 |
65+
| Windows Server 2012 R2 | Security Feature Bypass | Important | [5031407](https://support.microsoft.com/help/5031407 ) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031407 ) | 6.3.9600.21620 |
66+
| Windows Server 2012 (Server Core installation) | Security Feature Bypass | Important | [5031442](https://support.microsoft.com/help/5031442 ) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031442 ) | 6.2.9200.24523 |
67+
| Windows Server 2012 (Server Core installation) | Security Feature Bypass | Important | [5031427](https://support.microsoft.com/help/5031427 ) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031427 ) | 6.2.9200.24523 |
68+
| Windows Server 2012 | Security Feature Bypass | Important | [5031442](https://support.microsoft.com/help/5031442 ) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031442 ) | 6.2.9200.24523 |
69+
| Windows Server 2012 | Security Feature Bypass | Important | [5031427](https://support.microsoft.com/help/5031427 ) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031427 ) | 6.2.9200.24523 |
70+
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Security Feature Bypass | Important | [5031408](https://support.microsoft.com/help/5031408 ) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031408 ) | 6.1.7601.26769 |
71+
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Security Feature Bypass | Important | [5031441](https://support.microsoft.com/help/5031441 ) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031441 ) | 6.1.7601.26769 |
72+
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Security Feature Bypass | Important | [5031408](https://support.microsoft.com/help/5031408 ) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031408 ) | 6.1.7601.26769 |
73+
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Security Feature Bypass | Important | [5031441](https://support.microsoft.com/help/5031441 ) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031441 ) | 6.1.7601.26769 |
74+
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | [5031416](https://support.microsoft.com/help/5031416 ) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031416 ) | 6.0.6003.22317 |
75+
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | [5031411](https://support.microsoft.com/help/5031411 ) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031411 ) | 6.0.6003.22317 |
76+
| Windows Server 2008 for x64-based Systems Service Pack 2 | Security Feature Bypass | Important | [5031416](https://support.microsoft.com/help/5031416 ) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031416 ) | 6.0.6003.22317 |
77+
| Windows Server 2008 for x64-based Systems Service Pack 2 | Security Feature Bypass | Important | [5031411](https://support.microsoft.com/help/5031411 ) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031411 ) | 6.0.6003.22317 |
78+
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | [5031416](https://support.microsoft.com/help/5031416 ) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031416 ) | 6.0.6003.22317 |
79+
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Security Feature Bypass | Important | [5031411](https://support.microsoft.com/help/5031411 ) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031411 ) | 6.0.6003.22317 |
80+
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Security Feature Bypass | Important | [5031416](https://support.microsoft.com/help/5031416 ) | [Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031416 ) | 6.0.6003.22317 |
81+
| Windows Server 2008 for 32-bit Systems Service Pack 2 | Security Feature Bypass | Important | [5031411](https://support.microsoft.com/help/5031411 ) | [Security Only](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031411 ) | 6.0.6003.22317 |
82+
| Windows Server 2016 (Server Core installation) | Security Feature Bypass | Important | [5031362](https://support.microsoft.com/help/5031362 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031362 ) | 10.0.14393.6351 |
83+
| Windows Server 2016 | Security Feature Bypass | Important | [5031362](https://support.microsoft.com/help/5031362 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031362 ) | 10.0.14393.6351 |
84+
| Windows 10 Version 1607 for x64-based Systems | Security Feature Bypass | Important | [5031362](https://support.microsoft.com/help/5031362 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031362 ) | 10.0.14393.6351 |
85+
| Windows 10 Version 1607 for 32-bit Systems | Security Feature Bypass | Important | [5031362](https://support.microsoft.com/help/5031362 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031362 ) | 10.0.14393.6351 |
86+
| Windows 10 for x64-based Systems | Security Feature Bypass | Important | [5031377](https://support.microsoft.com/help/5031377 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031377 ) | 10.0.10240.20232 |
87+
| Windows 10 for 32-bit Systems | Security Feature Bypass | Important | [5031377](https://support.microsoft.com/help/5031377 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031377 ) | 10.0.10240.20232 |
88+
| Windows 10 Version 22H2 for 32-bit Systems | Security Feature Bypass | Important | [5031356](https://support.microsoft.com/help/5031356 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031356 ) | 10.0.19045.3570 |
89+
| Windows 10 Version 22H2 for ARM64-based Systems | Security Feature Bypass | Important | [5031356](https://support.microsoft.com/help/5031356 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031356 ) | 10.0.19045.3570 |
90+
| Windows 10 Version 22H2 for x64-based Systems | Security Feature Bypass | Important | [5031356](https://support.microsoft.com/help/5031356 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031356 ) | 10.0.19045.3570 |
91+
| Windows 11 Version 22H2 for x64-based Systems | Security Feature Bypass | Important | [5031354](https://support.microsoft.com/help/5031354 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031354 ) | 10.0.22621.2428 |
92+
| Windows 11 Version 22H2 for ARM64-based Systems | Security Feature Bypass | Important | [5031354](https://support.microsoft.com/help/5031354 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031354 ) | 10.0.22621.2428 |
93+
| Windows 10 Version 21H2 for x64-based Systems | Security Feature Bypass | Important | [5031356](https://support.microsoft.com/help/5031356 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031356 ) | 10.0.19041.3570 |
94+
| Windows 10 Version 21H2 for ARM64-based Systems | Security Feature Bypass | Important | [5031356](https://support.microsoft.com/help/5031356 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031356 ) | 10.0.19041.3570 |
95+
| Windows 10 Version 21H2 for 32-bit Systems | Security Feature Bypass | Important | [5031356](https://support.microsoft.com/help/5031356 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031356 ) | 10.0.19041.3570 |
96+
| Windows 11 version 21H2 for ARM64-based Systems | Security Feature Bypass | Important | [5031358](https://support.microsoft.com/help/5031358 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031358 ) | 10.0.22000.2538 |
97+
| Windows 11 version 21H2 for x64-based Systems | Security Feature Bypass | Important | [5031358](https://support.microsoft.com/help/5031358 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031358 ) | 10.0.22000.2538 |
98+
| Windows Server 2022 (Server Core installation) | Security Feature Bypass | Important | [5031364](https://support.microsoft.com/help/5031364 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031364 ) | 10.0.20348.2031 |
99+
| Windows Server 2022 | Security Feature Bypass | Important | [5031364](https://support.microsoft.com/help/5031364 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031364 ) | 10.0.20348.2031 |
100+
| Windows Server 2019 (Server Core installation) | Security Feature Bypass | Important | [5031361](https://support.microsoft.com/help/5031361 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031361 ) | 10.0.17763.4974 |
101+
| Windows Server 2019 | Security Feature Bypass | Important | [5031361](https://support.microsoft.com/help/5031361 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031361 ) | 10.0.17763.4974 |
102+
| Windows 10 Version 1809 for ARM64-based Systems | Security Feature Bypass | Important | [5031361](https://support.microsoft.com/help/5031361 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031361 ) | 10.0.17763.4974 |
103+
| Windows 10 Version 1809 for x64-based Systems | Security Feature Bypass | Important | [5031361](https://support.microsoft.com/help/5031361 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031361 ) | 10.0.17763.4974 |
104+
| Windows 10 Version 1809 for 32-bit Systems | Security Feature Bypass | Important | [5031361](https://support.microsoft.com/help/5031361 ) | [Security Update](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031361 ) | 10.0.17763.4974 |
105+
106+
## Additional References
107+
108+
- [CVE-2023-36584 - Security Update Guide - Microsoft - Windows Mark of the Web Security Feature Bypass Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36584)
109+
- [CVE Record | CVE](https://www.cve.org/CVERecord?id=CVE-2023-36584)
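
Review bot: in the "What is vulnerable?" table the Build Number cells read `***Prior*** 6.3.9600.21620` with no "to", so a cell can be read as either an affected build or the fixed build; write "Prior to 6.3.9600.21620" (or rename the column) so it is unambiguous next to the Build Number column of the Recommendation table, which repeats the same values per product. In the Overview, "maybe vulnerable" should be "may be vulnerable". In the Recommendation table the first two rows have no space before the closing parenthesis of the Article link while every later row does (`help/5031419 )`), and all Download links carry the same trailing space; strip it so the link targets are consistent. The header styling also differs between the two tables (`**_Product_**` versus `**Product**`), and "within expected timeframe of *2 weeks* (refer [Patch Management]" would read better as "within the expected timeframe of 2 weeks (refer to Patch Management)".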
