Patch Tuesday May 2023

Jordan Hammond fun headshot
Jordan Hammond|May 9, 2023
Patch Tuesday (green)
Patch Tuesday (green)

It’s May, and you know what that means: INSERT STAR WARS JOKE HERE! Now that we have that out of the way, let’s look at Patch Tuesday.

  • Total exploits patched: 38

  • Critical patches: 6

  • Already known or exploited: 2

Seeing 38 total exploits had me thinking that my system for tracking these was broken. That is a shockingly low number considering the last few years. It’s not all roses, however — two of these are already exploited, and another two are publicly known. Of the six critical patches, two are Remote Code Executions graded as a 9.8 on CVSS. That’s about as bad as it can get before you enter zero-day territory.

Let’s dive into the lowlights.

Some highlights (or lowlights)

  • CVE-2023-24941: This is a 9.8 RCE for the Network File System. It requires no privileges or user interactions to exploit. This exploit does impact only NFS 4, which is not on by default. There are a lot of mitigating actions you can take prepatch, but honestly, a temporary change like that could have a massive impact on your environment. You might be better just patching ASAP. If you aren’t able to patch right away and want to take the risk of the temporary mitigation, you can do that with PowerShell.

Set-NfsConfiguration –EnableNFSV4 $false

(After that’s done, you’ll still need to start and stop the service for it to take effect.)

  • CVE-2023-24943: The second 9.8 RCE uses the Pragmatic General Multicast (PGM). If your PGM server is running the Windows Messaging Queue service, they would be able to send a file to run remote code. This would not require credentials or user interaction. Even with all those easy-to-exploit flags, this was designated "exploitation less likely" — mainly because there are newer technologies that can be implemented for this task. If you are using a PGM server, you need to patch now.

  • CVE-2023-29336: This is the highest rated of patches that have already been exploited, coming in at a 7.8. It is an elevation of privilege exploit for Win32k. It does have a local attack vector and require some privileges to exploit. An attacker that was able to get a local attack would be able to elevate to system privileges, enabling them to use that system as a basis for further attacks.

Wrapping up

*Inserts a follow-up Star Wars reference that connects to the earlier joke.* (Clever, aren’t I?)

That’s it for May! Overall, this is one of the tamest Patch Tuesdays we’ve had in months. Low total number of exploits, and the 9.8s are either for older technology or for settings that are not on by default. That’s not too bad. But if you’re using NFSv4 or PGM, you might disagree with my take as both are at high risk of being exploited.

Whether this Patch Tuesday is good or bad news for you, wouldn’t it be nice to introduce a little automation so that you don’t have to worry about it? PDQ Deploy and PDQ Inventory have you covered. And if you’re looking for a little more control over your patching automation, check out our PDQ LIVE! webcast episode to learn how you can build more customization into your workflows. (Plus, you get to enjoy the sultry tones of my lovely voice.) See you next month.


Jordan Hammond fun headshot
Jordan Hammond

Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet.

Related articles