Mega Patch Tuesday Microsoft on Tuesday patched a wormable hole in its Windows Server software that can be exploited remotely to completely commandeer the machine without any authorization. It was one of hundreds of security bugs squashed today by Redmond along with Oracle, Adobe, VMware, SAP and Google.
Microsoft emitted fixes for 123 vulnerabilities in this month's Patch Tuesday batch. Some 18 of those CVE-listed security flaws are considered critical, meaning remote code execution (RCE) is possible without user interaction.
They include CVE-2020-1350, aka SIGred, a wormable remote code execution flaw in the way Windows Server handles incoming DNS requests. According to Dustin Childs of the Trend Zero Day Initiative (ZDI), the flaw is exploited by sending a specially crafted DNS request to a vulnerable server, which ultimately triggers the execution of arbitrary malicious code at the level of the Local System account. This code can then install spyware, open a backdoor, and so on.
That means game over: total control over the box. Childs also said the hole, a classic heap-based buffer overflow, is "wormable – at least between affected DNS servers."
"Microsoft also suggests a registry edit that limits the size of TCP packets the server will process as a workaround, but they don’t list any potential side effects of that registry change," he continued. "The attack vector requires very large DNS packets, so attacks cannot be conducted over UDP. Considering Windows DNS servers are usually also Domain Controllers, definitely get this patched as soon as you can."
What's more, the bug appears to have been around for nearly 20 years. Researchers at Check Point, who discovered and reported the flaw to Microsoft, reckon the vulnerability is exposed in Windows Server builds as far back as 2003.
"As DNS security is not something many organizations monitor for, or have tight controls around, this means that a single compromised machine could be a ‘super spreader,’ enabling the attack to spread throughout an organization’s network within minutes of the first exploit," said CheckPoint.
So kind of SAP NetWeaver to hand out admin accounts to anyone who can reach it. You'll want to patch thisREAD MORE
Also warranting your attention is CVE-2020-1463. Exploit code for this elevation-of-privilege bug is already out there, though there are no reports of in-the-wild attacks yet on production systems.
Childs also says CVE-2020-1349, a remote-code-execution bug in Outlook, should be a priority for admins to test and patch.
"What sets this vulnerability apart is the fact that just viewing the email in the Preview Pane is enough to trigger the bug," he noted.
Hyper-V accounted for six critical flaws enabling remote-code execution and guest-to-host escapes this month: CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, and and CVE-2020-1043. All are exploited via a server's RemoteFX vGPU, if present, by opening a malicious application in a guest.
"RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016," Microsoft noted.
An RCE in the Remote Desktop client should catch everyone's attention: CVE-2020-1374. Log into a malicious server with this one unpatched, and it's game over.
The remaining flaws include the usual assortment of browser scripting bugs, Office blunders, and various non-critical Windows flaws. They should all be tested and patched quickly.
Adobe puts out five fixes
Users of Adobe software will want to make sure they install the security updates for Creative Cloud (three privilege escalation, one arbitrary file write), Media Encoder (one code execution, one information disclosure), Genuine Service (two privilege escalation flaws), ColdFusion (two privilege escalation flaws), and Download Manager (one code execution bug).
SAP, it's not just about RECON
While admins should prioritize patching the NetWeaver RECON hole, there are a handful of other fixes from SAP as well.
The patches include an information-disclosure flaw in NetWeaver (CVE-2020-6285) and a handful of medium-graded bugs in Disclosure Management (CVE-2020-6267), Business Objects (CVE-2020-6281, CVE-2020-6276), NetWeaver AS JAVA, (CVE-2020-6282), and Business Objects BI (CVE-2020-6278, CVE-2020-6222). Falling on the low end of the spectrum was an information-disclosure hole in NetWeaver (CVE-2020-6280).
Android bugs aplenty
For Android devices there are a total of seven critical fixes for remote-code-execution vulnerabilities. They are present in the Media Framework (CVE-2020-9589), Android System (CVE-2020-0224, CVE-2020-0225), Broadcom components (CVE-2019-9501, CVE-2019-9502), and Qualcomm components (CVE-2020-3698, CVE-2020-3699).
The first three flaws are going to be addressed with the base 2020-07-01 security patch for all Android devices. The Qualcomm and Broadcom bugs are classified as part of the 2020-07-05 patch, a level reserved for relevant devices.
Also patched in the base Android update were two elevation-of-privilege flaws in Framework (CVE-2020-0122, CVE-2020-0227), an elevation-of-privilege bug in Media Framework (CVE-2020-0226), and an information-disclosure hole in the Android System (CVE-2020-0107).
Those running Google-branded hardware should get the updates now, while the rest will have to wait for their respective vendor to kick out the patches.
And the rest...
Least you think it was just these four vendors, we also have multiple updates from VMware (here, here and here) as well as hundreds of flaw fixes from Oracle (the highest being CVE-2020-14701 and CVE-2020-14606 in Oracle SD-WAN Aware and Edge, scoring 10.0 each) and Chrome (one critical bug, seven high-severity flaws, eight dubbed moderate, and ten classified as low risk.) ®