Tim Lovegrove
Security Analyst
2020 is here and, as always, we’re rounding up the month’s patches and updates from the main players. We came back to the New Year with some pretty important things to address, so let’s get stuck in.
Microsoft
Much speculation surrounded this month’s Patch Tuesday release, with many InfoSec commentators predicting panic and destruction following the announcement of CVE-2020-0601. This vulnerability was reported to Microsoft by the NSA and covers a flaw in the cryptographic library (crypt32.dll) used by the OS. This has wide-ranging implications for certificates and crypto messaging functions, from spoofing software and digital signing to X.509 certificates and HTTPS connections. Limited to Windows 10 and Server 2016, the bug was only rated as Important (rather than Critical) by Microsoft, likely because no active attacks are known to be targeting it (except possibly by the NSA themselves…). Microsoft do note that they expect attacks to be forthcoming, and these could include some novel and inventive methods due to the broad implementation of the library.
After the inevitable Twitter meltdown, the final analysis seems to have fallen on the side of “don’t panic, patch promptly” (to quote @ProfWoodward). Make sure your regular patch cycle runs successfully across the board, focus on high value assets (domain controller, web servers) and use your vulnerability scanning tools to confirm the existence and remediation status of assets. Bring patching forward for any high-risk assets.
Aside from this high-profile bug, there are 48 other fixes included in the update, with several Critical Remote Code Execution vulnerabilities in the Windows Remote Desktop Gateway application. These are arguably more serious but exist in a less prevalent product, however anyone running RDG will want to address them promptly. Further updates address issues in ASP.NET, .NET, Internet Exploder Explorer and various Office products.
Citrix
A similar meltdown surrounded Citrix NetScalers, which unfolded throughout December and came to a head early in the New Year. Citrix announced CVE-2019-19781 on the 17th December 2019, uncomfortably close to the festive break and lacking a patch to remediate the issue. The announcement went largely unnoticed until early January 2020, when a large number of exploits were made public and honeypots across the globe lit up with aggressive attacks.
The vulnerability enables arbitrary code execution and researchers saw a variety of exploits, including extracting password hashes stored on the NetScaler for cracking, setting up reverse proxy connections into inner networks to permit data exfiltration, and attacks on internal system integrations such as Active Directory.
The vulnerability is still unpatched, with Citrix promising updates before the end of the month. Mitigation information is included in the release, however some customers judged the risk to be so sufficiently high as to simply turn off external access to internet-facing NetScalers while they apply the mitigation. Customers running NetScalers should urgently look at the information and make a call for themselves, leaning on any partner relationships they may have for supporting Citrix to address the situation.
Cisco
Not to be outdone, Cisco also found a trio of critical vulnerabilities in their Data Centre Network Manager tool. Covering the REST API, SOAP API and web interface, these three distinct vulnerabilities all enable further attacks by allowing privilege escalation through authentication bypass.
An update is provided, but there are no workarounds for older software versions, so patching is the only remediation. One would hope that these APIs and the Web Interface are not generally made publicly accessible by the system owners, adding a layer of complexity to any potential attacks.
Adobe
After all the panic from Microsoft and Citrix, Adobe gave us a thankfully quiet month with only two updates, for Illustrator and Experience Manager. With nothing for Reader/Acrobat or Flash, admins can at least cross this one off the list for a few weeks.
Get In Touch
If you'd like any advice on the patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.