Welcome back to another instalment of the Softcat Post-Patch Tuesday roundup. As we enter the home stretch for 2020, Microsoft have blessed us with a comparatively small, but nonetheless important drop of updates. Let’s start digging in…
With 11 critical vulnerabilities and 87 total bug fixes, this is one of the smaller update drops of recent times. There are a couple of important, high-scoring CVEs but otherwise this is mostly a case of “patch promptly, patch thoroughly”, which will be a relief to sysadmins everywhere.
Starting off with clearly the most notable bug, CVE-2020-16898 is a flaw in the IPv6 stack that allows an attacker to execute code remotely by simply sending a malformed ICMPv6 Router Advertisement packet to your machine. This has been dubbed “Bad Neighbour” by McAfee and is most likely to result in the infamous BSOD, but could also enable the attacker to execute other arbitrary code.
All this sounds terrifying and is no doubt worthy of its 9.8 CVSS score, however since the bug is in the handling of IPv6 packets it’s unlikely to be of immediate concern to most machines on a corporate network. This is primarily because the majority of perimeter network controls – firewalls, load balancers etc – are still only running IPv4, and would typically shield internal machines from inbound packets.
That said, IPv6 is built-in and enabled on all modern OSes and is a necessary part of the computer’s networking stack, so disabling IPv6 as a workaround isn’t advisable. This means there are circumstances where this bug could be exploited, particularly for remote workers connecting from coffee shops, or where an attacker already has a foothold on a compromised machine inside the corporate network.
Hyper-V and SharePoint are each affected by a couple of serious bugs. Hyper-V gets patched for both a Remote Code Execution flaw and an Elevation of Privilege bug. Used together these could allow an attacker not only to break out of the VM isolation but then run arbitrary code on the underlying host.
The SharePoint bugs are a little more interesting, especially CVE-2020-16945, an XSS (cross-site scripting) bug in the on-premises versions which allows an attacker to act under the context of the current user. This could potentially give them access to data and let them modify contents or permissions within a site while acting as the user, leading to data loss and possible disruption to other users of the site. CVE-2020-16951 is another example of a relatively new type of attack, whereby uploading a crafted application package to a SharePoint repository causes the server to execute the code it contains under the context of the Server Farm administrator account. We’ve discussed previously how this account doesn’t need to be a Domain Admin but is often incorrectly configured with higher privileges than it requires, leading to unnecessary exposure of highly privileged accounts which could leave you in a bad state if the account were compromised.
We’re rapidly closing in on the end of support for Flash Player, but Adobe have dropped version 126.96.36.1995 with its companion Microsoft-delivered update. If you’re not already on the path to eliminating Flash-driven apps from your corporate systems, don’t delay in getting that project started – any security issues discovered in the Flash platform after December won’t be patched.