Welcome back to another instalment of the Softcat Post-Patch Tuesday roundup. We’ve made it to the end of 2020 and it’s been quite a year for many reasons. Let’s see what parting gifts Patch Tuesday brings us…
With just 58 bug fixes, of which 9 are considered critical, Microsoft thankfully bless us with a small batch of updates this month, giving admins a lighter run-up to the holiday season.
Five remote code execution (RCE) flaws in Exchange stand out as the high-priority bugs to address. These are triggered by sending a crafted email to the server, making them fairly trivial to exploit; however, no attacks have yet been seen in the wild.
Dynamics 365 also received fixes for RCE bugs, and while details are scant these affect the on-premises version of the product and are marked as “Exploitation more likely”. Breaking down the CVSS ratings, this means an attack is possible across the network with no user interaction and low-level privileges, resulting in a high impact on all 3 aspects of the CIA triad. Reports suggest this is a simple input validation failure, allowing malicious code to be inserted into the application via web forms.
Hypervisor escape vulnerabilities are always of concern, especially where tools such as Hyper-V are used to host large numbers of VDI (virtual desktop infrastructure) guests. This increases the attack surface through the large number of users carrying out general work on the desktops, as opposed to a virtual server estate which is typically smaller and not actively used for browsing, opening Office documents and so on.
As such, CVE-2020-17095 for Hyper-V is one of the higher-risk vulnerabilities identified this month, allowing a crafted vSMB packet to give an attacker the ability to break out of the guest OS to execute code against the underlying host.
As always, updates are also released for Office, the Chakra scripting engine and a thankfully small number of less critical OS updates for all current versions of Windows. Microsoft also silently patched a critical RCE in Teams last month which could be exploited by sending a chat message to the target. It’s unclear if this was being actively exploited but it was deemed serious enough to receive an out-of-band update to resolve.
There are no updates for Flash this month, and since it will have gone end-of-life by the time our next blog comes out we would love to be able to strike it from our list of things to check each month. However, we have a sneaking suspicion that this won’t be the last we hear of it, and no doubt there will be new bugs and attacks surfacing in the early part of next year.
Last month we neglected to mention a serious bug in ESXi which was released in late October. VMSA-2020-0023 scores 9.8 on the CVSS rating scheme and allows an attacker to trigger a “use-after-free” bug in the management interface of ESXi, Workstation, Fusion and NSX-T. Use-after-free bugs occur when a program fails to clear its pointers to dynamic memory after an activity has been completed and the memory space reclaimed, allowing an attacker to insert malicious code into that freed memory space and have it run.
The good news is that it’s rare to leave your VMware management interfaces accessible to the internet, meaning an attacker must be present on the network already and able to reach your management interfaces in order to exploit this bug. However, a compromised laptop or desktop may be able to reach a management network if it isn’t strongly segregated, allowing for the attacker to fire the exploit at the hosts.