Alexander Lewis
Cyber Assessment Services Technical Practice Lead
Welcome back to another instalment of the Softcat Post-Patch Tuesday roundup, with guest contributor Alex Lewis, Softcat Security Consultant. This month’s update release has already hit the headlines so let’s not waste time with long intros and get to it…
Microsoft
The big news from Patch Tuesday is CVE-2020-1350, dubbed SIGRed by Checkpoint, who discovered the bug. It’s a DNS flaw that can be exploited by forcing a Windows DNS server to receive an oversized DNS packet, which causes a controlled buffer overflow and triggers the execution of arbitrary malicious code. At this point this code can be used for a myriad of things, such as opening a backdoor, installing malware etc. We covered this vulnerability in more detail in a separate blog, found here.
This is not the only Microsoft vulnerability of note, however. One particularly worth attention is related to Outlook (CVE-2020-1349), and this vulnerability can be trigged just be viewing the email in the preview pane. Several more RCE vulnerabilities are found in Directwrite, a text layout and glyph rendering API, (CVE-2020-1409), .NET (CVE-2020-1147) and GDI+ (CVE-2020-1435).
Hyper-V
Your friendly neighbourhood hypervisor has some fixes in this month’s update, with six critical CVE’s released for yet more remote code execution, and guest-to-host escapes.
These vulnerabilities are all exploited using a host’s RemoteFX vGPU, which has been deprecated in Windows Server 2019, with Microsoft recommending ‘Discrete Device Assignment’ (DDU) instead, which was introduced in windows server 2016. That being said, if your hosts still operate RemoteFX vGPU, the following CVE’s are worth knowing, and planning a more permanent move to DDU in place of vGPU will be the best long-term fix:
· CVE-2020-1041
· CVE 2020-1036
· CVE-2020-1040
· CVE-2020-1032
· CVE-2020-1043
· CVE-2020-1042
Adobe
Adobe keep things simple with just a single update to Flash this month. The official end-of-life date for Flash is slated as the 31st December 2020, and while it’s now deprecated across most browsers, there are no doubt a few custom applications and sites out there that rely on it still. 6 months isn’t as long as it seems, so plan to move away from those final few Flash-based apps ASAP.
SAP
This particular vulnerability is fortunate enough to get its own name – dubbed ‘RECON’. CVE-2020-6287 is another perfect 10.0 on the CVSS scale: certain versions of SAP NetWeaver (7.30, 7.31, 7.40, 7.50) do not perform authentication checks which can enable attackers to run critical actions, including creating administrative users. There is a patch available, with SAP recommending ‘patching immediately’. There are a couple of other lower scoring vulnerabilities in this release as well, but admins should prioritise RECON first.
If you'd like any advice on the patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.