“… that doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers”
Microsoft’s “Patch Tuesday” is once again (perhaps by now unsurprisingly) a whopper, with 129 vulnerabilities to fix; 23 of them rated critical and a chunky 105 listed as important — up from August’s tally of 120 CVEs, with 17 considered critical.
If there’s a silver lining to this cloud it is that — unlike last month — none are listed as under active attack. Yet the release brings Microsoft’s tally of bugs needing fixing this year to 991, and includes patches for some severe vulnerabilities that no shortage of well-resourced bad actors will be looking to swiftly reverse engineer.
In the real world, of course, working out what to patch is a perennial dice-roll (for those not in the sunlit uplands where rebooting systems at the click of IT’s fingers is possible; for most it’s not) and as one contributor recently noted in a lively debate over risk prioritisation on the OSS-security mailing list, “the frameworks which do exist, such as CVSS, are entirely arbitrary and unable to take into account information about the variety of end user deployments”. (Others may disagree. Feel free to weigh in).
Regardless, there’s lots to patch… Some highlights:
CVE-2020-16875 – Microsoft Exchange Memory Corruption Vulnerability. CVSS 9.1.
This bug allows an attacker to execute code as SYSTEM by sending a specially crafted email to an affected Exchange Server (2016, 2019).
As Trend Micro’s ZDI notes: “That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers.
“We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”
Credit for the find goes to the prolific Steven Seeley.
CVE-2020-1452 // -1453 // -1576 // -1200 // -1210 // -1595 – Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2020-1452, 1453, 1576, 1200, 1210, and 1595 are all critical remote code execution vulnerabilities identified in Microsoft SharePoint.
As patch management specialist Automox notes: “The result of deserializing untrusted data input, the vulnerability allows arbitrary code execution in the SharePoint application pool and server farm account.
“Variations of the attack such as CVE-2020-1595 (API specific), reflect the importance of patching this vulnerability to reduce the threat surface.”
Credit to Oleksandr Mirosh.
CVE-2020-0922 — Remote Code Execution Vulnerability in Microsoft COM for Windows. CVSS 8.8.
This vulnerability impacts Windows 7 – 10 and Windows Server 2008 through 2019. The vulnerability exists in the way Microsoft COM handles objects in memory and, when exploited, would allow an attacker to execute arbitrary scripts on a victim machine.
Credit to Yuki Chen, 360 BugCloud.
Microsoft’s Patch Tuesday September guidance starts here.
Intel meanwhile patched a critical (CVSS 9.8) bug in its Active Management Technology (AMT) which lets unauthenticated users escalate privilege “via network access”.
The bug, which has shades of the colossal “backdoor” CVE-2017-5689 to it, was reported internally and is being patched as part of update Intel-SA-00404.
Google Chrome also has five high severity bugs to patch. Many of these have downstream impact; to pick just one example, in Red Hat Enterprise Linux 6. Other open source-based OS providers like Ubuntu also pushed out patches, including in libX11 and the Linux kernel — the latter after a Proofpoint researcher, Or Cohen, discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could possibly execute arbitrary code.