Tripwire Patch Priority Index for September 2020

Image

Tripwire's September 2020 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft, Apple, and various Linux distributions. Up first on the patch priority list this month is a very high priority vulnerability, which is called "Zerologon" and identified by CVE-2020-1472. It is an elevation of privilege vulnerability that exists due to a flaw in a cryptographic authentication mechanism used by the Netlogon Remote Protocol (MS-NRPC). During the August patch Tuesday patch release, Microsoft released patches for affected operating systems. Note that the recently released Metasploit module targets the Windows operating system. However, various versions of Samba, i.e. within the open source ecosystem, could be vulnerable to this attack (refer to the bugzilla link below) and open source proof-of-concepts are available via Github. Linux vendors such as Fedora, SuSe, and Ubuntu have released advisories and patches for their versions of Samba. Links for more information: https://github.com/rapid7/metasploit-framework/pull/14151 https://www.secura.com/blog/zero-logon https://bugzilla.samba.org/show_bug.cgi?id=14497 Linux Vendor Advisories: https://admin.fedoraproject.org/updates/FEDORA-2020-77c15664b0 https://admin.fedoraproject.org/updates/FEDORA-2020-0be2776ed3 https://admin.fedoraproject.org/updates/FEDORA-2020-bda96ea273 https://www.suse.com/security/cve/CVE-2020-1472 http://www.ubuntu.com/usn/usn-4510-2 http://www.ubuntu.com/usn/usn-4510-1 Next on the list are two more vulnerabilities that have been recently included within the Metasploit Framework. First is a patch for Microsoft Exchange server (CVE-2020-16875). It is a remote code execution vulnerability that exists due to improper validation of cmdlet arguments. In particular, the vulnerability is a result of improper validation of user-supplied template data when creating a DLP policy. An attacker who successfully exploits the vulnerability can run arbitrary code in the context of the SYSTEM user. More details can be found at https://github.com/rapid7/metasploit-framework/pull/14126. Second is a patch for macOS (CVE-2020-9839). For this patch, a race condition was addressed with improved state handling. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5. Note: The new Metasploit module targets macOS versions <= 10.15.4. Metasploit details can be found at: https://github.com/rapid7/metasploit-framework/pull/13992. Up next on the patch priority list this month are patches for Microsoft Scripting Engine, Internet Explorer, and Microsoft Browser. These patches resolve 6 vulnerabilities, including elevation of privilege and memory corruption vulnerabilities. Next on the list are patches for Microsoft Word and Excel, which resolve 7 vulnerabilities including information disclosure and remote code execution vulnerabilities. Next this month are patches that affect components of the Windows operating systems. These patches resolve more than 70 vulnerabilities, including denial of service, elevation of privilege, information disclosure, remote code execution, and memory corruption vulnerabilities. These vulnerabilities affect Connected User Experiences and Telemetry Service, core Windows, Jet Database Engine, Media, GDI, Shell, Print Spooler, RSoP Service Application, State Repository Service, Storage Services, Diagnostics Hub, Codecs Library, Camera Code, and others. Up next is are patches for Visual Studio that resolve two remote code execution vulnerabilities. Finally, administrators should focus on server-side patches. This is a big month for Microsoft servers, which includes patches for Active Directory, Active Directory Federation Services, Windows DNS, Hyper-V, SharePoint, Dynamics, and Windows DHCP. These patches These patches resolve over 30 issues, including cross-site scripting, information disclosure, elevation of privilege, remote code execution, tampering, and spoofing vulnerabilities.