Tripwire's December 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Citrix, Microsoft, Django, and Adobe.

Critical Vulnerabilities

Up first on the patch priority list this month is a critical arbitrary code execution vulnerability in the Citrix ADC application. In particular, Citrix ADC and Citrix Gateway (formerly NetScaler) can be exploited by a remote attacker to achieve arbitrary code execution on the affected appliance. Full details of the vulnerability have not been released by Citrix, but independent research from Tripwire VERT has identified that a path traversal attempt against NetScaler's virtual IP address can be used to reach vulnerable Perl scripts. These Perl scripts expose a header-based path traversal vulnerability that can be used to create files and insert content into them, and that content is then processed by the Perl Template Toolkit. VERT has confirmed that in some scenarios an attacker can use this limited code execution to achieve arbitrary code execution on the target.

More information:
https://www.tripwire.com/state-of-security/vert/citrix-netscaler-adc-cve-2019-19781/
https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/

Exploit Alert: Metasploit Exploit Framework

Up next on the patch priority list this month are vulnerabilities that have recently been added to Metasploit. Two vulnerabilities, identified by CVE-2019-1405 and CVE-2019-1322, that affect the Microsoft UPnP Service and Microsoft Windows have recently been added to Metasploit. Administrators should place the patches for these vulnerabilities on the very high priority list if they have not already been installed.

Exploit Alert: Canvas Exploit Framework

Next on the patch priority list this month are vulnerabilities that have recently been added to Canvas. Four vulnerabilities, identified by CVE-2019-1253, CVE-2019-0841, CVE-2019-0803, and CVE-2019-0623, that affect Microsoft Windows Win32k and the Windows AppX Deployment Server have recently been added to Canvas. Administrators should place the patches for these vulnerabilities on the very high priority list if they have not already been installed.

Exploit Alert: Exploit-DB

Up next, system administrators should focus on a Django vulnerability that has recently been added to Exploit-DB. Specifically, CVE-2019-19844, which affects Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1, allows account takeover. Details describing how to exploit this vulnerability have been added to the Exploit-DB database.

Other Patch Priorities

Up next are patches for Microsoft Browser. December was a light month for the Microsoft Browser, with a single CVE for VBScript that resolves a remote code execution vulnerability.

Next on the list are patches made available by Adobe via APSB19-55 for Acrobat and Reader. These patches resolve 21 vulnerabilities, including fixes for privilege escalation, arbitrary code execution, and information disclosure.

Next on the list are patches for Microsoft Excel, Access, PowerPoint, and Word. These patches resolve 5 vulnerabilities, including fixes for information disclosure, remote code execution, and denial of service vulnerabilities.

Up next are patches for Microsoft Windows. These patches address numerous vulnerabilities across the Windows Kernel, GDI, Microsoft Graphics, Microsoft Defender, Hyper-V, Media Player, OLE, Printer Service, and Remote Desktop Protocol (RDP). The resolved vulnerabilities include elevation of privilege, information disclosure, security feature bypass, and remote code execution vulnerabilities.

Next this month are patches for Windows Git for Visual Studio and Visual Studio Live. These patches resolve 7 vulnerabilities, including fixes for remote code execution, tampering, and spoofing vulnerabilities.

Lastly this month, administrators should focus on server-side patches available for Microsoft Skype for Business Server and SQL Server. These patches resolve 2 vulnerabilities, including spoofing and cross-site scripting (XSS).
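The Citrix issue above starts with a path traversal request against the appliance's virtual IP. The following is an added example (not code from the Tripwire post or from Citrix) showing how a defender can sweep web access logs for traversal segments, including percent-encoded and double-encoded forms; the log lines, IP addresses and URL paths are constructed placeholders and are not indicators from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic); paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2019:10:01:02 +0000] "GET /EXAMPLE_APP/index.html HTTP/1.1" 200 512
10.0.0.9 - - [20/Dec/2019:10:01:05 +0000] "GET /EXAMPLE_APP/../EXAMPLE_DIR/EXAMPLE.pl HTTP/1.1" 200 88
10.0.0.9 - - [20/Dec/2019:10:01:06 +0000] "POST /EXAMPLE_APP/%2e%2e/EXAMPLE_DIR/EXAMPLE.pl HTTP/1.1" 200 0
10.0.0.7 - - [20/Dec/2019:10:02:00 +0000] "GET /EXAMPLE_APP/%252e%252e/EXAMPLE_DIR/x.pl HTTP/1.1" 404 0
10.0.0.3 - - [20/Dec/2019:10:03:00 +0000] "GET /EXAMPLE_LOGON/index.html HTTP/1.1" 200 4096
"""

# Common log format: source, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path, rounds=3):
    """Undo percent-encoding repeatedly so double-encoded dots are caught too."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True when any path segment is exactly '..' after decoding and backslash normalisation."""
    decoded = fully_decode(path.split('?', 1)[0]).replace('\\', '/')
    return any(seg == '..' for seg in decoded.split('/'))


def find_traversal_attempts(log_text):
    """Return (source, method, raw path, status) for each request with a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group('path')):
            hits.append((m.group('src'), m.group('method'), m.group('path'), int(m.group('status'))))
    return hits


if __name__ == '__main__':
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print('traversal attempt:', hit)
```

A 200 response to a traversal request is the case to escalate; a 404 still shows someone probing and is worth correlating with other sources from the same address.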
BULLETIN | CVE
--- | ---
Critical Vulnerabilities | CVE-2019-19781
Exploit Alert: Metasploit | CVE-2019-1405, CVE-2019-1322
Exploit Alert: Canvas | CVE-2019-1253, CVE-2019-0841, CVE-2019-0803, CVE-2019-0623
Exploit Alert: Exploit-DB | CVE-2019-19844
Microsoft Browser | CVE-2019-1485
Microsoft SQL Server | CVE-2019-1332
APSB19-55: Adobe Reader and Acrobat | CVE-2019-16449, CVE-2019-16456, CVE-2019-16457, CVE-2019-16458, CVE-2019-16461, CVE-2019-16465, CVE-2019-16450, CVE-2019-16454, CVE-2019-16445, CVE-2019-16448, CVE-2019-16452, CVE-2019-16459, CVE-2019-16464, CVE-2019-16451, CVE-2019-16462, CVE-2019-16446, CVE-2019-16455, CVE-2019-16460, CVE-2019-16463, CVE-2019-16444, CVE-2019-16453
Microsoft Office | CVE-2019-1463, CVE-2019-1400, CVE-2019-1464, CVE-2019-1462, CVE-2019-1461
Microsoft Windows | CVE-2019-1488, CVE-2019-1458, CVE-2019-1468, CVE-2019-1469, CVE-2019-1478, CVE-2019-1483, CVE-2019-1476, CVE-2019-1467, CVE-2019-1465, CVE-2019-1466, CVE-2019-1470, CVE-2019-1471, CVE-2019-1472, CVE-2019-1474, CVE-2019-1481, CVE-2019-1480, CVE-2019-1484, CVE-2019-1477, CVE-2019-1453, CVE-2019-1487
Developer Tools | CVE-2019-1352, CVE-2019-1354, CVE-2019-1350, CVE-2019-1387, CVE-2019-1349, CVE-2019-1351, CVE-2019-1486
Skype for Business Server | CVE-2019-1490
To learn more about Tripwire’s Vulnerability and Exposure Research Team (VERT), including its PPI, click here. Or, for PPI and more, you can follow VERT on Twitter: @tripwirevert.