October 2020 Patch Tuesday: Microsoft fixes potentially wormable Windows TCP/IP RCE flaw
On this October 2020 Patch Tuesday:
- Microsoft has plugged 87 security holes, including critical ones in the Windows TCP/IP stack and Microsoft Outlook and Microsoft 365 Apps for Enterprise
- Adobe has delivered security updates for Adobe Flash Player
- Intel warns about flaws in BlueZ, the official Linux Bluetooth protocol stack
- SAP has released 15 security notes and updates to 6 previously released ones.
Microsoft’s updates
Microsoft has released patches for 87 CVE-numbered flaws in a variety of its offerings: 11 critical, 75 important, and one of moderate severity. None of the fixed vulnerabilities are currently being exploited, though six of them were previously publicly known.
Trend Micro Zero Day Initiative’s Dustin Childs has singled out a few that should be addressed quickly:
CVE-2020-16898 – A Windows TCP/IP vulnerability that could be remotely exploited by sending a specially crafted ICMPv6 router advertisement to an affected Windows server or client, and could allow code execution. Researchers at McAfee have dubbed the flaw “Bad Neighbor” because it is located within the ICMPv6 Neighbor Discovery Protocol, and say that it “could be made wormable”.
“The only good news is that Microsoft’s internal security team unearthed the vulnerabilities, meaning PoC code likely won’t surface until someone reverse engineers the patch and discovers the source of these vulnerabilities,” noted Nicholas Colyer, Senior Product Marketing Manager at Automox.
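Because the page describes the trigger only as a "specially crafted ICMPv6 router advertisement", a defender's first instinct is to check whether RAs arriving on a segment are even structurally valid. The following is an added example (not McAfee's, Microsoft's or Automox's code) of a small Python parser that walks an RA's option TLVs and enforces the structural rules of RFC 4861 (no zero-length options, no option overrunning the packet) and RFC 8106 (an RDNSS option length must be odd and at least 3; a DNSSL option at least 2). It validates structure generally and does not encode the exact malformation behind CVE-2020-16898, which the page does not describe. The sample packets are constructed inline, not captured traffic, and the RA header's checksum is left at zero.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_HEADER_LEN = 16          # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
OPT_RDNSS = 25              # Recursive DNS Server option, RFC 8106
OPT_DNSSL = 31              # DNS Search List option, RFC 8106


def parse_ra_options(icmpv6: bytes) -> list[tuple[int, int, bytes]]:
    """Walk the option TLVs that follow the RA header.

    Each option is (type, length-in-8-octet-units, body-after-the-2-byte-header).
    Raises ValueError on structural problems that RFC 4861 forbids."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    options = []
    off = RA_HEADER_LEN
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:
            raise ValueError("option length 0 (RFC 4861 section 4.6 forbids it)")
        total = olen * 8
        if off + total > len(icmpv6):
            raise ValueError(f"option type {otype} runs past end of packet")
        options.append((otype, olen, icmpv6[off + 2:off + total]))
        off += total
    return options


def check_ra(icmpv6: bytes) -> list[str]:
    """Return human-readable findings; an empty list means the RA passed."""
    findings = []
    try:
        options = parse_ra_options(icmpv6)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    for otype, olen, body in options:
        if otype == OPT_RDNSS:
            # RFC 8106 section 5.1: 8 header bytes + N * 16-byte addresses,
            # so the length field must be odd and at least 3 (one address).
            if olen < 3 or olen % 2 == 0:
                findings.append(f"RDNSS option with invalid length {olen}")
        elif otype == OPT_DNSSL:
            # RFC 8106 section 5.2: the fixed header is 8 bytes, so length >= 2.
            if olen < 2:
                findings.append(f"DNSSL option with invalid length {olen}")
    return findings


def rdnss_servers(icmpv6: bytes) -> list[str]:
    """Extract advertised DNS server addresses from well-formed RDNSS options."""
    servers = []
    for otype, olen, body in parse_ra_options(icmpv6):
        if otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            addrs = body[6:]        # skip reserved(2) + lifetime(4)
            for i in range(0, len(addrs), 16):
                servers.append(str(ipaddress.IPv6Address(addrs[i:i + 16])))
    return servers


def build_ra(options: bytes) -> bytes:
    """Constructed RA header (checksum left 0) followed by raw options."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + options


def rdnss_option(length_units: int, addresses: list[bytes], lifetime: int = 3600) -> bytes:
    """Encode an RDNSS option, writing length_units verbatim so that a test
    input with a wrong length field can be constructed."""
    raw = struct.pack("!BBHI", OPT_RDNSS, length_units, 0, lifetime) + b"".join(addresses)
    total = length_units * 8
    return raw[:total].ljust(total, b"\x00")


# Constructed sample inputs (not captured traffic).
DNS_ADDR = ipaddress.IPv6Address("2001:db8::53").packed
SAMPLE_RA_VALID = build_ra(rdnss_option(3, [DNS_ADDR]))      # one server, length 3: valid
SAMPLE_RA_BAD_LEN = build_ra(rdnss_option(4, [DNS_ADDR]))    # even length field: invalid

if __name__ == "__main__":
    print("valid RA:", check_ra(SAMPLE_RA_VALID), rdnss_servers(SAMPLE_RA_VALID))
    print("bad RA:", check_ra(SAMPLE_RA_BAD_LEN))
```

Fed the raw ICMPv6 payload of each RA seen on a link (for instance from a packet capture), `check_ra` returns an empty list for RAs that respect the RFC layout and a list of findings otherwise; anything it flags is worth an alert regardless of which CVE it might relate to, since a correctly configured router never emits such options.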
CVE-2020-16947 – A remote code execution flaw affecting Microsoft Outlook and Microsoft 365 Apps for Enterprise. The flaw can be triggered by a specially crafted file that a target user is convinced/tricked into opening, but also by the user previewing the file via the Preview Pane (i.e., the user does not have to open the email with the attached file in order for the exploit to work).
CVE-2020-16909 – A bug in the Windows Error Reporting (WER) component that could be used by an authenticated attacker to execute arbitrary code with escalated privileges. “Although this CVE is not listed as being publicly exploited, bugs in this component have been reported as being used in the wild in fileless attacks. Regardless, this and the other bugs in the WER component being fixed this month should not be ignored,” Childs pointed out.
Animesh Jain, Vulnerability Signatures Product Manager at Qualys, advises prioritizing, for workstations, the vulnerabilities in the Windows Camera Codec, GDI+, browser, Hyper-V, Outlook, Media Foundation and Graphics components.
She also recommends that admins apply the SharePoint Server updates to patch two RCEs (CVE-2020-16951 and CVE-2020-16952).
Exploitation of these vulnerabilities requires that an authenticated attacker upload a specially crafted SharePoint application package to an affected version of SharePoint, Microsoft explained, but if they succeed, they could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm.
Adobe’s updates
Adobe has published a single security bulletin this time, carrying news of security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.
A critical NULL pointer dereference flaw (CVE-2020-9746) has been fixed, which could lead to an exploitable crash and potentially allow arbitrary code execution in the context of the current user.
“Exploitation of CVE-2020-9746 requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL,” Adobe shared. The vulnerability is not actively exploited.
Users should keep in mind that Flash will reach end-of-life (EOL) by the end of the year, and think about whether the time has finally come to stop using the popular (but often targeted) media player.
Intel’s updates
Intel has also released just one advisory, warning about three vulnerabilities in the BlueZ Bluetooth protocol stack.
One (CVE-2020-12352) could be exploited for privilege escalation, the second one (CVE-2020-24490) for information disclosure, and the third one (CVE-2020-24490) can lead to DoS.
Intel advises affected users to update the Linux kernel to version 5.9 or later, or install kernel fixes released by BlueZ if they can’t perform a kernel update.
SAP’s updates
SAP marked the October 2020 Patch Tuesday by releasing 15 security notes and updates to 6 previously released ones.
The most critical patches are for SAP Solution Manager (an integrated end-to-end platform intended to assist users in adopting new developments, managing the application lifecycle, and running SAP solutions) and SAP Focused Run (a high-volume system and application monitoring, alerting, and analytics solution for service providers). Both incorporate the CA Introscope Enterprise Manager, which is affected by:
- CVE-2020-6364 – An OS command injection vulnerability, and
- CVE-2020-6369 – Hard-coded credentials
Other patches have been provided for newly fixed flaws in a variety of offerings, including SAP NetWeaver, SAP Business Objects Business Intelligence Platform, SAP Landscape Management, SAP NetWeaver AS Java, SAP Commerce Cloud, and others.