July 2020 Patch Tuesday: Microsoft plugs wormable Windows DNS Server RCE flaw
On this July 2020 Patch Tuesday, Microsoft has plugged 18 critical and 105 high-severity flaws, Adobe has delivered security updates for ColdFusion, Adobe Genuine Service, Adobe Download Manager, Adobe Media Encoder and Adobe Creative Cloud Desktop Application, and Oracle is set to deliver fixes for 433 vulnerabilities.
Microsoft’s updates
For the fifth month in a row, Microsoft has fixed over 100 CVE-numbered vulnerabilities: 123, to be precise.
First and foremost, one of the fixed vulnerabilities has been especially singled out: CVE-2020-1350, aka SIGRed, a “wormable” remote code execution flaw in the Windows DNS Server service that affects all Windows Server versions.
The vulnerability could be exploited to achieve unauthenticated code execution at the level of the Local System account on an affected system by sending a specially crafted request.
“That makes this bug wormable – at least between affected DNS servers. Microsoft also suggests a registry edit that limits the size of TCP packets the server will process as a workaround, but they don’t list any potential side effects of that registry change. The attack vector requires very large DNS packets, so attacks cannot be conducted over UDP. Considering Windows DNS servers are usually also Domain Controllers, definitely get this patched as soon as you can,” Trend Micro Zero Day Initiative’s Dustin Childs advised.
Chris Hass, Director of Information Security and Research, Automox, pointed out that a wormable vulnerability like this is an attacker’s dream.
“Not only will the attacker have full control of the system, but they will also be able to leverage the server as a distribution point, allowing the attacker to spread malware between systems without any user interaction. This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as Wannacry and NotPetya,” he told Help Net Security.
“To make matters worse, Microsoft has deemed the exploitation of this vulnerability as ‘more likely’, and considering the nature of the workaround steps Microsoft has provided if a patch cannot be applied right away, we predict that we will see this vulnerability exploited in the wild soon. The only good news is that this is not a vulnerability in the DNS protocol but limited to Microsoft’s DNS server implementation of it; however, this implementation is widespread, especially in larger organizations.”
Microsoft said that while this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address the vulnerability as soon as possible.
Other fixed flaws of note in this batch of fixes include:
- CVE-2020-1147, an RCE bug in .NET Framework, SharePoint Server, and Visual Studio
- CVE-2020-1349, a Microsoft Outlook RCE vulnerability that could be triggered by opening or viewing the e-mail in the Preview Pane
- CVE-2020-1421, yet another LNK RCE
- CVE-2020-1374, an RDP RCE flaw affecting only the client side
- Six critical RCE vulnerabilities affecting Hyper-V RemoteFX vGPU, which have been fixed by removing the vulnerable graphics drivers and urging users to use Discrete Device Assignment (DDA) instead.
Jimmy Graham, Sr. Director of Product Management, Qualys, says that the Office, Outlook, Remote Desktop Client, DirectWrite, Address Book, LNK, GDI+, Font Library, and VBScript vulnerabilities should be prioritized for workstation-type devices (i.e., any system that is used for email or to access the internet via a browser).
Microsoft has also released servicing stack updates for each supported operating system, and guidance for enabling a request smuggling filter on IIS (web) servers.
“Failure to strictly adhere to the RFC could allow an unauthenticated attacker to tamper with requests and responses on an IIS website if they sent a specially crafted request to an affected IIS site serviced by a front-end load balancer or proxy. If you’re using a front-end load balancer or proxy, you should review the advisory to ensure malformed requests are not being passed to back-end servers,” Childs advised.
Adobe’s updates
Adobe has released security updates for Adobe ColdFusion (for all platforms), Adobe Genuine Service (for Windows and macOS), Adobe Download Manager, Adobe Media Encoder and Adobe Creative Cloud Desktop Application (for Windows), and fixed 13 CVE-numbered flaws. None of the fixed vulnerabilities are actively exploited in attacks.
Adobe considers the ColdFusion (a web-application development platform) and Creative Cloud Desktop Application updates more important than the others, because these software offerings have historically been at elevated risk of attack. The former fixes two DLL search-order hijacking flaws that could lead to privilege escalation, while the latter plugs three privilege escalation bugs and a critical flaw that could be exploited to achieve an arbitrary file system write.
The Download Manager update carries a fix for a single command injection flaw that could lead to arbitrary code execution, the Genuine Service update nixes three privilege escalation flaws, and Media Encoder users get patches for one vulnerability that could lead to information disclosure and two to code execution.
Oracle’s updates
Oracle’s Critical Patch Update (CPU) is also scheduled for today. The final version of the document detailing the fixed flaws is yet to be released, but according to the pre-release announcement, fixes for 433 flaws will be pushed out.
Todd Schell, senior product manager, security, Ivanti, summarized it thusly: “Oracle Java SE is going to resolve 11 vulnerabilities all of which are remotely exploitable without authentication. Highest CVSS v3.1 base score is 8.3. Fusion Middleware is resolving 53 CVEs, 49 of which may be remotely exploited without authentication. Highest CVSS v3.1 base score is 9.8. MySQL is resolving 40 vulnerabilities, six of which may be remotely exploited without authentication. Highest CVSS v3.1 base score is 9.8.”