I’m beginning to think 100+ vulnerabilities in each Patch Tuesday is the “new normal” for Microsoft, as that’s been the range all year. This July release is important because of a few surprises that need immediate attention. This month there are 123 vulnerabilities fixed, with 18 of them marked “Critical” and 105 marked “Important.” While there are no “Exploit Detected” items as of this writing, there are four “Critical” vulnerabilities Microsoft has marked as “Exploitation More Likely.” That is the Exploitability Index rating Microsoft gives when its own analysis shows reliable exploit code could be written for the bug, so you should plan on exploits appearing soon. We’ll review the “Critical” vulnerabilities and focus on the most important ones in each category first.
CVE-2020-1350 is a Windows DNS Server Remote Code Execution Vulnerability that is listed with a CVSS score of 10 (the highest possible) and is also listed as “Exploitation More Likely.” This vulnerability would allow an unauthenticated attacker to send a specially crafted DNS packet to a Microsoft DNS server and gain SYSTEM-level access to the server. Because the flaw is in how the server parses the responses it receives while resolving names on behalf of clients, an internal DNS server that never accepts queries from the Internet is still reachable: all it takes is one client (or one web page) looking up a name in an attacker-controlled domain. This is especially concerning because most Active Directory environments run Microsoft DNS on their domain controllers. In the advisory, Microsoft states “We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction.” This vulnerability affects the DNS Server role on Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, and Windows Server versions 1903 up to 2004 (including all Core versions).
The bottom line here is that you should either deploy the corresponding patch for your operating system or perform the workaround listed in the advisory as soon as possible. The workaround is a registry change: a DWORD value named TcpReceivePacketSize set to 0xFF00 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, followed by a restart of the DNS Server service (the value is only read at service start). It caps the size of DNS messages the server will accept over TCP, which is what blocks the oversized response that triggers the bug; Microsoft expects that cap to be large enough for legitimate traffic, and the value can be removed again once the patch is installed. If you are running N-central or RMM and cannot yet deploy the patch, our automation nerd, Marc-Andre Tanguay, posted Automation policies you can use to deploy the workaround on affected DNS servers. The script can be found here – https://success.solarwindsmsp.com/kb/solarwinds_n-central/Microsoft-DNS-Server-CVE-2020-1350-Workaround .
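If you want to roll the workaround out (and later roll it back) with your own tooling rather than the N-central policy, here is an added example script; it is not the SolarWinds KB script or a Microsoft script, and the script name, the -Action parameter and the function names are choices made for this example. It only uses the registry path and value Microsoft published, refuses to touch hosts that do not have the DNS Server service, and always reports the resulting state so a run across every domain controller produces one row per server. It assumes it runs elevated on the DNS server (locally, or remotely via Invoke-Command as shown in the header comment).

```powershell
<#
  Added example (not the SolarWinds N-central policy or any Microsoft script):
  check, apply or remove the registry workaround Microsoft published for
  CVE-2020-1350. Assumptions: runs elevated on a Windows DNS server; the script
  name, -Action parameter and function names are this example's own choices.

  Local usage:   .\Cve-2020-1350-Workaround.ps1 -Action Check|Apply|Remove
  Fleet usage (assumes the RSAT ActiveDirectory module and WinRM to each DC):
    $dcs = (Get-ADDomainController -Filter *).HostName
    Invoke-Command -ComputerName $dcs -FilePath .\Cve-2020-1350-Workaround.ps1 -ArgumentList 'Apply'
#>
[CmdletBinding()]
param(
    [ValidateSet('Check', 'Apply', 'Remove')]
    [string]$Action = 'Check'
)

# Registry location and value taken from Microsoft's published workaround.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'TcpReceivePacketSize'
$SafeValue = 0xFF00   # caps inbound TCP DNS messages at 65280 bytes

function Test-DnsServerRole {
    # The service name is 'DNS' (display name 'DNS Server'); only act where the role exists.
    return ($null -ne (Get-Service -Name DNS -ErrorAction SilentlyContinue))
}

function Get-WorkaroundState {
    if (-not (Test-DnsServerRole)) { return 'NotApplicable' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    if ($item.$ValueName -eq $SafeValue) { return 'Applied' }
    # Someone set the value to something else; surface it rather than silently overwrite.
    return ('Present, unexpected value 0x{0:X}' -f $item.$ValueName)
}

function Enable-Workaround {
    if (-not (Test-DnsServerRole)) {
        Write-Warning "$env:COMPUTERNAME has no DNS Server service; nothing to do"
        return
    }
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $SafeValue -Force | Out-Null
    # The value is only read when the service starts, so a restart is required.
    # This briefly interrupts name resolution for clients that use this server.
    Restart-Service -Name DNS -Force
}

function Disable-Workaround {
    # Once the July 2020 update is installed the cap is no longer needed; remove it
    # and restart so the server returns to its default TCP message size.
    if (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
        Restart-Service -Name DNS -Force
    }
}

switch ($Action) {
    'Apply'  { Enable-Workaround }
    'Remove' { Disable-Workaround }
}

# Always report the resulting state, whatever the action, so a fleet-wide run
# gives you an inventory of which servers are protected.
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    State    = Get-WorkaroundState
}
```

Run it with -Action Check first across all domain controllers to get a baseline, then Apply during a window where a short DNS service restart is acceptable, and Remove after the update has been installed and the servers rebooted.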
It should be noted that if your domain controllers and DNS are hosted by Microsoft as a managed service (Azure AD Domain Services), no action is required on your part, as Microsoft applies the appropriate updates in their cloud. Any Windows DNS server you run yourself on a cloud VM is just another server you own and still needs the patch or the workaround.
The other operating system vulnerability listed as “Exploitation More Likely” is CVE-2020-1374, a Remote Desktop Client Remote Code Execution Vulnerability. A user would have to be tricked into connecting to a malicious Remote Desktop server to trigger this vulnerability; the attacker would then have full control over the connecting client. This vulnerability affects Remote Desktop clients on Windows 7 up to the current release of Windows 10, including all supported Server versions.
Next up is a group of six vulnerabilities with the same title and details. CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, and CVE-2020-1043 are all listed as a Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability, and all are rated “Exploitation Less Likely.”
These vulnerabilities would allow an attacker running code inside a guest VM to attack the third-party video drivers on the Hyper-V host through the RemoteFX vGPU, escaping the guest and executing code on the host operating system. This affects Server 2008 R2, 2012, 2012 R2, and 2016 (including Core versions). It should be noted that Server 2019 is not vulnerable, as RemoteFX vGPU was deprecated there in favor of Discrete Device Assignment. Be aware that Microsoft’s fix is to disable RemoteFX vGPU rather than repair it: after the July update is installed, a VM that still has a RemoteFX 3D video adapter attached will not start until that adapter is removed, so inventory those VMs before you patch the host.
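To find the VMs that the RemoteFX vGPU CVEs actually apply to, and that will fail to start once the host is patched, here is an added example that is not part of the original post. It uses the Hyper-V module’s Get-VMRemoteFx3dVideoAdapter and Remove-VMRemoteFx3dVideoAdapter cmdlets; the -Remove switch and the function name are this example’s own, and it assumes it runs elevated on the Hyper-V host and that the Get- cmdlet simply returns nothing for VMs without the adapter.

```powershell
<#
  Added example (not from the original post): list the VMs on this Hyper-V host
  that still have a RemoteFX 3D video adapter, and optionally remove it from the
  ones that are powered off. Assumes an elevated session on the host with the
  Hyper-V PowerShell module; -Remove is this example's own switch.
  Usage:  .\Find-RemoteFxVm.ps1            # inventory only
          .\Find-RemoteFxVm.ps1 -Remove    # also strip the adapter from stopped VMs
#>
[CmdletBinding()]
param([switch]$Remove)

Import-Module Hyper-V -ErrorAction Stop

function Get-RemoteFxVm {
    param([switch]$Remove)
    foreach ($vm in Get-VM) {
        # Assumption: returns nothing (rather than throwing) when the VM has no adapter;
        # SilentlyContinue covers both behaviours.
        $adapter = Get-VMRemoteFx3dVideoAdapter -VMName $vm.Name -ErrorAction SilentlyContinue
        if ($null -eq $adapter) { continue }

        $removed = $false
        if ($Remove) {
            if ($vm.State -eq 'Off') {
                # The adapter can only be removed from a stopped VM.
                Remove-VMRemoteFx3dVideoAdapter -VMName $vm.Name
                $removed = $true
            } else {
                Write-Warning "$($vm.Name) is $($vm.State); stop it before removing the RemoteFX adapter"
            }
        }

        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            VM      = $vm.Name
            State   = $vm.State
            Removed = $removed
        }
    }
}

Get-RemoteFxVm -Remove:$Remove
```

Run the inventory first on every host that is 2016 or older; an empty result means the host can take the July update without any VM being left unable to start.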
CVE-2020-1409 is a DirectWrite Remote Code Execution Vulnerability that affects Windows 7 up to the current release of Windows 10 including all supported Server versions. If a user visited a malicious webpage or opened a crafted document, the attacker would be granted full control over the system.
The Windows Address Book Remote Code Execution Vulnerability discussed in CVE-2020-1410 would allow an attacker to execute code if the user opened a malicious vcard on that system. It also affects all supported Windows versions.
CVE-2020-1421 is an LNK Remote Code Execution Vulnerability that also affects Windows 7 through the current Windows 10 release (including Server). If a user opened a malicious .LNK shortcut file, the attacker would gain the same rights as the logged-on user. As a note, it is always recommended to block .LNK attachments in your email security solution to reduce your attack surface, since there is almost never a legitimate reason for a shortcut file to arrive by email. This vulnerability is classified as “Exploitation Less Likely.”
As with previous months, there is a GDI+ Remote Code Execution Vulnerability that would grant the attacker the same rights as the user, if the user clicked on a specially crafted document. This vulnerability, CVE-2020-1435, is listed as Exploitation Less Likely and affects Windows 7 up to current release of Windows 10.
The last “Critical” operating system vulnerability is the Windows Font Library Remote Code Execution Vulnerability, CVE-2020-1436. This vulnerability also grants the attacker access to the system if a user opened a crafted document. Again this one affects all versions from Windows 7 up to 10, but it should be noted that the risk is mitigated on Windows 10 systems because font parsing there runs in a low-privilege sandbox rather than with the privileges of the user or the kernel.
There is only one “Critical” browser vulnerability this month, but it is listed as “Exploitation More Likely” and should be given attention. CVE-2020-1403 is a VBScript Remote Code Execution Vulnerability that affects Internet Explorer 11 on Windows 7 up to the current release of Windows 10, and all corresponding Server versions. It also affects IE9 on Server 2008 (non-R2). It can also be reached through documents opened in Office that use the IE rendering engine. It is only listed as “Important” on the Server operating systems because Internet Explorer Enhanced Security Configuration is enabled there by default, which blocks scripting in the zone a malicious site would land in.
The .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability is also listed as “Exploitation More Likely” and should get some attention. CVE-2020-1147 affects SharePoint, Visual Studio, and the .NET Framework on Windows 7 up to current versions of Windows 10, including Server versions. An attacker could upload a specially crafted file and have code run in the context of the process that deserializes the XML content.
Similar to the previous vulnerability, CVE-2020-1439 is a PerformancePoint Services Remote Code Execution Vulnerability that addresses how XML files are deserialized. This one affects SharePoint 2010, 2013 SP1, 2016, and 2019, and is classified as “Exploitation Less Likely.”
The last two “Criticals” we will review are in Office and Outlook, and they are both classified as “Exploitation Less Likely”.
CVE-2020-1025 is a Microsoft Office Elevation of Privilege Vulnerability caused by improper validation of OAuth tokens, which would allow an attacker to bypass authentication and gain improper access to the server. It affects Lync Server 2013, SharePoint Enterprise 2016, SharePoint Foundation 2013 SP1, SharePoint Server 2019, and Skype for Business Server 2015 CU8 and 2019 CU2.
CVE-2020-1349 is a Microsoft Outlook Remote Code Execution Vulnerability that could grant an attacker the same rights as a user if the user clicked on a specially crafted document, or even viewed it in the preview pane.
While there are vulnerabilities listed in many areas this month, I cannot stress enough how important the patch for Microsoft DNS server is this month. While restarting your DNS server (or the Active Directory domain controller it runs on) was likely not in this week’s plans, you should really consider making this patch your number 1 priority. Since nearly everyone is running DNS with Active Directory, bad actors are likely to see the high target count this offers and develop exploits rather quickly. And if you cannot patch it, at least set aside some time to deploy the workaround to protect this important part of your infrastructure until you can deploy the patch.
The next priority should really be the workstations that are running Remote Desktop Clients, since that vulnerability is likely to be exploited according to Microsoft.
After that, turn your attention to SharePoint, both because of the “Exploitation More Likely” rating and the volume of vulnerabilities fixed this month.
While we have only reviewed the “Critical” patches here, it should be noted that there are 105 vulnerabilities in operating systems and applications that are listed as “Important,” and as we know, sometimes those are the ones that get exploited first. Your patch review and approval process should include both the “Critical” and the “Important” security patches to ensure you are protecting your systems and reducing your attack surface.
As always, let’s stay safe out there!
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd