October 2020 Patch Tuesday—Smaller than usual, but some systems need patching now


This October Patch Tuesday is the first batch this year that fixes less than 100 vulnerabilities. But don’t be fooled by that, as there are several in this group that do warrant your attention. This month Microsoft fixed a total of 88 vulnerabilities, with 11 marked as “Critical,” and the rest “Important” with one “Moderate” exception. Pay special attention to the “Important” ones I cover this month, as many of them are listed as “Exploitation More Likely” and will be in the priority list. While there are no active attacks according to Microsoft, there is a high likelihood some may appear soon for several of these.  First, we’ll review the “Critical” section.

Critical

Operating Systems

The first one we need to pay attention to is the Windows TCP/IP Remote Code Execution Vulnerability that immediately jumped out at me as a concern. CVE-2020-16898 is listed as “Exploitation More Likely.” It especially concerning because an attacker could send a ICMPv6 Router Advertisement Packet to a server and, if successful, would allow the attacker to execute code on the target system. Any system that is internet facing should get the highest priority this month, as it is only a matter of time until bad actors use this vulnerability (along with the Denial of Service vulnerability we cover later on).

This vulnerability affects Windows 10 1709 up to the current version, including Server and Server Core versions. It has a CVSS score of 9.8, so this should be your highest priority this month.

CVE-2020-16891 is a Windows Hyper-V Remote Code Execution Vulnerability that would allow an attacker to force the host machine to run code from a guest operating system on that host. This is generally known as a Hyper-V escape vulnerability, because the attacker can escape the bounds of the guest operating system up to the host. It affects Windows 7 up to the current version of Windows 10, and includes Server 2008, R2, 2012, 2016, 2019, and Server version 1903-2004.

The Media Foundation Memory Corruption Vulnerability labeled as CVE-2020-16915 is listed as “Exploitation Less Likely.” If a user opened a document or visited a malicious webpage, the attacker could gain full rights to the system. It affects Windows 10 1607 to current, including corresponding Server versions.

CVE-2020-16911 is a GDI+ Remote Code Execution Vulnerability that is privilege dependent, meaning a user with admin rights would have more impact that a non-admin user if they clicked on a malicious link or opened a document. It is listed as “Exploitation Less Likely.”

There are two vulnerabilities titled Windows Camera Codec Pack Remote Code Execution Vulnerability. CVE-2020-16967 and CVE-2020-16968 are both listed as “Exploitation Less Likely,” but would grant the attacker the same rights as the user who opened a specially crafted file with the Codec Pack. It affects all supported Windows 10 workstation operating systems.

This final operating system vulnerability is CVE-2020-16923. The Microsoft Graphics Components Remote Code Execution Vulnerability would grant full access to an attacker if the user opened a specially crafted image file. It affects Windows 7 up to the current version of Windows 10, including corresponding Server versions.

Oddly enough, there were no browser fixes in this month’s batch for Internet Explorer or Edge. Perhaps next month we will see more?  

Other Applications

The other “Critical” vulnerabilities are found in Office, SharePoint, Base3D, and in Adobe Flash.

CVE-2020-16947 is a Microsoft Outlook Remote Code Execution Vulnerability that would grant an attacker the same rights as the user. This vulnerability is especially concerning because it affects the preview pane in Outlook, meaning the user would not even have to open the malicious file that was attached if the preview pane feature is active in Outlook. Microsoft lists this one as “Exploitation Less Likely.”

There are two vulnerabilities with the title Microsoft SharePoint Remote Code Execution Vulnerability, and they are listed as CVE-2020-16951 and CVE-2020-16952. They are source markup check vulnerabilities that would require a user to upload an application package to an affected SharePoint server and would allow them to execute code on the server. They affect SharePoint 2013 SP1, SharePoint Enterprise Server 2016, and SharePoint Server 2019, and are listed as “Exploitation Less Likely.”

CVE-2020-17003 is a Base3D Remote Code Execution Vulnerability listed as “Exploitation Less Likely.” It is a memory handling issue in the Base3D rendering engine in Windows.

The final “Critical” is ADV200012 -October 2020 Adobe Flash Security Update, which addresses a vulnerability published in APSB20-58 on Adobe’s site for Adobe Flash. It can be installed using the Windows update supplied in the article for Windows 8.1 up to current version of Windows 10 including Server versions.

Not “Critical” but Really “Important”

Recently, Microsoft released a new version of the Security Update Guide in preview. This guide is what I use to review and sort the fixed vulnerabilities in this blog. This newly designed version will allow me to filter on some of the information I had to dig deeper into the data to find previously; this is great news.  You can get a preview of this format at https://msrc.microsoft.com/update-guide/. Using this new guide, I can more easily uncover the “Important” vulnerabilities that are actually listed as “Exploitation More Likely.” Even though they are not listed as “Critical” they warrant special attention, as sometimes these vulnerabilities end up exploited quickly, and while they may not all be “Remote Code Execution,” bad actors many times use these vulnerabilities after gaining an initial foothold for follow-on or chained attacks. Let’s review them here.

CVE-2020-16899 is a Windows TCP/IP Denial of Service Vulnerability that is similar to the first TCP/IP vulnerability we reviewed in this article. It has the same attack vector but would only result in a Denial of Service instead of Remote Code Execution. Microsoft suggests a workaround of disabling ICMPv6 RDNSS if possible, and the instructions to do so are listed in the linked article. 

CVE-2020-16907 and CVE-2020-16913 are both titled Win32k Elevation of Privilege Vulnerability. This is a kernel driver memory handling vulnerability that would require an attacker to log on to a system. A successful exploit would allow an attacker to execute code on the system. They affect Windows 10 up to current version, including Server operating systems.

There is a Windows Spoofing Vulnerability fix for CVE-2020-16922 that affects Windows 7 up to current Windows 10 versions, including Server. This is a security feature bypass that would allow an attacker to load improperly signed files on a system. 

This final one in this review is CVE-2020-16896 and is a Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability that would allow an attacker to send a specially crafted packet to an RDP server. The response could unintentionally disclose information about the system that would allow an attacker to further compromise the system. Microsoft gives workarounds of disabling RDP if it is not needed, or enabling Network Level Authentication on the server. 

As always, avoid exposing RDP on the Internet wherever possible. It is incredibly easy to discover available and responding RDP server with services like Shodan or other scanners. In my opinion, if you are simply exposing RDP to the internet without additional security in place, you are at a high risk for attack.

Summary

While this month’s batch was lighter than usual, there are some real attention getters here.  I recommend addressing the Windows TCP/IP vulnerabilities first, with highest priority on any Internet-facing systems. Then get those RDP servers patched, since Remote Desktop seems to be one of the most popular attack vectors these days. Next, turn your focus towards patching your Hyper-V systems, and then patching workstations (especially those running Outlook), and finally your SharePoint servers (which by now should be a regular part of your routine considering the volume of SharePoint vulnerabilities fixed this year). 

We will keep our ears to the ground on the TCP/IP vulnerabilities and update you if we start to see attacks leveraging these vulnerabilities.

As always, let’s stay safe out there! 

 

Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd