September Patch Tuesday: RDP Vulns and Zero-Days
Microsoft’s September Patch Tuesday covered a total of 80 CVEs, 17 of which were rated critical.
Microsoft’s September Patch Tuesday covered 80 CVEs, 17 of which were rated critical, and included patches for Azure DevOps Server, Chakra Scripting engine, and Microsoft SharePoint. Sixty-two were labeled as important and included patches for Microsoft Excel, Microsoft Edge, and Microsoft Exchange. Only one was rated as moderate.
Remote desktop vulnerabilities
Continuing the trend from last month, several of the critical patches were for Remote Desktop Clients — CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291 — all Remote Code Execution (RCE) vulnerabilities. These follow the previous months’ fixes for BlueKeep and DejaBlue. Those earlier flaws allow an attacker to execute code at the system level through a crafted pre-authentication RDP packet sent to an affected Remote Desktop Services (RDS) server. In these recent disclosures, however, the attacker would need some degree of social engineering to convince users to connect to a server under the attacker’s control.
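Because these four client-side bugs are only reached when a workstation’s RDP client connects out to a hostile server, a useful compensating control while hosts are still unpatched is to review where RDP clients are connecting. The following Python script is an added example, not code from the original post or from Trend Micro; it triages connection attempts against an allowlist. The log lines are constructed for the example and are modeled on event ID 1024 of the Microsoft-Windows-TerminalServices-RDPClient/Operational log, which Windows writes for each outbound connection attempt; the allowlisted hosts and network are hypothetical values.

```python
"""Triage of outbound RDP client connection attempts against an allowlist.

Added example (not from the original post). The input format mimics an export
of the TerminalServices-RDPClient/Operational log, where event 1024 reads
"RDP ClientActiveX is trying to connect to the server (<host>)". All log
lines below are constructed sample data, not real telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample export: timestamp, user, event id, message.
SAMPLE_LOG = """\
2019-09-11T09:02:13Z corp\\alice 1024 RDP ClientActiveX is trying to connect to the server (ts01.corp.example)
2019-09-11T09:15:44Z corp\\bob 1024 RDP ClientActiveX is trying to connect to the server (10.20.30.40)
2019-09-11T10:01:05Z corp\\alice 1024 RDP ClientActiveX is trying to connect to the server (203.0.113.77:3389)
2019-09-11T10:03:19Z corp\\carol 1024 RDP ClientActiveX is trying to connect to the server (support-portal.example.net)
2019-09-11T10:04:00Z corp\\carol 1102 The client has initiated a multi-transport connection to the server 203.0.113.77.
"""

# Policy (hypothetical): known jump hosts plus the internal RDP subnet.
ALLOWED_HOSTS = {"ts01.corp.example", "ts02.corp.example"}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<event_id>\d+)\s+(?P<msg>.*)$")
TARGET_RE = re.compile(r"connect to the server \((?P<target>[^)]+)\)")


@dataclass(frozen=True)
class RdpConnection:
    timestamp: str
    user: str
    host: str   # hostname or IPv4 literal with any ":port" suffix removed
    port: int


def parse_connections(text):
    """Yield one RdpConnection per event-1024 line; other event IDs are ignored."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("event_id") != "1024":
            continue
        t = TARGET_RE.search(m.group("msg"))
        if not t:
            continue
        # Split a trailing ":port"; bracketed IPv6 literals are not handled here.
        host, _, port = t.group("target").rpartition(":")
        if not host:            # no explicit port in the event text
            host, port = port, "3389"
        yield RdpConnection(m.group("ts"), m.group("user"), host, int(port))


def is_allowed(host):
    """True if host is an allowlisted name or an address inside an allowlisted network."""
    if host.lower() in ALLOWED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False            # unknown hostname, not on the allowlist
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_suspicious(text):
    """Return connection attempts to destinations outside the allowlist, in log order."""
    return [c for c in parse_connections(text) if not is_allowed(c.host)]


if __name__ == "__main__":
    for c in find_suspicious(SAMPLE_LOG):
        print(f"{c.timestamp} {c.user} -> {c.host}:{c.port} not on allowlist; review with the user")
```

On the sample data the script flags two attempts (one to a public address, one to an unknown external hostname) and ignores the event-1102 line, which describes transport negotiation rather than the initial connection target. In practice, feed it an export of the RDP client log from endpoint telemetry and maintain the allowlist from your jump-host inventory.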
Zero days
Microsoft also patched two zero-days, CVE-2019-1214 and CVE-2019-1215, both of which are elevation of privilege vulnerabilities. CVE-2019-1215 exists in the way Winsock handles objects in memory and would allow attackers to execute code with elevated privileges. CVE-2019-1214 exists in the way the Windows Common Log File System (CLFS) handles objects in memory and would allow an attacker to run processes in an elevated context.
Browser components
Microsoft also patched browser components, specifically VBScript and the Chakra Scripting Engine. The VBScript RCE vulnerabilities are CVE-2019-1208 and CVE-2019-1236; the Chakra Scripting Engine vulnerabilities are CVE-2019-1138, CVE-2019-1217, CVE-2019-1237, CVE-2019-1298, and CVE-2019-1300. These vulnerabilities affect Microsoft Edge, and an attacker who successfully exploits them could gain the same user rights as the current user. The patch modifies how Chakra handles objects in memory, which is where these vulnerabilities reside.
Other notable patches and updates
An LNK vulnerability (CVE-2019-1280) was also patched in this month’s Patch Tuesday. It could allow remote code execution through .LNK files. This is notable because LNK vulnerabilities have been linked to the Stuxnet worm in the past: Stuxnet spread to targeted Windows systems through an exploit that used a crafted malicious .LNK file. The patch corrects the processing of shortcut LNK references.
Important patches included several for Microsoft Office tools, namely Microsoft Excel and Microsoft Exchange. The former was for an RCE vulnerability (CVE-2019-1297) and the latter was for a denial of service (DoS) vulnerability (CVE-2019-1233).
.NET Framework patches have been released every month this year, and this trend continues in September. Among the notable disclosures for this month is the patch for the .NET Framework DoS vulnerability CVE-2019-1301, which corrects how the .NET Core web application handles web requests.
Also of note was a kernel information disclosure vulnerability, CVE-2019-1274, which would allow attackers to obtain information that could help them further compromise the system. The patch modifies how the kernel handles objects in memory, where the vulnerability exists. In addition, a patch was released for a Hyper-V information disclosure vulnerability, CVE-2019-1254, which could likewise give an attacker access to sensitive information on an affected system.
Also included in this month’s Patch Tuesday was a security update for Adobe Flash Player, following several non-security-related updates from the previous months. It addresses the vulnerabilities CVE-2019-8069 and CVE-2019-8070.
Users with affected installations are advised to prioritize the updates in order to avoid possible system exploitation through unpatched vulnerabilities. The Trend Micro™ Deep Security™ and Vulnerability Protection solutions also protect systems and users from threats targeting the vulnerabilities included in this month’s Patch Tuesday, updating or creating rules to address the specific vulnerabilities found. Currently, protection is provided for CVE-2019-1257, CVE-2019-1295 and CVE-2019-1296 via the following rule:
- 1009971 - Microsoft SharePoint Multiple Remote Code Execution Vulnerabilities
Trend Micro™ TippingPoint® customers are protected from threats and attacks that may exploit CVE-2019-0787 via the following MainlineDV filter:
- 36123: RDP: Microsoft Remote Desktop Services Memory Corruption Vulnerability (CVE-2019-0787)
We are working hard to continue to provide protection where possible. You can keep track of the latest released rules through the following advisory.