September Patch Tuesday Updates Exchange, SharePoint
This month’s update includes 129 updates for the Microsoft Office suite, with 15 specifically addressing SharePoint vulnerabilities. Of the total number, 23 have been rated Critical and 105 as Important. No zero days have been observed, but four vulnerabilities are under close scrutiny for their potential abuse. Specifically, CVE-2020-16875 can be exploited for remote code execution (RCE), CVE-2020-1596 for man-in-the-middle (MiTM) attacks, while CVE-2020-0836 and CVE-2020-1228 can be abused for domain name system (DNS) denial of service (DoS). Twelve of the vulnerabilities included have also been reported by the Zero Day Initiative (ZDI), including three critical gaps that can be used for RCE. This update marks seven consecutive months of patching more than 110 gaps per batch, and brings the year’s total number close to a thousand updates.
Under close observation
Four vulnerabilities – one rated as Critical and three as Important – will be closely observed for potential abuse. Researchers are calling for system administrators to immediately patch CVE-2020-16875, an RCE flaw in Microsoft Exchange Server. By sending a malicious attachment or email to a vulnerable Exchange server, a malicious actor can abuse the gap to remotely execute arbitrary code and install programs, access or change data, or create new user accounts. CVE-2020-1596 is a transport layer security (TLS) protocol vulnerability that exists when TLS components use weak hash algorithms. An attacker can abuse this flaw to obtain more information and extend an initial compromise of the encrypted channel. CVE-2020-0836 and CVE-2020-1228 occur when the DNS is not able to handle queries properly, and can be exploited by an attacker who sends malicious DNS queries to make the service nonresponsive.
SharePoint gaps
Seven of the 15 SharePoint vulnerabilities are ranked Critical and can be exploited for RCE attacks. CVE-2020-1200, CVE-2020-1210, CVE-2020-1452, CVE-2020-1453, and CVE-2020-1576 occur when the software fails to verify the source markup of an application package, and can be exploited remotely should an attacker run a specially crafted package against an affected version of the software. CVE-2020-1595 exists where the software's application programming interfaces (APIs) are not properly protected from unsafe data input. A malicious actor can abuse this flaw by luring a user to access a susceptible API on an affected version of the software. CVE-2020-1460 exists when SharePoint Server fails to identify and filter malicious active server page (ASP) web controls. With a malicious page exploiting this gap in the affected server version, an attacker can perform actions undermining the security context of the software’s application pool process.
ZDI disclosed critical gaps
Among the critical vulnerabilities disclosed under the ZDI process are CVE-2020-1039, CVE-2020-1129, and CVE-2020-1319. CVE-2020-1039 is an RCE gap that exists when the Microsoft Jet Database engine is not able to handle objects in memory properly; this can be abused by luring a user to open a specially designed malicious file to execute arbitrary code. CVE-2020-1129 and CVE-2020-1319 are vulnerabilities in the way the codecs library handles objects in memory. By having a program process a specifically designed image file, a malicious actor can take control of the affected system to access or change data, install programs, and create new accounts with full administrative rights.
Trend Micro solutions
While there are no urgent security advisories for zero days in this release and not all of the disclosed gaps have been observed being exploited, the number of Microsoft software updates has shown no signs of letting up. Patch management and security teams could be under pressure to maintain systems given the volume of updates released since the year started. Aside from the varied scenarios of deploying updates for equipment in the office, teams will have to implement the necessary patches for those remotely working in the safety of their homes. Users are still advised to download the fixes to ensure that their machines are safe from attacks via vulnerability abuse.
Trend Micro™ Deep Security™ and Vulnerability Protection protect users from exploits that target these vulnerabilities via the following rules:
- 1010491 - Microsoft Windows Active Directory Information Disclosure Vulnerability (CVE-2020-0664)
- 1010494 - Microsoft Windows Active Directory Information Disclosure Vulnerability (CVE-2020-0856)
Trend Micro™ TippingPoint™ protects customers through the following rules:
- 38094: LDAP: Microsoft Windows Active Directory Information Disclosure Vulnerability
- 38106: LDAP: Microsoft Windows Active Directory addRequest Information Disclosure Vulnerability