This month’s Microsoft Patch Tuesday addresses 50 vulnerabilities with only 8 of them labeled as Critical. Of the 8 Critical vulns, one is for browser and scripting engines, 3 are for .NET Framework and one for ASP.NET. In addition, Microsoft has patched 3 critical RCEs in Remote Desktop Gateway and Remote Desktop Client. Adobe issued patches today for Illustrator CC and Experience Manager.
Update January 17, 2020: A new detection in Qualys Web Application Scanning was added. See “Detecting with Qualys WAS” below.
Citrix released a security advisory (CVE-2019-19781) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.
Qualys Research Labs discovered a local privilege escalation vulnerability in OpenBSD’s dynamic loader. The vulnerability could allow local users or malicious software to gain full root privileges. OpenBSD developers have confirmed the vulnerability and released security patches in less than 3 hours.
Qualys Research Labs also provided proof-of-concept exploits in the security advisory.
Multiple authentication vulnerabilities in OpenBSD have been disclosed by Qualys Research Labs. The vulnerabilities are assigned following CVEs: CVE-2019-19522, CVE-2019-19521, CVE-2019-19520, CVE-2019-19519. OpenBSD developers have confirmed the vulnerabilities and also provided a quick response with patches published in less than 40 hours.
The BlueKeep vulnerability, initially released in May 2019, is currently being exploited in the wild. Cybersecurity researchers have spotted initial attacks of Bluekeep RDP vulnerability. Here’s a reminder about BlueKeep and instructions for using Qualys to identify attacks and remediate this vulnerability.
The release of the Qualys Vulnerability Signature, version 2.4.722-4, includes changes for Oracle Database signatures. The 2.4.722-4 release is live as of October 11, 2019.
Microsoft released an out-of-band update yesterday that fixes two critical vulnerabilities – The Internet Explorer remote code execution vulnerability (CVE-2019-1367) and Microsoft Defender Denial of Service Vulnerability (CVE-2019-1255).
According to the Microsoft advisory CVE-2019-1367, the Internet Explorer scripting engine vulnerability has been exploited in active attacks in the wild. Users are advised to manually update their systems immediately.
UPDATE: Added methods to detect Internet Explorer installs vulnerable to CVE-2019-1367 using only Free Qualys Global IT Asset Inventory, as well as how to patch by CVE with Qualys Patch Management.
Cisco published an update for Cisco IOS XE operating system to patch a critical vulnerability that could allow a remote attacker to bypass authentication on devices running an outdated version of Cisco REST API virtual service container.
The security issue is tracked as CVE-2019-12643 and has received a maximum severity rating score of 10 based on CVSS v3 Scoring system.
In the August 2019 Patch Tuesday release, Microsoft disclosed 7 RDP Vulnerabilities, out of which 4 are labeled as critical and 3 as important. All the critical vulnerabilities exist in Remote Desktop Services – formerly known as Terminal Services – and do not require authentication or user interaction. To exploit the vulnerabilities, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.
The cyber industry has named them as Seven Monkeys pertaining to seven CVEs released. Microsoft has released patches for these vulnerabilities and at least two of these (CVE-2019-1181 & CVE-2019-1182) can be considered “wormable” and equates them to BlueKeep. Of the three “Important” RDP vulnerabilities, one (CVE-2019-1223) is a DoS, and the other two (CVE-2019-1224 and CVE-2019-1225) disclose memory contents. Microsoft update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.
This month’s Patch Tuesday addresses 39 vulnerabilities, with 9 of them labeled as Critical. Out of the Criticals, most are browser-related, with the rest including Windows, and .net Framework. A Privilege Escalation vulnerability exists in Windows kernel which has been exploited in wild. Adobe also patched 9 Critical and Important vulnerabilities this month for Adobe Acrobat and Reader.
On the basis of volume and severity this Patch Tuesday is light in weight.
Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. Out of the 9 vulnerabilities, 6 can be exploited through browsers.
Active Attacks on Win32k Privilege Escalation
Microsoft has reported that there are active attacks detected against CVE-2018-8611. Microsoft has ranked this patch as Important. It is important to prioritize Windows kernel patching.
Adobe Patches and Mitigations
Adobe released nine patches for Acrobat/Reader, with 6 rated as critical and 3 as important. In early December, Adobe also released out-of-band patches for Adobe Flash. CVE-2018-15982 is rated as critical and has been exploited in wild. CVE-2018-15983 is labeled as important.