I am doing this episode about July vulnerabilities already in August. There are 2 reasons for this. First of all, July Microsoft Patch Tuesday was published in the middle of the month, as late as possible. Secondly, in the second half of July I spent my free time mostly on coding. And I would like to talk more about this.
I decided to release my Microsoft Patch Tuesday reporting tool as part of a larger open source project (on GitHub). I named it Vulristics (from "Vulnerability" and "Heuristics"). I want it to be an extensible framework for analyzing publicly available information about vulnerabilities.
Let's say we have a vulnerability ID (CVE ID) and we need to decide whether it is really critical or not. We will probably go to some vulnerability databases (NVD, CVE page on the Microsoft website, Vulners.com, etc.) and somehow analyze the descriptions and parameters. Right? Such analysis can be quite complex and not so obvious. My idea is to formalize it and make it shareable. It may not be the most efficient way to process data, but it should reflect real human experience, the things that real vulnerability analysts do. This is the main goal.
Currently, there are the following scripts available:
Of course, we can do much more than that. I have plans to add:
If you have good ideas, please share them in the chat. Help with coding will also be much appreciated.
Finally, some obvious warnings:
So keep in mind that if you actively use it for bulk operations, you may have problems with the owners of these third-party sources; for example, your IP address may simply be banned. So be careful and reasonable!
But enough about my tool, let's talk about the results for the July MS Patch Tuesday. There were 123 vulnerabilities in July: 18 critical and 105 important. As for public exploits, I checked the vulnerabilities with report_ms_patch_tuesday_exploits.py and found nothing.
There are no exploits for these vulnerabilities on Vulners. Microsoft also believes that there are no "Exploitation Detected" vulnerabilities this time.
But we do see 8 "Exploitation More Likely" vulnerabilities:
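As an added illustration of the kind of analyst heuristic the tool is meant to formalize (my own example here, not Vulristics code), this is a small triage pass over constructed Patch Tuesday-style records; the rule order, the field names and the placeholder CVE and exploit ids are assumptions:

```python
from typing import Dict, List, Tuple

# Constructed sample records shaped like the fields a Patch Tuesday report carries:
# Microsoft severity, impact, the "Exploitability Assessment" text and the exploit
# ids found for the CVE in a public exploit database such as Vulners. Treat every
# value as sample data for this example, not as a verified record.
SAMPLE_RECORDS: List[Dict] = [
    {"cve": "CVE-2020-1350", "severity": "Critical", "impact": "Remote Code Execution",
     "exploitability": "Exploitation More Likely", "exploits": []},
    {"cve": "CVE-2020-1374", "severity": "Critical", "impact": "Remote Code Execution",
     "exploitability": "Exploitation More Likely", "exploits": []},
    {"cve": "CVE-2020-1381", "severity": "Important", "impact": "Elevation of Privilege",
     "exploitability": "Exploitation More Likely", "exploits": []},
    {"cve": "CVE-2020-1446", "severity": "Important", "impact": "Remote Code Execution",
     "exploitability": "Exploitation Less Likely", "exploits": []},
    # Placeholder id with a public exploit attached, so the top rule is exercised.
    {"cve": "CVE-0000-0000", "severity": "Important", "impact": "Information Disclosure",
     "exploitability": "Exploitation Less Likely", "exploits": ["EDB-PLACEHOLDER"]},
]


def triage(rec: Dict) -> Tuple[str, List[str]]:
    """Return (priority, reasons) for one CVE record. The rule order is an assumption
    that mirrors the post's reasoning: in-the-wild exploitation or a public exploit
    outranks Microsoft's "more likely" estimate, which outranks severity on its own."""
    reasons: List[str] = []
    if rec["exploitability"] == "Exploitation Detected":
        reasons.append("exploitation detected in the wild")
    if rec["exploits"]:
        reasons.append("public exploit: " + ", ".join(rec["exploits"]))
    if reasons:
        return "Urgent", reasons
    more_likely = rec["exploitability"] == "Exploitation More Likely"
    rce = rec["impact"] == "Remote Code Execution"
    if more_likely and (rec["severity"] == "Critical" or rce):
        return "High", ["exploitation more likely", rec["impact"].lower()]
    if more_likely or (rec["severity"] == "Critical" and rce):
        return "Medium", [rec["exploitability"].lower(), rec["impact"].lower()]
    return "Low", [rec["severity"].lower(), rec["impact"].lower()]


def summarize(records: List[Dict]) -> Dict[str, int]:
    """Count records per priority, the way a Patch Tuesday report would tally them."""
    counts: Dict[str, int] = {}
    for rec in records:
        priority, _ = triage(rec)
        counts[priority] = counts.get(priority, 0) + 1
    return counts
```

Feeding real report data into the same shape (severity, impact, exploitability text, exploit ids) is the point: the rules stay readable and can be argued about and changed.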
Windows DNS Server RCE (CVE-2020-1350), called SIGRed, is the star of this Patch Tuesday. It is extremely critical and has existed for 17 years, affecting Windows Server versions from 2003 to 2019. Getting RCE with only a DNS request is really impressive. The Check Point researchers wrote a great article about this vulnerability with a video of the PoC. When this vulnerability was released, there was a feeling that a public RCE exploit would appear soon. But so far there are only several Rickroll jokes and a DoS exploit by maxpl0it, which looks workable but for some reason is not present in the exploit databases, for example in exploit-db. Therefore Vulners does not see it, as I mentioned above. Indeed, searching for exploits and exploit validation are important tasks!
In second place, of course, is the RDP Client RCE (CVE-2020-1374). When a client connects to a malicious server, it becomes susceptible to an RCE attack. All versions from Windows 7 (and possibly earlier!) to the latest version of Windows 10 (2004) are vulnerable. Of course, exploiting this vulnerability requires social engineering or a Man-in-the-Middle attack.
.NET Framework, SharePoint Server, and Visual Studio RCE (CVE-2020-1147) involves the deserialization of XML content. To exploit it, an attacker could upload a specially crafted document to a server that uses an affected product to process content.
VBScript RCE (CVE-2020-1403). An attacker would have to convince a user to execute malicious code through phishing, or to visit a malicious website where the user would download and execute a crafted file. In fact, we see tons of these vulnerabilities every Patch Tuesday, but still no exploits.
Windows Graphics Component Elevation of Privilege vulnerabilities (CVE-2020-1381, CVE-2020-1382). An attacker who logs onto a vulnerable system and runs a specially crafted application could run processes in an elevated context.
Looking at other vulnerabilities, the products with the most vulnerabilities are Hyper-V RemoteFX vGPU (RCEs) and Windows Runtime (EoPs).
RCEs in Hyper-V RemoteFX vGPU (CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043). Microsoft's patch simply disables the RemoteFX functionality. According to Microsoft: "RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016."
Among other vulnerabilities, vulnerability management vendors highlight:
RCE in PerformancePoint Services (CVE-2020-1439). PerformancePoint is a SharePoint component and the vulnerability is similar to the "Exploitation More Likely" SharePoint vulnerability (CVE-2020-1147) we discussed above.
Microsoft Word RCEs (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448). Exploitation of these vulnerabilities requires an attacker to send a specially crafted file to a victim, or to convince a user to visit a crafted website hosting a malicious file, which the user must open with a vulnerable version of Microsoft Word. Obviously, this is good for phishing.
Jet Database Engine RCEs (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407). To exploit these vulnerabilities, an attacker must convince a victim to open a specially crafted file or visit a malicious website.
Visual Studio Code ESLint Extension RCE (CVE-2020-1481). To exploit this vulnerability, an attacker would need to convince a user to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute in the context of the current user, with the same rights and permissions.
Windows Modules Installer Elevation of Privilege (CVE-2020-1346) was mentioned by Rapid7: "In this particular case, the Servicing Stack Updates released this month should have been installed prior to installing the cumulative update/monthly rollup or security update patch. While it was not explicitly outlined, following these directions from Microsoft for CVE-2020-1346 may have a direct impact on the order of operations when resolving other issues such as CVE-2020-1350."