On this September 2020 Patch Tuesday:
- Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
- Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
- Intel has released four security advisories
- SAP has released 10 security notes and updates to six previously released notes
Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.
Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.
“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”
Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.
“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.
“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”
Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.
Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.
CVE-2020-0922, a RCE in Microsoft COM (Common Object Model), should also be patched quickly on all Windows and Windows Server systems.
He also advised organizations in the financial industry who use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.
“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.
Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.
Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.
The AEM and AEM Forms updates are more important than the rest.
The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two offerings are not often targeted by attackers, admins are advised to implement them after more critical updates are secured.
None of the fixed vulnerabilities are being currently exploited in the wild.
Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
The latter fixes are the most important, as they fix a privilege escalation flaw that has been deemed to be “critical” for provisioned systems.
SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).
Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.
Microsoft Exchange servers are an ideal target for attackers looking to burrow into enterprise networks, says Microsoft, as “they provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance.”
And while they are not the initial entrance point in the majority of cases, the company has witnessed lately a rise in attacks aimed at compromising Exchange servers by exploiting an unpatched flaw – more specifically CVE-2020-0688, a patch for which was released in February 2020.
While the attackers need to have compromised, valid email credentials to access the server before attempting to exploit the flaw, they are obviously succeeding in getting their hands on them. (Kevin Beaumont explained why that’s not much of a problem.)
“This is an attacker’s dream: directly landing on a server and, if the server has misconfigured access levels, gain system privileges,” the Microsoft Defender ATP Research Team noted. And, unfortunately, there are still too many internet-facing, unpatched Exchange servers out there.
The attack chain
According to Microsoft, April was the month when multiple campaigns began to target Exchange servers.
After gaining access, the attackers proceeded to install web shells to allow them to control the server remotely, and then started exploring its environment for info on domain users and groups, other Exchange servers in the network, and mailboxes, as well as scanning for vulnerable machines on the network.
They achieved persistence on the compromised Exchange server by adding new user accounts and elevating their privileges, then proceeded extract credentials from the Security Account Manager (SAM) database, the Local Security Authority Subsystem Service (LSASS) memory, and the Domain Controler.
They used WMI (Windows Management Instrumentation) and PsExec (a Microsoft tool for running processes remotely) to achieve lateral movement, exported mailboxes via Exchange Management Shell commands, created a network architecture that would allow them to bypass network restrictions and remotely access machines through Remote Desktop Protocol (RDP) and, finally, they compressed the data and put it in a web-accessible path for easy pickup.
Mitigation and prevention
“As these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques,” the team noted.
The attackers are also trying to disable security tools like Microsoft Defender Antivirus, archive scanning and automatic updates to increase their stealth.
Aside from doing the best possible thing – implement the latest security updates as soon as they become available – admins are advised to:
- Audit MS Exchange servers regularly for vulnerabilities, misconfigurations, and suspicious activity
- Regularly review highly privileged groups and the list of users in sensitive roles for anomaliers (e.g., suspicious additions)
- Practice the principle of least-privilege, maintain credential hygiene, and enable multi-factor authentication.
Microsoft naturally also touts its Microsoft Defender Advanced Threat Protection security platform as a means to add protection to Exchange servers, automatically block behaviors like credential theft and suspicious use of PsExec and WMI, prevent attackers from tampering with security services, and to prioritize alerts so that attacks are spotted before they can do much damage.
Attackers looking to exploit CVE-2020-0688, a critical Microsoft Exchange flaw patched by Microsoft in February 2020, don’t have to look hard to find a server they can attack: according to an internet-wide scan performed by Rapid7 researchers, there are at least 315,000 and possibly as many as 350,000 vulnerable on-premise Exchange servers (out of 433,464 total) out there.
What Rapid7 discovered
The scan also revealed more depressing statistics:
- Over 31,000 Exchange 2010 servers have not been updated since 2012
- Nearly 800 Exchange 2010 servers have never been updated
- There are 10,731 Exchange 2007 servers and over 166,000 Exchange 2010 servers. (The former versions is no longer supported, and the latter will reach that status in October 2020.)
Attackers are looking to exploit CVE-2020-0688
Despite Microsoft releasing patches for CVE-2020-0688 in February 2020, and despite the fact that soon after attackers began probing for vulnerable servers and using freely available PoC exploits and a Metasploit module released in early March to breach them, far too many organizations have yet to implement the patch.
Security updates fixing the flaw have been provided for:
- MS Exchange Server 2010 Service Pack 3 Update Rollup 30
- MS Exchange Server 2013 Cumulative Update 23
- MS Exchange Server 2016 Cumulative Update 14, 15 and 3
- MS Exchange Server 2019 Cumulative Update 4
What makes random exploitation difficult?
The one thing that makes random exploitation of the flaw difficult is that attackers need compromised, valid email credentials to access the server before attempting to exploit CVE-2020-0688. But motivated, well-resourced attackers who are looking to breach a specific organization will, no doubt, find a way to get their hands on the required credentials.
Still, the fact that there is such a huge number of outdated and unpatched MS Exchange mail servers out there doesn’t bode well.
“Email is one of, if not the most, sensitive and important systems upon which organizations of all shapes and sizes rely. The are, by virtue of their function, inherently exposed to the Internet, meaning they are within the range of every targeted or opportunistic intruder, worldwide. In this particular case, unpatched servers are also vulnerable to any actor who can download and update Metasploit, which is virtually 100% of them,” noted Richard Bejtlich, Principal Security Strategist at Corelight.
“It is the height of negligence to run such an important system in an unpatched state, when there are much better alternatives – namely, outsourcing your email to a competent provider, like Google, Microsoft, or several others. The bottom line is that unless your organization is willing to commit the resources, attention, and expertise to maintaining a properly configured and patched email system, you should outsource it. Otherwise you are being negligent with not only your organization’s information, but the information of anyone with whom you exchange emails.”
Check out Rapid7’s blog post for instructions on how to find out whether your MS Echange servers need patching and how to check whether they’ve already been compromised through CVE-2020-0688.
It’s March 2020 Patch Tuesday and Microsoft has dropped fixes for 115 CVE-numbered flaws: 26 are critical, 88 important, and one of moderate severity. The good news is that none of them under active attack.
For the time being, Adobe seems to be skipping this Patch Tuesday and there’s no indication whether the customary security updates are just delayed or there won’t be any at all in the coming days.
Last month, Microsoft plugged 99 security holes in a variety of its products. Unexpectedly, this month the number is even higher.
The 26 critical flaws all allow remote code execution, but some are more easily exploited than others.
For example, CVE-2020-0852 affects Microsoft Word and exploitation can be achieved without the target having to open a specially crafted file that would trigger it.
“Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user,” noted Trend Micro’s Zero Day Initiative’s Dustin Childs, and pointed out that having a bug that doesn’t require tricking someone into opening a file should be enticing to malware and ransomware authors.
Also, once again, the company fixed yet another RCE (CVE-2020-0684) that can be triggered by a vulnerable target system process a specially crafted .LNK file.
CVE-2020-0872 is a RCE affecting Microsoft Application Inspector (version v1.0.23 or earlier), the recently released source code analyzer that comes in handy for checking open source components for unwanted or risky features.
“To exploit the vulnerability, an attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component,” Microsoft explained.
“Although Microsoft doesn’t list this as being publicly known at the time of release, it appears this was actually fixed in version 1.0.24, which released back in January,” Childs noted. “It’s not clear why it’s being included in this month’s patch release, but if you use Application Inspector, definitely go grab the new version.”
CVE-2020-0905 is a RCE affecting the Dynamics Business Central client and could allow attackers to execute arbitrary shell commands on a target system.
“While this vulnerability is labeled as ‘Exploitation Less Likely,’ considering the target is likely a critical server, this should be prioritized across all Windows servers and workstations,” urged Animesh Jain, Product Manager of Vulnerability Signatures at Qualys.
Childs is of the same mind. “Exploitation of this Critical-rated bug won’t be straightforward, as an authenticated attacker would need to convince the target into connecting to a malicious Dynamics Business Central client or elevate permission to System to perform the code execution. Still, considering the target is likely a mission-critical server, you should test and deploy this patch quickly,” he added.
It must also be pointed out that, in this batch of fixes, there is one for a spoofing vulnerability in Microsoft Exchange Server, but this flaw is less serious than CVE-2020-0688, a fix for which was released in February but is still being actively exploited in the wild. Admins are advised to plug that security hole ASAP (if they haven’t already).
Mozilla updates Firefox
Adobe might not have released security updates on this March 2020 Patch Tuesday, but Mozilla released Firefox 74, with TLS 1.0 and TLS 1.1 disabled by default, stricter rules for add-ons, a tool for preventing Facebook from tracking users around the web, and several developer features.
No critical flaws have been fixed in this edition of the popular browser and Firefox ESR68.6 (also released today).
Richard Melick, Sr. Technical Product Manager, Automox, pointed out that while none of the Firefox flaws patched this time are under active exploitation, the time to weaponization averages 7 days, so users/admins should upgrade as soon as possible.
“Impacting the iPhone, CVE-2020-6812 stood out as a vulnerability that would allow a website with camera or microphone access to gather information on the user through the connected AirPods. While not the most critical, this information could be gathered and help adversaries track a user and further gather more personally identifiable information if left unpatched. Essentially, if you’re listening in, someone else may be as well,” he added.
CVE-2020-0688, a remote code execution bug in Microsoft Exchange Server that has been squashed by Microsoft in early February, is ripe for exploitation and could become a vector for ransomware groups in coming months, warns cybersecurity researcher Kevin Beaumont.
Organizations running on-premise Exchange – any supported version (2010, 2013, 2016, 2019) up until the recent patch – would do well to patch as soon as possible, as scanning for vulnerable internet-facing servers has already begun.
CVE-2020-0688, initially classified by Microsoft as a memory corruption vulnerability turned out to be caused by Exchange Server failing to properly create unique cryptographic keys at the time of installation.
More technical details and a demonstration of CVE-2020-0688 exploitation have been published on Tuesday by Trend Micro’s Zero Day Initiative, which served as an intermediary between Microsoft and the anonymous researcher who discovered it.
ZDI security researcher Simon Zuckerbraun reiterated their initial position that the flaw should be rated as Critical.
“Microsoft rated this as Important in severity, likely because an attacker must first authenticate. It should be noted, however, that within an enterprise, most any user would be allowed to authenticate to the Exchange server,” he explained.
“Similarly, any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server. Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will.”
🚨 Microsoft Exchange remote code execution using IIS, simple ascii web request to code execution as SYSTEM on all versions of Exchange (including unsupported) using internet interface🚨 Needs authentication, I’ll explain why not a big hurdle in thread. https://t.co/GKBGuEv28E
— Kevin Beaumont (@GossiTheDog) February 25, 2020
Having SYSTEM access to an Exchange Server and running Mimikatz could also give attackers access to plain-text user passwords, Beaumont noted.
As noted before, the probing for vulnerable servers has already begun (some of it possibly by security researchers):
That was quick, since 2 hours ago seeing likely mass scanning for CVE-2020-0688 (Microsoft Exchange 2007+ RCE vulnerability). pic.twitter.com/Kp3zOi5AOA
— Kevin Beaumont (@GossiTheDog) February 25, 2020
CVE-2020-0688 mass scanning activity has begun. Query our API for “tags=CVE-2020-0688” to locate hosts conducting scans. #threatintel
— Bad Packets Report (@bad_packets) February 25, 2020
No mitigations or workarounds exist for this flaw, so Exchange Server administrators should deploy the patch as soon as their testing is complete.
“Microsoft lists this with an Exploit Index of 1, which means they expect to see exploits within 30 days of the patch release. As demonstrated, that certainly seems likely,” Zuckerbraun concluded.