Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint

I am doing this episode about July vulnerabilities already in August. There are 2 reasons for this. First of all, July Microsoft Patch Tuesday was published in the middle of the month, as late as possible. Secondly, in the second half of July I spent my free time mostly on coding. And I would like to talk more about this.

Vulristics

I decided to release my Microsoft Patch Tuesday reporting tool as part of a larger open source project (github). I named it _Vulristics _(from “Vulnerability” and “Heuristics”). I want this to be an extensible framework for analyzing publicly available information about vulnerabilities.

Let's say we have a vulnerability ID (CVE ID) and we need to decide whether it is really critical or not. We will probably go to some vulnerability databases (NVD, CVE page on the Microsoft website, Vulners.com, etc.) and somehow analyze the descriptions and parameters. Right? Such analysis can be quite complex and not so obvious. My idea is to formalize it and make it shareable. It may not be the most efficient way to process data, but it should reflect real human experience, the things that real vulnerability analysts do. This is the main goal.

Currently, there are the following scripts available:

1. report_ms_patch_tuesday.py - analyze and group Microsoft Patch Tuesday CVEs.
2. report_cve.py - collect and preprocess CVE ID-related data from NVD, Microsoft.com and Vulners.
3. report_ms_patch_tuesday_exploits.py - get Microsoft Patch Tuesday CVEs and filter vulnerabilities with public exploits (based on Vulners.com).

Of course, we can do much more than that. I have plans to add:

• analysis of the vulnerability description based on keywords and phrases (it's good that such descriptions usually have a fairly regular structure)
• analysis of references
• danger and relevance metrics counting (vulnerability quadrants)
  and so on.

If you have good ideas please share them in the chat. The help in coding will be also pretty much appreciated.

Finally, some obvious warnings:

• This tool is NOT an interface to any particular database.
• The tool makes requests to third-party sources.

So keep in mind that if you actively use it for bulk operations, you may have problems with the owners of these third-party sources, for example, your IP address will simply be banned. So be careful and reasonable!

July MS Patch Tuesday Report

But enough about my tool, let's talk about the results for July MS Patch Tuesday. There were 123 vulnerabilities in July. 18 are critical and 105 are important. As for the public exploits, I checked the vulnerabilities with a report_ms_patch_tuesday_exploits.py and found nothing.

There are no exploits for these vulnerabilities on Vulners. Microsoft also believes that there are no Exploitation detected vulnerabilities this time.

Exploitation more likely

But we see 8 Exploitation of more likely vulnerabilities:

Remote Code Execution

• .NET Framework, SharePoint Server, and Visual Studio (CVE-2020-1147)
• Remote Desktop Client (CVE-2020-1374)
• VBScript (CVE-2020-1403)
• Windows DNS Server (CVE-2020-1350)

Elevation of Privilege

• Windows Graphics Component (CVE-2020-1381, CVE-2020-1382)
• Windows Runtime (CVE-2020-1399)

Information Disclosure

• Windows Kernel (CVE-2020-1426)

Windows DNS Server RCE (CVE-2020-1350), called SIGRed, is the star of this Patch Tuesday. It's extremely critical and has existed for 17 years, affecting Windows Server versions from 2003 to 2019. Getting RCE with only a DNS request is really impressive. Checkpoint guys made a great article about this vulnerability with video of PoC . When this vulnerability was released, there was a feeling that there would be a public RCE exploit soon. But still there are only several Rickroll jokes and DoS exploit by maxpl0it, which looks workable, but for some reason is not present in the exploit databases, for example in exploit-db.Therefore, Vulners does not see it, as I mentioned above. Indeed, searching for exploits and exploit validation are important tasks!

In second place, of course, RDP Client RCE (CVE-2020-1374). When a client connects to an infected server it become susceptible to an RCE attack. All versions from Windows 7 (and possibly earlier!) to the latest version of Windows 10 (2004) are vulnerable. Of course, the exploitation of this vulnerability requires social engineering or Man-in-the-Middle attack.

NET Framework, SharePoint Server, and Visual Studio RCE (CVE-2020-1147) involves the deserialization of XML content. To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content.

VBScript RCE (CVE-2020-1403). An attacker would have to convince a user to execute malicious code through phishing or to visit a malicious website, where the user would download and execute a crafted file. In fact, we see tons of these vulnerabilities every Patch Tuesday, but still no exploits.

Windows Graphics Component Elevation of Privilege vulnerabilities (CVE-2020-1381, CVE-2020-1382). An attacker logs onto a vulnerable system and executes a specially crafted application to run processes in an elevated context.

Other Product based (14)

Looking at other vulnerabilities, the products with the most vulnerabilities are Hyper-V RemoteFX vGPU (RCEs) and Windows Runtime (EoPs).

Hyper-V RemoteFX vGPU

• Remote Code Execution (CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043)

Windows Runtime

• Elevation of Privilege (CVE-2020-1249, CVE-2020-1353, CVE-2020-1370, CVE-2020-1404, CVE-2020-1413, CVE-2020-1414, CVE-2020-1415, CVE-2020-1422)

RCEs in Hyper-V RemoteFX vGPU (CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043). Microsoft patch simply disables RemoteFX functionality. According to Microsoft: “RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.”

Other Vulnerability Type based (101)

Remote Code Execution

• DirectWrite (CVE-2020-1409)
• GDI+ (CVE-2020-1435)
• Jet Database Engine (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407)
• LNK (CVE-2020-1421)
• Microsoft Excel (CVE-2020-1240)
• Microsoft Graphics (CVE-2020-1408)
• Microsoft Graphics Components (CVE-2020-1412)
• Microsoft Office (CVE-2020-1458)
• Microsoft Outlook (CVE-2020-1349)
• Microsoft Project (CVE-2020-1449)
• Microsoft SharePoint (CVE-2020-1444)
• Microsoft Word (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448)
• PerformancePoint Services (CVE-2020-1439)
• Visual Studio Code ESLint Extention (CVE-2020-1481)
• Windows Address Book (CVE-2020-1410)
• Windows Font Driver Host (CVE-2020-1355)
• Windows Font Library (CVE-2020-1436)

Denial of Service

• Bond (CVE-2020-1469)
• Local Security Authority Subsystem Service (CVE-2020-1267)
• Windows WalletService (CVE-2020-1364)

Elevation of Privilege

• Group Policy Services Policy Processing (CVE-2020-1333)
• Microsoft Defender (CVE-2020-1461)
• Microsoft Office (CVE-2020-1025)
• Microsoft OneDrive (CVE-2020-1465)
• Visual Studio and Visual Studio Code (CVE-2020-1416)
• Windows (CVE-2020-1388, CVE-2020-1392, CVE-2020-1394, CVE-2020-1395)
• Windows ALPC (CVE-2020-1396)
• Windows ActiveX Installer Service (CVE-2020-1402)
• Windows AppX Deployment Extensions (CVE-2020-1431)
• Windows CNG Key Isolation Service (CVE-2020-1359, CVE-2020-1384)
• Windows COM Server (CVE-2020-1375)
• Windows Credential Enrollment Manager Service (CVE-2020-1368)
• Windows Credential Picker (CVE-2020-1385)
• Windows Diagnostics Hub (CVE-2020-1393, CVE-2020-1418)
• Windows Error Reporting Manager (CVE-2020-1429)
• Windows Event Logging Service (CVE-2020-1365, CVE-2020-1371)
• Windows Function Discovery Service (CVE-2020-1085)
• Windows Kernel (CVE-2020-1336, CVE-2020-1411)
• Windows Lockscreen (CVE-2020-1398)
• Windows Mobile Device Management Diagnostics (CVE-2020-1372, CVE-2020-1405)
• Windows Modules Installer (CVE-2020-1346)
• Windows Network Connections Service (CVE-2020-1373, CVE-2020-1390, CVE-2020-1427, CVE-2020-1428, CVE-2020-1438)
• Windows Network List Service (CVE-2020-1406)
• Windows Network Location Awareness Service (CVE-2020-1437)
• Windows Picker Platform (CVE-2020-1363)
• Windows Print Workflow Service (CVE-2020-1366)
• Windows Profile Service (CVE-2020-1360)
• Windows Push Notification Service (CVE-2020-1387)
• Windows SharedStream Library (CVE-2020-1463)
• Windows Storage Services (CVE-2020-1347)
• Windows Subsystem for Linux (CVE-2020-1423)
• Windows Sync Host Service (CVE-2020-1434)
• Windows System Events Broker (CVE-2020-1357)
• Windows UPnP Device Host (CVE-2020-1354, CVE-2020-1430)
• Windows USO Core Worker (CVE-2020-1352)
• Windows Update Stack (CVE-2020-1424)
• Windows WalletService (CVE-2020-1344, CVE-2020-1362, CVE-2020-1369)
• Windows iSCSI Target Service (CVE-2020-1356)

Information Disclosure

• Connected User Experiences and Telemetry Service (CVE-2020-1386)
• Microsoft Edge PDF (CVE-2020-1433)
• Microsoft Graphics Component (CVE-2020-1351)
• Microsoft Office (CVE-2020-1342, CVE-2020-1445)
• Skype for Business via Internet Explorer (CVE-2020-1432)
• Skype for Business via Microsoft Edge (EdgeHTML-based) (CVE-2020-1462)
• Windows Agent Activation Runtime (CVE-2020-1391)
• Windows Error Reporting (CVE-2020-1420)
• Windows GDI (CVE-2020-1468)
• Windows Imaging Component (CVE-2020-1397)
• Windows Kernel (CVE-2020-1367, CVE-2020-1389, CVE-2020-1419)
• Windows Mobile Device Management Diagnostics (CVE-2020-1330)
• Windows Resource Policy (CVE-2020-1358)
• Windows WalletService (CVE-2020-1361)

Cross Site Scripting

• Azure DevOps Server (CVE-2020-1326)
• Microsoft SharePoint (CVE-2020-1450, CVE-2020-1451, CVE-2020-1456)
• Microsoft SharePoint Reflective (CVE-2020-1454)
• Office Web Apps (CVE-2020-1442)

Spoofing

• Microsoft SharePoint (CVE-2020-1443)

Among other vulnerabilities, vulnerability management vendors highlight

RCE in PerformancePoint Services (CVE-2020-1439). PerformancePoint is a SharePoint component and the vulnerability is similar to the Exploitation more likely SharePoint vulnerability (CVE-2020-1147) we discussed above.

Microsoft Word RCEs (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448). Exploitation of this vulnerability requires an attacker to send a specially crafted file to a victim, or to convince a user to visit a crafted website hosting a malicious file which the user must open with a vulnerable version of Microsoft Word. Obviously, this is good for phishing.

Jet Database Engine RCEs (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407). To exploit this vulnerability, an attacker must convince a victim to open a specially crafted file or visit a malicious website.

Visual Studio Code ESLint Extention RCE (CVE-2020-1481). To exploit this vulnerability, an attacker would need to convince a user to clone a repository and open it in Visual Studio Code. Attacker-specified code would execute in the context of the current user, with the same rights and permissions.

Windows Modules Installer Elevation of Privilege (CVE-2020-1346) was mentioned by rapid7: "In this particular case, the Servicing Stack Updates released this month should been installed prior to installing the cumulative update/monthly rollup or security update patch. While it was not explicitly outlined, following these directions from Microsoft for CVE-2020-1346 may have a direct impact on the order of operations when resolving other issues such as CVE-2020-1350."