Résumé de Tenable - Rapport Microsoft August 2019 Patch Tuesday : DejaBlue
Microsoft’s August 2019 Security Updates, released on August 13, address over 90 vulnerabilities, 29 of which are critical.
Microsoft’s August 2019 Patch Tuesday release contains updates for 93 CVEs, 29 of which are rated Critical. This month brings patches for the usual suspects, namely the various flavors of Microsoft Windows, Office Products, Browsers IE and Edge, as well as Microsoft Dynamics, to name a few. As always, we recommend administrators take immediate action and ensure patches are applied across your organization. In cases where immediate patching is not an option, mitigation steps should be followed as per Microsoft’s recommendations. While none of the CVE’s this month appears to be exploited in the wild yet, several are likely to be exploited. Here, we break down and highlight a few of the most important CVEs from this month’s release.
CVE-2019-1181 & CVE-2019-1182 & CVE-2019-1222 & CVE-2019-1226 | Remote Desktop Services Remote Code Execution Vulnerability
Coming mere months after the May release of CVE-2019-0708 (BlueKeep), Microsoft released patches for four critical remote code execution vulnerabilities in Remote Desktop Services, dubbed DejaBlue by researcher Michael Norris. Exploitation requires little more than sending a specially crafted request to a targeted system’s Remote Desktop Service via RDP. The vulnerability can be exploited pre-authentication and requires no user interaction, making these bugs incredibly dangerous. Successful exploitation would allow an attacker to execute arbitrary code on a targeted host. CVE-2019-1181 and CVE-2019-1182 both offer mitigation options from Microsoft, similar to those offered around BlueKeep; Enabled Network Level Authentication (NLA) and Block TCP port 3389 at the perimeter firewall (Assuming the default port is in use on your hosts). While Microsoft notes these have not been exploited, it’s very likely that a Proof of Concept (PoC) will surface in the near future.
Additionally, three related CVEs were patched affecting Windows Remote Desktop Protocol. CVE-2019-1223 is a Denial of Service (DoS) vulnerability, while CVE-2019-1224 and CVE-2019-1225 are both information disclosure vulnerabilities. While Microsoft only rates these three vulnerabilities as important, it’s encouraging to see so much focus around RDP in the wake of BlueKeep and improving the security of a crucial component in Windows.
CVE-2019-0736 | Windows DHCP Client Remote Code Execution Vulnerability
A memory corruption vulnerability exists in the Windows DHCP client. A remote unauthenticated attacker could send a malicious DHCP response to a vulnerable machine, which the target then executes as code with SYSTEM permissions. DHCP also saw an update for CVE-2019-1213, a memory corruption vulnerability in Windows Server DHCP that could lead to remote code execution, along with two Denial of Service Vulnerabilities CVE-2019-1206 and CVE-2019-1212.
CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in the Windows Operating System Advanced Local Procedure Call (ALPC). If an attacker has gained login access via some other means to a vulnerable host, that attacker could then execute malicious code that runs with SYSTEM permissions, rather than being restricted by the current user’s session permissions. CVE-2019-1162 is credited to Tavis Ormandy of Google Project Zero, who today published details of the work around finding the flaw. In addition to the research, Tavis also released a tool to ease in finding these flaws, and we expect to see more on this front in future months.
CVE-2019-1201 & CVE-2019-1205 | Microsoft Word Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Word. A specially crafted file could perform actions and run commands as the current user. Successful exploitation would require social engineering to get the target user to execute a malicious file, either through sending that file to the targeted user, or hosting the malicious file on a website with which the target user interacts. This vulnerability still requires the end user to open the malicious Word file to be executed. An interesting detail found in the advisories: Microsoft Outlook Preview Pane is an attack vector for these vulnerabilities. A related CVE, CVE-2019-1200 in Microsoft Outlook, could also lead to remote code execution by enticing a user to open a specially crafted file.
CVE-2019-0965 | Windows Hyper-V Remote Code Execution Vulnerability
A remote code execution vulnerability exists when Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. While exploitation does require the attacker to be able to execute a crafted application on a guest operating system, this highlights the dangers of insider threats. While exploitation is less likely in this scenario, Microsoft still rates the severity as Critical, since arbitrary code could be executed on the host operating system.
Solutions Tenable
Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name Contains August 2019.
With that filter set, click on the plugin families to the left, and enable each plugin that appears on the right side. Note that if your families on the left say Enabled then that means all of the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:
A list of all of the plugins released for Tenable’s August 2019 Patch Tuesday update can be found here.
En savoir plus
Articles connexes
Cybersecurity Snapshot: Find MITRE ATT&CK Complex? Need Help Mapping to It? There’s an App for That!
March 10, 2023Learn about a new tool that streamlines MITRE ATT&CK mapping. Plus, known vulnerabilities remain a major cyber risk – just ask LastPass. Also, discover why SaaS data protection remains difficult. Plus, a look at the U.S. National Cybersecurity Strategy. And much more!
The Ransomware Ecosystem: In Pursuit of Fame and Fortune
July 28, 2022The key players within the ransomware ecosystem, including affiliates and initial access brokers, work together cohesively like a band of musicians, playing their respective parts as they strive for fame and fortune.
Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group
July 20, 2022Having gained the industry’s attention in the first months of 2022, the LAPSUS$ extortion group has largely gone quiet. What can we learn from this extortion group’s story and tactics?
Navigating Security Challenges Around OT in the DoD’s Manufacturing Lines
April 15, 2024How operational technology can revolutionize logistics, supply chain management, and overall efficiency.
CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
April 12, 2024A critical severity command injection vulnerability in Palo Alto Networks PAN-OS has been exploited in limited targeted attacks. While a fix is not yet available, patches are expected to be released on April 14 and mitigation steps are available.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning