October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

patch tuesday october 2020

There were 11 critical bugs and six that were unpatched but publicly known in this month’s regularly scheduled Microsoft updates.

Microsoft has pushed out fixes for 87 security vulnerabilities in October – 11 of them critical – and one of those is potentially wormable.

There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

This month’s Patch Tuesday overall includes fixes for bugs in Microsoft Windows, Office and Office Services and Web Apps, Azure Functions, Open Source Software, Exchange Server, Visual Studio, .NET Framework, Microsoft Dynamics, and the Windows Codecs Library.

A full 75 are listed as important, and just one is listed as moderate in severity. None are listed as being under active attack, but the group does include six issues that were known but unpatched before this month’s regularly scheduled updates.

“As usual, whenever possible, it’s better to prioritize updates against the Windows operating system,” Richard Tsang, senior software engineer at Rapid7, told Threatpost. “Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today.”

11 Critical Bugs

One of the most notable critical bugs, according to researchers, is a remote code-execution (RCE) problem in the TCP/IP stack. That issue (CVE-2020-16898) allows attackers to execute arbitrary code with elevated privileges using a specially crafted ICMPv6 router advertisement.

Microsoft gives this bug its highest exploitability rating, meaning attacks in the wild are extremely likely – and as such, it carries a severity rating of 9.8 out of 10 on the CvSS vulnerability scale. True to the season, it could be an administrator’s horror show.

“If you’re running an IPv6 network, you know that filtering router advertisements is not a practical workaround,” said Dustin Childs, researcher at Trend Micro’s Zero-Day Initiative (ZDI), in his Patch Tuesday analysis. “You should definitely test and deploy this patch as soon as possible.”

Threatpost Webinar Promo Retail Security

Click to Register!

Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said that an exploit for the bug could be self-propagating, worming through infrastructure without user interaction.

“An attacker can exploit this vulnerability without any authentication, and it is potentially wormable,” he said. “We expect a proof-of-concept (PoC) for this exploit would be dropped soon, and we highly encourage everyone to fix this vulnerability as soon as possible.”

Threatpost has reached out for more technical details on the wormable aspect of the bug.

“Luckily, if immediate patching isn’t viable due to reboot scheduling, Microsoft provides PowerShell-based commands to disable ICMPv6 RDNSS on affected operating systems,” said Tsang. “The PowerShell command `netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable` does not require a reboot to take effect.”

Another of the critical flaws is an RCE bug in Microsoft Outlook (CVE-2020-16947). The bug can be triggered by sending a specially crafted email to a target; and because the Preview Pane is an attack vector, victims don’t need to open the mail to be infected (ZDI already has a proof-of-concept for this). It can also be used in a web-based attack by convincing users to visit a malicious URL hosting triggering content.

“The specific flaw exists within the parsing of HTML content in an email. The issue results from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length heap-based buffer,” according to Childs. That bug is rated 8.1 on the CvSS scale.

A critical Windows Hyper-V RCE bug (CVE-2020-16891, 8.8 on the CvSS scale) meanwhile allows an attacker to run a specially crafted program on an affected guest OS to execute arbitrary code on the host OS.

And, other critical problems impact the Windows Camera Codec (CVE-2020-16967 and CVE-2020-16968, both 7.8 on the CvSS scale), both resulting from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer.

“If the current user is logged on with administrative user rights, an attacker could take control of the affected system,” according to Microsoft. “An attacker could then install programs; view, change or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Two other critical flaws are RCE problems in SharePoint Server (CVE-2020-16951 and CVE-2020-16952, both 8.6 on the CvSS scale). They exploit a gap in checking the source markup of an application package. Upon successful exploitation, the attacker could run arbitrary code in the context of the SharePoint application pool or server farm account.

“In both cases, the attacker would need to upload a specially crafted SharePoint application package to an affected version of SharePoint to get arbitrary code execution,” explained Childs. “This can be accomplished by an unprivileged SharePoint user if the server’s configuration allows it.”

Tsang added that PoCs are “starting to flow out in the wild, so bringing a closure to this pair of critical remote code execution vulnerabilities is a must.”

The remaining critical bugs are RCE issues in Media Foundation Library (CVE-2020-16915, rating 7.8); the Base3D rendering engine (CVE-2020-17003, rating 7.8); Graphics components (CVE-2020-16923, rating 7.8); and the Windows Graphics Device Interface (GDI) (CVE-2020-16911, rating 8.8).

Regarding the latter, the vulnerability exists in the way GDI handles objects in memory, according to Allan Liska, senior security architect at Recorded Future.

“Successful exploitation could allow an attacker to gain control of the infected system with the same administrative privileges as the victim,” he said, via email. “This vulnerability could be exploited by either tricking a victim into visiting a compromised website with a specially crafted document or opening a specially crafted document via a phishing attack.”

Tsang added, “A mitigating factor here is that users with fewer privileges on the system could be less impacted, but still emphasizes the importance of good security hygiene as exploitation requires convincing a user to open a specially-crafted file or to view attacker-controlled content. Unlike CVE-2020-16898, however, this vulnerability affects all supported versions of Windows OS, which may suggest affecting unsupported/earlier versions of Windows as well.”

6 Publicly Known Bugs

There are also a half-dozen vulnerabilities that have been unpatched until this month, but which were publicly known.

“Public disclosure could mean a couple things,” Todd Schell, senior product manager of security at Ivanti told Threatpost. “It could be that a demonstration of exploit was performed at an event or by a researcher. It could also mean that a PoC code has been made available.”

When it comes to these publicly known bugs, a Windows Error Reporting (WER) elevation-of-privilege issue (CVE-2020-16909) stands out, according to Childs, given that bugs in the WER component were recently reported as being used in the wild in fileless attacks.

The six publicly disclosed bugs. Source: Trend Micro’s ZDI.

As for the others, two of are EoP bugs, in the Windows Setup component and the Windows Storage VSP Driver; two are information-disclosure problems in the kernel; and one is an information-disclosure issue in .NET Framework.

“These info-disclosure bugs leak the contents of kernel memory but do not expose any personally identifiable information,” Childs said.

One of the info-disclosure bugs, CVE-2020-16938, now has a PoC exploit that was dropped on Twitter on Tuesday, by @jonasLyk. He claimed that a “recent update changed the permissions on partitions and volume device objects, granting everybody read access. This means that by opening the device directly you can read the raw data without any [privileges].”

With exploits emerging already, Schell pointed out that “a public disclosure does mean that threat actors have advanced warning of a vulnerability and this gives them an advantage.” In fact, the mean time to exploit a vulnerability from the moment of its disclosure is 22 days, according to a research study from the RAND Institute.

Overall, the lighter patch load of 87 fixes is a significant departure from the 110+ patches the software giant has released every month since March.

“Security teams are still reeling from efforts around reducing exposure to CVE-2020-1472 (Zerologon), and today’s Patch Tuesday thankfully brings a slightly lightened load of vulnerabilities compared to the previous seven months, with no vulnerabilities currently known to be exploited in the wild,” Jonathan Cran, head of research at Kenna Security, told Threatpost. “That said, several of the vulnerabilities in today’s update should be treated with a priority due to their usefulness to attackers [the critical bugs in the Win10 IPv6 stack, Outlook and Hyper-V]. These vulnerabilities all fall into the ‘patch quickly or monitor closely’ bucket.

Also, some products were notably absent from the fixes list.

“There are a couple of interesting things this month,” Schell told Threatpost. “There are no browser vulnerabilities being resolved. At the time of release, Microsoft did not have any CVEs reported against IE or Edge and no listing of the browsers as affected products this month. Not sure I remember the last time that has happened.”

Patch Tuesday rolls out this month as Microsoft launches the preview of its new update guide.

“It has provided a few nice improvements,” Schell said. “Quick access to more of the risk-focused information can be found in the vulnerabilities view. Columns like ‘Exploited’ and ‘Publicly Disclosed’ allow you to sort and view quickly if there are high-risk items.”

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles