Patch Tuesday: Comment from Tenable


In this month’s Patch Tuesday Roundup, Microsoft released updates to address 115 vulnerabilities, 26 of which are rated critical. Among them is a crop of remote code execution (RCE) flaws in the ChakraCore scripting engine for Internet Explorer and Microsoft Edge.

According to Satnam Narang, Principal Research Engineer, Tenable:

“This month’s Patch Tuesday is a considerable release, containing fixes for 115 vulnerabilities with 26 of them rated as critical and 88 rated as important. In contrast, Microsoft released fixes for 99 vulnerabilities, with only 16 rated as critical. Of the 58 elevation of privilege vulnerabilities patched this month, the most severe are CVE-2020-0788, CVE-2020-0877 and CVE-2020-0887.

These are elevation of privilege flaws in Win32k due to improper handling of objects in memory. Elevation of Privilege vulnerabilities are leveraged by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges. Microsoft rates these vulnerabilities as “exploitation more likely,” according to their exploitability index.

Microsoft also patched several memory corruption vulnerabilities. The most notable ones include one in Internet Explorer (CVE-2020-0824), and two in its scripting engine (CVE-2020-0832, CVE-2020-0833) due to the way objects are handled in memory.

These vulnerabilities would provide an attacker the ability to execute code with the privileges of the current user. In order to exploit the flaws, an attacker would either need to use social engineering tactics to convince their victim to visit a malicious website hosting the exploit code, or compromise an existing website directly or through the compromise of an advertiser. Once again, Microsoft rates these vulnerabilities as “exploitation more likely” according to their exploitability index.”

Microsoft released ADV200005, a security advisory for a critical remote code execution vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3). An unauthenticated attacker could exploit the flaw by sending a specially crafted packet to a vulnerable SMBv3 server. At this time, there is no patch available. However, Microsoft has provided workaround instructions to help prevent exploitation, which include disabling compression for SMBv3 and blocking TCP port 445 at the perimeter firewall. Microsoft cautions that these workarounds only prevent exploitation on the server side and will not protect vulnerable SMB clients. Microsoft notes that in order to exploit an SMB client, an attacker would need to set up a malicious SMB server and convince users to connect to it.
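As an added illustration of the server-side workarounds described above (this script is not part of Tenable's comment or of Microsoft's advisory), the following PowerShell audits and applies them on a single Windows host. The registry path and the `DisableCompression` value are the ones documented in Microsoft's ADV200005 advisory and do not appear on this page; the host-level firewall rule is an assumption adapted from the perimeter-firewall advice and is only appropriate on hosts that do not need to serve SMB.

```powershell
# Added example: audit and apply the ADV200005 server-side workarounds.
# Assumptions: run elevated on Windows 10 / Server 2019 with the NetSecurity module.
# Registry path/value taken from ADV200005, not from the article above.
#Requires -RunAsAdministrator

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName     = 'Block inbound SMB TCP 445 (ADV200005 workaround, hypothetical rule name)'

function Get-Smb3CompressionState {
    # Returns 'Disabled' only when DisableCompression is explicitly set to 1;
    # an absent value means compression is still enabled (the vulnerable default).
    $v = Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.DisableCompression -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-Smb3Compression {
    # Microsoft's documented workaround: set DisableCompression = 1 (DWORD).
    # This protects the SMB server role only; SMB clients remain exposed.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWord -Value 1 -Force
}

function Block-InboundSmb {
    # Host-level equivalent of the perimeter block on TCP 445 (added assumption).
    # Do not apply on file servers or domain controllers that must accept SMB.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

Write-Host "SMBv3 compression before: $(Get-Smb3CompressionState)"
Disable-Smb3Compression
Block-InboundSmb
Write-Host "SMBv3 compression after:  $(Get-Smb3CompressionState)"
$ruleExists = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
Write-Host "Inbound TCP 445 blocked:  $ruleExists"
```

Re-run the audit after the vendor patch ships: once the fix is installed the compression setting can be reverted and the firewall rule removed, since the workaround is a stopgap rather than a replacement for patching.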

The vulnerability was initially disclosed accidentally as part of the March Patch Tuesday release in another security vendor’s blog. Soon after the accidental disclosure, references to it were removed from the blog post. The flaw was identified as CVE-2020-0796, though it is unclear whether or not Microsoft will use this identifier once their patch is released.

This latest vulnerability evokes memories of EternalBlue, most notably CVE-2017-0144, a remote code execution vulnerability in SMBv1 that was used as part of the WannaCry ransomware attacks. It’s certainly an apt comparison, so much so that researchers are referring to it as EternalDarkness. However, there is currently little information available about this new flaw and the time and effort needed to produce a workable exploit is unknown.

At this point, organizations would be wise to review and implement the workarounds Microsoft has provided and begin prioritizing patch management for the flaw once patches are released.