Microsoft Patch Tuesday September 2020: Zerologon and other exploits, RCEs in SharePoint and Exchange

I would like to start this post by talking about Microsoft vulnerabilities, which recently turned out to be much more serious than it seemed at first glance.

Older Vulnerabilities with exploits

“Zerologon” Netlogon RCE (CVE-2020-1472)

One of them is, of course, the Netlogon vulnerability from the August 2020 Patch Tuesday. It’s called “Zerologon”. I would not say that Vulnerability Management vendors completely ignored it. But none of them (well, maybe only ZDI) emphasized in their reports that this vulnerability would be a real disaster.

Why? Because there were no details and there were no public exploits back then. That started to change dramatically when the full review by Secura was published.

It became clear that this was not a privilege escalation. In fact, it was Remote Code Execution without authentication. Then an exploit appeared on Github. It was tested and approved by experts.

After this all the Vulnerability Management vendors (Qualys, Tenable, Rapid7) made their blog posts about this vulnerability. And CISA even released an Emergency Directive to patch all the Domain Controllers of Federal Agencies in just 4 days!

An exploit for this vulnerability has become available in Mimikatz.

And so it was not surprising when Microsoft began to detect the real life exploitations all this vulnerability.

And the story is far from over. For example there is an article about new methods of exploiting this vulnerability that doesn’t require the change of the password, so it will be harder to detect such exploitation.

EoPs in Microsoft Spooler (CVE-2020-1048) and Windows Update Orchestrator (CVE-2020-1313)

Some more examples without so much hype. It’s about an appearance of public exploits for

This is interesting because all the Vulnerability Management vendors simply ignored these vulnerabilities in their Patch Tuesday reviews. 😉 Who could say that these two would be really exploitable among hundreds others?

Vulnerability prioritization is not a silver bullet

I think it’s just a good demonstration that vulnerability prioritization is not a silver bullet and if you want to protect your infrastructure, you should install all the patches on all the hosts or monitor security news carefully (and doing both is even better). For monitoring I use my own telegram channel @avleonovnews. It updates automatically, and the script not only shows news from different feeds, but also tries to highlight everything related to vulnerabilities, exploits, patches, etc. So, I invite you to check it out.

September 2020 Patch Tuesday

Now let’s finally look at the September vulnerabilities. There were 129 vulnerabilities: 23 of them were critical, 105 were important and 1 was moderate. There were no vulnerabilities with detected exploitation.

Exploitation more likely (7)

There were 7 vulnerabilities marked as “Exploitation more likely”. But none of them were mentioned by Vulnerability Management vendors. Probably it’s because there were no RCEs, only Elevation of Privilege and Information Disclosure.

Elevation of Privilege

Information Disclosure

Other Product based (30)

The software products with the most vulnerabilities were Microsoft Dynamics 365 (On-Premise), Microsoft SharePoint and Windows Kernel. Vulnerability Management vendors focussed on Microsoft SharePoint Remote Code Execution vulnerabilities. There were 7 of them (CVE-2020-1200CVE-2020-1210CVE-2020-1452CVE-2020-1453CVE-2020-1460CVE-2020-1576CVE-2020-1595)! Only one, CVE-2020-1460, requires authentication. Rapid7 also mentions two rare “Tampering” SharePoint vulnerabilities (CVE-2020-1440CVE-2020-1523). “Fortunately, the description on this vulnerability does say prior authentication on an affected SharePoint Server is required, but with that in hand, an attacker can target specific users and alter the targets profile data.”

Microsoft Dynamics 365 (On-Premise)

Microsoft SharePoint

Windows Kernel

Other Vulnerability Type based (92)

Among other vulnerabilities, the most interesting, of course, are various Remote Code Executions.

A funny story happened with RCE in Microsoft Exchange Server (CVE-2020-16875). All Vulnerability Management vendors marked it as top priority. But Microsoft later changed the description to indicate the bug can only be reached by an authenticated user. So, the risk became much lower.

Other RCE groups mentioned by Vulnerability Management vendors:

Remote Code Execution

Denial of Service

Elevation of Privilege

Security Feature Bypass

Information Disclosure

Spoofing

What vulnerabilities of other types do VM vendors mention in their report?

Denial of Service in Windows DNS (CVE-2020-0836CVE-2020-1228).  “In order to exploit this issue, an authenticated attacker would need to send a crafted, malicious DNS query to an affected host, resulting in an exhaustion of resources causing the device to become unresponsive.”

Security Feature Bypass in Windows Defender Application Control (CVE-2020-0951). Comment from ZDI expert: “An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. However, what’s really interesting is that this is getting patched at all. Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.