Microsoft Patch Tuesday June 2020: The Bleeding Ghost of SMB

Leave a reply

Microsoft Patch Tuesday June 2020: The Bleeding Ghost of SMB. This time, Microsoft addressed 129 vulnerabilities: 11 critical and 118 important. In fact, in the file that I exported from the Microsoft website, I saw 2 more CVEs (CVE-2020-1221, CVE-2020-1328) related to Microsoft Dynamics 365 (on-premises). But there is no information on them on the Microsoft website, in the MITRE CVE database and NVD. Does this mean that these CVE ids were mentioned unintentionally and related to some critical issues? I don’t think so, but this is strange.

This time there were no vulnerabilities with detected exploitation, so let’s start with the group “Exploitation more likely” according to Microsoft.

Exploitation more likely (15)

Remote Code Execution

Denial of Service

Elevation of Privilege

Security Feature Bypass

Information Disclosure

I think the SMB vulnerabilities should be addressed first.

  1. Remote Code Execution in SMBv1 (CVE-2020-1301) protocol is called “SMBLost”. The attacker should send a specially crafted packet to the target SMBv1 server. But unlike the famous EternalBlue, the attacker have to be authenticated and there should be a shared partition on the server (e.g. “c:\” or “d:\”), so it should be much less harmful. Anyway, if SMBv1 is not a mission critical component of your infrastructure, disable it!
  2. Denial of Service in SMBv3 Client or Server (CVE-2020-1284). An authenticated attacker have to send a specially crafted packet to a vulnerable SMB server or host a maliciously configured SMBv3 server and convince the client to connect to it. The vulnerability exists in Windows 10 Version 2004 and Windows Server, version 2004 (Server Core installation).
  3. The most interesting SMB vulnerability is Information Disclosure in SMBv3 Client/Server (CVE-2020-1206). It is called “SMBleed”. And what makes it interesting is that the company, that discovered this vulnerability, ZecOps, released a PoC that combines SMBleed exploitation with the exploitation of March SMBGhost (CVE-2020-0796) vulnerability to gain unauthenticated RCE! (write up , PoC) And it seems much more reliable than the code that was published earlier (for example, PoC by chompie1337). This means that we are one step closer to real attacks that will exploit this vulnerability.

Of course, you can say that SMBleed, SMBGhost and this new DoS vulnerability (CVE-2020-1284) affect only different versions of Windows 10 and Windows Server Core installations 1903, 1909, 2004. These Windows Server versions are pretty rare for a corporate environments and vulnerable desktops are not such a big problem. Well, yes, but can you guarantee that you do not have virtual machines with Windows 10 that are used as servers? You can only guarantee this with a good IT inventory process!

What about other “Exploitation more likely” vulnerabilities? Well of course it’s worth mentioning RCEs in Microsoft browsers (CVE-2020-1219): Internet Explorer 11 and Microsoft Edge. Also a lot of RCEs in VBScript (CVE-2020-1214, CVE-2020-1215, CVE-2020-1230, CVE-2020-1213, CVE-2020-1216, CVE-2020-1260). So, keep your web browser up-to-date and try not to click on suspicious links.

Other Product based (36)

Microsoft SharePoint

Windows Kernel

Windows Runtime

Among the products with the biggest number of vulnerabilities, we can once again highlight Microsoft SharePoint, and especially Remote Code Execution (CVE-2020-1181). “An authenticated attacker can execute code as the application’s pool process”. Other vulnerabilities are the Elevation of Privilege and Information Disclosure in Windows Kernel and Windows Runtime.

Other Vulnerability Type based (78)

Remote Code Execution

Denial of Service

Memory Corruption

Elevation of Privilege

Security Feature Bypass

Information Disclosure

Spoofing

Code Injection

Among other vulnerabilities, the most important are the various RCEs.

  • 2 RCE in Microsoft Excel (CVE-2020-1225, CVE-2020-1226). This might be interesting for phishing.
  • Yet another RCE in LNK file processing (CVE-2020-1299). This is the third this year.
  • RCE in Windows CAB files processing (CVE-2020-1300). Quote from zdi: the attackers “could also spoof a network printer and dupe a user into installing the specially crafted CAB file disguised as a printer driver. Users are often conditioned into trusting printer drivers when offered one, so it would not be surprising to see this get exploited”.
  • VM vendors also pay attention to RCE in Chakra Scripting Engine (CVE-2020-1073), GDI+ (CVE-2020-1248), Jet Database Engine (CVE-2020-1208, CVE-2020-1236), Windows OLE (CVE-2020-1281) and Windows Shell (CVE-2020-1286).

What else besides RCEs?

  • Nice Denial of Service in Windows Registry, but “an attacker would need access to the system in order to launch a crafted application to exploit this flaw.”
  • A lot of Elevation of Privilege, but VM vendors highlight only vulnerabilities in OpenSSH for Windows (CVE-2020-1292) and Windows GDI (CVE-2020-0915, CVE-2020-0916).
  • Security Feature Bypass in Microsoft Outlook (CVE-2020-1229). It may “allow attackers to automatically load remote images – even from within the Preview Pane” and may be used with GDI+ RCE.
  • Among Information Disclosure vulnerabilities, ZDI highlights vulnerabilities in Microsoft Edge (CVE-2020-1242) and in Windows Diagnostics & feedback (CVE-2020-1296).

In conclusion

It’s rather interesting month, but the focus is still mainly on SMB RCE vulnerabilities and the possible use of these vulnerabilities in malware attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.