Article: Patching, Patching, Patching!
by Jim Gatwood
Principal Consulting Architect
Jim Gatwood is the Principal Consulting Architect at Fulcrum Technology Solutions. Gatwood has been a part of the Security team since 2020.
One of the most effective defenses against cyber intrusion is to stay patched. CIS Control 3 prescribes a solid Continuous Vulnerability Management process: staying up to date, and assessing and addressing the vulnerabilities that your systems have. Ideally you want these processes automated as much as possible. Automating the identification and the remediation is something that the experts at Fulcrum can help you with.
Right now is a very good time to review your patching strategy. I say that because in the last three months there have been some very critical vulnerabilities in products that are essential to most businesses’ operations and are used heavily across most businesses.
I will start with the newest, which the Microsoft July 2020 patch release fixed. It has a CVSS score of 10.0 (the highest) and is considered wormable. That means that internet-exposed DNS servers can be sent a DNS request that executes code, and that code can look for other vulnerable DNS servers as well as penetrating the customer’s perimeter.
- Code-named SigRed, CVE-2020-1350, CVSS 10.0 (any Microsoft DNS server) – By exploiting the flaw, “a hacker [can] craft malicious DNS queries to Windows DNS servers, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure,” the Check Point team says. CVE-2020-1350 affects all Windows Server versions from 2003 to 2019.
The vulnerability exists in how Windows DNS Server parses an incoming DNS query, as well as in how forwarded DNS queries are handled. Specifically, a DNS response carrying a SIG record over 64KB can “cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer,” the team says.
“If triggered by a malicious DNS query, it triggers a heap-based buffer overflow, enabling the hacker to take control of the server and making it possible for them to intercept and manipulate users’ emails and network traffic, make services unavailable, harvest users’ credentials and more,” Check Point says.
- Several others, including a code execution flaw triggered when reading a .cab file, yet another SMBv1 remote code execution, and a browser and graphics engine remote code execution that is not fixed for Windows 7.
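As an added example (not part of Mr. Gatwood’s article), a PowerShell triage script that lists Windows servers holding the DNS Server role whose most recent installed hotfix predates the July 2020 Patch Tuesday (2020-07-14), the release that fixed CVE-2020-1350. The server names are assumed placeholders.

```powershell
# Added example, not from the article. Finds Windows DNS servers whose most
# recently installed hotfix predates the July 2020 Patch Tuesday (2020-07-14),
# the release that fixed CVE-2020-1350. Server names are assumed placeholders.
$Servers  = @('dns01.corp.example', 'dns02.corp.example')
$PatchDay = Get-Date '2020-07-14'

$inventory = Invoke-Command -ComputerName $Servers -ErrorAction Continue -ScriptBlock {
    # ServerManager module: is the DNS Server role installed on this host?
    $dnsRole = Get-WindowsFeature -Name DNS
    # Most recently installed update recorded by Win32_QuickFixEngineering
    $latest  = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        DnsRole     = [bool]$dnsRole.Installed
        LastHotFix  = $latest.HotFixID
        LastPatched = $latest.InstalledOn
    }
}

# DNS servers with no hotfix dated on or after Patch Tuesday need review;
# a missing InstalledOn date is treated as unknown and is also flagged.
$needsReview = $inventory | Where-Object {
    $_.DnsRole -and ( -not $_.LastPatched -or $_.LastPatched -lt $PatchDay )
}

$needsReview | Select-Object Computer, LastHotFix, LastPatched | Format-Table -AutoSize
```

Get-HotFix reports only what Win32_QuickFixEngineering records, so treat this as a quick triage, not a substitute for an authenticated vulnerability scan.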
Other products that are not normally patched automatically and that have had critical vulnerabilities discovered include Citrix, Palo Alto Networks, and Cisco:
- Citrix Application Delivery Controller (ADC) and Gateway – About 20 vulnerabilities that can be used to remotely access the device and gain root-level access. This device is normally internet-facing. The SANS Internet Storm Center reported yesterday that it is seeing scans for this vulnerability in its internet honeypots.
- CVE-2020-2032 – GlobalProtect app 5.0 versions earlier than GlobalProtect app 5.0.10 on Windows: a race condition that can be exploited to execute code as SYSTEM during a GlobalProtect upgrade.
- Several CVEs that together give the ability to bypass authentication in the Panorama web interface.
- CVE-2020-2021 (SAML) authentication can be spoofed – When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3.
- CVE-2020-3406 CVSS 6.5 – A vulnerability in the web-based management interface of the Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
- CVE-2020-3332 CVSS 8.1 (Bad for remote workers right now) – A vulnerability in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Series Routers could allow an authenticated, remote attacker to inject arbitrary shell commands that are executed by an affected device. The vulnerability is due to insufficient input validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary shell commands or scripts with root privileges on the affected device.
Contact Fulcrum today to schedule a time to discuss how we can help you with your Vulnerability and Patch Management Strategies! firstname.lastname@example.org | 832.954.2800
The Fulcrum Difference
At Fulcrum Technology Solutions, we differentiate ourselves from other technology- and business-consulting firms with a unique guarantee: when you hire Fulcrum, we commit to finish the job. Whether working under a time-and-materials contract or a cost-plus arrangement, we will not leave until we’ve delivered exactly what we said we’d do. Our word defines us, and motivates us to give you the service that you deserve!