Tuesday, July 14, 2020

Microsoft Patch Tuesday for July 2020 — Snort rules and prominent vulnerabilities

By Jon Munshaw.

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products.

While only a few vulnerabilities are considered critical, users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation.

The security updates cover several different products including the Hyper-V engine, Microsoft Word and the rest of the Microsoft Office suite of products.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For complete details, check out the latest Snort advisory here.

Cisco Talos discovered six of the critical vulnerabilities that Microsoft fixed this month, all of which could allow an adversary to execute remote code by exploiting the RemoteFX feature in the Windows Hyper-V engine. These bugs affect some Intel and AMD drivers.

It is likely that an attacker could use these vulnerabilities to exploit users remotely. They could also be used to escape out of a Hyper-V virtual machine to access the host machine. We could not use the vulnerabilities to escape out of a VMware virtual machine. Microsoft elected to disable RemoteFX in Hyper-V to resolve these issues. For more information, check out our full Vulnerability Spotlight here.

The other critical bug we want to specifically highlight is CVE-2020-1350, a remote code execution vulnerability in the Windows DNS server. This vulnerability was assigned a base CVSS score of 10, the highest possible, showing just how dangerous exploitation of it could be. DNS is one of the core components of networking, so any potential attack could cause major disruptions. Due to the possibility that this vulnerability could be exploited in a self-replicating way, we urge users to patch immediately.

An adversary could exploit CVE-2020-1350 by sending malicious requests to a Windows DNS server, allowing them to run arbitrary code in the context of the Local System Account. Windows servers configured as DNS servers are vulnerable to this type of exploitation.

Most of the other vulnerabilities in this month’s Patch Tuesday are considered important. Visit Microsoft’s update page for complete details. 

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 54509 - 54511, 54516 - 54518, 54521 - 54525, 54534, 54535.

No comments:

Post a Comment