Patch Tuesday – July 2020

Microsoft releases 123 security updates, including a patch for a critical Windows Server DNS bug and Hyper-V RemoteFX vGPU gets disabled.

Windows and Windows Server

Let’s start with the most serious bug Microsoft patched this month.

Windows DNS server wormable vulnerability

Discovered by Sagi Tzadik of Check Point, SigRed (CVE-2020-1350) is a remote code execution (RCE) vulnerability in Windows DNS servers where they fail to properly handle requests. A hacker could send a malicious request to a Windows DNS server and run arbitrary code in the context of the Local System account. Only unpatched Windows systems configured as DNS servers are vulnerable.

SigRed affects all versions of Windows Server from 2003 to 2019. Because the vulnerability is wormable, i.e. it can spread across a network without any user interaction, it could lead to all devices being infected if just one server is compromised with arbitrary code. Check Point’s technical analysis says:

“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.”

The bug has been assigned the highest severity rating. And while it’s not thought that it was being actively exploited in the wild prior to this month’s Patch Tuesday, Microsoft thinks it highly likely that hackers will weaponize SigRed.

According to Check Point, the SigRed vulnerability has been present in Windows Server for 17 years. Organizations that can’t apply this month’s Windows Server update immediately should set the maximum length of a DNS message over TCP to 0xFF00. The TcpReceivePacketSize registry value can be set using the commands below:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v "TcpReceivePacketSize" /t REG_DWORD /d 0xFF00 /f

net stop DNS && net start DNS

For more information on this workaround, see Microsoft’s website here.
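To audit whether the interim workaround above is actually in place across DNS servers (and optionally apply it), here is an added PowerShell example; it is not from the original post or from Microsoft, assumes an elevated session on the server, and the function name and -Apply switch are this example's own:

```powershell
# Added example: audit, and optionally apply, the TcpReceivePacketSize workaround.
# Assumes an elevated PowerShell session on the DNS server itself.
function Test-SigRedWorkaround {
    [CmdletBinding()]
    param([switch]$Apply)   # -Apply is this example's own switch, not a Microsoft parameter

    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $name  = 'TcpReceivePacketSize'
    $limit = 0xFF00   # maximum accepted length of a DNS message over TCP (per Microsoft's workaround)

    # Only hosts running the DNS Server role are exposed; report and skip everything else.
    $dns = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    if (-not $dns) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; DnsRole = $false; Mitigated = $null; Value = 'n/a' }
    }

    # Read the current value; $null means the workaround has never been applied.
    $current   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $mitigated = ($null -ne $current) -and ($current -le $limit)

    if ($Apply -and -not $mitigated) {
        # REG_DWORD write, equivalent to the reg add line in the post.
        Set-ItemProperty -Path $key -Name $name -Value $limit -Type DWord
        # The value is read at service start, so the DNS service must be restarted.
        Restart-Service -Name 'DNS'
        $current   = $limit
        $mitigated = $true
    }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        DnsRole   = $true
        Mitigated = $mitigated
        Value     = if ($null -ne $current) { '0x{0:X}' -f $current } else { 'not set' }
    }
}

# Audit only (safe to run repeatedly); add -Apply to set the value and restart DNS.
Test-SigRedWorkaround
```

Remove the value again (or leave it at its default) once the update itself has been installed, as Microsoft's workaround page describes.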

RemoteFX vGPU has been disabled

A series of RCE vulnerabilities in Hyper-V RemoteFX vGPU have been addressed this month by Microsoft disabling the feature. Because RemoteFX vGPU was deprecated in Windows Server 2019 and Windows 10 version 1803, Microsoft has decided to disable the feature instead of fixing the vulnerabilities.

RemoteFX vGPU is a graphics virtualization feature that lets a single physical GPU be shared by multiple virtual machines. Discrete Device Assignment (DDA) is a newer and more secure technology that uses GPU pass-through to dedicate one or more physical GPUs to a single virtual machine. Because DDA lets virtual machines run the native graphics driver with full access to the GPU’s features, it provides the best compatibility and performance.

Microsoft offers advice here for organizations that need GPU acceleration.

Other important patches

There are six other Windows RCEs rated critical this month related to Windows graphics components, the Remote Desktop Client, Windows Address Book, Windows font library, and how shortcuts (.lnk files) are processed.

Internet Explorer 11 gets a patch for a VBScript RCE flaw that could let an attacker take control of a system with full user rights. Legacy Edge (EdgeHTML) gets two patches that fix information disclosure vulnerabilities when used with Skype for Business and the built-in PDF reader.

Microsoft Office

Outlook versions 2010 to 2019, and Click-to-Run, get a patch for a critical RCE where Outlook fails to properly handle objects in memory. An attacker could use a malicious file to run actions in the context of the logged-in user. There are 5 other RCEs, rated important. The Windows Jet Database Engine also gets a patch for an RCE vulnerability rated important. It could let an attacker run arbitrary code.

Exchange, SQL, and SharePoint Server

SharePoint Server gets patches for 3 critical RCE flaws. And there’s one SharePoint Server elevation of privilege bug patched, also rated critical.

Adobe software

Adobe released security updates this month for Download Manager, ColdFusion, Genuine Service, Media Encoder, and Creative Cloud. The updates for Download Manager and Media Encoder plug critical flaws that could let an attacker run arbitrary code on affected systems. Another critical vulnerability affects Creative Cloud Desktop and if left unpatched, it could let an attacker create or modify files.

That’s it for another month.