Microsoft corrected 88 vulnerabilities — including four zero-days — for June Patch Tuesday, but the BlueKeep RDP flaw disclosed last month continues to grab headlines.
Of the 88 common vulnerabilities and exposures (CVEs), 22 are rated critical, with most of the bugs concentrated in supported versions of the Windows client and server operating systems. All the public disclosures are elevation of privilege vulnerabilities; attackers won’t use them to burrow into vulnerable systems, but they will help a threat actor strengthen their grip once they sneak past perimeter defenses.
“Especially if they’re a lesser-privileged user, these four [zero-day] vulnerabilities give them a variety of different options to elevate their privilege level and gain further access,” said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah. “At that point, they can set up their backdoors. They can gain additional credentials. They can create new accounts and gain that persistence.”
Despite the high number of zero-days addressed in June Patch Tuesday’s security updates, the BlueKeep Remote Desktop Protocol (RDP) flaw (CVE-2019-0708) that came to light in May remains more of a threat to the enterprise, Goettl said. At last count, approximately 1 million systems were reportedly vulnerable to BlueKeep. Microsoft issued a fix for Windows 7, Windows XP, Windows Server 2003 and 2008 systems and also issued a second warning for administrators to patch quickly.
Goettl suspects that organizations with public-facing RDP services also may have lots of legacy operating systems and are unable to roll out patches in a timely fashion, which, all told, is a recipe for disaster.
“There are a million entry points with somewhere between hundreds to thousands of systems behind each one of those. It’s the makings of a WannaCry-level event, for sure,” Goettl said.
The BlueKeep issue — and the emergence of a new attack called GoldBrute that uses botnets to crack weak passwords on public-facing RDP systems — means organizations should take a closer look at their remote connectivity configuration and practices.
“Companies should be asking themselves, are they running RDP publicly? If so, why is it public-facing, and how is it configured?” Goettl said. “Ideally, you should block RDP at the perimeter and restrict access to RDP remotely through things like a VPN tunnel instead. Having RDP be public-facing is way too easy a target.”
Enterprises should take additional security measures such as turning on network-level authentication and ensuring that RDP credentials use strong passwords that change regularly, Goettl said. While there is no immediate threat, he said six research firms have developed code that demonstrates how to execute the BlueKeep exploit, and it’s only a matter of time before a threat actor develops their own.
“Whether it’s days or weeks away, there’s someone who will take advantage of this. It’s too good of an opportunity,” he said.
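The questions Goettl raises (is RDP on, does it require network-level authentication, and is it reachable from any address) can be checked on each Windows host. The PowerShell script below is an added example, not code from Microsoft, Ivanti or the original article; it assumes an English-language OS, where the built-in firewall rule group is named 'Remote Desktop', and Windows 8 / Server 2012 or later for the firewall cmdlets.

```powershell
# Added example: audit this host's RDP settings against the guidance above.
# Assumptions: English OS (rule group 'Remote Desktop'); NetSecurity cmdlets
# are present (Windows 8 / Server 2012 or later). Run from an elevated prompt.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegValue($Path, $Name) {
    # Returns $null when the value is absent instead of raising an error
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$rdpEnabled = (Get-RegValue $ts  'fDenyTSConnections') -eq 0   # 0 = RDP connections allowed
$nlaOn      = (Get-RegValue $tcp 'UserAuthentication') -eq 1   # 1 = NLA required
$port       = Get-RegValue $tcp 'PortNumber'                   # 3389 unless changed

# Enabled inbound rules in the Remote Desktop group that accept any source address
$openRules = @()
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $openRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })
}

$findings = @()
if ($rdpEnabled -and -not $nlaOn) {
    $findings += 'RDP is enabled without network-level authentication'
}
if ($rdpEnabled -and $openRules.Count -gt 0) {
    $findings += 'Host firewall accepts RDP from any remote address'
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    RdpEnabled    = $rdpEnabled
    NlaRequired   = $nlaOn
    ListenPort    = $port
    OpenRuleNames = $openRules.DisplayName -join '; '
    Findings      = $findings -join '; '
}
```

The host firewall result says nothing about the perimeter firewall or NAT rules, which still have to be reviewed to confirm RDP is not published to the internet.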
June Patch Tuesday security updates close four zero-day exploits
Public disclosures make affected systems even more tempting targets, so administrators must determine what systems to prioritize when they apply June Patch Tuesday security updates.
“Enough information got released along with proof-of-concept code that attackers already have a jump-start on us, so these four public disclosures are at higher risk of potential exploit,” Goettl said.
Rated important, the CVE-2019-0973 vulnerability in the Windows installer could allow an attacker to introduce a bad library and run exploit code with elevated system privileges. The attacker could then perform a number of actions, such as install programs, delete data and create accounts with full user rights. The vulnerability affects all supported Windows desktop and server operating systems.
A flaw in the Windows shell (CVE-2019-1053) gives an attacker a way to escape the protective sandbox in the shell and run code above their privilege level to manipulate data or create new accounts, to name a few of the possible outcomes. This vulnerability, rated important, affects all supported Windows operating systems.
CVE-2019-1064, also rated important, refers to a bug in the Windows AppX Deployment Service of Windows 10 on the client side and Windows Server 2016 and later for servers. The attacker would need to log into a system, then could run a specially crafted program to exploit the vulnerability and perform several actions including deleting data and installing programs. Administrators who implement application control can prevent these kinds of untrusted payloads from running and avoid letting a vulnerable system become a pawn in a more sophisticated operation, Goettl said.
“In an [advanced persistent threat] situation, it might not be the way the attacker gets onto a system, but it could definitely be a way an attacker will elevate their privilege level once they gained access,” he said.
The final public disclosure (CVE-2019-1069), rated important, refers to a vulnerability in the Windows task scheduler for Windows 10 systems on the client side and Windows Server 2016 and later on servers. This exploit exposes the way the task scheduler validates certain file operations and could let an attacker run unprivileged code on the target system.
Microsoft further fortifies Exchange Server
Microsoft also issued an advisory (ADV190018) to alert administrators about a security update for supported versions of Exchange Server — not for any directly exploitable flaw, but for “enhanced security as a defense in depth measure,” according to the company. Knowledge base articles related to the update indicate this correction supersedes an April security update.
While details are scarce, this effort to shore up Exchange Server’s defenses is not uncommon for the company due to the high level of privileges the application requires to operate as a messaging platform, which makes it a valuable target for attackers, Goettl said.
“We saw several vulnerabilities earlier this year. Some were patchable. Some required configuration changes. Ultimately, there was a lot of advice from Microsoft that people should evaluate and lock down permissions more with Exchange Server,” he said.