September Patch Tuesday – 79 Vulns, 17 Critical, Remote Desktop Client, SharePoint, Exploited PrivEsc
This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 17 of them labeled as Critical. Of the 17 Critical vulns, 8 are for scripting engines and browsers, 4 are for the Remote Desktop Client, and 3 are for SharePoint. In addition, Microsoft has again patched a critical vulnerability in LNK files, along with a vuln in Azure DevOps / TFS. Adobe has also released patches for Flash and Application Manager.
Update: Following Patch Tuesday, Microsoft updated the entries for CVE-2019-1214 and CVE-2019-1215 to remove the “exploited” label.
Scripting Engine, Browser, and LNK patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Remote Desktop Client
Microsoft has patched four remote code execution (RCE) vulnerabilities in the Remote Desktop Client: CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291. To exploit these vulnerabilities, an attacker would need to get a user to connect to a malicious or compromised RDP server. The vulnerabilities were discovered by Microsoft as a result of internal vulnerability testing against the Remote Desktop Client. These patches should be prioritized on all systems where the Remote Desktop Client is used.
SharePoint
Microsoft has also released patches covering three RCE vulnerabilities in SharePoint: CVE-2019-1257, CVE-2019-1295, and CVE-2019-1296. One involves uploading a malicious application package, while the other two are deserialization vulnerabilities in the SharePoint API. These patches should be prioritized for all SharePoint servers.
Azure DevOps Server / Team Foundation Server
Azure DevOps Server and Team Foundation Server (TFS) are affected by a Remote Code Execution vulnerability (CVE-2019-1306) that is exploited through malicious file uploads. Anyone who can upload a file can run code in the context of the Azure DevOps / TFS account. This includes anonymous users if the server is configured to allow it. This patch should be prioritized for any Azure DevOps or TFS installations.
Actively Attacked Privilege Escalation
Microsoft has also patched two privilege escalation vulnerabilities that have been exploited in the wild. CVE-2019-1214 is a vulnerability in the Common Log File System (CLFS) driver, and CVE-2019-1215 applies to the Winsock driver. These impact all supported versions of Windows, and patching should be prioritized. Privilege escalation vulnerabilities are commonly used along with Remote Code Execution where the RCE does not grant administrative rights.
Update: Following Patch Tuesday, Microsoft updated their entries for CVE-2019-1214 and CVE-2019-1215 to remove the “exploited” label.
Adobe
Today was a light release for Adobe. They have fixed two critical vulnerabilities in Flash Player, which should be prioritized on any workstation-type systems. Adobe also fixed an Important-rated insecure DLL loading vulnerability in Application Manager.
*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Jimmy Graham. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2019/09/10/september-patch-tuesday-79-vulns-17-critical-remote-desktop-client-sharepoint-exploited-privesc