Seven Monkeys Vulnerability – SPOT Report – August 2019 Patch Tuesday
By Dave Farquhar,
August Patch Tuesdays tend to get overlooked due to the many other things that come out of Black Hat and DEFCON. This month’s updates are heavier than usual, and notable for one thing they don’t include.
Microsoft has urged its customers to deploy updates as quickly as possible, since two of the vulnerabilities it patched are wormable.
Microsoft’s collection for August fixed 93 bugs, the most notable of which is a collection of flaws in Windows’ RDP service similar to the Bluekeep vulnerability disclosed in May. This collection is known as Seven Monkeys, because there are seven of them. They affect Windows 7 SP1, Windows Server 2008R2 SP1, Windows Server 2012 and 2012R2, Windows 8.1, Windows 10, Windows Server 2016 and Windows Server 2019. Microsoft has placed some urgency on these, asking customers to update as soon as possible, because CVE-2019-1181 and 1182 are wormable. The CVEs CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226, make it possible for unauthenticated attackers to execute malicious code by sending a specially crafted message when Network Level Authentication is turned off, which is often in large organizations.
Speaking of Microsoft, Google Project Zero researcher Tavis Ormandy discovered a flaw in an obscure Windows service called CTF that goes back to every Windows version from Windows XP onward. CVE-2019-1162 was published 8/13/12019 to address this vulnerability by correcting how Windows handles calls to ALPC. Keep in mind an attacker has to be on a machine to use this flaw, be vigilant about deploying updates, to keep attackers from being in a position to use this one.
Microsoft wasn’t the only one with a heavy Patch Tuesday. Adobe fixed 119 flaws, covering nearly every product in its portfolio except Flash. Don’t forget about Adobe. If you want an above-average vulnerability management program, be disciplined about pushing Adobe updates every month. It will save you problems down the road. If you haven’t pushed the June update to Flash yet, deploy it as well.
Enterprise Resource Planning solutions like those from SAP don’t get a lot of publicity, but these tools have flaws too. This month SAP released 12 updates, including four critical updates, its highest number since 2014. Traditional vulnerability management vendors often don’t write signatures for SAP, ceding that market to vendors like Deepwatch partner Onapsis.
New mitigations for these vulnerabilities are scarce. Filtering content over e-mail is perhaps the best mitigation for a broad spectrum of vulnerabilities such as this month’s. Exploit protection products such as Microsoft’s EMET or Malwarebytes Anti-Exploit can provide useful mitigations on desktop software, especially Adobe products, but they do not block every type of exploit.
Qualys and Tenable have detections for all of the new vulnerabilities that Microsoft and Adobe patched this month. At present, specific detections for the CTF vulnerability discovered by Google don’t exist, but any Windows version from XP onward is vulnerable.
If you have products from SAP in your environment, the SAP vulnerabilities are best detected with Onapsis. If you’re not sure if SAP has a presence in your company, searching the contents of Tenable plugin IDs 20811 and 22869 for the string SAP, or searching the Applications tab of Qualys’ Assets component for the string SAP, are the easiest way to locate it.
Deploying new updates every month is an essential part of any vulnerability management program. Deploying new updates keeps your company’s tech debt from growing, and some months, will even cut somewhat into your existing tech debt since many updates supercede older updates.
Dave Farquhar, Vulnerability Management SME