This month there are 123 vulnerabilities fixed, with 18 of them marked “Critical” and 106 marked “Important.” I’m beginning to think 100+ vulnerabilities in each Patch Tuesday is the “new normal” for Microsoft, as that’s been the range all year.
While there are no “Exploit Detected” items as of this writing, there are four “Critical” vulnerabilities Microsoft has marked as “Exploitation More Likely” on its Exploitability Index. That rating means Microsoft’s own analysis found that a reliable exploit could be built, and in practice working exploits for such bugs tend to appear within weeks of the patch. We’ll review the “Critical” vulnerabilities and focus on the most important ones in each category first.
CVE-2020-1350 is a Windows DNS Server Remote Code Execution Vulnerability with a CVSS score of 10.0 (the highest possible) that is also listed as “Exploitation More Likely”. It allows an unauthenticated attacker to send a specially crafted DNS packet to a Microsoft DNS server and gain SYSTEM-level code execution on it; the trigger is a malformed, oversized DNS message delivered over TCP, which is why Microsoft’s interim workaround caps the TCP receive size. This is especially concerning because most Active Directory environments run the Microsoft DNS Server role on their domain controllers, so a compromised DNS server is very often a compromised domain controller. In the article, Microsoft states “We consider this to be a wormable vulnerability, meaning that it has the potential to spread via malware between vulnerable computers without user interaction.” This vulnerability affects the DNS Server role on Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019, and on Windows Server versions 1903 through 2004 (including all Server Core installations).
The bottom line here is that you should either deploy the corresponding patch for your operating system or perform the workaround listed in the article as soon as possible. The workaround is a registry change: set the REG_DWORD value TcpReceivePacketSize to 0xFF00 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters and restart the DNS Server service (the value is only read at service start, and the restart briefly interrupts name resolution on that host). Treat it as a stopgap and remove it once the patch is installed. If you are running N-central or RMM and cannot yet deploy the patch, our automation nerd, Marc-Andre Tanguay, posted Automation policies you can use to deploy the workaround on affected DNS servers. The script can be found here - https://success.solarwindsmsp.com/kb/solarwinds_n-central/Microsoft-DNS-Server-CVE-2020-1350-Workaround .
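For anyone applying the workaround by hand (or wrapping it in their own tooling), here is an added PowerShell example that applies, verifies, and later removes it. This is not code from the original post, nor from the N-central automation policy linked above; the function names are my own. It assumes an elevated PowerShell session on the DNS server itself, and that the DNS Server role (service name DNS) is installed.

```powershell
# Added example: CVE-2020-1350 registry workaround for Windows DNS Server.
# Assumptions: run elevated, on the DNS server, with the DNS Server role installed.
# Function names are hypothetical (not Microsoft or SolarWinds tooling).

$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName  = 'TcpReceivePacketSize'
$Workaround = 0xFF00   # 65280 bytes, the value Microsoft specifies for the workaround

function Test-DnsWorkaround {
    # Returns $true only when the value exists and is exactly 0xFF00.
    # Get-ItemProperty errors if the value is missing; SilentlyContinue turns that into $null.
    $v = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$ValueName -eq $Workaround)
}

function Enable-DnsWorkaround {
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'DNS Server service not found on this host; nothing to protect here.'
    }
    # REG_DWORD is required; -Force overwrites any existing value rather than failing.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Workaround `
        -PropertyType DWord -Force | Out-Null
    # The DNS service only reads this value at start-up, so a restart is mandatory.
    # Expect a short name-resolution outage on this server while it restarts.
    Restart-Service -Name DNS -Force
    if (-not (Test-DnsWorkaround)) { throw 'Workaround value did not persist as expected.' }
    Write-Output "CVE-2020-1350 workaround applied on $env:COMPUTERNAME"
}

function Disable-DnsWorkaround {
    # Run this only after the July 2020 cumulative update is installed.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name DNS -Force
    Write-Output "CVE-2020-1350 workaround removed on $env:COMPUTERNAME"
}

# Usage:
#   Enable-DnsWorkaround     # stopgap while the patch cannot yet be deployed
#   Test-DnsWorkaround       # audit / report compliance across servers
#   Disable-DnsWorkaround    # clean-up once the patch is confirmed installed
```

Test-DnsWorkaround is the piece worth running fleet-wide from your RMM: it reports a simple true/false per DNS server, which lets you find the hosts that are neither patched nor mitigated rather than assuming the policy applied everywhere.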
It should be noted that if you are running Azure AD and DNS, no action is required on your part, as Microsoft will apply the appropriate updates in their cloud.
The other operating system vulnerability listed as “Exploitation More Likely” is CVE-2020-1374, a Remote Desktop Client Remote Code Execution Vulnerability. A user would have to be tricked into connecting to a malicious Remote Desktop server to trigger this vulnerability; the attacker would then have full control over the connecting client. Because the flaw is on the client side, exposure depends on who connects to RDP endpoints you do not control, so prioritize administrator workstations and jump hosts, where a compromised client hands the attacker privileged credentials. This vulnerability affects Remote Desktop clients on Windows 7 up to the current release of Windows 10, including all supported Server versions.
Next up is a group of six vulnerabilities with the same title and details. CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, and CVE-2020-1043 are all listed as a Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability. These vulnerabilities are rated as “Exploitation Less Likely”. Note that Microsoft addressed them by disabling the RemoteFX vGPU feature in the July 2020 update rather than fixing it, so any VM still relying on a RemoteFX 3D video adapter will lose it after patching; check for those VMs before you deploy.