SpiderLabs Blog

Patch Tuesday, January 2020

Written by Karl Sigler | Jan 14, 2020 8:56:00 PM

Happy 2020! Microsoft is helping you celebrate the new decade with patches for 49 CVEs. Of those CVEs, eight are rated as "Critical," and 41 are rated as "Important." Among the "Critical" CVEs are four Remote Code Execution (RCE) vulnerabilities in the .NET Framework, and three RCE vulnerabilities in Remote Desktop (two for the client and one for the gateway). Ever since BlueKeep, RDP has been getting a monthly going through with a fine-toothed comb and a magnifying glass.

The list of vulnerabilities rated as "Important" are multiple RCE vulnerabilities for the Office Suite and several Privilege Escalation vulnerabilities in various Windows components. Notable in that list is a Spoofing vulnerability in the Windows CryptoAPI (CVE-2020-0601). This could allow an attacker to spoof a valid encryption key and potentially hijack encrypted connections via a practically undetectable man-in-the-middle attack or pretend to be a website that uses encryption like a banking or e-commerce website. An attacker could use a spoofed certificate to sign software as “official and trusted” which could grease the rails for attackers to place malware on systems with more ease.

Specifically, the vulnerability is in how Windows handles and validates Public encryption keys using specific ECC (Elliptic Curve Cryptography) algorithms. An ECC key has two parts to it; the actual bytes that define the encryption key itself and then metadata in the form of ECC parameters. When Windows validates these keys, it only does so by checking the key bytes and not the parameters. This would allow an attacker to generate a false key that would be validated as long as the key bytes match (even if the parameters do not). This vulnerability was introduced in Windows 10 since, prior to that, Windows didn't support ECC parameters.

Finally, today also marks the official "End of Life" for Windows 7 and Windows Server 2008. These Operating Systems have been around for a decade, and end of mainstream support occurred back in 2015. Given that much notice, we hope that organizations still using these operating systems have a plan in place to upgrade those systems if they haven't gotten rid of them already.

The End of Life means that Microsoft will no longer provide security updates like the ones listed below. This will increase the risk assumed by those organizations that continue to run Windows 7 or 2008 and we expect attackers will begin actively looking for those operating systems as a "soft spot" for a compromise. For instance, shortly after Windows XP went into End of Life, we saw widespread exploitation with the WannaCry campaign. While Microsoft did eventually release security fixes for XP, there's no assurance that the same would occur with Windows 7 if there were a similar campaign today. With the concerns around last year's potentially "wormable" BlueKeep (CVE-2019-0708) and new vulnerabilities discovered every month, this is not a time to let your systems go without security patches.

Users still running Windows 7 should upgrade to Windows 10, and servers still running Windows 2008 should be upgraded to at least Windows 2012, or you might want to consider replacing your local servers with cloud services.

Luckily none of the vulnerabilities patched today have any known exploit available (yet), so let's start the new decade off right and get to patching. Stay safe out there!

 

Critical

.NET Framework Remote Code Execution Vulnerability
CVE-2020-0646, CVE-2020-0605, CVE-2020-0606
Remote Code Execution

ASP.NET Core Remote Code Execution Vulnerability
CVE-2020-0603
Remote Code Execution

Internet Explorer Memory Corruption Vulnerability
CVE-2020-0640
Remote Code Execution

Remote Desktop Client Remote Code Execution Vulnerability
CVE-2020-0611
Remote Code Execution

Windows RDP Gateway Server Remote Code Execution Vulnerability
CVE-2020-0609, CVE-2020-0610
Remote Code Execution

 

Important

ASP.NET Core Denial of Service Vulnerability
CVE-2020-0602
Denial of Service

Hyper-V Denial of Service Vulnerability
CVE-2020-0617
Denial of Service

Microsoft Cryptographic Services Elevation of Privilege Vulnerability
CVE-2020-0620
Elevation of Privilege

Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
CVE-2020-0656
Spoofing

Microsoft Excel Remote Code Execution Vulnerability
CVE-2020-0650, CVE-2020-0651, CVE-2020-0653
Remote Code Execution

Microsoft Graphics Component Information Disclosure Vulnerability
CVE-2020-0622, CVE-2020-0607
Information Disclosure

Microsoft Office Memory Corruption Vulnerability
CVE-2020-0652
Remote Code Execution

Microsoft Office Online Spoofing Vulnerability
CVE-2020-0647
Spoofing

Microsoft OneDrive for Android Security Feature Bypass Vulnerability
CVE-2020-0654
Security Feature Bypass

Microsoft Windows Denial of Service Vulnerability
CVE-2020-0616
Denial of Service

Microsoft Windows Elevation of Privilege Vulnerability
CVE-2020-0641
Elevation of Privilege

Remote Desktop Web Access Information Disclosure Vulnerability
CVE-2020-0637
Information Disclosure

Update Notification Manager Elevation of Privilege Vulnerability
CVE-2020-0638
Elevation of Privilege

Win32k Elevation of Privilege Vulnerability
CVE-2020-0624, CVE-2020-0642
Elevation of Privilege

Win32k Information Disclosure Vulnerability
CVE-2020-0608
Information Disclosure

Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2020-0634
Elevation of Privilege

Windows Common Log File System Driver Information Disclosure Vulnerability
CVE-2020-0615, CVE-2020-0639
Information Disclosure

Windows CryptoAPI Spoofing Vulnerability
CVE-2020-0601
Spoofing

Windows Elevation of Privilege Vulnerability
CVE-2020-0635, CVE-2020-0644
Elevation of Privilege

Windows GDI+ Information Disclosure Vulnerability
CVE-2020-0643
Information Disclosure

Windows Remote Desktop Protocol (RDP) Gateway Server Denial of Service Vulnerability
CVE-2020-0612
Denial of Service

Windows Search Indexer Elevation of Privilege Vulnerability
CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633
Elevation of Privilege

Windows Security Feature Bypass Vulnerability
CVE-2020-0621
Security Feature Bypass

Windows Subsystem for Linux Elevation of Privilege Vulnerability
CVE-2020-0636
Elevation of Privilege