
September 2019 Patch Tuesday updates a raft of Windows weaknesses

With nearly 80 major vulnerabilities addressed, this is not an update cycle you want to skip

In this month’s security updates, Microsoft fixes 78 vulnerabilities. By the company’s own rating, 17 of the fixes address critical issues, 60 important ones, and one a bug of moderate severity. Many of the fixes concern internal Windows components that an attacker could leverage either for remote code execution or for local privilege elevation.

The Remote Desktop Protocol (RDP) is once again in the spotlight, but this time it is the RDP client rather than the server that is affected. Not one to be left out, Adobe also issued an update, covered by a single advisory, to repair one critical vulnerability in Flash Player.

Here is the list of products or components patched in this month’s update rollup:
– RDP client
– Hyper-V
– Windows kernel (drivers, ALPC)
– Windows graphical components (DirectX, GDI, Win32k, DirectWrite)
– .NET Framework
– Windows VBScript Engine
– Microsoft Edge, Internet Explorer, & ChakraCore
– Office
– Jet Database Engine
– SharePoint
– Lync 2013
– Project Rome SDK
– Yammer
– Azure DevOps and Team Foundation Server
– Many other Windows components

Microsoft reports that two of the elevation-of-privilege vulnerabilities in Windows components (CVE-2019-1214 and CVE-2019-1215, described below) are being actively exploited.

It’s worth reminding readers that the availability of patches does not mean your computer has installed them yet. To find and download this month’s Cumulative Update yourself, search for the term “2019-09” on the Microsoft Update Catalog website.
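The same check can be scripted on the machine itself. The following PowerShell is an added example, not code from the original Sophos post: it lists hotfixes installed since Patch Tuesday (10 September 2019, an assumed cut-off date) and then asks the Windows Update Agent COM API for any not-yet-installed update whose title contains “2019-09”, the same string you would type into the Update Catalog. The COM search needs the host to reach Windows Update or its WSUS server; the function names are my own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.

function Get-InstalledUpdatesSince {
    param(
        # Assumed cut-off: the September 2019 Patch Tuesday date.
        [datetime]$Since = [datetime]'2019-09-10'
    )
    # Get-HotFix reads the installed-update history from WMI (Win32_QuickFixEngineering).
    # InstalledOn can be empty for some entries, so test it before comparing.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn |
        Sort-Object InstalledOn -Descending
}

function Get-PendingUpdatesMatching {
    param(
        # Same search term the post suggests for the Microsoft Update Catalog.
        [string]$Pattern = '2019-09'
    )
    # Windows Update Agent API: search for applicable updates that are not installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($update in $result.Updates) {
        if ($update.Title -like "*$Pattern*") {
            [pscustomobject]@{
                Title    = $update.Title
                KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
                Severity = $update.MsrcSeverity   # Critical / Important / Moderate / Low
            }
        }
    }
}

Write-Host '== Updates installed since 2019-09-10 =='
Get-InstalledUpdatesSince | Format-Table -AutoSize

Write-Host '== September 2019 updates still missing =='
$pending = @(Get-PendingUpdatesMatching)
if ($pending.Count -eq 0) {
    Write-Host 'No pending update with "2019-09" in its title was reported.'
} else {
    $pending | Format-Table -AutoSize
}
```

An empty “pending” list only means the update source reports nothing outstanding; on a WSUS-managed host it reflects what the WSUS server has approved, not what Microsoft has published.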

Let’s have a closer look at some of the interesting vulnerabilities:

Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2019-1214)

An out-of-bounds write can be triggered in the kernel driver responsible for the Common Log File System (clfs.sys). An attacker who already has code execution on the machine could leverage this vulnerability to elevate their privileges. This vulnerability is being exploited in the wild.

Windows Elevation of Privilege Vulnerability (CVE-2019-1215)

A use-after-free exists in the Winsock 2 Installable File System Layer kernel driver (ws2ifsl.sys). As with the previous vulnerability, an attacker with local access could elevate their privileges. By default, the driver is disabled on Windows (its configuration can be checked with this command in an elevated shell: “sc qc ws2ifsl”), which means that by default the vulnerability is not exposed. This vulnerability is being exploited in the wild.
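The “sc qc ws2ifsl” check above can be turned into a small fleet-wide exposure report. This PowerShell is an added example, not code from the original post: it reads the driver’s start mode and running state from WMI (the same information sc.exe prints, since Get-Service does not list kernel drivers), records the version of the driver file so patched and unpatched hosts can be told apart after the update, and flags the host as exposed when the driver is allowed to load. The function name and the output fields are my own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.

function Get-Ws2ifslExposure {
    param(
        # Kernel driver name as registered with the Service Control Manager.
        [string]$DriverName = 'ws2ifsl'
    )

    # Win32_SystemDriver covers kernel-mode drivers; Win32_Service / Get-Service do not.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"

    $driverFile = Join-Path $env:SystemRoot "System32\drivers\$DriverName.sys"
    $fileVersion = if (Test-Path $driverFile) {
        (Get-Item $driverFile).VersionInfo.FileVersion
    } else {
        $null
    }

    if (-not $driver) {
        # Not registered at all: nothing can load it through the SCM.
        return [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            Registered  = $false
            StartMode   = $null
            State       = $null
            FileVersion = $fileVersion
            Exposed     = $false
        }
    }

    # StartMode is one of Boot, System, Auto, Manual, Disabled.
    # Anything other than Disabled means the driver can be started, so the
    # use-after-free is reachable; the post says Disabled is the default.
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Registered  = $true
        StartMode   = $driver.StartMode
        State       = $driver.State          # Running or Stopped
        FileVersion = $fileVersion
        Exposed     = ($driver.StartMode -ne 'Disabled')
    }
}

Get-Ws2ifslExposure | Format-List
```

Exposed = True with State = Running is the case to prioritise; a driver that is merely Manual and Stopped still counts as exposed, because a local user can often cause it to be started.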

Remote Desktop Client Remote Code Execution Vulnerabilities (CVE-2019-0787, -0788)

These two vulnerabilities could be used to gain remote code execution on an RDP client. In this scenario, an attacker first needs control of a machine running an RDP server, usually a Windows Server or a virtual machine. A legitimate user or administrator would then need to open an RDP session to that compromised machine, at which point the malicious server attacks the connecting RDP client. A successful attack would give the attacker code execution on the tricked user’s machine, allowing them to pivot to it.

Microsoft SharePoint Remote Code Execution Vulnerabilities (CVE-2019-1257, -1295, -1296)

SharePoint suffers from multiple unsafe deserialization issues in its handling of Business Data Connectivity (BDC) models. A successful attack would allow an attacker to execute arbitrary code on the SharePoint server.

Sophos detection guidance

Sophos has published the following antivirus (SAV) and intrusion prevention (IPS) signatures to address some of the vulnerabilities referenced above.

CVE              SAV                IPS SID    Intercept X
CVE-2019-1214    Exp/20191214-A     2300610    N/V
CVE-2019-1215    Exp/20191215-A     2300611    N/V
CVE-2019-1285    Exp/20191285-A     2300616    N/V
CVE-2019-1256    Exp/20191256-A     2300612    N/V

N/V = Not Validated. The proof-of-concept code provided with MAPP advisories does not include active exploits and so cannot be used for Intercept X testing. Intercept X’s ability to block an exploit depends on how the exploit is actually weaponized, which we won’t see until it is spotted in the wild. The SAV and IPS detections developed for the PoCs do not guarantee interception of in-the-wild attacks.

In addition, the following IPS signatures cover some of the vulnerabilities referenced in the preceding text.

CVE              IPS SID
CVE-2019-0788    2300609
CVE-2019-1214    2300610
CVE-2019-1215    2300611
CVE-2019-1216    2300606
CVE-2019-1219    2300604
CVE-2019-1256    2300612
CVE-2019-1257    2300602, 2300603
CVE-2019-1284    2300615
CVE-2019-1285    2300616
CVE-2019-1295    2300605
CVE-2019-1296    2300607, 2300608

How long does it take to have Sophos detection in place?

We aim to add detection for critical issues as soon as possible, prioritised by the type and nature of the vulnerabilities. In many cases, existing detections already catch exploit attempts without the need for updates.

What if the vulnerability/0-day you’re looking for is not listed here?

If we haven’t released an update for a specific exploit, the most likely reason is that we have not received data showing how the exploit works in the real world. As many of this month’s exploits were crafted in a lab and have not been seen in the wild, nobody yet has enough information about how criminals would, hypothetically, exploit any given vulnerability. If or when we receive information about real attacks, we will create new detections as needed.