Why Patch Management Matters
Written by: Black Kite
The Rising Trend of Vulnerabilities
Vulnerabilities in products from Microsoft, Oracle, Citrix, Juniper Networks, Palo Alto Networks and Cisco have been rising as remote work expands the attack surface, forcing IT teams either to apply patches or to put workarounds in place to fend off attacks on their systems. Reduced budgets also do not always allow an upgrade to a fixed version.
What is Patch Management?
Patch management is a systems-management strategy that involves acquiring, testing, and installing patches (code changes) on administered computer systems. It keeps systems current and free of bugs for which a fix already exists, and it helps IT teams determine which patches are appropriate for which systems.
Patch management aims to implement strategies for effecting change, controlling change, and adapting to change. In other words, it keeps IT infrastructure patching up to date by ensuring that patches are installed properly, that systems are tested after installation, and that all associated procedures are documented.
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal
Using this vulnerability, an unauthenticated, remote attacker could carry out a directory traversal attack and read sensitive files on a targeted device. The access is limited to the web services file system; it does not extend to ASA (Adaptive Security Appliance) or FTD (Firepower Threat Defense) system files or to the underlying operating system (OS) files.
The vulnerability stems from a lack of proper input validation of URLs in HTTP requests processed by the affected devices: a crafted request containing directory traversal sequences in its path reaches the web services file system unchecked.
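The root cause, a URL path used to locate a file without being normalised first, is easy to illustrate. The following Python is an added example and is not Cisco's code; the web root and the file names are assumed for illustration only. It shows the vulnerable pattern (gluing the request path onto the root) beside a hardened resolver that percent-decodes, normalises and confines the path to the root, and then runs both over a set of constructed probe paths.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example; it is not the real layout of any Cisco device.
WEB_ROOT = "/webvpn"


def serve_path_naive(url_path: str) -> str:
    """Vulnerable pattern: the request path is glued onto the root without
    normalisation, so '../' sequences (plain or percent-encoded) walk out of
    the intended directory. Returned for illustration only, never opened."""
    return WEB_ROOT + "/" + url_path


def resolve_path_safe(url_path: str, root: str = WEB_ROOT) -> str:
    """Hardened resolver: percent-decode twice (to catch double encoding such
    as %252e%252e), reject NUL bytes, collapse '.' and '..' with normpath, and
    refuse any result that is not inside root. Raises ValueError on rejection."""
    decoded = unquote(unquote(url_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes {root}: {url_path!r}")
    return candidate


def is_safe(url_path: str) -> bool:
    """True when resolve_path_safe accepts the path, False when it rejects it."""
    try:
        resolve_path_safe(url_path)
        return True
    except ValueError:
        return False


# Constructed request paths, not captured traffic.
PROBES = [
    "css/logon.css",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/%252e%252e/etc/passwd",
    "images/../../../etc/shadow",
    "logon.html%00.css",
]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p!r:40} naive={serve_path_naive(p)!r:50} safe={is_safe(p)}")
```

Decoding twice is a deliberate trade-off: it defeats double-encoded traversal but will also mangle a legitimate file name that contains a literal "%25", so a real service should decode exactly as many times as its framework does and reject anything that still contains "%" afterwards.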
This vulnerability affects Cisco products running Cisco ASA Software or Cisco FTD Software with a vulnerable AnyConnect or WebVPN configuration. Below are the affected configurations of ASA and FTD software.
Windows DNS Server, CVE-2020-1350
This vulnerability affects the Windows DNS Server, Microsoft's DNS implementation and an essential part of a Windows domain environment. Dubbed SIGRed, CVE-2020-1350 is wormable and earned the highest possible score of 10.0 on the Common Vulnerability Scoring System (CVSS) severity scale.
DNS, also known as the “Internet phonebook,” is the network protocol that translates human-friendly hostnames into IP addresses. As an integral component of the internet it has many server implementations, but only a few are widely used.
In this CVE, the bug lies in how the server parses responses to queries it has forwarded. DNS is hierarchical and decentralized: when a DNS server does not know the answer to a query it receives, it forwards the query to another server higher in the hierarchy and parses whatever response comes back. An attacker who controls the authoritative server for a domain can therefore trigger the bug simply by causing a vulnerable Windows DNS Server to resolve a name in that domain.
By sending a DNS response that contains a large (bigger than 64KB) SIG record, an attacker can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer. Because the service runs with elevated privileges (SYSTEM), and the DNS Server role is very commonly hosted on domain controllers, a successful exploit effectively hands the intruder Domain Administrator rights, potentially exposing the entire corporate infrastructure. As a temporary workaround until the patch is applied, Microsoft recommends limiting the maximum length of a DNS message received over TCP to 0xFF00 bytes (the TcpReceivePacketSize registry value under the DNS service's Parameters key), followed by a restart of the DNS service.
Wormable vulnerability: one that malware can use to spread from one vulnerable computer to another without any user interaction.
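To make the attack surface concrete, here is an added Python example (not Microsoft's or Check Point's code) that handles a DNS response received over TCP the way a filtering proxy or IDS would: it reads the two-byte length prefix, applies the same 0xFF00 cap the workaround sets, walks the resource records while following name-compression pointers, and reports any SIG records together with their RDLENGTH. The messages are constructed inline. It does not reproduce the overflow; it shows what the cap enforces and where in a response the dangerous record type appears.

```python
import struct

DNS_TYPE_SIG = 24          # RR type that SIGRed abuses
TCP_CAP = 0xFF00           # Microsoft's workaround value for TcpReceivePacketSize


def read_name(msg: bytes, off: int):
    """Decode a DNS name at off, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears at the original position)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = off + 2                          # caller resumes after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) or ".", (end if end is not None else off)


def parse_records(msg: bytes):
    """Return (owner name, type, rdlength) for every RR after the question section."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDATA truncated")
        off += rdlen
        records.append((name, rtype, rdlen))
    return records


def check_tcp_message(stream: bytes, cap: int = TCP_CAP) -> dict:
    """Apply the TCP length cap first, then parse and report SIG records."""
    if len(stream) < 2:
        return {"accepted": False, "reason": "missing length prefix"}
    (length,) = struct.unpack("!H", stream[:2])
    if length > cap:
        return {"accepted": False, "reason": f"length {length} exceeds cap {cap:#x}"}
    msg = stream[2:2 + length]
    if len(msg) != length:
        return {"accepted": False, "reason": "message shorter than its length prefix"}
    try:
        records = parse_records(msg)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}
    sig = [r for r in records if r[1] == DNS_TYPE_SIG]
    return {"accepted": True, "records": len(records), "sig_records": len(sig),
            "sig_rdlen": [r[2] for r in sig]}


# --- constructed sample messages (not captured traffic) ---------------------
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def build_response(qname: str, answers) -> bytes:
    """Minimal response: one question, answers given as (type, rdata); owner names
    use a compression pointer (0xC00C) back to the question name at offset 12."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", DNS_TYPE_SIG, 1)
    body = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd for t, rd in answers)
    return hdr + question + body


# SIG RDATA: type covered, algorithm, labels, original TTL, expiration, inception,
# key tag, signer's name, then 64 dummy signature bytes.
SIG_RDATA = (struct.pack("!HBBIIIH", 1, 5, 2, 86400, 1600000000, 1599000000, 12345)
             + encode_name("example.com") + b"\x00" * 64)
SMALL_MSG = build_response("example.com", [(DNS_TYPE_SIG, SIG_RDATA)])
SMALL_STREAM = struct.pack("!H", len(SMALL_MSG)) + SMALL_MSG
OVERSIZED_STREAM = struct.pack("!H", 0xFFFF) + b"\x00" * 0xFFFF   # 65535-byte message, above the cap

if __name__ == "__main__":
    print(check_tcp_message(SMALL_STREAM))
    print(check_tcp_message(OVERSIZED_STREAM))
    print(check_tcp_message(OVERSIZED_STREAM, cap=0xFFFF))   # without the cap it parses as a normal message
```

The third call shows why the cap matters: a 16-bit length prefix allows messages up to 65535 bytes, and with no cap the oversized stream is accepted and parsed like any other response. The 0xFF00 limit leaves 255 bytes of headroom below that ceiling, which is exactly the room the overflow needs.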
Oracle Critical Updates
Oracle published a batch of fixes for multiple security bugs in its 2020 Critical Patch Update. This record-breaking set of 443 security patches addresses 284 CVEs across 29 Oracle product families. By exploiting these vulnerabilities, a remote attacker can crash an application or execute arbitrary operations. Users of the impacted product versions are advised to upgrade to the latest release. The affected products include but are not limited to:
Among the notable CVEs in this batch are CVE-2020-14701 and CVE-2020-14706, found in the User Interface component of Oracle Communications Applications SD-WAN Aware and SD-WAN Edge. Oracle rated them as easily exploitable, since an attacker with network access via HTTP can compromise SD-WAN Aware and SD-WAN Edge; successful exploitation results in a complete takeover of the product. Oracle also notes that, although the vulnerability sits in these products, attacks may significantly impact additional products.
PAN-OS Command Injection Vulnerability, CVE-2020-2034
The PAN-OS GlobalProtect portal allows an unauthenticated, network-based attacker to execute arbitrary OS commands with root privileges; devices on which the GlobalProtect portal is not enabled are not exposed. An attacker may require some degree of detailed information about the affected firewall's configuration, or may have to brute-force it, to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than 9.1.3; PAN-OS 9.0 versions earlier than 9.0.9; PAN-OS 8.1 versions earlier than 8.1.15; and all versions of PAN-OS 8.0 and PAN-OS 7.1.
Upgrading to PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, or any later PAN-OS version fixes the issue; devices on PAN-OS 8.0 or 7.1 have no fixed release in their own train and must move to one of those versions. The vulnerability has a CVSS score of 8.1, which is High severity.
Zoom Client for Windows Vulnerability
This vulnerability was reported by an anonymous security researcher and is a 0day in the Zoom Client for Windows. It is exploitable only on Windows 7 and older Windows systems. Although Microsoft's official support for Windows 7 ended in January 2020, millions of home and enterprise users still run it, some under Microsoft's paid Extended Security Updates program and many with no updates at all.
The vulnerability allows a remote attacker to execute arbitrary code on a victim's device running any currently supported version of the Zoom Client for Windows. It requires the user to perform an ordinary action, such as opening a document file, and no security warning is shown to the user at any point during the attack.
Juniper Networks Junos OS, CVE-2020-1654
On Juniper Networks SRX Series devices (firewall, application visibility and control, IPS) with the ICAP (Internet Content Adaptation Protocol) redirect service enabled, an attacker can execute arbitrary code by sending a malformed HTTP message. The malformed message may originate from either the HTTP server or the HTTP client side of the proxied connection.
Continued processing of such malformed HTTP messages may also result in an extended Denial of Service (DoS) condition. An attacker who achieves code execution could then install programs; view, change, or delete data; or create new accounts with full rights on the device. This issue does not affect Juniper Networks Junos OS releases prior to 18.1R1.
How to practice patch management?
Hundreds of vulnerabilities are published each month. In this sea of bugs, CVE identifiers, severities, patches and workarounds, IT teams become overwhelmed and miss critical updates.
Poor resource allocation, a consequence of weak risk prioritization, causes further problems. As with any cyber-risk issue, teams are rarely comfortable prioritizing risk and struggle to tie individual vulnerabilities and bugs to the risk management process.
The Simple Steps to Patch Management
Patch management requires four basic steps: assessment, analysis, application, and assurance.
- Assessment: identify the relevant vulnerabilities and the updates available for the systems in scope.
- Analysis: detect the risky vulnerabilities, evaluate the risk assessment to determine the full scope of the rollout, and develop a remediation strategy.
- Application: carry out the updates determined in the analysis step.
- Assurance: verify that the updates took effect and feed the results back into the process, so that it improves continuously.
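The four steps above, together with the CPE correlation that the next section describes, can be run end to end on a small inventory. The Python below is an added example and is not Black Kite's tooling: the inventory, host names and deadline tiers are constructed, and the advisory ranges are transcribed from the PAN-OS versions listed earlier on this page in the versionStartIncluding / versionEndExcluding form that NVD uses for CPE match criteria. It assesses the inventory, ranks the findings, models the upgrades, and re-assesses to confirm nothing is left.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def version_key(v: str):
    """Turn '9.1.2' or '8.1.15-h1' into a comparable tuple; hotfix suffixes are ignored.
    Assumption: dotted numeric versions, which holds for PAN-OS."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def to_cpe(vendor: str, product: str, version: str) -> str:
    """CPE 2.3 formatted string for an operating-system product (part 'o')."""
    return f"cpe:2.3:o:{vendor}:{product}:{version}:*:*:*:*:*:*:*"


@dataclass
class Advisory:
    """One affected range in NVD's versionStartIncluding / versionEndExcluding style.
    end_excl=None means the range is open-ended."""
    cve: str
    cvss: float
    vendor: str
    product: str
    start_incl: str
    end_excl: Optional[str]
    fixed_in: str


def affected(adv: Advisory, vendor: str, product: str, version: str) -> bool:
    if (adv.vendor, adv.product) != (vendor, product):
        return False
    v = version_key(version)
    if v < version_key(adv.start_incl):
        return False
    return adv.end_excl is None or v < version_key(adv.end_excl)


# Constructed advisory data transcribed from the PAN-OS ranges stated on this page.
PANW = ("paloaltonetworks", "pan-os")
ADVISORIES = [
    Advisory("CVE-2020-2034", 8.1, *PANW, "9.1", "9.1.3", "9.1.3"),
    Advisory("CVE-2020-2034", 8.1, *PANW, "9.0", "9.0.9", "9.0.9"),
    Advisory("CVE-2020-2034", 8.1, *PANW, "8.1", "8.1.15", "8.1.15"),
    Advisory("CVE-2020-2034", 8.1, *PANW, "8.0", "8.1", "8.1.15"),   # all of 8.0: no in-train fix
    Advisory("CVE-2020-2034", 8.1, *PANW, "7.1", "8.0", "8.1.15"),   # all of 7.1: no in-train fix
]

# Constructed sample inventory, not real assets.
INVENTORY = [
    {"host": "fw-edge-1", "vendor": PANW[0], "product": PANW[1], "version": "8.1.14", "internet_facing": True},
    {"host": "fw-edge-2", "vendor": PANW[0], "product": PANW[1], "version": "9.0.8",  "internet_facing": True},
    {"host": "fw-dc-1",   "vendor": PANW[0], "product": PANW[1], "version": "9.1.3",  "internet_facing": False},
    {"host": "fw-lab-1",  "vendor": PANW[0], "product": PANW[1], "version": "7.1.26", "internet_facing": False},
]


def assess(inventory, advisories) -> List[dict]:
    """Step 1, assessment: map each asset to its CPE and list the advisories that match it."""
    findings = []
    for a in inventory:
        for adv in advisories:
            if affected(adv, a["vendor"], a["product"], a["version"]):
                findings.append({"host": a["host"], "cpe": to_cpe(a["vendor"], a["product"], a["version"]),
                                 "cve": adv.cve, "cvss": adv.cvss, "fixed_in": adv.fixed_in,
                                 "internet_facing": a["internet_facing"]})
    return findings


def analyze(findings) -> List[dict]:
    """Step 2, analysis: rank by exposure then CVSS and attach a remediation deadline.
    The 7/30-day tiers are an assumed policy, not something the page prescribes."""
    ranked = sorted(findings, key=lambda f: (f["internet_facing"], f["cvss"]), reverse=True)
    for f in ranked:
        f["deadline_days"] = 7 if f["internet_facing"] or f["cvss"] >= 9.0 else 30
    return ranked


def apply_plan(inventory, findings) -> List[dict]:
    """Step 3, application: model each affected host being upgraded to its fixed release."""
    target = {f["host"]: f["fixed_in"] for f in findings}
    return [{**a, "version": target.get(a["host"], a["version"])} for a in inventory]


def assure(inventory, advisories) -> List[dict]:
    """Step 4, assurance: re-run the assessment; anything returned is still unmitigated."""
    return assess(inventory, advisories)


if __name__ == "__main__":
    plan = analyze(assess(INVENTORY, ADVISORIES))
    for f in plan:
        print(f"{f['host']:10} {f['cve']} cvss={f['cvss']} -> {f['fixed_in']} within {f['deadline_days']}d")
    print("remaining after patching:", assure(apply_plan(INVENTORY, plan), ADVISORIES))
```

Two details carry over to real feeds: the version comparison must be numeric (string comparison would rank "9.0.10" below "9.0.9"), and ranges with no in-train fix must still map to a concrete target release, otherwise the assurance step can never close them.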
How Black Kite Helps
An effective patch management process requires a combination of automation and best practices; manual patch management alone cannot keep a system secure. Black Kite collects the version numbers of your systems and software from an internet-wide scanner. These details are converted into the corresponding Common Platform Enumeration (CPE) identifiers and correlated with the NIST NVD and MITRE CVE databases, including their CVSS severity scores, to detect any unmitigated known vulnerabilities.
Black Kite ties every vulnerability found on a digital asset to cyber risk management using:
1- Black Kite technical report, where each finding contributes to the overall risk score
2- Financial Impact Rating, where each finding feeds the financial cyber-risk figure
3- Compliance module, where findings are mapped to the control items of regulations, standards and best practices such as NIST 800-53, NIST CSF, HIPAA, GDPR and PCI DSS
See our Automated Continuous Cyber Risk Monitoring tool to learn more about what we can do for you.
Featured image by Ulrike Leone from Pixabay