It's 2019 and SQL Server can be pwned by an SQL query, DHCP failover server failed by a packet, Edge, IE by webpages...
Meanwhile, Adobe gives Flash the month off. SAP emits fixes, though
Patch Tuesday
Summer is now firmly upon us, and depending on where you are, the weather could be just about anything from stupidly hot to unbearably wet and cold right now given the state of the climate.
Well, anyway, Microsoft, Adobe, and SAP have dropped the July editions of their monthly security updates, so there's at least one storm to weather. How's that for a silky smooth transition?
Redmond plugs up SQL holes, leaky containers, and the usual crop of browser bugs
For Microsoft, July brings fixes for a total of 78 CVE-listed vulnerabilities.
Among the more serious flaws addressed this month is CVE-2019-1068, a remote code execution vulnerability in SQL Server. An attacker could exploit the flaw by sending a specially-crafted query to execute code with the permissions of the Database Engine. The bug was publicly disclosed earlier, but so far no attacks have been spotted in the wild.
Real-world exploitation is unlikely, in our eyes, because a hacker would have to somehow execute an arbitrary SQL query, and if that's the case, the installation is essentially pwned anyway.
"It doesn't provide you keys to the kingdom, but it does have elevated privileges," Dustin Childs of the Trend Micro Zero Day Initiative noted, however.
"The update also impacts SQL Server 2017 on Linux and Linux Docker Containers. Considering SQL Servers are generally part of an enterprise’s critical infrastructure, definitely test and deploy this patch to your SQL Servers quickly."
Docker was also the focus of CVE-2018-15664, a privilege escalation flaw that would let an attacker escape the container and acquire full read/write privileges on the host machine. The exploit can be triggered via the Docker command line. That vulnerability was also publicly disclosed prior to today, but was not targeted in the wild.
The same cannot be said for CVE-2019-0880 and CVE-2019-1132, a pair of elevation-of-privilege vulnerabilities in Windows that require local access. Trend Micro says both flaws have been exploited in the wild, but in-depth details had not been disclosed.
Other patches of note include the fix for CVE-2019-0785, a remote code execution vulnerability in DHCP for Windows Server. That flaw, which was neither exploited nor disclosed publicly, allows remote code execution by way of a malformed DHCP packet, if the DHCP server is configured in failover mode.
"A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server," Redmond notes.
"An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive. To exploit the vulnerability, an attacker could send a specially crafted packet to a DHCP server. However, the DHCP server must be set to failover mode for the attack to succeed.
"The security update addresses the vulnerability by correcting how DHCP failover servers handle network packets."
As it does every month, Microsoft addressed a handful of remote code execution bugs in the scripting engines for its Edge and Internet Explorer browsers. Those vulnerabilities, 11 in all, were critical flaws that allow for remote takeover by way of poisoned web pages. None have been exploited nor disclosed publicly... yet.
Outlook for Android users will want to pay attention to CVE-2019-1105, a spoofing vulnerability that would allow an attacker to use a specially crafted email message to enable further cross-site scripting attacks.
Redmond also addressed two remote code execution flaws (CVE-2019-1110 and CVE-2019-1111) and one information disclosure bug (CVE-2019-1112) in Excel, and one cross-site scripting flaw (CVE-2019-1137) in Office SharePoint.
Adobe forgoes Flash and Acrobat fixes, SAP cleans up SMDAgent hole
It looks like two of the most popular exploit targets on the internet are getting a bit of a break this month. Neither Flash nor Acrobat/Reader are getting security patches from Adobe for the first time in years.
SAP posted 20 security fixes this month, including a fix for an OS command injection flaw in Solution Manager Diagnostic Agent (SMDAgent) that potentially allows for remote takeover of the targeted machine.
"The Diagnostic Agent is a component that manages the communication between every SAP system and Solution Manager related to monitoring and diagnostic events," said Onapsis security researcher Agus Dendarys.
"In short, exploiting this OS command injection vulnerability in SolMan’s Diagnostic Agent would allow an attacker to bypass a whitelist validation, take full control of the admin user, change critical security configurations or stop a system."
Happy patching one and all. ®