Akamai’s Perspective on September’s Patch Tuesday

Microsoft's Patch Tuesday for September has been released, and we at Akamai Security Research set out to look at the more intriguing vulnerabilities that were patched.

Microsoft’s Patch Tuesday for September has been released, and we at Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched. In this report, we’ll try to assess how critical the vulnerabilities really are and how commonplace the affected applications and services are, and to provide our own perspective on the bugs that were fixed. Be on the lookout for these insights on the Thursday after every Patch Tuesday.

This is a living report: we will add information as our research progresses, so stay tuned.

In this report, we’re focusing on the following areas in which bugs were patched:

  • IPSec (IKEv1 and IPv6)
  • Microsoft Dynamics CRM
  • OLE DB and ODBC
  • Microsoft SharePoint
  • Remote Procedure Call runtime
  • Windows Kerberos

For each affected service that we cover, we’ll try to offer recommendations for monitoring and mitigation when patching isn’t possible — either by quoting Microsoft’s recommendations or by offering workarounds from our own experience. Of course, no mitigation is as good as actually patching, so make sure to patch your systems whenever possible and keep them up-to-date.

IPSec vulnerabilities

IPSec is a suite of network protocols that encrypts and authenticates IP packets exchanged between hosts. It is mostly used to build VPNs.

This Patch Tuesday fixed three critical remote code execution vulnerabilities in Windows’ IPSec implementation: two in IKEv1 and one in IPv6 packet handling.

The vulnerabilities sit in the code paths that process and parse incoming packets. Because of this, and because they can be triggered remotely by an unauthenticated attacker, all three are rated critical with a CVSS score of 9.8.

Windows Internet Key Exchange protocol extensions

Internet Key Exchange (IKE) is one of the common protocols used by IPSec peers to negotiate encryption keys.

Scope

Systems with IPSec enabled that use IKEv1 are vulnerable. Windows Server is affected because it enables both IKEv1 and IKEv2.

General recommendations

It is recommended that organizations disable IPSec if it is not in use.

CVEs

The IKE vulnerabilities were found by Yuki Chen of Kunlun Lab. They appear to be caused by integer overflows or underflows in the functions IkeQueueRecvRequest, IkeDecryptOakNDPacket, and IkeDecryptOakPacket, which may result in an out-of-bounds (OOB) write. These vulnerabilities do not require an attacker to send multiple requests, which makes exploitation more feasible.

 

CVE Number | Effect | Required Access
--- | --- | ---
CVE-2022-34722 | Remote code execution | Network
CVE-2022-34721 | Remote code execution | Network

IPv6

Scope

Systems with IPSec and IPv6 enabled are vulnerable to this bug.

General recommendations

It is recommended that organizations disable IPSec if it is not in use.
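Before disabling IPSec on a host, it is worth confirming that it really is unused. The following PowerShell script is an added example, not code from Akamai or Microsoft. It reports the state of the IKEEXT service (the service that hosts both IKEv1 and IKEv2 negotiation), any active IPsec rules and security associations, and the per-adapter IPv6 binding that determines exposure to the IPv6 bug; only with an explicit -Disable switch, and only when nothing is in use, does it stop and disable IKEEXT. It assumes Windows 8.1 / Windows Server 2012 R2 or later for the NetSecurity and NetAdapter cmdlets and an elevated session.

```powershell
# Added example (not Akamai's or Microsoft's code): audit whether this host
# actually uses IPsec/IKE and IPv6 before deciding to disable them.
# Assumes Windows 8.1 / Server 2012 R2 or later (NetSecurity and NetAdapter modules)
# and an elevated PowerShell session. Add -Disable to stop and disable IKEEXT.
[CmdletBinding()]
param(
    [switch]$Disable
)

# IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service; IKEv1 and IKEv2
# negotiation both live there. Stopping it also breaks L2TP/IPsec and IKEv2 VPNs.
$ike = Get-Service -Name IKEEXT
Write-Host ("IKEEXT service: {0} (startup: {1})" -f $ike.Status, $ike.StartType)

# Active IPsec rules and established security associations indicate real use.
$rules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)
$mmSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
$qmSAs = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
Write-Host ("Active IPsec rules: {0}, main-mode SAs: {1}, quick-mode SAs: {2}" -f `
    $rules.Count, $mmSAs.Count, $qmSAs.Count)

# IPv6 binding per adapter (relevant to the scope of CVE-2022-34718).
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled |
    Format-Table -AutoSize

$inUse = ($rules.Count -gt 0) -or ($mmSAs.Count -gt 0) -or ($qmSAs.Count -gt 0)
if ($inUse) {
    Write-Warning "IPsec appears to be in use on this host; patch rather than disable."
    return
}

if ($Disable) {
    # Only reached when no IPsec rules or SAs were found.
    Stop-Service -Name IKEEXT -Force
    Set-Service -Name IKEEXT -StartupType Disabled
    Write-Host "IKEEXT stopped and disabled. Re-enable with: Set-Service IKEEXT -StartupType Manual; Start-Service IKEEXT"
} else {
    Write-Host "No IPsec rules or SAs found. Re-run with -Disable to stop and disable IKEEXT."
}
```

Run it once without -Disable and review the output: a host with VPN tunnels or domain IPsec policies will show rules or security associations, and on such a host the only real fix is the patch.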

CVE

CVE Number | Effect | Required Access
--- | --- | ---
CVE-2022-34718 | Remote code execution | Network

Microsoft Dynamics CRM vulnerabilities

Microsoft’s Dynamics CRM is part of Microsoft’s Dynamics 365. While usually offered as a cloud-based service, the critical vulnerabilities addressed in this month’s patch affect the on-premises installation of the application. Both vulnerabilities are considered critical, with a CVSS score of 8.8, and were found by Fabian Schmidt.

Scope

Microsoft Dynamics CRM must be deployed explicitly before it can be used or accessed; it is not present by default. Since its port list is fairly generic, a better way to detect its presence is to look for the registry key “HKLM\SOFTWARE\Microsoft\MSCRM”. In our monitored environments, this product was rare to the point of nonexistence.

General recommendations

While patching should be the immediate priority, in cases where it can’t be done immediately, we believe the attack surface can be reduced using segmentation. Segmentation can be applied on two levels:

  • Ringfencing — You can limit the set of workstations that can access the CRM servers to those of the employees who should access the system (usually IT and CS personnel).

    • In addition, if the CRM servers run only the CRM and nothing else, you can also limit network communication to the port list required for the CRM, according to Microsoft’s documentation.

  • User-based segmentation — Since the attack requires an authenticated user, limiting which users hold accounts on the CRM is also a good mitigation.
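The following PowerShell script is an added example, not code from Akamai or Microsoft. It combines the two points above: it detects an on-premises CRM install via the registry key the report mentions and, if the key is present, creates a domain-profile inbound firewall rule that admits only an allowlist of management subnets, relies on the profile’s default inbound action to drop everything else, and then lists any other inbound allow rules that would still leave the CRM ports open. The subnets and the port list are constructed placeholders; the real port list should come from Microsoft’s Dynamics CRM documentation.

```powershell
# Added example (not Akamai's or Microsoft's code): detect an on-premises
# Dynamics CRM install via the registry key the report mentions and, if present,
# ringfence inbound access to an allowlist of management subnets.
# Assumptions: the allowlist subnets and the port list below are placeholders;
# take the real port list from Microsoft's Dynamics CRM documentation.
$crmKey = 'HKLM:\SOFTWARE\Microsoft\MSCRM'

if (-not (Test-Path $crmKey)) {
    Write-Host "No Dynamics CRM registry key found; nothing to ringfence on this host."
    return
}

# Show what is installed (values under the key vary by version; print whatever exists).
Get-ItemProperty -Path $crmKey | Format-List

# Placeholder values (constructed): replace with the workstation ranges of the
# IT/CS staff who legitimately use the CRM, and with the documented port list.
$allowedSubnets = @('10.10.20.0/24', '10.10.21.0/24')
$crmTcpPorts    = @('443')   # PLACEHOLDER: extend from Microsoft's port list

$ruleAllow = 'CRM ringfence - allow from CRM users'

# Remove an earlier copy so the script is idempotent.
Get-NetFirewallRule -DisplayName $ruleAllow -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Admit only the allowlisted subnets on the CRM ports.
New-NetFirewallRule -DisplayName $ruleAllow -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $crmTcpPorts -RemoteAddress $allowedSubnets -Profile Domain

# Windows Firewall evaluates block rules before allow rules, so a blanket block
# rule would defeat the allow rule above. Instead, everything not explicitly
# allowed is dropped by the profile's default inbound action.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# Report any other enabled inbound allow rules that still open the CRM ports
# (or all ports); those make the fence ineffective and need review.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $ruleAllow } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -eq 'TCP') -and
        (@($pf.LocalPort) | Where-Object { ($crmTcpPorts -contains $_) -or ($_ -eq 'Any') })
    } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize
```

The final listing matters as much as the new rule: a pre-existing “allow all on 443” rule, or a rule with LocalPort Any, keeps the server reachable from anywhere regardless of the ringfence.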

CVEs

CVE Number | Effect | Required Access
--- | --- | ---
CVE-2022-35805 | SQLi leading to command execution | Network access with an authenticated user
CVE-2022-34700 | SQLi leading to command execution | Network access with an authenticated user

OLE DB and ODBC vulnerabilities

OLE DB and ODBC are both API specifications that were designed to abstract away the connection between a data consumer and a data source. Whereas ODBC is older and procedural, OLE DB is newer, implemented using the Component Object Model (COM), and also supports nonrelational databases.

Eleven remote code execution vulnerabilities were found by researcher Haifei Li, all marked important and scored CVSS 8.8; it is likely that Li has put a lot of effort into exploiting the mechanisms used for DB connectivity on Windows. Six of the vulnerabilities are in the OLE DB provider for SQL Server, and the other five are in the ODBC driver.

OLE DB vulnerabilities

The six OLE DB vulnerabilities have the exact same attack flow description in their FAQ sections. The description has an error in it (about which we informed the Microsoft Security Response Center) — it mentions an attacker-controlled server receiving a malicious packet instead of sending one. The following is the corrected text:

An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server sending a malicious networking packet. This could allow the attacker to execute code remotely on the client.

The attacker needs to execute a certain trigger on the victim machine, which will then try to connect to an attacker-controlled remote server. The latter will send a malicious packet, leading to code execution on the client system.

Scope

The libraries responsible for implementing the OLE DB specification are available on every Windows system. Therefore, exploitation does not require any application, service, or server role to be installed on a machine in order for it to be vulnerable.

General recommendations

The exploitation of the OLE DB vulnerabilities can be prevented using segmentation. An allowlist of SQL servers in the organization will ensure that no connections are made to external, unknown servers, thus preventing the attack chain described above.
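Enforcing the allowlist at the firewall is the goal; a complementary check is to look, on client machines, for live SQL Server connections to hosts that are not on the allowlist, since a client talking to an unknown “SQL server” is exactly the precondition of the attack chain above. The following PowerShell script is an added example, not code from Akamai or Microsoft. The allowlist and port list are constructed placeholders; named instances that listen on dynamic ports need their fixed port added to the list (or the port pinned on the server side).

```powershell
# Added example (not Akamai's or Microsoft's code): find live outbound SQL Server
# connections from this client to hosts outside an allowlist, with the owning
# process, so that unexpected OLE DB/ODBC connections can be investigated.
# Assumptions: the allowlist and port list are constructed placeholders; named
# instances on dynamic ports must be added to $sqlPorts (or fixed server-side).
$allowedSqlServers = @('10.0.5.10', '10.0.5.11')   # PLACEHOLDER: your SQL Server hosts
$sqlPorts          = @(1433)                       # add fixed ports of named instances

function Get-UnexpectedSqlConnections {
    param(
        [string[]]$Allowed = $allowedSqlServers,
        [int[]]$Ports = $sqlPorts
    )
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { ($Ports -contains $_.RemotePort) -and ($Allowed -notcontains $_.RemoteAddress) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                ProcessId     = $_.OwningProcess
                ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited>' }
                ProcessPath   = if ($proc) { $proc.Path } else { $null }
            }
        }
}

$findings = @(Get-UnexpectedSqlConnections)
if ($findings.Count -eq 0) {
    Write-Host "No SQL connections to servers outside the allowlist."
} else {
    Write-Warning ("{0} SQL connection(s) to hosts outside the allowlist:" -f $findings.Count)
    $findings | Format-Table -AutoSize
}
```

Scheduling this on workstations and forwarding the findings to your SIEM gives a simple detection for the OLE DB scenario while the firewall allowlist is being rolled out; the process name and path tell you which application initiated the connection.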

 

CVEs

CVE Number | Effect | Required Access
--- | --- | ---
CVE-2022-35836 | Remote code execution in OLE DB provider | Network, but requires an authenticated user interaction
CVE-2022-34733 | Remote code execution in OLE DB provider | Network, but requires an authenticated user interaction
CVE-2022-34731 | Remote code execution in OLE DB provider | Network, but requires an authenticated user interaction
CVE-2022-35840 | Remote code execution in OLE DB provider | Network, but requires an authenticated user interaction
CVE-2022-35835 | Remote code execution in OLE DB provider | Network, but requires an authenticated user interaction
CVE-2022-35834 | Remote code execution in OLE DB provider | Network, but requires an authenticated user interaction

ODBC vulnerabilities

The attack scenario (for all five vulnerabilities) involves tricking an authenticated user into opening a malicious file in Microsoft Access — a Database Management System (DBMS) application that is a member of the Microsoft 365 suite. The malicious file should be opened via ODBC, which will consequently trigger the vulnerable code in the ODBC driver and will lead to arbitrary code execution on the victim’s machine with the same permission level as the Access process.

The malicious file should be in MDB format, which specifies a database’s structure and entries, and (optionally) data entry forms, queries, stored procedures, etc. The MDB file format is relatively old, and its successor from Access 2007 — the .accdb file — offers additional features and capabilities.

Scope

According to several resources, 135,000 organizations use the Microsoft Access application as their DBMS solution. Among the environments we monitor, 27% of data centers have the Microsoft Access application installed on some of the network machines.

 

CVEs

CVE Number | Effect | Required Access
--- | --- | ---
CVE-2022-34730 | Remote code execution in the ODBC driver | Network, but requires an authenticated user interaction
CVE-2022-34732 | Remote code execution in the ODBC driver | Network, but requires an authenticated user interaction
CVE-2022-34734 | Remote code execution in the ODBC driver | Network, but requires an authenticated user interaction
CVE-2022-34726 | Remote code execution in the ODBC driver | Network, but requires an authenticated user interaction
CVE-2022-34727 | Remote code execution in the ODBC driver | Network, but requires an authenticated user interaction

Microsoft SharePoint vulnerabilities

Microsoft SharePoint is a web-based document management and storage system, which integrates with other Microsoft Office products. There are four remote code execution vulnerabilities this month, three with an 8.8 CVSS score, and one with a score of 8.1.

Scope

SharePoint requires a dedicated installation and is not available by default. It can be installed on a single server or in a cluster. In our monitored environments, we’ve seen that 21% of networks had at least one SharePoint server.

General recommendations

Since SharePoint servers usually exist to serve document sharing, it might be difficult to segment them or limit user access without harming normal operations. However, since all four vulnerabilities require specific privileges for exploitation to work, it should be possible to reduce the attack surface through those permissions. Reducing and managing user permissions can be a long and arduous process, so of course the recommended course of action is to patch your servers.

While it probably won’t be possible to drop all Manage List and Page Creation permissions, the list of privileged users can perhaps be culled, or limited across libraries or lists. In addition, you can increase monitoring of those privileged users, raise security alerts on smaller abnormalities in their logon activity, or create custom rules that combine a logon alert with SharePoint access.
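One way to start on the monitoring side is to watch the logon activity of the accounts that hold Manage List or Page Creation rights. The following PowerShell script is an added example, not code from Akamai or Microsoft. It reads Security event 4624 on the SharePoint server for a watchlist of privileged accounts and flags network or RDP logons from unexpected addresses and logons outside business hours. The watchlist, subnet prefixes and business hours are constructed placeholders, and the property positions assume the standard 4624 event template (5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress).

```powershell
# Added example (not Akamai's or Microsoft's code): flag logons by SharePoint
# users holding Manage List / Page Creation rights that fall outside their
# normal pattern, from Security event 4624 on the SharePoint server.
# Assumptions: the watchlist, business hours and expected subnets are constructed
# placeholders; 4624 property positions follow the standard event template
# (5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress).
$watchlist       = @('CORP\sp.designer', 'CORP\sp.listadmin')  # PLACEHOLDER accounts
$expectedSubnets = @('10.20.')                                 # PLACEHOLDER prefixes
$businessHours   = 7..19                                       # local time, inclusive
$lookback        = (Get-Date).AddDays(-1)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $lookback } `
    -ErrorAction SilentlyContinue

$alerts = foreach ($e in $events) {
    $p       = $e.Properties
    $account = '{0}\{1}' -f $p[6].Value, $p[5].Value
    if ($watchlist -notcontains $account) { continue }

    $logonType = [int]$p[8].Value
    $ip        = [string]$p[18].Value
    $hour      = $e.TimeCreated.Hour
    $reasons   = @()

    # Logon type 3 = network, 10 = RemoteInteractive (RDP).
    $fromExpected = $expectedSubnets | Where-Object { $ip.StartsWith($_) }
    if ((@(3, 10) -contains $logonType) -and -not $fromExpected) {
        $reasons += "network/RDP logon from unexpected address $ip"
    }
    if ($businessHours -notcontains $hour) {
        $reasons += "logon at $($e.TimeCreated.ToString('HH:mm')) outside business hours"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $account
            LogonType = $logonType
            Source    = $ip
            Reason    = ($reasons -join '; ')
        }
    }
}

if ($alerts) { $alerts | Sort-Object Time | Format-Table -AutoSize }
else { Write-Host "No anomalous logons for watchlisted SharePoint users since $lookback." }
```

The same watchlist can feed the “logon alert plus SharePoint access” rule mentioned above: correlate these findings with the SharePoint server’s IIS logs for the same account and time window, and escalate when both fire.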

 

CVEs

CVE Number | Effect | Required Access
--- | --- | ---
CVE-2022-37961 | Remote code execution | Network access with an authenticated user with Manage List permissions
CVE-2022-38008 | Remote code execution | Network access with an authenticated user with Manage List permissions
CVE-2022-38009 | Remote code execution | Network access with an authenticated user with Manage List permissions
CVE-2022-35823 | Remote code execution | Network access with an authenticated user with Page Creation permissions

 

Remote Procedure Call runtime vulnerability

Remote Procedure Call (RPC) is used for efficient interprocess communications. It relies on a standard client-server model, and is one of the most widely used protocols in Windows today. Microsoft uses RPC as part of many of the Windows services.

The vulnerability allows an attacker to reach functionality in portmap.sys, the driver that maps an Open Network Computing (ONC) RPC program to a network address.

Scope

The vulnerability is only present on Windows Servers. 

CVE

CVE Number | Effect | Required Access
--- | --- | ---
CVE-2022-35830 | Remote code execution | Network

Windows Kerberos vulnerabilities

Kerberos is the backbone of the Windows domain architecture. It is the default authentication mechanism, having replaced New Technology LAN Manager (NTLM). There are two vulnerabilities this time, both discovered by James Forshaw. Both revolve around encryption downgrade and have a CVSS score of 8.1. By modifying the connection between the victim and the domain controller to use the weaker RC4-MD4 encryption, an attacker could crack the victim’s Kerberos session key and elevate privileges.

Scope

Kerberos is part of every Windows domain architecture.

General recommendations

Microsoft’s recommendation is that Kerberos Armoring protects against the two vulnerabilities; refer to Microsoft’s documentation for more information. The researcher who found the vulnerabilities, James Forshaw, noted that merely enabling Kerberos Armoring isn’t sufficient: the KDC must enforce the requirement, not just support it.

In addition, one of the requirements for the vulnerabilities to work is an impersonation attack, in which the attacker stands between the victim and the domain controller (although Forshaw states that this isn’t necessarily the case with CVE-2022-33679). Impersonation attacks are a common attack vector and can be fairly “loud,” so IDS or IPS solutions, or active threat hunting, can help alleviate some of the risk.
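The following PowerShell script is an added example, not code from Akamai, Microsoft or the researcher. It audits the two settings the recommendations above hinge on: whether the KDC policy merely supports armoring or actually fails unarmored requests, and which accounts still allow RC4 (via msDS-SupportedEncryptionTypes) or do not require Kerberos preauthentication. It assumes it runs on a domain controller with the ActiveDirectory module; the policy registry paths and the meaning of the CbacAndArmorLevel values are taken from the “KDC support for claims, compound authentication and Kerberos armoring” and matching Kerberos client Group Policy settings as I understand them, and should be verified against your own GPO before being relied on.

```powershell
# Added example (not Akamai's, Microsoft's or the researcher's code): check
# whether the KDC enforces (not just supports) Kerberos armoring, and which
# accounts still allow RC4 or skip preauthentication.
# Assumptions: runs on a domain controller with the ActiveDirectory module; the
# policy registry paths and value meanings below are taken from the KDC/Kerberos
# client "claims, compound authentication and Kerberos armoring" Group Policy
# settings as I understand them (verify against your GPO).
Import-Module ActiveDirectory

$kdcKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters'
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-RegValue ([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# KDC policy: EnableCbacAndArmor=1 turns the feature on; CbacAndArmorLevel 3 is
# "Fail unarmored authentication requests", i.e. enforcement (1 = Supported only).
$kdcEnabled = Get-RegValue $kdcKey 'EnableCbacAndArmor'
$kdcLevel   = Get-RegValue $kdcKey 'CbacAndArmorLevel'
$cliEnabled = Get-RegValue $clientKey 'EnableCbacAndArmor'

$armorState = switch ($true) {
    ($kdcEnabled -ne 1) { 'KDC armoring not configured'; break }
    ($kdcLevel -eq 3)   { 'KDC fails unarmored requests (enforced)'; break }
    default             { "KDC supports armoring but does not enforce it (level $kdcLevel)" }
}
$clientState = if ($cliEnabled -eq 1) { 'enabled' } else { 'not set' }
Write-Host "Armoring: $armorState; client support policy: $clientState"

# msDS-SupportedEncryptionTypes bit 0x4 = RC4-HMAC. An unset attribute means the
# domain defaults apply, which may still include RC4, so those accounts are listed too.
$rc4Bit = 0x4
$rc4Accounts = Get-ADObject -LDAPFilter '(objectClass=user)' `
        -Properties 'msDS-SupportedEncryptionTypes', sAMAccountName |
    Where-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        ($null -eq $etypes) -or (($etypes -band $rc4Bit) -ne 0)
    } |
    Select-Object sAMAccountName, @{
        n = 'SupportedEtypes'
        e = {
            if ($null -eq $_.'msDS-SupportedEncryptionTypes') { '<default>' }
            else { '0x{0:X}' -f $_.'msDS-SupportedEncryptionTypes' }
        }
    }

# Accounts that do not require Kerberos preauthentication.
$noPreauth = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' | Select-Object SamAccountName

Write-Host ("Accounts still allowing RC4 (or relying on defaults): {0}" -f @($rc4Accounts).Count)
$rc4Accounts | Format-Table -AutoSize
Write-Host ("Accounts not requiring Kerberos preauthentication: {0}" -f @($noPreauth).Count)
$noPreauth | Format-Table -AutoSize
```

Treat the RC4 list as a migration backlog rather than a one-shot change: computer and service accounts that are moved to AES-only need their keys rotated (a password change) before the setting takes effect, and applications that still negotiate RC4 will break.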

 

CVEs

CVE Number | Effect | Required Access | Mitigation Besides Patching
--- | --- | --- | ---
CVE-2022-33647 | Elevation of privileges, up to SYSTEM | Network, with impersonation between victim and domain controller | 
CVE-2022-33679 | Elevation of privileges, up to SYSTEM | Network | Enabling Kerberos preauthentication without RC4 key

This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change.