September is the first month of the Fall season, and as more leaves start to rain down, apparently so do more patches from Microsoft. September Patch Tuesday brought a whopping 80 vulnerabilities, 17 of them rated “Critical”. In this month’s BigFix Patch Tuesday Webinar, we discussed what these patches mean, why they carry such high severity, and how BigFix helps our clients plan and deploy so that they reach high levels of compliance even in the smallest of maintenance windows.

Two of this month’s vulnerabilities, CVE-2019-1214 and CVE-2019-1215, are “zero day” vulnerabilities. A zero day is defined not by its severity score but by the fact that it was exploited in the wild before a patch existed, which is exactly why these two deserve the most urgent attention. Both stem from improper handling of objects in memory by the respective kernel drivers. In each case the bug is an Elevation of Privilege (EoP): it does not give an attacker initial access on its own, but chained with a separate attack that provides a foothold (a phishing payload, a browser exploit), it lets the attacker escalate to administrative rights and fully compromise the endpoint.

Here are the CVE specifics: 

  • CVE-2019-1214 – Elevation of Privilege in the Windows Common Log File System (CLFS) driver 
  • CVE-2019-1215 – Elevation of Privilege in the Windows Socket 2 IFS Layer driver (ws2ifsl.sys)

While both vulnerabilities exist on all supported versions of Windows desktop and server operating systems, exploitation of CVE-2019-1214 has primarily been seen against older operating systems, which adds urgency and priority to an organization’s Windows 7 migration plans. Windows 7 reaches end of support in January 2020; as of February 2020 there will be no more security patches for it (short of paid Extended Security Updates). Keep a close eye on the patches coming out over the next several months: we expect an uptick in Windows 7 patches, and attackers know their window of opportunity widens considerably once Windows 7 leaves support, because any vulnerability found after that date stays unpatched on those endpoints.

Microsoft also continues to see its Remote Desktop Protocol (RDP) service exploited. ProPublica recently published an article detailing the latest targets of these attacks: medical clinics and local governments. The investigation found that the intrusions originated at the victims’ Managed Service Provider (MSP), specifically through unpatched RDP vulnerabilities. This month’s CVE-2019-1290 and CVE-2019-1291 are not wormable as their predecessors (BlueKeep and DejaBlue) were; they are flaws in the Remote Desktop client, so exploiting them requires tricking a user into connecting to a malicious RDP server, at which point the attacker gains control of the connecting machine. For an MSP technician who remotes into many customer environments, that connecting machine is a high-value target.

The final CVE we discussed during the webinar is CVE-2019-1280, a Remote Code Execution (RCE) vulnerability in how Windows processes shortcut (.LNK) files. This may sound familiar: the same class of .LNK flaw (CVE-2010-2568) was one of the vulnerabilities bundled into the Stuxnet attack on Iran’s nuclear program in 2010. If left unpatched, an attacker could present the user with a removable drive or remote share containing a malicious .LNK file and an associated malicious binary; when the user opens that drive or share in Windows Explorer, or any other application parses the .LNK file, the binary runs with the same rights as the current user.

Eighty vulnerabilities is a significant number for one month. Teams are trying to patch as quickly and efficiently as possible, but there are many moving pieces to consider and work around. BigFix has several components that can save teams a significant amount of time in planning, testing, and deploying a patch release of this size. During this month’s webinar, we discussed two features of BigFix, Patch Policies and Next Level Filtering, which help operations teams reach 100% patch compliance as quickly and efficiently as possible.

Patch Policies 

Patch Policies were introduced exclusively in the WebUI and have become crucial to operations teams that want to schedule patching rather than hand-build baselines for each newly published Fixlet. Patch Policies offer “set and forget” patching.

As an example, let’s assume your patching plan/methodology is: 

  1. Plan: When the patches are released you plan what you are going to include/exclude in your deployment, and you consider any other relevant sensitivities. 
  2. Deploy to Test/Dev: You test those patches against your test/dev machines.
  3. Deploy to Pilot/Test Groups: Afterwards, deploy those patches to your pilot group before deploying to the entire organization.
  4. Deploy to Company-wide: You then rollout to production and the entire organization. 

Assume the Test/Dev and Pilot/Test groups have static schedules. We could set a Patch Policy to deploy critical security patches every second Tuesday at 9:00 PM to the Test/Dev endpoints only, then deploy the same patches a day later to the Pilot/Test groups. Before that second deployment, we could exclude any patches that caused issues on the Test/Dev endpoints and adjust the policies accordingly as we promote to Production.

BigFix Patch Policies, used in this example, save time by automating the creation of baselines for this repeatable process for each group, by promoting baselines to the next group, and by optimizing maintenance windows: endpoints are instructed to download their patches before the window opens, so the window itself is spent installing rather than downloading.

Next Level Filtering 

During last month’s webinar, the BigFix team discussed Custom Filters and the benefit of narrowing down the content organizations look for regularly. Next Level Filtering, which we covered this month, takes filtering a step further.

Custom Filters provide a wealth of benefits in narrowing search criteria; for example, a Custom Filter can select “all patches whose source release date is between 9/1/19 and 9/30/19”. Next Level Filtering goes further: using a custom XML file, you create a site and add that file to it. The file defines a new domain in the Domain List, and the relevance in its body can be edited to, say, “only include patches for a given month that are Critical, Important or Moderate and are not .NET updates”.

The benefit of filtering at this level of granularity is a filter that contains only the patches your organization cares about for a given month, instead of having to review and hand-select every Microsoft patch to add to the monthly baseline. Using the newly created domain/filter, you select all of the patches, right-click, and add them to a new or existing baseline.
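As an added example (not the page’s own XML file and not BigFix-shipped content), here is the session relevance such a domain filter would be built around for the September 2019 case described above. It assumes the Microsoft patches live in the standard “Enterprise Security” (Patches for Windows) site and that .NET content can be recognized by its Fixlet name containing “.NET”; both are assumptions about your deployment, so check them against your own console before relying on the filter.

```relevance
(id of it, name of it, source severity of it, source release date of it) of bes fixlets
 whose (
   fixlet flag of it
   and name of site of it = "Enterprise Security"
   and source release date of it >= "01 Sep 2019" as date
   and source release date of it <= "30 Sep 2019" as date
   and (source severity of it = "Critical"
        or source severity of it = "Important"
        or source severity of it = "Moderate")
   and name of it does not contain ".NET"
 )
```

Run it in the Session Relevance Tester (or through the REST API’s /api/query endpoint) to confirm it returns the September patches you expect before wiring it into the domain file. The whose clause is the only part you edit each month; a useful extra condition is applicable computer count of it > 0, so the filter lists only patches relevant to at least one endpoint and the resulting baseline carries no dead weight.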

Summary  

Patch management is crucial to every organization’s security posture, yet it tends to be one of the more cumbersome pieces of maintaining a high level of compliance. Using Patch Policies, Custom Filters, and Next Level Filtering, BigFix helps teams achieve high levels of compliance, streamlines workflows to reduce manual steps and time, and provides surgical patching in place of traditional blanket patching. If these process improvements are something your organization and patch teams would like to explore further, please schedule time with your BigFix Specialist.

Author:  Marcus Hayden.   Editors:  Dan Imbach and Cy Englert.
