Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 140 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
Microsoft Internet Explorer Security Update for February 2020
Severity: Critical 4
Qualys ID: 100401
Vendor Reference: KB4532691, KB4532693, KB4537762, KB4537764, KB4537767, KB4537776, KB4537789, KB4537810, KB4537814, KB4537820, KB4537821
CVE Reference: CVE-2020-0673, CVE-2020-0706
CVSS Scores: Base 7.6 / Temporal 5.6
Description:
Microsoft has released the security update for Internet Explorer for February 2020.
The KB Articles associated with the update:
KB4537820
KB4537776
KB4532693
KB4537789
KB4532691
KB4537821
KB4537810
KB4537764
KB4537762
KB4537814
KB4537767
QID Detection Logic:
This QID checks for the file version of Mshtml.dll
The following versions of Mshtml.dll with their corresponding KBs are verified:
KB4537820 - 11.0.9600.19626
KB4537776 - 11.0.10240.18485
KB4532693 - 11.0.18362.657
KB4537789 - 11.0.16299.1685
KB4532691 - 11.0.17763.1039
KB4537821 - 11.0.9600.19626
KB4537810 - 9.0.8112.21414
KB4537764 - 11.0.14393.3503
KB4537762 - 11.0.17134.1304
KB4537814 - 10.0.9200.22975
KB4537767 - 10.0.9200.22975 , 9.0.8112.21414 , 11.0.9600.19626
Consequence:
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
Solution:
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
Microsoft Office and Microsoft Office Services and Web Apps Security Update February 2020
Severity: Critical 4
Qualys ID: 110344
Vendor Reference: KB4484156, KB4484163, KB4484250, KB4484254, KB4484255, KB4484256, KB4484259, KB4484264, KB4484265, KB4484267
CVE Reference: CVE-2020-0693, CVE-2020-0694, CVE-2020-0695, CVE-2020-0696, CVE-2020-0697, CVE-2020-0759
CVSS Scores: Base 9.3 / Temporal 6.9
Description:
Microsoft has released February 2020 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB4484255
KB4484156
KB4484267
KB4484259
KB4484264
KB4484265
KB4484256
KB4484250
KB4484163
KB4484254
QID Detection Logic:
This authenticated QID compares the file versions listed in the Microsoft KB articles above with the versions on the affected Office system.
Consequence:
Successful exploitation allows an attacker to execute code remotely.
Solution:
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update January 2020
Microsoft Edge Based On Chromium Prior to 80.0.361.48 Multiple Vulnerabilities (ADV200002)
Severity: Serious 3
Qualys ID: 372371
Vendor Reference: ADV200002
CVE Reference:
CVE-2019-18197,
CVE-2019-19880,
CVE-2019-19923,
CVE-2019-19925,
CVE-2019-19926,
CVE-2020-0601,
CVE-2020-6378,
CVE-2020-6379,
CVE-2020-6380,
CVE-2020-6381,
CVE-2020-6382,
CVE-2020-6385,
CVE-2020-6387,
CVE-2020-6388,
CVE-2020-6389,
CVE-2020-6390,
CVE-2020-6391,
CVE-2020-6392,
CVE-2020-6393,
CVE-2020-6394,
CVE-2020-6395,
CVE-2020-6396,
CVE-2020-6397,
CVE-2020-6398,
CVE-2020-6399,
CVE-2020-6400,
CVE-2020-6401,
CVE-2020-6402,
CVE-2020-6404,
CVE-2020-6405,
CVE-2020-6406,
CVE-2020-6408,
CVE-2020-6409,
CVE-2020-6410,
CVE-2020-6411,
CVE-2020-6412,
CVE-2020-6413,
CVE-2020-6414,
CVE-2020-6415,
CVE-2020-6416,
CVE-2020-6417
CVSS Scores: Base 6.8 / Temporal 5.6
Description:
Microsoft Edge based on Chromium is affected by multiple vulnerabilities.
Affected Version:
Microsoft Edge based on Chromium Prior to version 80.0.361.48
QID Detection Logic: (authenticated)
Operating System: Windows
The install path is checked via registry "HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\shell\open\command". The version is checked via file msedge.exe.
QID Detection Logic: (authenticated)
Operating System: macOS
The QID checks for a vulnerable version of Microsoft Edge in the installed application list.
Consequence:
An attacker who exploits these vulnerabilities can disclose sensitive information, bypass security restrictions, crash the application or execute arbitrary code in the context of the browser by redirecting a user to a specially crafted web page.
Solution:
Customers are advised to upgrade to Edge version 80.0.361.48 or later.
For further details refer to ADV200002
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV200002
Microsoft Exchange Server Security Update for February 2020
Severity: Critical 4
Qualys ID: 50098
Vendor Reference: CVE-2020-0688, CVE-2020-0692
CVE Reference: CVE-2020-0688, CVE-2020-0692
CVSS Scores: Base 9 / Temporal 7.4
Description:
The following vulnerabilities exist in Microsoft Exchange:
CVE-2020-0688: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server. The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.
CVE-2020-0692: An elevation of privilege vulnerability exists in Microsoft Exchange Server. Exploitation of this vulnerability requires Exchange Web Services (EWS) to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to change parameters in the Security Access Token and forward it to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user. To address this vulnerability, Microsoft has changed the way EWS handles these tokens.
Affected Software:
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2016 Cumulative Update 15
Microsoft Exchange Server 2019 Cumulative Update 3
Microsoft Exchange Server 2019 Cumulative Update 4
KB articles covered: 4536987, 4536988, 4536989.
QID Detection Logic (authenticated):
The QID checks whether the version of the file Exsetup.exe is lower than the following:
The version for Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 is 14.3.496.0
The version for Microsoft Exchange Server 2013 Cumulative Update 23 is 15.0.1497.6
The version for Microsoft Exchange Server 2016 Cumulative Update 14 is 15.1.1847.7
The version for Microsoft Exchange Server 2016 Cumulative Update 15 is 15.1.1913.7
The version for Microsoft Exchange Server 2019 Cumulative Update 3 is 15.2.464.11
The version for Microsoft Exchange Server 2019 Cumulative Update 4 is 15.2.529.8
Consequence:
Depending on the vulnerability being exploited, an attacker could run arbitrary code in the context of the System user or perform activities such as accessing the mailboxes of other users.
Solution:
Customers are advised to refer to CVE-2020-0688, CVE-2020-0692 for information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-0688
CVE-2020-0692
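The Exsetup.exe comparison from the QID 50098 detection logic above, worked through as an added example (not Qualys or Microsoft code). It shows why the check has to match the update level first and compare numerically; it assumes the first three version components identify the update level, and the host names and inventory versions are constructed.

```python
# Fixed Exsetup.exe builds, copied from the QID 50098 detection logic above.
FIXED_BUILDS = {
    "Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30": "14.3.496.0",
    "Microsoft Exchange Server 2013 Cumulative Update 23": "15.0.1497.6",
    "Microsoft Exchange Server 2016 Cumulative Update 14": "15.1.1847.7",
    "Microsoft Exchange Server 2016 Cumulative Update 15": "15.1.1913.7",
    "Microsoft Exchange Server 2019 Cumulative Update 3": "15.2.464.11",
    "Microsoft Exchange Server 2019 Cumulative Update 4": "15.2.529.8",
}


def parse_version(text):
    """Turn '15.1.1913.7' into (15, 1, 1913, 7); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


# Assumption (not stated in the advisory): major.minor.build names the update
# level, and only the last component moves when the security fix is applied.
BY_LEVEL = {
    parse_version(v)[:3]: (name, parse_version(v)) for name, v in FIXED_BUILDS.items()
}


def classify(exsetup_version):
    """Return (status, update_level) for one Exsetup.exe file version."""
    found = parse_version(exsetup_version)
    match = BY_LEVEL.get(found[:3])
    if match is None:
        # Update level is not in the advisory's table: needs manual review.
        return ("unlisted", None)
    name, fixed = match
    return ("vulnerable" if found < fixed else "patched", name)


def audit(inventory):
    """Map each host to its status."""
    return {host: classify(version)[0] for host, version in inventory.items()}


# Constructed inventory (hypothetical hosts), e.g. from a software inventory export.
SAMPLE_INVENTORY = {
    "mbx01": "15.1.1913.5",  # CU15 level, below the fixed build
    "mbx02": "15.1.1847.7",  # CU14 level, fixed; lower than the CU15 build yet not vulnerable
    "mbx03": "15.2.464.5",   # a string compare would rank ".5" above ".11"
    "mbx04": "15.2.529.8",   # CU4 level at the fixed build
    "mbx05": "15.1.1779.2",  # update level the advisory does not list
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Hosts reported as unlisted are outside the builds the advisory enumerates and need a separate decision rather than a pass.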
Microsoft Edge Security Update for February 2020
Severity: Critical 4
Qualys ID: 91602
Vendor Reference: 4532691, 4532693, 4537762, 4537764, 4537776, 4537789
CVE Reference: CVE-2020-0663, CVE-2020-0706, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767
CVSS Scores: Base 7.6 / Temporal 5.6
Description:
Microsoft has released the security update for Microsoft Edge for February 2020.
The KB Articles associated with the update:
KB4537762
KB4532691
KB4537789
KB4532693
KB4537776
KB4537764
QID Detection Logic:
This QID checks for the file version of edgehtml.dll
The following versions of edgehtml.dll with their corresponding KBs are verified:
Consequence:
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
Solution:
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide
Microsoft Windows Servicing Stack Security Update February 2020
Severity: Medium 2
Qualys ID: 91603
Vendor Reference: ADV990001
CVE Reference: N/A
CVSS Scores: Base 6.8 / Temporal 5
Description:
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
Microsoft has released Servicing Stack security updates for Windows 2008, Windows 7, Windows 2008 R2, Windows 10 1903, and Windows 10 1909.
QID Detection Logic (Authenticated):
This authenticated QID will check for file version of CbsCore.dll
Consequence:
Successful exploitation may allow unauthorized disclosure of information, unauthorized modification or disruption of service.
Solution:
Customers are advised to refer to advisory ADV990001 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
ADV990001
Microsoft SQL Server Reporting Services Update for February 2020
Severity: Critical 4
Qualys ID: 91604
Vendor Reference: CVE-2020-0618
CVE Reference: CVE-2020-0618
CVSS Scores: Base 6.5 / Temporal 5.4
Description:
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted page request to an affected Reporting Services instance.
The security update addresses the vulnerability by modifying how the Microsoft SQL Server Reporting Services handles page requests.
Affected Software:
Microsoft SQL Server 2012 SP4
Microsoft SQL Server 2014 SP3
Microsoft SQL Server 2016 SP2
KBs targeted: 4532098, 4535288, 4532095, 4535706, 4532097.
QID Detection Logic:
This authenticated QID detects vulnerable file versions of the software listed above as follows:
Microsoft SQL Server 2016 SP2: locates ReportServer\bin\ReportingServicesWebServer.dll via HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSRS13.MSSQLSERVER\Setup\SQLPath and checks whether its version is lower than 13.0.5102.14 or 13.0.5622.0.
Microsoft SQL Server 2014 SP3: locates ReportServer\bin\Microsoft.ReportingServices.ProcessingObjectModel.dll via HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSRS12.MSSQLSERVER\Setup\SQLPath and checks whether its version is lower than 12.0.6118.4 or 12.0.6372.1.
Microsoft SQL Server 2012 SP4: reads the sqlservr.exe version via HKLM\SYSTEM\CurrentControlSet\Services and checks whether it is lower than 2011.110.7493.4.
Consequence:
Successful exploitation allows an authenticated, remote attacker to execute code in the context of the Report Server service account.
Solution:
Customers are advised to refer to CVE-2020-0618 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2020-0618
Microsoft Windows Security Update for February 2020
Severity: Critical 4
Qualys ID: 91605
Vendor Reference: KB4532691, KB4532693, KB4537762, KB4537764, KB4537776, KB4537789, KB4537794, KB4537803, KB4537810, KB4537813, KB4537814, KB4537820, KB4537821, KB4537822
CVE Reference:
CVE-2020-0655,
CVE-2020-0657,
CVE-2020-0658,
CVE-2020-0659,
CVE-2020-0660,
CVE-2020-0661,
CVE-2020-0662,
CVE-2020-0665,
CVE-2020-0666,
CVE-2020-0667,
CVE-2020-0668,
CVE-2020-0669,
CVE-2020-0670,
CVE-2020-0671,
CVE-2020-0672,
CVE-2020-0675,
CVE-2020-0676,
CVE-2020-0677,
CVE-2020-0678,
CVE-2020-0679,
CVE-2020-0680,
CVE-2020-0681,
CVE-2020-0682,
CVE-2020-0683,
CVE-2020-0685,
CVE-2020-0686,
CVE-2020-0689,
CVE-2020-0691,
CVE-2020-0698,
CVE-2020-0701,
CVE-2020-0703,
CVE-2020-0704,
CVE-2020-0705,
CVE-2020-0707,
CVE-2020-0708,
CVE-2020-0709,
CVE-2020-0714,
CVE-2020-0715,
CVE-2020-0716,
CVE-2020-0717,
CVE-2020-0719,
CVE-2020-0720,
CVE-2020-0721,
CVE-2020-0722,
CVE-2020-0723,
CVE-2020-0724,
CVE-2020-0725,
CVE-2020-0726,
CVE-2020-0727,
CVE-2020-0728,
CVE-2020-0729,
CVE-2020-0730,
CVE-2020-0731,
CVE-2020-0732,
CVE-2020-0734,
CVE-2020-0735,
CVE-2020-0736,
CVE-2020-0737,
CVE-2020-0738,
CVE-2020-0739,
CVE-2020-0740,
CVE-2020-0741,
CVE-2020-0742,
CVE-2020-0743,
CVE-2020-0744,
CVE-2020-0745,
CVE-2020-0746,
CVE-2020-0747,
CVE-2020-0748,
CVE-2020-0749,
CVE-2020-0750,
CVE-2020-0751,
CVE-2020-0752,
CVE-2020-0753,
CVE-2020-0754,
CVE-2020-0755,
CVE-2020-0756,
CVE-2020-0757,
CVE-2020-0792,
CVE-2020-0817,
CVE-2020-0818
CVSS Scores: Base 9.3 / Temporal 7.7
Description:
Microsoft has released the security update for Windows for February 2020.
The KB Articles associated with the update:
KB4537762
KB4537794
KB4532691
KB4537814
KB4537813
KB4537822
KB4537803
KB4537820
KB4537821
KB4537764
KB4537776
KB4532693
KB4537789
KB4537810
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB4537762 - 10.0.17134.1304
KB4537794 - 6.2.9200.22978
KB4532691 - 10.0.17763.1039 , 10.0.17763.864
KB4537814 - 6.2.9200.22978
KB4537813 - 6.1.7601.24548
KB4537822 - 6.0.6003.20731
KB4537803 - 6.3.9600.19629
KB4537820 - 6.1.7601.24548
KB4537821 - 6.3.9600.19629
KB4537764 - 10.0.14393.3503
KB4537776 - 10.0.10240.18485
KB4532693 - 10.0.18362.476 , 10.0.18362.657
KB4537789 - 10.0.16299.1685
KB4537810 - 6.0.6003.20731
Consequence:
An attacker who successfully exploited this vulnerability could execute arbitrary code.
Solution:
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide Windows
Microsoft Malicious Software Removal Tool (MSRT) Privilege Escalation Vulnerability - February 2020
Severity: Critical 4
Qualys ID: 91606
Vendor Reference: CVE-2020-0733
CVE Reference: CVE-2020-0733
CVSS Scores: Base 4.6 / Temporal 3.4
Description:
Microsoft Windows Malicious Software Removal Tool is a freely-distributed virus removal tool developed by Microsoft for the Microsoft Windows operating system.
An elevation of privilege vulnerability exists when the Windows Malicious Software Removal Tool (MSRT) improperly handles junctions.
Affected Software:
Versions of the Microsoft Malicious Software Removal Tool (MSRT) before 5.80 are affected.
QID Detection Logic:
This QID checks whether the file %windir%\System32\mrt.exe is present with a version lower than 5.80.16723.5.
Consequence:
Successful exploitation allows an attacker to run a specially crafted application to elevate privileges.
Solution:
Refer to Microsoft security advisory KB890830 for details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB890830
These new vulnerability checks are included in Qualys vulnerability signature 2.4.816-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
  - 100401
  - 110344
  - 372371
  - 50098
  - 91602
  - 91603
  - 91604
  - 91605
  - 91606
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.