THE THREAT
On October 13th, 2020, Microsoft released its Patch Tuesday vulnerability list, addressing 87 security issues. Two critical vulnerabilities from this release are especially concerning. CVE-2020-16898, also known as Bad Neighbor, is a remote code execution vulnerability affecting multiple versions of Windows 10 and Windows Server 2019 [1]. This vulnerability received the highest criticality rating of all Microsoft vulnerabilities for the month of October (9.8/10), and Microsoft has stated that exploitation is considered likely.
CVE-2020-16952
is a remote code execution vulnerability affecting multiple versions of Microsoft SharePoint Server [2]. Proof of Concept (PoC) exploit code for this vulnerability emerged on the evening of October 13th. eSentire expects exploitation by threat actors in the immediate future due to the availability of a PoC exploit code.
Organizations are strongly encouraged to apply the applicable Microsoft patches as soon as possible.
What we’re doing about it
- MVS has local plugins to identify both CVE-2020-16898 and CVE-2020-16952
- MVS customers seeking assistance with their review or scans, please contact your MVS consultant or the eSentire Security Operations Center (SOC)
- eSentire security teams continue to track this topic for additional details and detection opportunities
What you should do about it
- After performing a business impact review, apply the official security patches provided by Microsoft
- If patching for CVE-2020-16898 is not currently possible, apply the workarounds provided by Microsoft
Additional information
CVE-2020-16898 is due to a failure that takes place when TCP/IP stack handles ICMPv6
Router Advertisement packets. Exploitation of the vulnerability would allow a threat actor to execute remote code on vulnerable servers. This vulnerability is especially concerning as it is wormable, meaning that threat actors could craft an exploit that automatically spreads between vulnerable Windows devices.
CVE-2020-16952 is due to a failure by SharePoint to check the source markup of an application package. Successful exploitation would allow a remote threat actor to execute code in the context of the SharePoint application pool/server farm account. Authentication is required in order to exploit this vulnerability [3]. CVE-2020-16952 was rated Exploitation Less Likely by Microsoft, but this is likely to change due to the public release of PoC exploit code.
Exploitation in the wild has not been identified for either of the vulnerabilities mentioned in this advisory.
CVE-2020-16898 Affected Products:
- Windows 10 Version 1709
- Windows 10 Version 1803
- Windows 10 Version 1809
- Windows 10 Version 1903
- Windows 10 Version 1909
- Windows 10 Version 2004
- Windows Server 2019
- Windows Server, version 1903
- Windows Server, version 1909
- Windows Server, version 2004
CVE-2020-16952 Affected Products:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Server 2019
References:
[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
[3] https://srcincite.io/advisories/src-2020-0022/
