Threat Response: Critical Vulnerability in Microsoft XML deserialisation

23-07-2020


Last week (July 14th) we sent out a notice about the patches Microsoft released, which included a fix for a critical vulnerability in Windows DNS Server. Over the last few days, details have emerged about another critical vulnerability that was fixed in the same round of updates. This vulnerability concerns the way XML is deserialised and is present in several Microsoft products, namely the .NET Framework, SharePoint and Visual Studio. As the .NET Framework is affected, many products that use this framework might also be at risk. The vulnerability is filed under CVE-2020-1147 [1] and has received a CVSS score of 9.8. At the time of writing there is no known public exploit available; however, many details are being posted [2] that simplify the development of an exploit. In this message we inform you of the threat and potential mitigations.

As the .NET Framework is also affected, Linux systems that have .NET Core installed can also be at risk. Several Linux distributions have made patches available; for examples, see [3] and [4].

Impact

This vulnerability allows for arbitrary code execution on the affected systems. The code will run with the same privileges as the process performing the XML deserialisation. This makes the impact high.

Risk

There is no public or active exploit available. As a lot of detailed information that simplifies exploit development has been published, public or active exploits are expected to follow soon. Northwave assesses the risk of this vulnerability to be high.

Mitigation

Northwave repeats the recommendation to install the patches released last week as soon as possible. This recommendation has gained more weight with this additional vulnerability. Additionally, there are no known alternative mitigations or workarounds for this issue.

Lastly, non-Windows systems that have .NET Core installed should be updated as soon as possible.
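To find the non-Windows hosts that still need this update, the following added example (not Northwave's or Microsoft's code) audits the output of `dotnet --list-runtimes`. The 3.1.6 baseline is taken from the package version in reference [4] and should be confirmed against your distribution's advisory; the function names and the sample listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag .NET Core 3.1 runtimes older than a patched baseline.
# PATCHED_31 comes from the package version in reference [4]; treat it as an
# assumption and confirm it against your distribution's advisory.
PATCHED_31="${PATCHED_31:-3.1.6}"

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# audit_runtimes: read `dotnet --list-runtimes` output on stdin and print one
# verdict per runtime. Returns 1 if any 3.1 runtime is below the baseline.
audit_runtimes() {
    audit_status=0
    while read -r rt_name rt_ver _; do
        [ -z "$rt_name" ] && continue
        case "$rt_ver" in
            3.1.*)
                if version_lt "$rt_ver" "$PATCHED_31"; then
                    echo "UNPATCHED $rt_name $rt_ver (< $PATCHED_31)"
                    audit_status=1
                else
                    echo "OK $rt_name $rt_ver"
                fi ;;
            *)  # No baseline on the page for other release lines.
                echo "REVIEW $rt_name $rt_ver (no baseline set for this release line)" ;;
        esac
    done
    return "$audit_status"
}

# Constructed sample in the format printed by `dotnet --list-runtimes`.
SAMPLE='Microsoft.AspNetCore.App 3.1.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.19 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'

# Use the live listing when dotnet is installed, otherwise the sample.
if command -v dotnet >/dev/null 2>&1; then
    dotnet --list-runtimes | audit_runtimes || true
else
    printf '%s\n' "$SAMPLE" | audit_runtimes || true
fi
```

Runtimes marked REVIEW belong to a release line for which this page gives no patched version, so look up the fixed version for that line in the vendor advisory [1].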

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (from within the Netherlands only)

Disclaimer applies, see below.

Sources

[1]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147

[2]: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

[3]: https://access.redhat.com/security/cve/cve-2020-1147

[4]: https://centos.pkgs.org/8/centos-appstream-x86_64/aspnetcore-runtime-3.1-3.1.6-1.el8_2.x86_64.rpm.html

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.