July 2024 Patch Tuesday

Episode 9 | Published July 9, 2024 | 26 minute watch

Summary

In this conversation, the hosts discuss the vulnerabilities and patches released in the July Patch Tuesday. They cover a wide range of topics, including the high number of CVEs from Microsoft, the Windows Remote Desktop Licensing vulnerability, the Windows layer two bridge network RCE, PowerShell vulnerabilities, BitLocker and Secure Boot vulnerabilities, and an RCE vulnerability in the Xbox wireless adapter. They also mention the importance of protecting home networks and being aware of the devices connected to them.

Transcript

Tom Bowyer: Happy Patch Tuesday everybody. We made it to July. Yeah, I can't believe it's July already, but thanks again for your continued support through all of our podcasts and webinars, YouTube videos, et cetera, et cetera. We do here on Automox. We really appreciate all your support.

We are up over 25,000 subscribers on YouTube. So, obviously a solid win and yeah, your support makes these podcasts possible where you get to hear us rant every Patch Tuesday about vulnerabilities that, you know, we enjoy so much, but yeah.

Jason Kikta: on about why the internet's on fire.

Tom Bowyer: always on fire from all the fun stuff we gotta deal with every Patch Tuesday, but you know, we made it and this month is a very, very spicy month. I think even more spicier than any month so far, as far as vulnerabilities are concerned coming out of these release notes and yeah, just curious your thoughts, Jason.

Jason Kikta: Ahem.

Yeah. I mean, yeah, going, I mean, June was a pretty solid month where we had 49 CVEs and I remember we were talking about, I think it was May that had that set the record for most number of CVEs across all vendors. And then now to see 138 in July, nearly triple, you know, double and a half, what we had in June, 138 CVEs this month from Microsoft

is, you know, somewhat shocking and it's interesting too, because, you know, honestly, we don't have time to cover it all, but we saw a lot of runs of the same thing. And I just have to say, if you have Microsoft SQL server, good luck because I, I literally lost count trying to count all of the like 8.8 high or, you know, those eights, eights are what critical? No, they're highs.

Tom Bowyer: Yeah.

Jason Kikta: Yeah, I mean, just like just on and on and on it went of, of just, there were so many highs in it and it just went page after page after page. So, yeah, there's a lot to do this month. That's, that's for sure.

Tom Bowyer: Yeah, I mean, I think people are just preparing for the summer camp, you know, at Vegas, right?

Jason Kikta: Yeah. Yeah. I mean, some of this is definitely that bump, you know, that we see every year pre hacker summer camp out in Vegas of, you know, Black Hat and DEF CON where researchers want to be able to talk about things that they've discovered and developed, but they want to be responsible about it. And so they want to make sure that there's a patch on the street before they go out there and tell the, tell a big crowd, that there's a vulnerability without a patch being available, but

it's, you know, and I think some of those, some of the shown through, although it was interesting with the, all the SQL server ones were all anonymous. And that always makes me suspicious about where those are coming from because there are, I mean, there are legitimate reasons to, to provide something anonymously, but it always, always just makes me suspect a little bit what that might've been used for, how it might've been discovered.

Tom Bowyer: You

Jason Kikta: So probably something not strictly speaking legal or legal in every country. Yeah, it's just, and this first one here, Ryan, we were looking at it, this Windows Remote Desktop Licensing thing. And we're not quite certain how many devices are exposed to it, but it looks like the high end might be 2 million. Is that right?

Tom Bowyer: Yeah.

Ryan Braunstein: Yeah, I mean, that's our initial assessment of it. Yeah, I find that one to be really interesting because if somebody was on your internal network or something like that, it could probably be really easy to just get into. And even more so if your RDP licensing server is exposed to the internet and not behind a VPN, which I think is like, yeah.

Jason Kikta: Yeah, that's pretty terrifying to be able to get. And that one was RCE as well, right? That one was RCE. Yeah, that's pretty significant if, because this is a widely used service and people try not to expose individual endpoints, but they'll expose the servers. And those servers require licensing. And if those are indeed, if all of those have

Ryan Braunstein: Yes. Yeah.

Tom Bowyer: Yeah.

Jason Kikta: have the need for a licensing server and don't have a special situation like, we have pre-installed certificates or we have unlimited licensing, then that's, that is a major, major threat out there. So, definitely one to pay attention to on that. And that was CVE 2024. Do we have the number? It just keeps on going.

Tom Bowyer: Yeah.

Ryan Braunstein: Yeah.

Yeah, there's a few. Yeah. I would say...

Tom Bowyer: There's a bunch of them. There's a whole bunch of them.

Jason Kikta: that's right. Yeah, yeah, yeah. There is a chunk of those. So yeah, yeah, just

Ryan Braunstein: I would say if you're not knowledgeable about whether or not you need remote desktop licensing in your environment, it would behoove you to search whether or not that feature is enabled on any of your servers. And if not necessary, disable it.

Jason Kikta: Yeah, which is Microsoft's advice, but the way they talked about it leads me to believe that it's on by default because they didn't say, you know, hey, if you have this turned on, it was if you haven't turned this off, which is their inside way of saying like this is on by default.

Ryan Braunstein: Yeah. Yeah. Definitely worth looking into your servers to see if that's turned on at all.

Tom Bowyer: Yeah.

Jason Kikta: Hahaha!

Tom Bowyer: Yeah, I just, I don't know, I feel like this one is just ripe for exploitation, you know, yeah, I think about school districts. I think about, you know, state SLED type Windows environments and it's always get it done quick and, you know, one or two people will run the whole, like, county's IT infrastructure and all that stuff is usually exposed to the internet, right,

Jason Kikta: Hmm.

Water treatment plants with our luck. Yeah.

Tom Bowyer: not behind VPN or you know if they're using a VPN it's probably one of those really good VPNs that are in the news every month right? So yeah this feels to me like one of just another one of those like it's gonna get a POC on GitHub in the next week or two and then you know everyone's favorite ransomware actor is gonna throw this in their exploit kit and

Jason Kikta: That's great, that's great.

Tom Bowyer: go to town on a lot of these other small businesses and stuff like that. That's where my hit is with this one.

Jason Kikta: Yeah. And if it doesn't, if it doesn't get something on GitHub, somebody's going to get on stage in Vegas and talk about it and walk you through it. So move, move quickly.

Tom Bowyer: Absolutely, absolutely. I mean, and there's some other good ones too, right? Like 2024 38053, which is this Windows layer two bridge network RCE. And you know, that's another one where I'm just like.

Ryan Braunstein: Yeah.

Jason Kikta: Ha!

Ryan Braunstein: Yeah.

Tom Bowyer: Honestly just shaking my head because I feel like it's just I'm on your local network and if you have a if you have a network adapter, so I'm plugged into the LAN like you're screwed right like is that that's how I'm reading it

Jason Kikta: So.

I mean, this brings me back to, so it's, you know, late nineties, like 1997, hopefully past the statute of limitations. Ping of Death comes out. This might have been 96, 96, 97. I'm a freshman at Carnegie Mellon and Ping of Death comes out and we had unlimited fun on that thing. Just like knocking over like your friend's computers and just kicking them offline. Yeah. Well, and then.

Tom Bowyer: "Your friends' computers."

Jason Kikta: we had this one we had this one professor and he had this like ancient Windows NT server and so we would just like blast Ping of Death away at it like everyone the floor would coordinate because no one wanted to turn in our it was Intro to Modern Math which is just a terrible class and nobody wanted to

nobody wanted to turn in their homework. So we were just like blast the Ping of Death at this NT server until it fell over. And this poor professor keeps going like, yeah, added more RAM to that thing again, like I don't know, it's really sorry that it just can't handle a load of students turning in their homework. And we're all just like, you know, just keep blasting that thing away and getting more time to turn in our assignments. And we'd even get some students who are like, hey, like, I want to actually turn my stuff in on time. Can you guys just like, give me five more minutes and and but this this

Tom Bowyer: No.

Jason Kikta: feels this layer two bridge network driver RCE feels like it's of that era where you just had these like kind of fundamental flaws. And this coupled with that, the, you know, the Wi-Fi driver flaw from last month. I mean, obviously, there's people looking around and some fundamental things that have been in Windows for a very long time. And was this the one that they even had patches going back to Server 2000? Sorry, yeah, Server 2008, I think.

This might've been one of them. Yeah, a lot of them, they went way back. They're even back porting some patches. These things have obviously been in there for a very long time and gone unnoticed. And that's pretty concerning. Same with the next one of 2024, 38060, Microsoft Windows Codex Library RCE.

Ryan Braunstein: Yeah.

Tom Bowyer: I think most of them are, most of these ones.

Jason Kikta: Yeah, it's a .TIFF file, right? If you can upload a .TIFF file to a server, you get RCE and like, God, I think the last time I was playing around with .TIFF files, I was, I was no kidding on like Windows 3.1, like Windows 3.11, Windows for Workgroups. I don't even think I was playing around with them by the time I got to Windows 95. So my goodness, how long has that thing been around?

Tom Bowyer: Yeah.

Yeah, absolutely.

Ryan Braunstein: Yeah, that one just feels so random. Like, it's completely out of nowhere.

Jason Kikta: Yeah. I mean, it's like somebody's just going out and grabbing like old versions of Windows and then just, just fuzzing it. And then saying like, is this code still there? And like, there it is something because it's just, we're, we're doing some greatest hits here.

Tom Bowyer: Hahaha

Yeah.

Ryan Braunstein: Yeah. I think on that one, I also questioned this as any authenticated attacker, like does that mean guest users? Guest users are technically authenticated users. Like maybe make sure that that's disabled a bit to kind of mitigate, you know, anonymous authentication. So.

Tom Bowyer: I know.

Jason Kikta: Yeah, does guest count?

Right. Right.

Yeah. And it says, it says no, no, no user interaction required. So, I mean, does a server design make it say, it's a .TIFF file. Let me kind of pre parse it to generate an image preview or something. And that's how the code gets called. I'm not sure, but I I'm guessing it as something along those lines. And it's just, it's, it's just very wild, low effort, old school stuff that seems to keep popping up.

Ryan Braunstein: Yeah.

Tom Bowyer: Yeah.

Jason Kikta: It seems to be it feels like it's accelerating, not decelerating.

Tom Bowyer: Yeah.

Ryan Braunstein: Yeah, I'm interested to see that chain, to see kind of how that goes across.

Tom Bowyer: Yeah. And then like those services, like if you're running IIS or another Windows service exposed to the internet, like what's the impact there, right? Cause you just upload a file. It lands on disk. Like if .TIFF Auto gets, if it gets a preview, like you mentioned Jason, right? Like are my IIS servers exposed here? Like all this is kind of very loose on the details, but I think it provides such an interesting attack surface. And you know

standard Microsoft fashion, they save all the good stuff for their internal methods boards, right? Yeah, but I do agree. I feel like this year so far has been very, very like people exploring these old APIs that, you know, people haven't explored in a long time and

Jason Kikta: Yeah, yeah.

Tom Bowyer: you know, I also see it across other OSs too, like macOS, We've, we talked about it earlier this year where they had all those RCEs and their image processing library. Right? Like this is, this all feels to me like once, you know, the White House released that, "Hey, everyone move to Rust." All this stuff starts popping up. Cause I assume all this stuff's written in like C or C++ or you know, some other C derivative and it's not memory safe.

Jason Kikta: Yeah.

Because it's been around forever.

Tom Bowyer: People are just getting creative on the things that they're fuzzing and looking into.

Jason Kikta: Speaking of getting creative, these PowerShell vulnerabilities, my goodness. Tom, could you walk us through these a little bit more?

Tom Bowyer: Yeah, like they're within PowerShell itself. So I mean, like everything that details are very limited, but you know, it sounds to me that basically you can, you know, elevate your privileges or, you know, other attacks just by running PowerShell. And I'm guessing it's like how it's parsing

you know, the PowerShell scripts itself or some other mechanism in here. But yeah, like passing some weird value to PowerShell or something. It's just one of those, like I said, who's fuzzing PowerShell these days, you know?

Jason Kikta: I mean, it looks like it was worth it. I mean, if you got that many PrivEscs.

Ryan Braunstein: I mean.

Tom Bowyer: Thank you.

Yeah, like, you know, as an unprivileged user.

I mean, I guess you do get that like that that prompt when you're trying to run PowerShell, but not always, right? Like there is an interesting attack vector here for non non-privileged So it, yeah. I mean, really the only thing you could do was update it, right? Like, I don't know, or turn it off completely, right?

Ryan Braunstein: Yeah.

I was going to ask, yeah. Yeah, because my other question was going to be, can you set up any restrictions around remoting or anything that could protect you, or is it just baked in to PowerShell to where it's just you can get around it? So, yeah.

Tom Bowyer: Yeah, they don't have much in it as far as the attack vector goes, but like I said, I'm assuming it's some kind of overflow somewhere in there. And, you know, I elevate my privileges, which it's just, you know, it's like bash, like who's looking into the PowerShell internals and looking for these kinds of vulnerabilities that, yeah, very interesting, very, very interesting.

And then there's other security vulnerabilities too in like security products. You know, like we have all these BitLocker ones and Secure Boot ones and it's just...

Ryan Braunstein: Secure Boot. Yeah. The Secure Boot one feels interesting because I really feel like they just popped up in April. There was like just some recent Secure Boot vulnerabilities that came up that were just recently patched. So it's kind of like, well, this is awkward.

Jason Kikta: Hehehe

Tom Bowyer: You know, like BitLocker and Secure Boot you just trust, you, I mean, mostly just blindly trust that they're safe, right, like it's a security, security, you know, I mean, I guess we're all kind of guilty in the industry of just kind of blindly trust our security tools and, you know, they're, it's a security tool so it's supposed to be safe, right, but, you know, I always caution people that it's still just another software product and it's just as vulnerable as

everything else in the industry. So don't blindly trust it, right? Cause there's always an attack vector there, bypasses or elevation of privilege or something.

Ryan Braunstein: because you have a TPM chip does not mean you're safe.

Tom Bowyer: I always love those videos on the internet of, you know, they... they hook up their JTAG right there to the TPM chip and they grab them, they grab the key as it's booting, right? Part of it gets it, a part of me is like that's kind of fun-ish, right, like, like, you know, it is meant to prevent some of those like "Evil Maid" style attacks, but at the same time, right, like those keys

Jason Kikta: That's right.

Yep.

Tom Bowyer: will be unencrypted at some point in time, you know?

Ryan Braunstein: I literally just swapped out a mobo over the weekend and it just, it had secure boot on it and everything and it let me just reset the pin for the computer and I got right in. So it ain't all that safe. Like I'm just saying.

Tom Bowyer: Hahaha

Jason Kikta: Yeah.

Speaking of the call coming from inside the house, you found a really funny one here, Ryan, for Xbox, right?

Ryan Braunstein: Yeah, yeah, this one I just thought once again, super random, super out of nowhere, but the Xbox wireless adapter has an RCE vulnerability on it, which doesn't seem like much like in terms of like the corporate landscape, but as we're moving to kind of like the work from home area, it kind of stresses that importance of protecting your home network and like keeping, you know, the random IoT devices.

around your home, like alarm systems and TVs and the random adapters you get from Amazon, like patched and at least kind of have some level of understanding of what might be out there for them. I think it was Tom that brought up with this one, the WiFi range, people completely underestimate how far your WiFi goes out there and just how easy it would be to, you know,

Tom Bowyer: Yeah.

Ryan Braunstein: I would air crack it or like you know like you know

Tom Bowyer: Just driving in my car with this big WiFi dongle on the roof, right? And I'm just like RCE and all these all these kids, you know Xbox is the summer. That's what it feels like to me like the ultimate troll Yeah, or like the you know like the jailbreaking community right there's always a community for like rooting your PlayStation or rooting your

Ryan Braunstein: Exactly, a little war driving phase. Yeah.

I mean they're gonna be out all summer.

Tom Bowyer: TV or rooting your Xbox. And this is such an interesting one because like you don't even have to plug it in. Like I'm sure eventually someone will just they'll have a little program and you download it and you're like, as long as the Xbox is in range or something or and you'll just broadcast some WiFi packets and if you get RCE and then you know, you flash it and get root access and it's yeah, very, very interesting attack surface for sure.

Ryan Braunstein: Yeah, not that's a

Yeah, not to ruin a kid's summers, but you know, like sometimes you should probably know what your kids have in your house if you're going to work from home. Just, you know, I was a kid once and I had my mom not understand the computers or anything like that and the stuff that we were doing. But, you know, not to ruin any kid's summers, but know what your kids are getting into a bit.

Tom Bowyer: Hahaha

Jason Kikta: Hahaha

Tom Bowyer: Yeah, and there's not like there's EDR for Xbox, right? So it, you know, I don't expect, I don't know, update your Xbox, you'll be safe. Because this one is quite interesting, honestly.

Ryan Braunstein: Yeah. Yeah.

Jason Kikta: Yeah.

Tom Bowyer: Speaking of other interesting things, you know, OpenSSH.

Jason Kikta: Yeah.

Tom Bowyer: The vuln, right? Where it was a regression introduced in 8.5. So it's, you know, I haven't seen much honestly after the, like last week, there was a lot and was it the week before last? I don't remember, but there was a lot of hoo-ha in the industry about it. People kind of panicking, but that all really seems to have calmed down.

Jason Kikta: Yeah. I mean, I think it helps that it is, you know, it's a complex one to, to, you know, burn through enough cycles to set conditions on the system to allow for exploitation, right? Like you are chaining a lot of things together. It is extremely noisy. It's time consuming. You know, you're talking something on the order of like 10 hours on the low end. And obviously,

Tom Bowyer: I haven't really seen much from it since then.

Jason Kikta: you know, you don't want to necessarily take that for granted because someone could have a breakthrough on, you know, either setting the conditions or guessing better that would cut that time significantly. But right now it is, it is pretty noisy, and, and high effort to be able to, to exploit this. But I think like, it's, it's still like, you know, you see OpenSSH, and you just, you kind of do that teeth suck because

And you're like, you know, that's in so many things. It's so critical. You know, it's, it's really dangerous. And so, you know, even if you're in a good position to observe it and catch it, this is one where, you know, you just, you need to take the downtime and, and just go ahead and get this patched. And I don't even think it requires reboot links is a pretty, you know, restart the service. It's pretty straightforward, but definitely something you want to handle right away.

Tom Bowyer: You

Ryan Braunstein: Yeah.

Yeah, you could easily script something like that out. Yeah.

Tom Bowyer: Absolutely. Yeah, with an Automox Worklet you know, maybe.

Jason Kikta: Yeah.

Ryan Braunstein: Yeah.

Tom Bowyer: I just feel like this one is always, like when I see OpenSSH nowadays, I always think back to like IoT, OT environments where it's mostly 32 bit, right? So a lot of the memory protections aren't there because they're very slimmed down on compute. And a lot of times SSH is exposed because they need to do remote management. And it's just on the internet and there's not much security in place, security monitoring

Jason Kikta: Hmm.

Tom Bowyer: because it's just a very small device. And it's these environments where I feel like these type of attacks kind of are much more impactful just because of the restrictions and stuff that you have on IoT and OT, right? And even consumer devices, are you checking if this thing is opening up SSH port on your local network? I mean, a lot of us do in this space.

because we're a little bit more paranoid than most, but like is your mom and dad or your grandparents, are they really checking what ports are open or on their own network? Right. Exactly.

Jason Kikta: They don't even know what a port is.

Ryan Braunstein: Yeah, my parents call me for help on that. They don't know what they're doing there.

Jason Kikta: Look, here's the bright side. The bright side is as spicy as this July is, August will probably be even spicier because we'll be on that post-hacker summer camp hangover. And I'm going to go ahead and lay down a prediction that we might not see more CVEs pound for pound, but we'll probably see a whole lot of POCs. And that's usually when the exploitation ramps up.

Tom Bowyer: Yeah.

Jason Kikta: It's, you know, it'll be a spicy finish like it always is.

Tom Bowyer: Always, always. I just can't believe we're almost to August already.

Jason Kikta: Time flies when you're, you know, trying to keep the internet running.

Ryan Braunstein: Easy.

Tom Bowyer: Panicking about RCEs in your Xbox.

Jason Kikta: That's right. .TIFF files gone, gone wild.

Tom Bowyer: Can the attack surface get any worse?

Jason Kikta: Yeah, w -

Tom Bowyer: Well, is that any safer?

Ryan Braunstein: Maybe buy your kids a PlayStation.

At least I on the one I couldn't tell you.

Tom Bowyer: Yeah. Well, I think that's all we have for today. We appreciate everyone tuning in again and listen to us talk about this, Patch Tuesday and thanks for your continued support. There's other podcasts and videos and stuff on YouTube or your favorite podcast platform. Go ahead and check those out. We'd be, you know, we very much appreciate it. And yeah, happy July everybody. And thanks again for listening. Good luck.

Ryan Braunstein: Yeah.

Tom Bowyer: with your Patch Tuesday escapades.

Jason Kikta: Thanks.

Ryan Braunstein: Thank you.

Tom Bowyer: outro music

Ryan Braunstein: Hahaha!