The second Tuesday of each month is best known among security professionals as Patch Tuesday, the day Microsoft Corp. releases patches for security vulnerabilities across its products. This time it’s a party, as SAP SE, Adobe Systems Inc. and Google LLC all addressed security issues today as well.

Microsoft led the pack with 124 patches addressing security vulnerabilities, including a patch for a critical vulnerability in Windows Server builds. Dubbed “SigRed,” the vulnerability, believed to have existed in the system’s code for 17 years received a CVSS severity score of 10, the highest possible score. Residing in Windows DNS and described as wormable, the vulnerability can be exploited to allow an attacker to take control of an entire network.

“A wormable vulnerability like this is an attacker’s dream,” Chris Hass, former U.S. National Security Agency security analyst and current director of information security and research at patch management company Automox Inc., told SiliconANGLE. “An unauthenticated hacker could send specially crafted packets to the vulnerable Windows DNS Server to exploit the machine, allowing for arbitrary code to be run in the context of the Local System account.”

As a result, he explained, “not only will the attacker have full control of the system but they will also be able to leverage the server as a distribution point, allowing the attacker to spread malware between systems without any user interaction. This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as Wannacry and NotPetya.”

To make matters worse, Hass added, Microsoft has deemed the exploitation of this vulnerability as “more likely,” so he thinks it could happen in the wild soon. “The only good news is that this is not a vulnerability in the DNS protocol but limited to Microsoft’s DNS server implementation of it,” he said. “However, this implementation is widespread, especially in larger organizations.”

SAP

SAP released a patch for the vulnerability known as RECON, short for Remotely Exploitable Code on NetWeaver. Like the Microsoft SigRed vulnerability, it also has a CVSS score of 10. The vulnerability gives an unauthenticated attacker full access to a targeted SAP system, including the ability to modify records, steal data, corrupt data, delete or modify logs and more.

The RECON vulnerability affects a default component present in every SAP applications running the SAP NetWeaver technology stack, including SCM, CRM, PI, Enterprise Portal and Solution Manager. According to security firm Onapsis Inc., 40,000 SAP customers worldwide may be affected.

“Java-based web applications are among the most common on the internet today and remain the most vulnerable to high-risk vulnerabilities like remote code execution, SQL injection, cross-site scripting and other vulnerabilities in the OWASP Top 10,” said Jayant Shukla, chief technology officer and co-founder of web application security firm K2 Cyber Security Inc. “The SAP NetWeaver AS JAVA vulnerability is particularly concerning since SAP is used in the framework of many organization’s applications guarding their most precious data assets.”

He added that the vulnerability points to the need already pointed out by National Institute of Standards and Technologies for Runtime Application Self-Protection, also known as runtime application security, to help protect web applications. “Web Application Firewalls and other perimeter defenses have been failing to defend against exploitation of such zero-day vulnerabilities in production,” he noted.

Adobe

Adobe issued patches for 13 vulnerabilities, four critical, across Download Manager, ColdFusion, Genuine Service, Media Encoder and the Creative Cloud Desktop Application. Vulnerabilities in ColdFusion, Genuine Service and Creative Cloud Desktop allow attackers to leverage privilege escalation to gain access to targeted systems and execute arbitrary code.

“Arbitrary code execution allows attackers to execute commands or code on a device or within a process,” eplained Justin Knapp, product marketing manager at Automox. “On its own, ACE exploits are limited in scope to the privilege of the affected process. But when combined with privilege escalation vulnerabilities, it can allow an attacker to quickly escalate a process’ privileges and execute code on the target system, giving the attacker full control over the device.”

Google

Finally, Google has released Chrome 84, an updated version of its popular web browser that addresses 38 security vulnerabilities. The most serious of the vulnerabilities, called CVE-2020-6510, is rated critical and is described as a buffer overflow vulnerability tied to Chrome’s background fetch function.

In all those cases, users and security operations teams are encouraged to run patches if they can. Chrome users should receive the updated version of the browser shortly.

Image: Linux Screenshots/Flickr