
  • © NSFOCUS 2020 Confidentiality: PUBLIC

    Microsoft's July 2020 Patches Fix 124 Security Vulnerabilities Threat Alert

    Overview

    Microsoft released July 2020 security updates on Tuesday that fix 124 vulnerabilities ranging from simple spoofing attacks to remote code execution in various products, including .NET Framework, Azure DevOps, Internet Explorer, Microsoft Edge, Microsoft Graphics Component, Microsoft JET Database Engine, Microsoft Malware Protection Engine, Microsoft Office, Microsoft Office SharePoint, Microsoft OneDrive, Microsoft Scripting Engine, Microsoft Windows, Open Source Software, Skype for Business, Visual Studio, Windows Hyper-V, Windows IIS, Windows Kernel, Windows Shell, Windows Subsystem for Linux, Windows Update Stack, and Windows WalletService.

    Description of Critical and Important Vulnerabilities

    This time, Microsoft fixes 16 critical vulnerabilities and 104 important vulnerabilities. Although the vulnerabilities disclosed this month have not been reported to be exploited, all users are advised to install updates without delay:

    Microsoft Windows DNS Server Remote Code Execution Vulnerability SigRed (CVE-2020-1350)

    The most severe vulnerability fixed this month is a wormable Windows DNS server vulnerability called SigRed (CVE-2020-1350).

    According to Microsoft, the CVSS base score of this vulnerability is 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

    An unauthenticated attacker could exploit the vulnerability by sending crafted request data packets to the affected server, thus causing the target system to execute arbitrary code.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

    Hyper-V RemoteFX vGPU Remote Code Execution Vulnerabilities (CVE-2020-1041, CVE-2020-1040, CVE-2020-1032, CVE-2020-1036, CVE-2020-1042, CVE-2020-1043)

    Remote code execution vulnerabilities exist when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit these vulnerabilities, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.

    The vendor has released no patch for the preceding vulnerabilities and explained why it planned to disable and remove RemoteFX instead of fixing the vulnerabilities as follows:

    In October 2019, Microsoft announced that it was stopping developing or adding features to Remote FX. For Windows 10 version 1809 and later, and Windows Server 2019, RemoteFX vGPU is no longer supported or actively developed. Since these newly identified vulnerabilities are architectural in nature, and the feature is already deprecated on newer versions of Windows, Microsoft has determined that disabling and removing RemoteFX is a better course of action.

    For more information, see Microsoft's security bulletins from the following links:

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1041

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1032

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1042

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1043

    Microsoft Word Remote Code Execution Vulnerabilities (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448)

    Remote code execution vulnerabilities exist in Microsoft Word software when it fails to properly handle objects in memory. To exploit these vulnerabilities, an attacker may rely on various ways to induce the user to open a specially crafted file with Microsoft Word software. An attacker who successfully exploited the vulnerabilities could perform actions in the context of the current user.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1446

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1447

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1448

    Microsoft Excel Remote Code Execution Vulnerability (CVE-2020-1240)

    A remote code execution vulnerability exists in Microsoft Excel software when it fails to properly handle objects in memory. To exploit the vulnerability, an attacker may rely on various ways to induce the user to open a specially crafted file with an affected version of Microsoft Excel. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1240

    Microsoft Outlook Remote Code Execution Vulnerability (CVE-2020-1349)

    A remote code execution vulnerability exists in Microsoft Outlook software. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the context of the current user. To exploit the vulnerability, an attacker may induce the user to open a specially crafted file with an affected version of Microsoft Outlook software.

    Note that the Preview Pane is an attack vector for this vulnerability.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1349

    Windows LNK Remote Code Execution Vulnerability (CVE-2020-1421)

    A remote code execution vulnerability exists in Microsoft Windows. The attacker could present to the user a removable drive, or remote share, which contains a malicious .LNK file and an associated malicious binary. When the user opens this drive (or remote share) in Windows Explorer, or any other application that parses the .LNK file, the malicious binary will execute arbitrary code on the target system.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1421

    Remote Desktop Client Remote Code Execution Vulnerability (CVE-2020-1374)

    A remote code execution vulnerability exists in the Windows Remote Desktop Client. An attacker who successfully exploited this vulnerability could execute arbitrary code on the client computer connected to a malicious server.

    To exploit this vulnerability, an attacker would have control of a malicious server and then trick the user into connecting to the server via various ways such as social engineering and DNS poisoning.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1374

    Microsoft Office Privilege Escalation Vulnerability (CVE-2020-1025)

    A privilege escalation vulnerability exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. An attacker who successfully exploited the vulnerability could bypass authentication and achieve improper access.

    To exploit this vulnerability, an attacker would need to modify the token.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1025

    .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability (CVE-2020-1147)

    A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147

    Vulnerabilities:

    | Product | CVE ID | CVE Title | Severity |
    | --- | --- | --- | --- |
    | .NET Framework | CVE-2020-1147 | .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability | Critical |
    | Microsoft Graphics Component | CVE-2020-1435 | GDI+ Remote Code Execution Vulnerability | Critical |
    | Microsoft Graphics Component | CVE-2020-1436 | Windows Font Library Remote Code Execution Vulnerability | Critical |
    | Microsoft Office | CVE-2020-1349 | Microsoft Outlook Remote Code Execution Vulnerability | Critical |
    | Microsoft Office | CVE-2020-1439 | PerformancePoint Services Remote Code Execution Vulnerability | Critical |
    | Microsoft Windows | CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability | Critical |
    | Microsoft Windows | CVE-2020-1421 | LNK Remote Code Execution Vulnerability | Critical |
    | Microsoft Windows | CVE-2020-1374 | Remote Desktop Client Remote Code Execution Vulnerability | Critical |
    | Microsoft Windows | CVE-2020-1410 | Windows Address Book Remote Code Execution Vulnerability | Critical |
    | Skype for Business | CVE-2020-1025 | Microsoft Office Privilege Escalation Vulnerability | Critical |
    | Windows Hyper-V | CVE-2020-1032 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
    | Windows Hyper-V | CVE-2020-1036 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
    | Windows Hyper-V | CVE-2020-1040 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
    | Windows Hyper-V | CVE-2020-1041 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
    | Windows Hyper-V | CVE-2020-1043 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
    | Windows Hyper-V | CVE-2020-1042 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Critical |
    | Azure DevOps | CVE-2020-1326 | Azure DevOps Server Cross-site Scripting Vulnerability | Important |
    | Microsoft Graphics Component | CVE-2020-1351 | Microsoft Graphics Component Information Disclosure Vulnerability | Important |
    | Microsoft Graphics Component | CVE-2020-1355 | Windows Font Driver Host Remote Code Execution Vulnerability | Important |
    | Microsoft Graphics Component | CVE-2020-1381 | Windows Graphics Component Privilege Escalation Vulnerability | Important |
    | Microsoft Graphics Component | CVE-2020-1382 | Windows Graphics Component Privilege Escalation Vulnerability | Important |
    | Microsoft Graphics Component | CVE-2020-1397 | Windows Imaging Component Information Disclosure Vulnerability | Important |
    | Microsoft Graphics Component | CVE-2020-1408 | Microsoft Graphics Remote Code Execution Vulnerability | Important |
    | Microsoft Graphics Component | CVE-2020-1409 | DirectWrite Remote Code Execution Vulnerability | Important |
    | Microsoft Graphics Component | CVE-2020-1412 | Microsoft Graphics Components Remote Code Execution Vulnerability | Important |
    | Microsoft Graphics Component | CVE-2020-1468 | Windows GDI Information Disclosure Vulnerability | Important |
    | Microsoft JET Database Engine | CVE-2020-1400 | Jet Database Engine Remote Code Execution Vulnerability | Important |
    | Microsoft JET Database Engine | CVE-2020-1401 | Jet Database Engine Remote Code Execution Vulnerability | Important |
    | Microsoft JET Database Engine | CVE-2020-1407 | Jet Database Engine Remote Code Execution Vulnerability | Important |
    | Microsoft Malware Protection Engine | CVE-2020-1461 | Microsoft Defender Privilege Escalation Vulnerability | Important |
    | Microsoft Office | CVE-2020-1442 | Office Web Apps XSS Vulnerability | Important |
    | Microsoft Office | CVE-2020-1445 | Microsoft Office Information Disclosure Vulnerability | Important |
    | Microsoft Office | CVE-2020-1446 | Microsoft Word Remote Code Execution Vulnerability | Important |
    | Microsoft Office | CVE-2020-1447 | Microsoft Word Remote Code Execution Vulnerability | Important |
    | Microsoft Office | CVE-2020-1448 | Microsoft Word Remote Code Execution Vulnerability | Important |
    | Microsoft Office | CVE-2020-1449 | Microsoft Project Remote Code Execution Vulnerability | Important |
    | Microsoft Office | CVE-2020-1458 | Microsoft Office Remote Code Execution Vulnerability | Important |
    | Microsoft Office | CVE-2020-1240 | Microsoft Excel Remote Code Execution Vulnerability | Important |
    | Microsoft Office SharePoint | CVE-2020-1342 | Microsoft Office Information Disclosure Vulnerability | Important |
    | Microsoft Office SharePoint | CVE-2020-1456 | Microsoft Office SharePoint XSS Vulnerability | Important |
    | Microsoft Office SharePoint | CVE-2020-1443 | Microsoft SharePoint Spoofing Vulnerability | Important |
    | Microsoft Office SharePoint | CVE-2020-1444 | Microsoft SharePoint Remote Code Execution Vulnerability | Important |
    | Microsoft Office SharePoint | CVE-2020-1450 | Microsoft Office SharePoint XSS Vulnerability | Important |
    | Microsoft Office SharePoint | CVE-2020-1451 | Microsoft Office SharePoint XSS Vulnerability | Important |
    | Microsoft Office SharePoint | CVE-2020-1454 | Microsoft SharePoint Reflective XSS Vulnerability | Important |
    | Microsoft OneDrive | CVE-2020-1465 | Microsoft OneDrive Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1418 | Windows Diagnostics Hub Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1420 | Windows Error Reporting Information Disclosure Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1422 | Windows Runtime Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1347 | Windows Storage Services Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1352 | Windows USO Core Worker Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1353 | Windows Runtime Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1354 | Windows UPnP Device Host Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1356 | Windows iSCSI Target Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1359 | Windows CNG Key Isolation Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1363 | Windows Picker Platform Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1365 | Windows Event Logging Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1366 | Windows Print Workflow Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1370 | Windows Runtime Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1371 | Windows Event Logging Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1372 | Windows Mobile Device Management Diagnostics Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1373 | Windows Network Connections Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1375 | Windows COM Server Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1384 | Windows CNG Key Isolation Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1385 | Windows Credential Picker Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1386 | Connected User Experiences and Telemetry Service Information Disclosure Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1387 | Windows Push Notification Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1390 | Windows Network Connections Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1391 | Windows Agent Activation Runtime Information Disclosure Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1393 | Windows Diagnostics Hub Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1394 | Windows Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1395 | Windows Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1398 | Windows Lockscreen Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1399 | Windows Runtime Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1402 | Windows ActiveX Installer Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1404 | Windows Runtime Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1405 | Windows Mobile Device Management Diagnostics Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1406 | Windows Network List Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1413 | Windows Runtime Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1427 | Windows Network Connections Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1428 | Windows Network Connections Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1429 | Windows Error Reporting Manager Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1430 | Windows UPnP Device Host Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1431 | Windows AppX Deployment Extensions Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1434 | Windows Sync Host Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1437 | Windows Network Location Awareness Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1438 | Windows Network Connections Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1463 | Windows SharedStream Library Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1249 | Windows Runtime Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1267 | Local Security Authority Subsystem Service Denial-of-Service Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1333 | Group Policy Services Policy Processing Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1085 | Windows Function Discovery Service Privilege Escalation Vulnerability | Important |
    | Microsoft Windows | CVE-2020-1330 | Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability | Important |
    | Open Source Software | CVE-2020-1469 | Bond Denial-of-Service Vulnerability | Important |
    | Visual Studio | CVE-2020-1416 | Visual Studio and Visual Studio Code Privilege Escalation Vulnerability | Important |
    | Visual Studio | CVE-2020-1481 | Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | Important |
    | Windows IIS | ADV200008 | Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers | Important |
    | Windows Kernel | CVE-2020-1336 | Windows Kernel Privilege Escalation Vulnerability | Important |
    | Windows Kernel | CVE-2020-1419 | Windows Kernel Information Disclosure Vulnerability | Important |
    | Windows Kernel | CVE-2020-1357 | Windows System Events Broker Privilege Escalation Vulnerability | Important |
    | Windows Kernel | CVE-2020-1358 | Windows Resource Policy Information Disclosure Vulnerability | Important |
    | Windows Kernel | CVE-2020-1367 | Windows Kernel Information Disclosure Vulnerability | Important |
    | Windows Kernel | CVE-2020-1388 | Windows Privilege Escalation Vulnerability | Important |
    | Windows Kernel | CVE-2020-1389 | Windows Kernel Information Disclosure Vulnerability | Important |
    | Windows Kernel | CVE-2020-1396 | Windows ALPC Privilege Escalation Vulnerability | Important |
    | Windows Kernel | CVE-2020-1411 | Windows Kernel Privilege Escalation Vulnerability | Important |
    | Windows Kernel | CVE-2020-1426 | Windows Kernel Information Disclosure Vulnerability | Important |
    | Windows Shell | CVE-2020-1360 | Windows Profile Service Privilege Escalation Vulnerability | Important |
    | Windows Shell | CVE-2020-1368 | Windows Credential Enrollment Manager Service Privilege Escalation Vulnerability | Important |
    | Windows Shell | CVE-2020-1414 | Windows Runtime Privilege Escalation Vulnerability | Important |
    | Windows Shell | CVE-2020-1415 | Windows Runtime Privilege Escalation Vulnerability | Important |
    | Windows Subsystem for Linux | CVE-2020-1423 | Windows Subsystem for Linux Privilege Escalation Vulnerability | Important |
    | Windows Update Stack | CVE-2020-1424 | Windows Update Stack Privilege Escalation Vulnerability | Important |
    | Windows Update Stack | CVE-2020-1346 | Windows Modules Installer Privilege Escalation Vulnerability | Important |
    | Windows Update Stack | CVE-2020-1392 | Windows Privilege Escalation Vulnerability | Important |
    | Windows WalletService | CVE-2020-1344 | Windows WalletService Privilege Escalation Vulnerability | Important |
    | Windows WalletService | CVE-2020-1361 | Windows WalletService Information Disclosure Vulnerability | Important |
    | Windows WalletService | CVE-2020-1362 | Windows WalletService Privilege Escalation Vulnerability | Important |
    | Windows WalletService | CVE-2020-1364 | Windows WalletService Denial-of-Service Vulnerability | Important |
    | Windows WalletService | CVE-2020-1369 | Windows WalletService Privilege Escalation Vulnerability | Important |
    | Internet Explorer | CVE-2020-1432 | Skype for Business via Internet Explorer Information Disclosure Vulnerability | Low |
    | Microsoft Edge | CVE-2020-1433 | Microsoft Edge PDF Information Disclosure Vulnerability | Low |
    | Microsoft Edge | CVE-2020-1462 | Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability | Low |
    | Microsoft Scripting Engine | CVE-2020-1403 | VBScript Remote Code Execution Vulnerability | Moderate |

    Recommended Mitigation Measures

    Microsoft has released security updates to fix these issues. Please download and install them as soon as possible.

    Appendix

    ADV200008 - Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers

    CVE ID: ADV200008

    MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=ADV200008

    CVE Title: Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers

    Maximum Severity Rating: Important

    Vulnerability Impact: Tampering

    Description:

    Executive Summary

    Microsoft is aware of a tampering vulnerability in the way that HTTP proxies (front-end) and web servers (back-end) that do not strictly adhere to RFC standards handle sequences of HTTP requests received from multiple sources. An attacker who successfully exploited the vulnerability could combine multiple requests into the body of a single request to a web server, allowing them to modify responses or retrieve information from another user's HTTP session.

    To exploit the vulnerability against an IIS Server hosting a website, an unauthenticated attacker could send a specially crafted request to a targeted IIS Server serviced by a front-end load balancer or proxy that does not strictly adhere to RFC standards.

    Recommended Actions

    Microsoft recommends that administrators review front-end environmental configurations, and if necessary, enable the request smuggling filter. Testing is required to determine that front-end load balancers and proxies do not forward malformed requests; these requests will be rejected when the filter is enabled, and may disrupt communications.

    https://web.nvd.nist.gov/view/vuln/detail?vulnId=ADV200008
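
The advisory asks administrators to test that front-end load balancers and proxies do not forward malformed requests. The sketch below is an added example, not code from NSFOCUS or Microsoft: it applies generic RFC 7230 message-framing rules to a raw HTTP/1.1 request and lists the reasons a strict parser would refuse it. The rule set, the finding codes, the function names and the sample requests are assumptions made for illustration and are not the documented behaviour of the IIS filter.

```python
import re

# RFC 7230 "token": the only characters allowed in a header field name.
FIELD_NAME = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
DIGITS = re.compile(rb"[0-9]+")


def framing_findings(raw: bytes) -> list:
    """Return codes for every framing problem found in one raw HTTP/1.1 request.

    An empty list means the header section frames the body unambiguously.
    """
    head, end, _body = raw.partition(b"\r\n\r\n")
    if not end:
        return ["no-header-end"]
    findings = []
    # After removing well-formed CRLF pairs, any CR or LF left over is "bare".
    leftover = head.replace(b"\r\n", b"")
    if b"\r" in leftover or b"\n" in leftover:
        findings.append("bare-cr-or-lf")

    lengths, codings, saw_length = set(), [], False
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        if line[:1] in (b" ", b"\t"):
            findings.append("obs-fold")  # continuation line, RFC 7230 3.2.4
            continue
        name, colon, value = line.partition(b":")
        if not colon or not FIELD_NAME.fullmatch(name):
            # Also catches "Content-Length : 5" (whitespace before the colon).
            findings.append("bad-field-name")
            continue
        key = name.lower()
        if key == b"content-length":
            saw_length = True
            for item in value.split(b","):
                item = item.strip(b" \t")
                if DIGITS.fullmatch(item):
                    lengths.add(int(item))
                else:
                    findings.append("invalid-content-length")
        elif key == b"transfer-encoding":
            codings += [c.strip(b" \t").lower() for c in value.split(b",")]

    # RFC 7230 3.3.3: differing lengths are an unrecoverable framing error.
    if len(lengths) > 1:
        findings.append("conflicting-content-length")
    if codings:
        # Two framing mechanisms at once: front end and back end may disagree.
        if saw_length:
            findings.append("content-length-with-transfer-encoding")
        # In a request, chunked must be the final transfer coding.
        if codings[-1] != b"chunked":
            findings.append("chunked-not-final-coding")
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order


# Constructed sample requests (not captured traffic); app.example is a placeholder.
_POST = b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
SAMPLES = {
    "clean-get": b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "clean-post": _POST + b"Content-Length: 5\r\n\r\nhello",
    "both-framings": _POST
    + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "two-lengths": _POST + b"Content-Length: 5\r\nContent-Length: 9\r\n\r\nhello",
    "space-before-colon": _POST + b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "bare-lf": b"POST /form HTTP/1.1\r\nHost: app.example\n"
    b"Content-Length: 5\r\n\r\nhello",
}


def audit(samples: dict) -> dict:
    """Map each sample name to its list of findings."""
    return {name: framing_findings(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        verdict = "forward" if not result else "reject: " + ", ".join(result)
        print(f"{name:20s} {verdict}")
```

Run against requests recorded at the front end's egress in a test environment, a non-empty result marks traffic that a strict back end is likely to refuse.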

    Enable the request smuggling filter on your web server by using the Registry Editor

    Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    1. Click Start, click Run, type Regedit in the Open box, and then click OK.

    2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

    3. Set DWORD type value DisableRequestSmuggling to one of the following:

    o Set to 0 to disable the filter

    o Set to 1 to enable the filter

    4. Exit Registry Editor.

    5. Restart the computer.

    FAQ: None

    Mitigations: None

    Workarounds: None

    Revision: 1.0 07/14/2020 07:00:00 Information published.

    Affected Software

    The following tables list the affected software details for the vulnerability.

    ADV200008

    | Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
    | --- | --- | --- | --- | --- | --- | --- |
    | Windows 10 Version 2004 for 32-bit Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server, version 2004 (Server Core installation) | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1803 for 32-bit Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1803 for x64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1803 for ARM64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1809 for 32-bit Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1809 for x64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1809 for ARM64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2019 | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2019 (Server Core installation) | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1709 for 32-bit Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1709 for x64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1709 for ARM64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1903 for 32-bit Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1903 for x64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1903 for ARM64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server, version 1903 (Server Core installation) | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 for 32-bit Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 for x64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1607 for 32-bit Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 10 Version 1607 for x64-based Systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2016 | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2016 (Server Core installation) | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 7 for 32-bit Systems Service Pack 1 | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 7 for x64-based Systems Service Pack 1 | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 8.1 for 32-bit systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows 8.1 for x64-based systems | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows RT 8.1 | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2008 R2 for x64-based Systems Service Pack 1 | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2012 | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2012 (Server Core installation) | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2012 R2 | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |
    | Windows Server 2012 R2 (Server Core installation) | | Important | Tampering | | Base: N/A; Temporal: N/A; Vector: N/A | |

    Windows 10 Version 1909 for 32-bit Systems

    Important Tampering

    Base: N/A

    Temporal:

    N/A

    Vector: N/A

  • © NSFOCUS 2020 Confidentiality: PUBLIC

    ADV200008

    Windows 10 Version 1909 for x64-based Systems

    Important Tampering

    Base: N/A

    Temporal:

    N/A

    Vector: N/A

    Windows 10 Version 1909 for ARM64-based Systems

    Important Tampering

    Base: N/A

    Temporal:

    N/A

    Vector: N/A

    Windows Server, version 1909 (Server Core installation)

    Important Tampering

    Base: N/A

    Temporal:

    N/A

    Vector: N/A

    Windows 10 Version 2004 for ARM64-based Systems

    Important Tampering

    Base: N/A

    Temporal:

    N/A

    Vector: N/A

    Windows 10 Version 2004 for x64-based Systems

    Important Tampering

    Base: N/A

    Temporal:

    N/A

    Vector: N/A

    CVE-2020-1025 - Microsoft Office Privilege Escalation Vulnerability

    CVE ID: CVE-2020-1025
    MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1025
    NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1025
    Maximum Severity Rating: Critical
    Vulnerability Impact: Privilege Escalation

    CVE Title: Microsoft Office Privilege Escalation Vulnerability

    Description:

    A privilege escalation vulnerability exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. An attacker who successfully exploited the vulnerability could bypass authentication and achieve improper access.

    To exploit this vulnerability, an attacker would need to modify the token.

    The update addresses the vulnerability by modifying how Microsoft SharePoint Server and Skype for Business Server validate tokens.

    FAQ: None

    Mitigations: None

    Workarounds: None

    Revision: 1.0 07/14/2020 07:00:00 Information published.

    Affected Software

    The following tables list the affected software details for the vulnerability.

    CVE-2020-1025

    Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required
    Skype for Business Server 2019 CU2 | 4571332 Security Update | Critical | Privilege Escalation | | Base: N/A; Temporal: N/A; Vector: N/A | Maybe
    Skype for Business Server 2015 CU 8 | 4571333 Security Update | Critical | Privilege Escalation | | Base: N/A; Temporal: N/A; Vector: N/A | Maybe
    Microsoft Lync Server 2013 | 4571334 Security Update | Critical | Privilege Escalation | | Base: N/A; Temporal: N/A; Vector: N/A | Maybe
    Microsoft SharePoint Enterprise Server 2016 | 4484436 Security Update | Critical | Privilege Escalation | 4484402 | Base: N/A; Temporal: N/A; Vector: N/A | Maybe
    Microsoft SharePoint Server 2019 | 4484453 Security Update | Critical | Privilege Escalation | 4484400 | Base: N/A; Temporal: N/A; Vector: N/A | Maybe
    Microsoft SharePoint Foundation 2013 Service Pack 1 | 4484448 Security Update | Critical | Privilege Escalation | 4484409 | Base: N/A; Temporal: N/A; Vector: N/A | Maybe

    https://www.microsoft.com/downloads/details.aspx?familyid=dac7c777-fe8a-45a2-9a82-07a2e15c298f
    https://www.microsoft.com/downloads/details.aspx?familyid=0d08ed37-106a-456f-a5c6-61df22588bec
    https://www.microsoft.com/downloads/details.aspx?familyid=f232400f-0b93-444c-804d-a8b87bdad0ee

    https://www.microsoft.com/downloads/details.aspx?familyid=f19e809b-213a-4915-a441-00c66ef9678a
    https://www.microsoft.com/downloads/details.aspx?familyid=87b05d3b-6b80-4372-abba-e4610744ba4c

    CVE-2020-1032 - Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    CVE ID: CVE-2020-1032
    MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1032
    NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1032
    Maximum Severity Rating: Critical
    Vulnerability Impact: Remote Code Execution

    CVE Title: Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    Description:

    A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.

    An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

    There is no patch to fix this vulnerability, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.

    The software listed in the Security Updates table indicates those operating systems for which RemoteFX vGPU is currently available. RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.

    FAQ:

    How do I know if I'm using RemoteFX?

    Please review the information here (https://go.microsoft.com/fwlink/?linkid=2131976) to determine if you are using RemoteFX.

    How can I protect my server from this vulnerability?

    If you are running Windows Server 2016 or Windows Server 2019, we recommend you use Discrete Device Assignment (DDA) as opposed to RemoteFX vGPU to enable graphics virtualization. If you are running Windows Server 2012 R2 or older, we recommend not using RemoteFX vGPU. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    What steps should I take if RemoteFX is required in my environment?

    Customers who require RemoteFX in their environment can review the information here (https://go.microsoft.com/fwlink/?linkid=2131976).

    Where can I find more information about the deprecation of RemoteFX?

    1. Features removed or planned for replacement starting Windows Server 2019 (https://docs.microsoft.com/en-us/windows-server/get-started-19/removed-features-19#features-we-removed-in-this-release)

    2. Features removed or planned for replacement starting with Windows Server, version 1803 (https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-1803-removed-features)

    Why is Microsoft planning to disable and remove RemoteFX instead of fixing the vulnerability?

    In October 2019, Microsoft announced that we were stopping development of RemoteFX and building new functionality. For Windows 10 version 1809 and higher, and Windows Server 2019, RemoteFX vGPU is no longer supported or actively developed. Since these newly identified vulnerabilities are architectural in nature, and the feature is already deprecated on newer versions of Windows, Microsoft has determined that disabling and removing RemoteFX is a better course of action. Microsoft has developed a different platform that is inherently much more secure. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    Mitigations: None

    Workarounds: None

    Revision: 1.0 07/14/2020 07:00:00 Information published.

    Affected Software

    The following tables list the affected software details for the vulnerability.

    CVE-2020-1032

    Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required
    Windows Server 2016 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2016 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 R2 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 R2 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |

    CVE-2020-1036 - Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    CVE ID: CVE-2020-1036
    MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1036
    NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1036
    Maximum Severity Rating: Critical
    Vulnerability Impact: Remote Code Execution

    CVE Title: Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    Description:

    A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.

    An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

    There is no patch to fix this vulnerability, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.

    The software listed in the Security Updates table indicates those operating systems for which RemoteFX vGPU is currently available. RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.

    FAQ:

    How do I know if I'm using RemoteFX?

    Please review the information here (https://go.microsoft.com/fwlink/?linkid=2131976) to determine if you are using RemoteFX.

    How can I protect my server from this vulnerability?

    If you are running Windows Server 2016 or Windows Server 2019, we recommend you use Discrete Device Assignment (DDA) as opposed to RemoteFX vGPU to enable graphics virtualization. If you are running Windows Server 2012 R2 or older, we recommend not using RemoteFX vGPU. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    What steps should I take if RemoteFX is required in my environment?

    Customers who require RemoteFX in their environment can review the information here (https://go.microsoft.com/fwlink/?linkid=2131976).

    Where can I find more information about the deprecation of RemoteFX?

    1. Features removed or planned for replacement starting Windows Server 2019 (https://docs.microsoft.com/en-us/windows-server/get-started-19/removed-features-19#features-we-removed-in-this-release)

    2. Features removed or planned for replacement starting with Windows Server, version 1803 (https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-1803-removed-features)

    Why is Microsoft planning to disable and remove RemoteFX instead of fixing the vulnerability?

    In October 2019, Microsoft announced that we were stopping development of RemoteFX and building new functionality. For Windows 10 version 1809 and higher, and Windows Server 2019, RemoteFX vGPU is no longer supported or actively developed. Since these newly identified vulnerabilities are architectural in nature, and the feature is already deprecated on newer versions of Windows, Microsoft has determined that disabling and removing RemoteFX is a better course of action. Microsoft has developed a different platform that is inherently much more secure. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    Mitigations: None

    Workarounds: None

    Revision: 1.0 07/14/2020 07:00:00 Information published.

    Affected Software

    The following tables list the affected software details for the vulnerability.

    CVE-2020-1036

    Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required
    Windows Server 2016 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2016 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 R2 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 R2 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |

    CVE-2020-1040 - Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    CVE ID: CVE-2020-1040
    MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1040
    NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1040
    Maximum Severity Rating: Critical
    Vulnerability Impact: Remote Code Execution

    CVE Title: Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    Description:

    A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.

    An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

    There is no patch to fix this vulnerability, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.

    The software listed in the Security Updates table indicates those operating systems for which RemoteFX vGPU is currently available. RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.

    FAQ:

    How do I know if I'm using RemoteFX?

    Please review the information here (https://go.microsoft.com/fwlink/?linkid=2131976) to determine if you are using RemoteFX.

    How can I protect my server from this vulnerability?

    If you are running Windows Server 2016 or Windows Server 2019, we recommend you use Discrete Device Assignment (DDA) as opposed to RemoteFX vGPU to enable graphics virtualization. If you are running Windows Server 2012 R2 or older, we recommend not using RemoteFX vGPU. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    What steps should I take if RemoteFX is required in my environment?

    Customers who require RemoteFX in their environment can review the information here (https://go.microsoft.com/fwlink/?linkid=2131976).

    Where can I find more information about the deprecation of RemoteFX?

    1. Features removed or planned for replacement starting Windows Server 2019 (https://docs.microsoft.com/en-us/windows-server/get-started-19/removed-features-19#features-we-removed-in-this-release)

    2. Features removed or planned for replacement starting with Windows Server, version 1803 (https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-1803-removed-features)

    Why is Microsoft planning to disable and remove RemoteFX instead of fixing the vulnerability?

    In October 2019, Microsoft announced that we were stopping development of RemoteFX and building new functionality. For Windows 10 version 1809 and higher, and Windows Server 2019, RemoteFX vGPU is no longer supported or actively developed. Since these newly identified vulnerabilities are architectural in nature, and the feature is already deprecated on newer versions of Windows, Microsoft has determined that disabling and removing RemoteFX is a better course of action. Microsoft has developed a different platform that is inherently much more secure. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    Mitigations: None

    Workarounds: None

    Revision: 1.0 07/14/2020 07:00:00 Information published.

    Affected Software

    The following tables list the affected software details for the vulnerability.

    CVE-2020-1040

    Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required
    Windows Server 2016 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2016 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 R2 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 R2 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |

    CVE-2020-1041 - Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    CVE ID: CVE-2020-1041
    MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1041
    NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1041
    Maximum Severity Rating: Critical
    Vulnerability Impact: Remote Code Execution

    CVE Title: Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    Description:

    A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.

    An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

    There is no patch to fix this vulnerability, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.

    The software listed in the Security Updates table indicates those operating systems for which RemoteFX vGPU is currently available. RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.

    FAQ:

    How do I know if I'm using RemoteFX?

    Please review the information here (https://go.microsoft.com/fwlink/?linkid=2131976) to determine if you are using RemoteFX.

    How can I protect my server from this vulnerability?

    If you are running Windows Server 2016 or Windows Server 2019, we recommend you use Discrete Device Assignment (DDA) as opposed to RemoteFX vGPU to enable graphics virtualization. If you are running Windows Server 2012 R2 or older, we recommend not using RemoteFX vGPU. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    What steps should I take if RemoteFX is required in my environment?

    Customers who require RemoteFX in their environment can review the information here (https://go.microsoft.com/fwlink/?linkid=2131976).

    Where can I find more information about the deprecation of RemoteFX?

    1. Features removed or planned for replacement starting Windows Server 2019 (https://docs.microsoft.com/en-us/windows-server/get-started-19/removed-features-19#features-we-removed-in-this-release)

    2. Features removed or planned for replacement starting with Windows Server, version 1803 (https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-1803-removed-features)

    Why is Microsoft planning to disable and remove RemoteFX instead of fixing the vulnerability?

    In October 2019, Microsoft announced that we were stopping development of RemoteFX and building new functionality. For Windows 10 version 1809 and higher, and Windows Server 2019, RemoteFX vGPU is no longer supported or actively developed. Since these newly identified vulnerabilities are architectural in nature, and the feature is already deprecated on newer versions of Windows, Microsoft has determined that disabling and removing RemoteFX is a better course of action. Microsoft has developed a different platform that is inherently much more secure. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    Mitigations: None

    Workarounds: None

    Revision: 1.0 07/14/2020 07:00:00 Information published.

    Affected Software

    The following tables list the affected software details for the vulnerability.

    CVE-2020-1041

    Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required
    Windows Server 2016 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2016 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 R2 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |
    Windows Server 2012 R2 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C |

    CVE-2020-1042 - Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    CVE ID: CVE-2020-1042

    MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1042

    NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1042

    CVE Title: Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    Maximum Severity Rating: Critical

    Vulnerability Impact: Remote Code Execution

    Description:

    A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.

    An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

    There is no patch to fix this vulnerability, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.

    The software listed in the Security Updates table indicates those operating systems for which RemoteFX vGPU is currently available. RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.

    FAQ:

    How do I know if I'm using RemoteFX?

    Please review the information here (https://go.microsoft.com/fwlink/?linkid=2131976) to determine if you are using RemoteFX.

    How can I protect my server from this vulnerability?

    If you are running Windows Server 2016 or Windows Server 2019, we recommend you use Discrete Device Assignment (DDA) as opposed to RemoteFX vGPU to enable graphics virtualization. If you are running Windows Server 2012 R2 or older, we recommend not using RemoteFX vGPU. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    What steps should I take if RemoteFX is required in my environment?

    Customers who require RemoteFX in their environment can review the information here (https://go.microsoft.com/fwlink/?linkid=2131976).

    Where can I find more information about the deprecation of RemoteFX?

    1. Features removed or planned for replacement starting Windows Server 2019 (https://docs.microsoft.com/en-us/windows-server/get-started-19/removed-features-19#features-we-removed-in-this-release)

    2. Features removed or planned for replacement starting with Windows Server, version 1803 (https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-1803-removed-features)

    Why is Microsoft planning to disable and remove RemoteFX instead of fixing the vulnerability?

    In October 2019, Microsoft announced that we were stopping development of RemoteFX and building new functionality. For Windows 10 version 1809 and higher, and Windows Server 2019, RemoteFX vGPU is no longer supported or actively developed. Since these newly identified vulnerabilities are architectural in nature, and the feature is already deprecated on newer versions of Windows, Microsoft has determined that disabling and removing RemoteFX is a better course of action. Microsoft has developed a different platform that is inherently much more secure. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    Mitigations:

    None

    Workarounds:

    None

    Revision:

    1.0 07/14/2020 07:00:00

    Information published.

    Affected Software

    The following tables list the affected software details for the vulnerability.

    CVE-2020-1042

    | Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
    | --- | --- | --- | --- | --- | --- | --- |
    | Windows Server 2016 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2016 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2008 R2 for x64-based Systems Service Pack 1 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2012 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2012 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2012 R2 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2012 R2 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |

    CVE-2020-1043 - Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    CVE ID: CVE-2020-1043

    MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1043

    NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1043

    CVE Title: Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability

    Maximum Severity Rating: Critical

    Vulnerability Impact: Remote Code Execution

    Description:

    A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.

    An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.

    There is no patch to fix this vulnerability, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.

    The software listed in the Security Updates table indicates those operating systems for which RemoteFX vGPU is currently available. RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.

    FAQ:

    How do I know if I'm using RemoteFX?

    Please review the information here (https://go.microsoft.com/fwlink/?linkid=2131976) to determine if you are using RemoteFX.

    How can I protect my server from this vulnerability?

    If you are running Windows Server 2016 or Windows Server 2019, we recommend you use Discrete Device Assignment (DDA) as opposed to RemoteFX vGPU to enable graphics virtualization. If you are running Windows Server 2012 R2 or older, we recommend not using RemoteFX vGPU. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    What steps should I take if RemoteFX is required in my environment?

    Customers who require RemoteFX in their environment can review the information here (https://go.microsoft.com/fwlink/?linkid=2131976).

    Where can I find more information about the deprecation of RemoteFX?

    1. Features removed or planned for replacement starting Windows Server 2019 (https://docs.microsoft.com/en-us/windows-server/get-started-19/removed-features-19#features-we-removed-in-this-release)

    2. Features removed or planned for replacement starting with Windows Server, version 1803 (https://docs.microsoft.com/en-us/windows-server/get-started/windows-server-1803-removed-features)

    Why is Microsoft planning to disable and remove RemoteFX instead of fixing the vulnerability?

    In October 2019, Microsoft announced that we were stopping development of RemoteFX and building new functionality. For Windows 10 version 1809 and higher, and Windows Server 2019, RemoteFX vGPU is no longer supported or actively developed. Since these newly identified vulnerabilities are architectural in nature, and the feature is already deprecated on newer versions of Windows, Microsoft has determined that disabling and removing RemoteFX is a better course of action. Microsoft has developed a different platform that is inherently much more secure. Please see Plan for GPU acceleration in Windows Server (https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-for-gpu-acceleration-in-windows-server#remotefx-vgpu) for more information.

    Mitigations:

    None

    Workarounds:

    None

    Revision:

    1.0 07/14/2020 07:00:00

    Information published.

    Affected Software

    The following tables list the affected software details for the vulnerability.

    CVE-2020-1043

    | Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
    | --- | --- | --- | --- | --- | --- | --- |
    | Windows Server 2016 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2016 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2008 R2 for x64-based Systems Service Pack 1 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2012 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2012 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2012 R2 | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |
    | Windows Server 2012 R2 (Server Core installation) | | Critical | Remote Code Execution | | Base: 8; Temporal: 7.6; Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C | |

    CVE-2020-1085 - Windows Function Discovery Service Privilege Escalation Vulnerability

    CVE ID: CVE-2020-1085

    MITRE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1085

    NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1085

    CVE Title: Windows Function Discovery Service Privilege Escalation Vulnerability

    Maximum Severity Rating: Important

    Vulnerability Impact: Privilege Escalation

    Description:

    A privilege escalation vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

    To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

    The security update addresses the vulnerability by ensuring the Windows Function Discovery Service properly handles objects in memory.

    FAQ:

    None

    Mitigations:

    None

    Workarounds:

    None

    Revision:

    1.0 07/14/2020 07:00:00

    Information published.

    Affected Software

    The following tables list the affected software details for the vulnerability.

    CVE-2020-1085

    | Product | KB Article | Severity | Impact | Supersedence | CVSS Score Set | Restart Required |
    | --- | --- | --- | --- | --- | --- | --- |
    | Windows 10 Version 2004 for ARM64-based Systems | 4565503 Security Update | Important | Privilege Escalation | 4557957 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes |
    | Windows 10 Version 2004 for x64-based Systems | 4565503 Security Update | Important | Privilege Escalation | 4557957 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes |
    | Windows Server, version 2004 (Server Core installation) | 4565503 Security Update | Important | Privilege Escalation | 4557957 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes |
    | Windows 10 Version 1803 for 32-bit Systems | 4565489 Security Update | Important | Privilege Escalation | 4561621 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes |
    | Windows 10 Version 1803 for x64-based Systems | 4565489 Security Update | Important | Privilege Escalation | 4561621 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes |
    | Windows 10 Version 1803 for ARM64-based Systems | 4565489 Security Update | Important | Privilege Escalation | 4561621 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Yes |
    | Windows 10 Version 1809 for 32-bit Systems | 4558998 Security Update | Important | Privilege Escalation | 4561608 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Unknown |
    | Windows 10 Version 1809 for x64-based Systems | 4558998 Security Update | Important | Privilege Escalation | 4561608 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Unknown |
    | Windows 10 Version 1809 for ARM64-based Systems | 4558998 Security Update | Important | Privilege Escalation | 4561608 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Unknown |
    | Windows Server 2019 | 4558998 Security Update | Important | Privilege Escalation | 4561608 | Base: 7.8; Temporal: 7; Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C | Unknown |

    Windows

    Server 2019

    (Server Core

    installation)

    4558998

    Security