
Tripwire’s December 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Citrix, Microsoft, Django, and Adobe.

Critical Vulnerabilities:
Up first on the patch priority list this month is a critical arbitrary code execution vulnerability for the Citrix ADC application. In particular, Citrix ADC and Citrix Gateway (formerly NetScaler) can be exploited by a remote attacker to achieve arbitrary code execution on the affected appliance. Full details of the vulnerability have not been released by Citrix but independent research from Tripwire VERT has identified that a path traversal attempt on NetScaler’s virtual IP address can be used to access vulnerable Perl scripts. These vulnerable Perl scripts expose a header-based path traversal vulnerability useful for creating and inserting content into files which can then be processed through the Perl template toolkit. VERT has confirmed that in some scenarios, an attacker can use this limited code execution to achieve arbitrary code execution on the target.

More information:
https://www.tripwire.com/state-of-security/vert/citrix-netscaler-adc-cve-2019-19781/
https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/

Exploit Alert: Metasploit Exploit Framework
Up next on the patch priority list this month are vulnerabilities that have recently been added to Metasploit. Two vulnerabilities, identified as CVE-2019-1405 and CVE-2019-1322, which affect the Microsoft UPnP Service and Microsoft Windows, have recently been added to Metasploit. Administrators should place the patches for these vulnerabilities on the very high priority list if they have not already been installed.

Exploit Alert: Canvas Exploit Framework
Next on the patch priority list this month are vulnerabilities that have recently been added to Canvas. Four vulnerabilities, identified as CVE-2019-1253, CVE-2019-0841, CVE-2019-0803, and CVE-2019-0623, which affect Microsoft Windows Win32k and the Windows AppX Deployment Server, have recently been added to Canvas. Administrators should place the patches for these vulnerabilities on the very high priority list if they have not already been installed.

Exploit Alert: Exploit-DB
Up next, system administrators should focus on a Django vulnerability that has recently been added to Exploit-DB. Specifically, CVE-2019-19844, which affects Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1, allows account takeover. Details describing how to exploit this vulnerability have been added to the Exploit-DB database.

Other Patch Priorities
Up next are patches for Microsoft Browser. December was a light month for Microsoft Browser, with a single CVE for VBScript that resolves a remote code execution vulnerability.

Next on the list are patches made available from Adobe via APSB19-55 for Acrobat and Reader. These patches resolve 21 vulnerabilities including fixes for privilege escalation, arbitrary code execution, and information disclosure.

Next on the list are patches for Microsoft Excel, Access, PowerPoint, and Word. These patches resolve 5 vulnerabilities including fixes for information disclosure, remote code execution, and denial of service vulnerabilities.

Up next are patches for Microsoft Windows. These patches address numerous vulnerabilities across Windows Kernel, GDI, Microsoft Graphics, Microsoft Defender, Hyper-V, Media Player, OLE, Printer Service, and Remote Desktop Protocol (RDP). These resolved vulnerabilities include elevation of privilege, information disclosure, security feature bypass, and remote code execution vulnerabilities.

Next this month are patches for Windows Git for Visual Studio and Visual Studio Live. These patches resolve 7 vulnerabilities including fixes for remote code execution, tampering, and spoofing vulnerabilities.

Lastly this month, administrators should focus on server-side patches available for Microsoft Skype for Business Server and SQL Server. These patches resolve 2 vulnerabilities including spoofing and cross-site scripting (XSS).

BULLETIN - CVE
Critical Vulnerabilities - CVE-2019-19781
Exploit Alert: Metasploit - CVE-2019-1405, CVE-2019-1322
Exploit Alert: Canvas - CVE-2019-1253, CVE-2019-0841, CVE-2019-0803, CVE-2019-0623
Exploit Alert: Exploit-DB - CVE-2019-19844
Microsoft Browser - CVE-2019-1485
Microsoft SQL Server - CVE-2019-1332
APSB19-55: Adobe Reader and Acrobat - CVE-2019-16449, CVE-2019-16456, CVE-2019-16457, CVE-2019-16458, CVE-2019-16461, CVE-2019-16465, CVE-2019-16450, CVE-2019-16454, CVE-2019-16445, CVE-2019-16448, CVE-2019-16452, CVE-2019-16459, CVE-2019-16464, CVE-2019-16451, CVE-2019-16462, CVE-2019-16446, CVE-2019-16455, CVE-2019-16460, CVE-2019-16463, CVE-2019-16444, CVE-2019-16453
Microsoft Office - CVE-2019-1463, CVE-2019-1400, CVE-2019-1464, CVE-2019-1462, CVE-2019-1461
Microsoft Windows - CVE-2019-1488, CVE-2019-1458, CVE-2019-1468, CVE-2019-1469, CVE-2019-1478, CVE-2019-1483, CVE-2019-1476, CVE-2019-1467, CVE-2019-1465, CVE-2019-1466, CVE-2019-1470, CVE-2019-1471, CVE-2019-1472, CVE-2019-1474, CVE-2019-1481, CVE-2019-1480, CVE-2019-1484, CVE-2019-1477, CVE-2019-1453, CVE-2019-1487
Developer Tools - CVE-2019-1352, CVE-2019-1354, CVE-2019-1350, CVE-2019-1387, CVE-2019-1349, CVE-2019-1351, CVE-2019-1486
Skype for Business Server - CVE-2019-1490

To learn more about Tripwire’s Vulnerability and Exposure Research Team (VERT), including its PPI, click here.

Or, for PPI and more, you can follow VERT on Twitter: @tripwirevert.
