Blog: Fortigate CVE-2023-27997 (XORtigate) in the eyes of the owl
October 2020 critical update for your Windows
Published on
Hello everyone,
Microsoft has published yesterday its security bulletin concerning its operating systems.
This one has in particular that two vulnerabilities are particularly critical:
- CVE-2020-16898, affecting the ICMPv6 protocol, enabled by default on all systems and rarely disabled
- CVE-2020-16952, affecting Sharepoint and published (a priori) outside this bulletin.
CVE-2020-16898 / ICMPv6 (named Bad Neighbor)
This is a buffer overflow vulnerability allowing to execute code remotely, without authentication (it's ICMP π ) on a target and to take control of it.
It is therefore particularly important to update, or at least block ICMPv6 on the local firewall or network firewalls. In cases I have tested, some firewalls with poor ICMPv6 support let these packets through, rendering them inoperable.
Microsoft's internal RedTeam has a working private PoC so I assume other teams also have working exploit code as the McAfee article is quite detailed and with the patch out, it has already been analyzed to understand its behavior.
Related articles:
- Microsoft's details: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
- Article explaining the vulnerability: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/
CVE-2020-16952 / SharePoint
This is a vulnerability affecting the SharePoint web agreement management software and allowing to take control of a server remotely but after authentication.
It is important to update because an exploit code has been published yesterday:
- Microsoft details: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
- Exploit: https://srcincite.io/pocs/cve-2020-16952.py.txt
- Article explaining the vulnerability: https://attackerkb.com/topics/4yGC4tLK2x/cve-2020-16952
It should be noted that many other vulnerabilities are also quite critical like :
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16918 allowing a remote code execution on the 3D Viewer (Base3D layer) in Microsoft 365
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16929 , https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16932 , https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16931 , https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16932 and https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16930 code executions and computer takeover, upon opening a specially formatted Excelspecial file (malicious π )
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16947 code executions in Outlook at previewing the content of an email, simply π±
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16954 code executions and computer takeover, at the opening of a specially formatted Office file(no further details)
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16891 escape of a virtual machine from Hyper-V allowing to take control of the hypervisor, from a virtual machine π₯π₯π₯ Good luck to all in managing your security patches and as usual, here is an example of a vulnerability management process:
Otherwise, more simply: you apply these updates everywhere in a hurry π.
