Microsoft Security Advisory Notification (Dec. 3, & 10, 2019)

[German]Another postscript from the last days. In December 2019, Microsoft published several security alerts on various vulnerabilities.


Advertising

Security Advisory Released on December 3, 2019

Microsoft Security Advisory ADV190026: Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business

– Reason for Revision: Information published.
– Originally posted: December 3, 2019
– Updated: N/A
– Version: 1.0

Microsoft is aware of a problem in Windows Hello for Business (WHfB) with public keys. This occurs after a device is removed from the Active Directory. After a user has set up Windows Hello for Business (WHfB), the public key WHfB is written to the local Active Directory. The WHfB keys are bound to a user and a device that has been added to Azure AD.

If the device is removed, the corresponding WHfB key is considered orphaned. However, these orphaned keys are not deleted even if the device on which they were created no longer exists. Any authentication to Azure AD with such an orphaned WHfB key will be rejected.

However, some of these orphaned keys may cause the following security issues in Active Directory 2016 or 2019, either in hybrid or local environments.


Advertising

An authenticated attacker could obtain orphaned keys created on TPMs affected by CVE-2017-15361 (ROCA), as described in Microsoft Security Advisory ADV170012, to calculate their private WHfB key from orphaned public keys. The attacker could then impersonate the user using the stolen private key to authenticate as a user within the domain using Public Key Cryptography for Initial Authentication (PKINIT).

This attack is also possible if firmware and software updates have been applied to TPMs affected by CVE-2017-15361 because the corresponding public keys may still be present in the Active Directory. The Microsoft Advisor provides instructions for cleaning orphaned public keys that were generated with an unpatched TPM (before firmware updates described in ADV170012 were applied).

Microsoft Security Update Releases December 10, 2019

As of December 10, 2019, Microsoft has issued another security advisory regarding the following revised CVEs:

* CVE-2018-0859
* CVE-2019-0838
* CVE-2019-0860

Revision Information:

CVE-2018-0859 | Scripting Engine Memory Corruption Vulnerability
– Version: 2.0
– Reason for Revision: Revised the Security Updates table to include supported
   editions of Windows 10 Version 1903 because it is affected by this CVE. Microsoft
   recommends that customers running Windows 10 Version 1903 install security update
   4530684 to be protected from this vulnerability.
– Originally posted: February 13, 2018
– Updated: December 10, 2019
– Aggregate CVE Severity Rating: Critical

CVE-2019-0838 | Windows Information Disclosure Vulnerability
– Version: 2.0
– Reason for Revision: Revised the Security Updates table to include supported
   editions of Windows 10 Version 1903 because it is affected by this CVE. Microsoft
   recommends that customers running Windows 10 Version 1903 install security update
   4530684 to be protected from this vulnerability.
– Originally posted: April 9, 2019
– Updated: December 10, 2019
– Aggregate CVE Severity Rating: Important

CVE-2019-0860 | Chakra Scripting Engine Memory Corruption Vulnerability
– Version: 2.0
– Reason for Revision: Revised the Security Updates table to include supported
   editions of Windows 10 Version 1903 because it is affected by this CVE. Microsoft
   recommends that customers running Windows 10 Version 1903 install security update
   4530684 to be protected from this vulnerability.
– Originally posted: April 9, 2019
– Updated: December 10, 2019
– Aggregate CVE Severity Rating: Critical

Servicing-Stack-Update ADV990001

In addition, a Servicing Stack Update (SSU) (see ADV990001) for Windows Server 2008 and Windows Server 2008 (Server Core Installation); Windows 7, Windows Server
2008 R2, and Windows Server 2008 R2 (Server Core Installation) released.

– Originally posted: November 13, 2018
– Updated: December 10, 2019
– Aggregate CVE Severity Rating: Critical


Advertising


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *