Microsoft goes "Patch! Patch! Patch!": Patch Tuesday - Week 2, March 2019

Adobe

For this week, Adobe has fixed two major RCE vulnerabilities existing in its Photoshop and Digital Editions products respectively. Both the security flaws were designated ‘Priority 3’ by Adobe, indicating that they were of high severity.

The following are the affected versions of the products.

• Photoshop CC 19.1.7 and earlier (Windows and MacOS)
• Photoshop CC 20.0.2 and earlier (Windows and MacOS)
• Digital Editions 4.5.10.185749 and earlier (Windows only).

You can find more details about the updates here.

Amazon

Amazon released three security advisories this week, which was related to vulnerabilities in its Amazon Linux AMI distribution. They are described in brief below:

• ALAS-2019-1172: This advisory highlights a flaw in the Go package. It improperly handles elliptic curves in the context of its cryptography. This can enable attackers to either conduct DoS or ECDH attacks. Users are advised to run ‘yum update golang’ command to fix the issue.
• ALAS-2019-1167: The Crypto API in Linux AMI fails to set a NULL value for certain structures leading to a use-after-free flaw. This can allow attackers to escalate system privileges and hijack the system. Users are advised to run ‘yum update kernel’ command to fix the flaw.
• ALAS-2019-1166: The mod_ssl in Apache servers incorrectly handled client renegotiations. This can allow attackers to perpetrate Dos by using malicious requests in the server. The flaw was evident only in Apache HTTP Server version 2.4.37 with OpenSSL version 1.1.1(or later). Users are advised to run ‘yum update httpd24’ command to fix the flaw.

Cisco

Cisco patched two major security bugs in its products. The first one affected its networking operating system NX-OS while the second affected the interface of Cisco APIC. Following are the short descriptions of the advisory.

• Cisco NX-OS Software Unauthorized Filesystem Access Vulnerability: This flaw arose due to insecure filesystem permissions on Cisco’s Nexus switches. As a result, attackers can bypass authentication and login in these switches.
• Cisco Application Policy Infrastructure Controller IPv6 Link-Local Address Vulnerability: Improper access control mechanisms for IPv6 link-local connectivity led to this flaw. Attackers can exploit these control mechanisms to get into firewalls and switches.

Updates can be found here.

Citrix

Citrix fixed a critical flaw which was adversely affecting its Application Delivery Management (ADM) services. Unauthenticated attackers could perform privilege escalation attacks as well as steal sensitive information once they had the network access to the agent interface.

Citrix has advised customers to update to the latest versions which can be downloaded here.

Following are the affected versions:

• Citrix Application Delivery Management Agent version 12.1 earlier than build 50.33.
• Citrix Application Delivery Management Agent Cloud version 13.0 earlier than build 33.23.

Microsoft

Microsoft released updates to fix 64 security flaws as well as published four security advisories. The products affected include Microsoft Windows, Office Services and Web Apps, Internet Explorer, Edge, Exchange Server, ChakraCore, the .NET Framework, Team Foundation Services, and NuGet package manager. Most of the flaws led to privilege escalations in these products.

This is a massive update bundled by Microsoft this month. Certain products such as Windows Server 2008 etc., also received monthly roll-up updates. For more details, you can check this page.

Ubuntu

This week sees five security vulnerabilities addressed by Ubuntu in its services. These flaws could mainly result in DoS or RCE attacks. Following are the security advisories released by Ubuntu.

• USN-3908-1: Linux kernel vulnerability: Computers running Ubuntu 14.04 LTS were afflicted with a faulty system call in the Linux kernel. Attackers could abuse this bug to run programs as an administrator.
• USN-3902-2: PHP vulnerabilities: This advisory details a corresponding update following USN-3902-1, which patched a PHP vulnerability that allowed attackers to conduct DoS attacks. This flaw exists in Ubuntu 12.04 ESM.
• USN-3907-1: WALinuxAgent vulnerability: The Windows Azure Linux Agent created swap files with incorrect permissions. Attackers could steal sensitive information from the swap files. Affected versions are Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS.
• USN-3906-1: LibTIFF vulnerabilities: The LibTIFF library did not correctly handle out-of-shape images making it susceptible to crashes. Attackers simply had to deploy malicious images to conduct DoS attacks. Affected versions are Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS.
• USN-3905-1: poppler vulnerability: Poppler, a PDF rendering library incorrectly handled some PDFs. This could possibly allow an attacker to conduct DoS. Affected versions are Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS.