Documentation

Expand all   Collapse all


Published: May 12, 2020

Last Update: May 12, 2020

Author: SecureAuth Product Security Incident Response Team (psirt@secureauth.com)

Issue

On May 12, 2020 Microsoft released their monthly patches for Windows Operating Systems and applications.

The SecureAuth Product Security Team has reviewed the announced critical patches and determined that none of the announced vulnerabilities should be a high risk to the SecureAuth® Identity Platform (formerly SecureAuth IdP) as long as customers follow good security practices which include, but are not limited to:

  • Only authorized administrators should be permitted access to the Identity Platform server console or remote administrative services.
  • The Identity Platform should not be used to view any documents that are not verified from trusted sources, and the SecureAuth Product Security Team does not recommend viewing any documents on the Identity Platform server.
  • General web browsing should not be performed from the Identity Platform. Only visiting known, trusted web sites, such as secureauth.com or Microsoft.com, should be allowed and those visits directly from the Identity Platform should be minimized.

Recommendation

It is the recommendation of SecureAuth that the patches do not need to be applied immediately and customers can wait until further testing and analysis of the potential impacts to the server are better known throughout the security and Microsoft Communities.

Applies To

Identity Platform Version

OS Version

9.x

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

19.07.x

  • Windows Server 2016
  • Windows Server 2019

Summary

Critical Updates

The May 2020 Microsoft Windows Patches identified 5 critical vulnerabilities and subsequent patches for all versions of Windows Server 2012 R2 and newer.

The 5 patches involved the following Windows components:

  • Microsoft Color Management
  • Microsoft Graphics Components
  • Windows Media Foundation

None of the above components are directly related to the functionality of the SecureAuth Identity Platform and typically are only exploitable when a user is tricked into opening a malicious document or visiting a malicious web site.

Due to the nature of the Identity Platform server, it should never be used to open documents, visit websites other than to download authorized support or patch files, or be used for general web surfing.

Important Updates

In addition to the Critical Updates, Microsoft released a number of Important Updates that could result in the ability for an attacker to escalate privileges, perform a denial of service attack, or bypass security controls.

Additionally, there is a .NET Important Update that may result in a denial of service attack.

The Important Updates are all part of the monthly roll-up patches for the operating systems that SecureAuth supports (Windows Server 2012R2, 2016 and 2019).

The SecureAuth Team is testing these patches and will release information surrounding recommendations for implementing the Important Updates.

Patch Information

Critical Updates

CVE Number(s)Component ImpactedImpact to Identity Platform
CVE-2020-1153Microsoft Graphics ComponentsNone if good security practices are followed
CVE-2020-1117Microsoft Color ManagementNone if good security practices are followed

CVE-2020-1028
CVE-2020-1126
CVE-2020-1136

Media FoundationNone if good security practices are followed

Important Updates

CVE Number(s)Component ImpactedImpact to Identity Platform
CVE-2020-1108.NETPotential denial of service attack
VariousVarious Windows ComponentsPotential for privilege escalation, denial of service, or bypass of security controls

References

  • No labels