The first thing that everyone’s going to talk about this month is SQL Server. More than a quarter of the CVEs assigned by Microsoft this month describe SQL Server vulnerabilities. Thankfully, none of them are critical based on their CVSS scores and they’re all listed as “Exploitation Less Likely.” Even with those saving graces, there are still a lot of CVSS 8.8 vulnerabilities that SQL Server customers will be looking to patch.
On top of that, today marks the End of Support date for SQL Server 2014, a platform that, according to Shodan, still has 110,000 instances publicly available. A lot of companies don’t update quickly, but this may leave them scrambling to update those environments to supported versions of MS-SQL.
Something new to watch for on Patch Tuesday is CVEs flagged as requiring no customer action. According to an MSRC blog post from late June, Microsoft will issue CVEs for cloud security issues going forward. That will add noise that has to be filtered out; thankfully, both the API and Microsoft’s UI provide ways to filter these entries so customers can focus on the CVEs that require action on their part. Based on a review of the API, none of the 139 Microsoft-assigned CVEs this month appear to carry this indicator, but it is one more piece of information to process each month. This will likely lead to a spike in the number of CVEs Microsoft assigns, which reminds me of the kernel.org decision that increased the number of CVEs they assign. At the end of the day, we have to wonder whether increased CVE assignments are the transparency Microsoft describes or noise that overwhelms security teams and ultimately diminishes the power of the CVE system.
The big news today will probably be the three remote code execution vulnerabilities in the Remote Desktop Licensing Service, a service that allocates Client Access Licenses (CALs) when a client connects to a remote desktop host. All three of the vulnerabilities have been assigned a CVSS score of 9.8 and indicate that a malicious packet could trigger the vulnerability. These issues should be at the top of everyone’s patch priority list this month.
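To make the filtering and prioritisation above concrete, here is an added example (not code from the post, Fortra, or Microsoft) of a small triage step over a month's advisories: drop the entries marked as needing no customer action, then rank the rest by Microsoft's Exploitability Index label and CVSS score, and measure how much of the month one product accounts for. The record layout, the key names (`customer_action_required`, `exploitability`, `cvss`), and the CVE ids are constructed assumptions standing in for whatever the real MSRC feed returns; map them to the actual response fields before using this against live data.

```python
"""Triage a Patch Tuesday release: filter out 'no customer action' CVEs,
rank the remainder by exploitability and CVSS, and report product share.

Added example. The record schema below is an assumption, not Microsoft's
API; adapt the key names to the real feed before use.
"""
from collections import Counter

# Microsoft's Exploitability Index labels, ranked so that the most urgent
# label sorts first. "Exploitation Less Likely" is the label the post notes
# on every SQL Server CVE this month.
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 3,
    "Exploitation More Likely": 2,
    "Exploitation Less Likely": 1,
    "Exploitation Unlikely": 0,
}

# Constructed sample records (placeholder CVE ids, illustrative scores).
# Key names are assumptions standing in for the real MSRC response fields.
SAMPLE_ADVISORIES = [
    {"cve": "CVE-EXAMPLE-0001", "product": "Remote Desktop Licensing Service",
     "cvss": 9.8, "exploitability": "Exploitation More Likely",
     "customer_action_required": True},
    {"cve": "CVE-EXAMPLE-0002", "product": "SQL Server",
     "cvss": 8.8, "exploitability": "Exploitation Less Likely",
     "customer_action_required": True},
    {"cve": "CVE-EXAMPLE-0003", "product": "SQL Server",
     "cvss": 8.8, "exploitability": "Exploitation Less Likely",
     "customer_action_required": True},
    {"cve": "CVE-EXAMPLE-0004", "product": "Cloud service (fixed server-side)",
     "cvss": 7.5, "exploitability": "Exploitation Unlikely",
     "customer_action_required": False},  # nothing for the customer to deploy
    {"cve": "CVE-EXAMPLE-0005", "product": "Windows Kernel",
     "cvss": 7.8, "exploitability": "Exploitation Detected",
     "customer_action_required": True},
]


def actionable(advisories):
    """Drop the 'no customer action required' entries that only add noise."""
    return [a for a in advisories if a.get("customer_action_required", True)]


def priority_key(advisory):
    """Sort key: exploitability label first, then CVSS base score."""
    rank = EXPLOITABILITY_RANK.get(advisory.get("exploitability", ""), 0)
    return (rank, float(advisory.get("cvss", 0.0)))


def triage(advisories):
    """Return the actionable advisories, most urgent first.

    sorted() with reverse=True is stable, so entries with the same label
    and score keep the order the feed listed them in.
    """
    return sorted(actionable(advisories), key=priority_key, reverse=True)


def product_share(advisories):
    """Fraction of actionable CVEs per product, to spot a product-heavy month."""
    counts = Counter(a["product"] for a in actionable(advisories))
    total = sum(counts.values())
    return {product: n / total for product, n in counts.items()} if total else {}


if __name__ == "__main__":
    for adv in triage(SAMPLE_ADVISORIES):
        print(f'{adv["cve"]:18} {adv["cvss"]:4} '
              f'{adv["exploitability"]:26} {adv["product"]}')
    print(product_share(SAMPLE_ADVISORIES))
```

The ranking deliberately places an "Exploitation Detected" entry above a higher-scoring "Exploitation More Likely" one, on the grounds that something already being exploited outranks a worse-on-paper bug that is not; if your programme prefers raw CVSS first, swap the two elements of the tuple in `priority_key`.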