I’m pleased to announce that, as of this afternoon, CORE Impact customers are able to assess their environments for MS12-020, a new critical vulnerability in Remote Desktop Protocol (RDP) that Microsoft announced as part of this week’s Patch Tuesday.
Identifying MS12-020 exposures with CORE Impact
This is currently a denial of service (DoS) Impact module, so by design the software’s Rapid Penetration Test wizards will not launch it automatically: a successful run crashes the target rather than gaining access to it, and that is not something to trigger on a host by accident. To use the module, drag and drop it from the Modules panel onto the target system or group of systems, and run it in a window in which an outage of those systems is acceptable.
Why test for MS12-020?
Most publicly disclosed vulnerabilities follow a similar lifecycle. After a vulnerability is announced, the vulnerability scanner vendors produce signatures for it. Because a scanner signature typically only has to recognize an affected version or a missing patch, signatures are fairly easy to write and are usually released within days (if not hours) of the announcement. Specialized exploit writers analyze the vulnerability in parallel, and their first result is normally a denial of service (DoS) exploit: one that triggers the flaw and crashes the target. For some vulnerabilities, the exploit writers then determine how to control the crash and leverage it for remote code execution, and develop a working exploit. An exploit of that kind is what allows our patented payload to gain access to and interact with the exposed system.
Why are DoS modules important?
The patch for MS12-020 was only released late Tuesday, and Core was able to produce a DoS exploit by Friday afternoon. The reality is that this is before the majority of organizations have had time to test and roll out the patch. In the meantime, instead of relying on the patch to protect their systems, they rely on Intrusion Prevention Systems (IPS) and other network-based technologies to detect and block the relevant attacks on the wire. You cannot test the effectiveness of those network defenses with a vulnerability scan: a scanner determines whether a host is vulnerable, it does not send the attack traffic an IPS signature is written to match. You need to send traffic over the network that contains an actual attempt to leverage the vulnerability to crash or control the target, from a vantage point where that traffic crosses the defenses you are testing. Using CORE Impact DoS modules, our customers can test their network defenses against these major, public vulnerabilities, so that they first have confidence in the outer layer of defenses and then take the time to properly plan the patch deployment in their environments.
More about MS12-020
According to a Microsoft Security Response Center blog post, “This bulletin addresses one Critical-class issue and one Moderate-class issue in Remote Desktop Protocol (RDP) … The Critical-class issue applies to a fairly specific subset of systems – those running RDP – and is less problematic for those systems with Network Level Authentication (NLA) enabled. That said, we strongly recommend that customers examine and prepare to apply this bulletin as soon as possible. The Critical-class issue could allow a would-be attacker to achieve remote code execution on a machine running RDP (a non-default configuration); if the machine does not have NLA enabled, the attacker would not require authentication for RCE access.”
Additional details about this vulnerability, including remediation info, are available on Microsoft’s Security Research and Defense Blog.
- Alex Horan, CORE IMPACT Product Manager