Microsoft has broken its long-running streak of bumper Patch Tuesday updates with a more slimline – in comparison with recent months – October 2020 release, containing fixes for 87 vulnerabilities, 11 of them rated as critical.
As ever, the October update spans a multitude of software products, including Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft JET Database Engine, Azure Functions, Open Source Software, Microsoft Exchange Server, Visual Studio, PowerShellGet, Microsoft .NET Framework, Microsoft Dynamics, Adobe Flash Player and Microsoft Windows Codecs Library.
Six of the common vulnerabilities and exposures (CVEs) listed in the October update have already been publicly disclosed, which means malicious actors, unfortunately, have a head start on weaponising them.
“Public disclosure could mean a couple of things,” said Todd Schell, senior product manager at Ivanti. “It could be that a demonstration of exploit was performed at an event or by a researcher. It could also mean proof-of-concept code has been made available. In any case, a public disclosure does mean that threat actors have advanced warning of a vulnerability and this gives them an advantage.
“The mean time to exploit a vulnerability is 22 days, according to a research study from the RAND Institute. If a threat actor gets advanced notice of a vulnerability, they could have a head start of days or even weeks, meaning an exploit may not be very far off. This is one risk indicator that can help companies prioritise what to act on first from a threat perspective.”
Five of the publicly disclosed updates affect Windows 10 and its corresponding server editions – these are CVEs 2020-16898, -16909, -16901, -16885 and -16938. The sixth, CVE-2020-16937, affects .NET Framework.
Of the six publicly disclosed vulnerabilities, threat researchers are assessing CVE-2020-16898 as the most dangerous. Dubbed “Bad Neighbour” by McAfee, it is a wormable remote code execution (RCE) vulnerability in Windows 10 and Windows Server 2019 that exists when the Windows TCP/IP stack improperly handles ICMPv6 router advertisement packets. It can be successfully exploited by sending a specially crafted packet to a remote Windows computer.
Steve Povolny, McAfee’s head of advanced threat research, said the most obvious impact would be to consumers running Windows 10 machines, but that with automated updates, this would be minimised quickly. He added that Shodan.io queries had suggested that the number of publicly exposed Windows Server 2019 machines was probably somewhere in the hundreds, probably because most are either behind firewalls or hosted by cloud service providers, and so do not show up in scans.
“Patching is always the first and most effective course of action,” wrote Povolny. “If this is not possible, the best mitigation is disabling IPv6, either on the NIC or at the perimeter of the network by dropping IPv6 traffic if it is non-essential. Additionally, ICMPv6 router advertisements can be blocked or dropped at the network perimeter. Windows Defender and Windows Firewall fail to block the proof-of-concept when enabled.”
Ivanti’s Schell also noted CVEs 2020-16947 and -16891 as ones to watch. The first is an RCE vulnerability in Microsoft Outlook, easily exploited by viewing a specially crafted email, and the second an RCE vulnerability in Windows Hyper-V.
Allan Liska of Recorded Future additionally highlighted CVEs 2020-16911, an RCE vulnerability that exists in how Windows Graphics Device Interface handles objects in memory, exploitable through luring the target to a compromised website with a specially crafted document, and -16909, a privilege escalation vulnerability in Windows Error Reporting that affects Windows 10 and Windows Servers 2016 and 2019.
Although lighter than it has been for many months, October’s Patch Tuesday still warrants close attention, according to Gill Langston, head security nerd at SolarWinds MSP, who said: “I recommend addressing the Windows TCP/IP vulnerabilities first, with highest priority on any internet-facing systems. Then get those RDP servers patched, since Remote Desktop seems to be one of the most popular attack vectors these days.
“Next, turn your focus towards patching your Hyper-V systems, and then patching workstations, especially those running Outlook, and finally your SharePoint servers, which by now should be a regular part of your routine, considering the volume of SharePoint vulnerabilities fixed this year.”
Justin Knapp, product marketing manager at Automox, added: “This may not be a record-breaking month in terms of overall quantity, but October poses a familiar challenge that continues to persist in the form of delayed patch deployment, unfortunately increasing risk at a time when attack frequency is going up.
“With remote work complicating matters further, we are witnessing a major shift within the IT landscape to lean on cloud-based solutions for distribution just to keep pace with the endless flow of updates across an increasingly distributed workforce.”
Over half of exposed Exchange servers are still vulnerable to a severe bug that allows authenticated attackers to execute code remotely with system privileges – even eight months after Microsoft issued a fix.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, was fixed as part of Microsoft’s February Patch Tuesday updates – and admins in March were warned that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.
However, new telemetry found that out of 433,464 internet-facing Exchange servers observed, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers are still vulnerable to the flaw.
“There are two important efforts that Exchange administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise,” said Tom Sellers with Rapid7 in a Tuesday analysis.
Speaking of Exchange, we took another look at Exchange CVE-2020-0688 (any user -> SYSTEM on OWA).
It’s STILL 61% unpatched.
This is dangerous as hell and there is a reliable Metasploit module for it.
See the UPDATED information on the ORIGINAL blog: https://t.co/DclWb3T0mZ
— Tom Sellers (@TomSellers) September 29, 2020
Researchers warned in a March advisory that unpatched servers are being exploited in the wild by unnamed APT actors. Attacks first started in late February and targeted “numerous affected organizations,” researchers said. They observed attackers leverage the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks, post-exploitation.
Previously, in April, Rapid7 researchers found that more than 80 percent of servers were vulnerable; out of 433,464 internet-facing Exchange servers observed, at least 357,629 were open to the flaw (as of March 24). Researchers used Project Sonar, a scanning tool, to analyze internet-facing Exchange servers and sniff out which were vulnerable to the flaw.
Sellers urged admins to verify that an update has been deployed. The most reliable method to do so is by checking patch-management software, vulnerability-management tools or the hosts themselves to determine whether the appropriate update has been installed, he said.
“The update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled,” he said. “This will typically be servers with the Client Access Server (CAS) role, which is where your users would access the Outlook Web App (OWA).”
With the ongoing activity, admins should also determine whether anyone has attempted to exploit the vulnerability in their environment. The exploit code that Sellers tested left log artifacts in the Windows Event Log and the IIS logs (which contain HTTP server API kernel-mode cache hits) on both patched and unpatched servers: “This log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate,” he said.
Admins can also review their IIS logs for requests to a path under /ecp (usually /ecp/default.aspx), Sellers said. These should contain the strings __VIEWSTATE and __VIEWSTATEGENERATOR, and will have a long string in the middle of the request that is a portion of the exploit payload.
“You will see the username of the compromised account name at the end of the log entry,” he said. “A quick review of the log entries just prior to the exploit attempt should show successful requests (HTTP code 200) to web pages under /owa and then under /ecp.”
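The log review Sellers describes can be scripted. The following is an added example written for this article, not Rapid7's tooling: it parses IIS W3C log lines using the #Fields header, flags /ecp requests that carry both __VIEWSTATE and __VIEWSTATEGENERATOR with an unusually long ViewState value, and counts the earlier successful (200) /owa and /ecp requests from the same account and client. The sample log excerpt is constructed, and the 512-character cut-off is an assumed, tunable threshold rather than a value from the analysis.

```python
"""Triage IIS W3C logs for the CVE-2020-0688 request pattern described above.
Added example, not Rapid7's code; the log excerpt below is constructed."""
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Assumption: a serialized exploit payload is far longer than the ViewState
# seen in legitimate ECP traffic; 512 is an illustrative cut-off, tune it.
LONG_VIEWSTATE = 512

# Constructed sample excerpt (not real telemetry). Field order follows a
# common IIS W3C default; only the fields referenced below matter.
EXPLOIT_BLOB = "%2FwEy" + "A" * 1200  # stand-in for a long encoded payload
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    "2020-09-29 10:01:03 10.0.0.5 GET /owa/ - 443 CORP\\jdoe 203.0.113.7 Mozilla/5.0 200 0 0 310",
    "2020-09-29 10:01:05 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\jdoe 203.0.113.7 Mozilla/5.0 200 0 0 450",
    "2020-09-29 10:01:09 10.0.0.5 GET /ecp/default.aspx "
    f"__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE={EXPLOIT_BLOB} "
    "443 CORP\\jdoe 203.0.113.7 Mozilla/5.0 500 0 0 80",
    "2020-09-29 10:02:11 10.0.0.5 GET /ecp/default.aspx "
    "__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=short "
    "443 CORP\\asmith 198.51.100.9 Mozilla/5.0 200 0 0 60",
])


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C lines into dicts keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log data before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_viewstate_abuse(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return suspicious /ecp requests plus the count of prior successful
    /owa and /ecp hits by the same account and client IP."""
    findings: List[Dict[str, object]] = []
    for i, row in enumerate(rows):
        if not row.get("cs-uri-stem", "").lower().startswith("/ecp"):
            continue
        query = parse_qs(row.get("cs-uri-query", ""))  # "-" parses to {}
        if "__VIEWSTATE" not in query or "__VIEWSTATEGENERATOR" not in query:
            continue
        viewstate = query["__VIEWSTATE"][0]
        if len(viewstate) < LONG_VIEWSTATE:
            continue  # ordinary ECP postback, not the oversized payload
        user = row.get("cs-username", "-")
        client = row.get("c-ip", "-")
        prior = [
            r for r in rows[:i]
            if r.get("cs-username") == user and r.get("c-ip") == client
            and r.get("sc-status") == "200"
            and r.get("cs-uri-stem", "").lower().startswith(("/owa", "/ecp"))
        ]
        findings.append({
            "time": f"{row['date']} {row['time']}",
            "user": user,
            "client": client,
            "viewstate_len": len(viewstate),
            "prior_owa_ecp_200s": len(prior),
        })
    return findings


if __name__ == "__main__":
    for hit in find_viewstate_abuse(parse_w3c(SAMPLE_LOG)):
        print(hit)
```

Run it against real logs by reading the log file into the parser in place of SAMPLE_LOG; the account and client IP in each finding are what to pivot on when checking the Windows Event Log entries mentioned above. A hit on a fully patched server still means someone attempted the exploit, so the output is worth reviewing regardless of patch state.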
The Endpoint Analysis (EPA) plugin fails on NetScaler Gateway virtual server, when using Internet Explorer 11 (IE 11) with Microsoft hotfix KB3025390 installed.
After installation of the Microsoft hotfix, you will be directed to a page where you can either “Download” the plugin or “Skip Check” in some builds. The EPA plugin does not run as expected.
In some instances, hotfixes might be superseded or replaced. This happens only when a subsequent hotfix includes all fixes from the earlier hotfixes, as explained in the following section.
Note: The information in this document applies primarily to the XenApp and the XenDesktop products, but might be extended to other Citrix products as well.
Access to Hotfixes
Hotfixes are available for download from the Citrix Knowledge Center. The access provided to these hotfixes is based on expected customer impact, as mentioned in the following table:
|Hotfix Type||Expected Customer Impact|
|General Release||Affects a wide customer base|
|Limited Release||Affects a smaller number of customers|
Hotfix Replacement and Supersedence
Any hotfix that includes all fixes from an earlier hotfix either supersedes or replaces the original hotfix, as mentioned in the following table:
|Original Hotfix Type||Subsequent Hotfix Type||Status of Original Hotfix|
|Limited Release||General Release||Superseded hotfix is no longer available. All customers can access the subsequent hotfix|
|Limited Release||Limited Release||Superseded hotfix is no longer available. Customers with access to the original hotfix can also access the subsequent hotfix|
|General Release||General Release||Superseded hotfix is no longer available. All customers can access the subsequent hotfix|
|General Release||Limited Release||Replaced, but remains available for download from the Citrix Knowledge Center. Original hotfix remains available for customers who cannot access the Limited Release hotfix|
Note: The terms superseded and replaced, as used in this article and on the Citrix Knowledge Center, illustrate the difference between release types. They are not used in the same manner as by Microsoft or Windows Installer; however, Citrix hotfix readmes use the same terms.
The following table provides examples of original hotfixes and their status:
|Original Hotfix||Subsequent Hotfix||Status||Rationale|
|Limited Release Hotfix A is available for download to customers with Subscription Advantage and a My Citrix account||General Release Hotfix B is released. It contains all fixes from Hotfix A, plus new fixes||Hotfix B supersedes Hotfix A||Hotfix A is no longer available for download because Hotfix B is available to all customers|
|General Release Hotfix C is available for download from the Knowledge Center to all customers||Limited Release Hotfix D is released. It contains all fixes from Hotfix C, plus new fixes||Hotfix D replaces Hotfix C||Both remain available for download because Hotfix D is available only to customers with Subscription Advantage and a My Citrix account|
|Limited Release Hotfix E is available for download to customers with Subscription Advantage and a My Citrix account||Limited Release Hotfix F is released. It contains fixes, but does not contain all fixes from Hotfix E||The status of Hotfix E is unchanged; Hotfix F is offered as a separate, additional hotfix||Both are available for download because Hotfix F does not contain all of the fixes from Hotfix E|
Package name: xms_10.11.0.10302.bin
For: XenMobile Server 10.11.0
Deployment type: On-premises only
Replaces: xms_10.11.0.10102.bin and xms_10.11.0.10202.bin
Date: December, 2019
Languages supported: English (US)
Readme version: 1.00
Readme Revision History
|1.00||December, 2019||Initial release|
Important Notes about This Update
As a best practice, Citrix recommends that you install this and other updates only if you are affected by the specific issues they resolve.
Where to Find Documentation
This document describes the issue(s) resolved by this release and includes installation instructions. For additional product information, see XenMobile Server 10.11 on the Citrix Product Documentation site.
For information about XenMobile Server 10.11.0 Rolling Patch 1 release, see XenMobile Server 10.11.0 Rolling Patch 1.
For information about XenMobile Server 10.11.0 Rolling Patch 2 release, see XenMobile Server 10.11.0 Rolling Patch 2.
Known Issue(s) in this Release
There are no known issues in this release.
New Fixes in This Update
On devices running Android Q in Device Administrator mode, you are unable to connect to Secure Hub. You get the following error: Secure Hub could not connect.
XenMobile Server experiences a communications error with Apple Deployment Programs (formerly DEP). For more information, see https://support.citrix.com/article/CTX267079.
Fixes From Replaced Releases
On iOS devices, administrators may lose the ability to send an “unlock device” command to passcode protected devices after the device is upgraded to iOS 13.1.x. To resolve this issue, see https://support.citrix.com/article/CTX262076.
Some third-party VPP apps fail to auto-update. This occurred due to blocked hostnames. For more information, see https://support.apple.com/en-us/HT201999.
After enrolling a new device or re-enrolling an old device, an error message intermittently displays on the Manage tab.
MAM devices wipe apps and app data because of a failure to get user domain details causing the device to assume the user is deleted.
Unable to get the VPP for app version B2B when the platform parameter is incorrectly set in the MDM API contentMetadataLookup.
If the SMTP error “Couldn’t upload report” occurs, Secure Hub for iOS doesn’t send the log information to XenMobile Server.
For iOS, location tracking doesn’t work if you do the following: Configure and deploy a location policy, enable tracking from device Security Actions, and then delete the deployed location policy and create a new one.
On the XenMobile Server console, when you select the VPP app Standout, you get the following error: “500 Server Internal Error.”
Installing This Update
Note: If your system is configured in cluster mode, follow the steps below to update each node, one after the other.
Important: Before installing this update, take a snapshot of the current settings and create a backup of the database.
- Log on to your account on the Citrix website and download the XenMobile Server update (.bin) file to an appropriate location.
- In the XenMobile Server Console of a node, click Settings > Release Management. The Release Management page appears, which displays the currently installed software version, as well as a list of any updates, patches, and upgrades you have already uploaded.
- Under Release Management, click Update. The Update dialog box appears.
- Click Browse to upload the update (.bin) file you have downloaded from support.citrix.com.
- Click Update and then, if prompted, restart the XenMobile Server node using the command line.
To verify the patch deployment
After installing this patch, log on to the XenMobile Server Console as an administrator, then navigate to Settings > Release Management > Updates. Information about the most recent successful patch installation appears in this section.
Who Should Install This Hotfix?
This is a hotfix for customers running Citrix Hypervisor 8.1.
Note: Ensure that you use XenCenter 8.1.2 or later to install this hotfix. The latest version of XenCenter is available from the Citrix Hypervisor Download site.
Information About this Hotfix
|Post-update tasks*||Restart Host|
|Content live patchable**||Yes|
|Baselines for Live Patch||Citrix Hypervisor 8.1|
Published on Feb 13, 2020
** Available to Enterprise Customers.
Issues Resolved In This Hotfix
This hotfix resolves the following issues:
- When running Reclaim Space on a thinly provisioned LUN with more than 2 TB of free space, the operation fails with an ioctl not supported error.
Installing the Hotfix
Customers should use either XenCenter or the Citrix Hypervisor Command Line Interface (CLI) to apply this hotfix. As with any software update, back up your data before applying this update. Citrix recommends updating all hosts within a pool sequentially. Upgrading hosts should be scheduled to minimize the amount of time the pool runs in a “mixed state” where some hosts are upgraded and some are not. Running a mixed pool of updated and non-updated hosts for general operation is not supported.
Note: The attachment to this article is a zip file. It contains the hotfix update package only. Click the following link to download the source code for any modified open source components: XS81E001-sources.iso. The source code is not necessary for hotfix installation: it is provided to fulfill licensing obligations.
Installing the Hotfix by using XenCenter
Choose an Installation Mechanism
There are three mechanisms to install a hotfix:
- Automated Updates
- Download update from Citrix
- Select update or Supplemental pack from disk
The Automated Updates feature is available for Citrix Hypervisor Premium Edition customers, or to those who have access to XenServer through their Citrix Virtual Apps and Desktops entitlement. For information about installing a hotfix using the Automated Updates feature, see the Applying Automated Updates in the Citrix Hypervisor documentation.
For information about installing a hotfix using the Download update from Citrix option, see Applying an Update to a Pool in the Citrix Hypervisor documentation.
The following section contains instructions on option (3) installing a hotfix that you have downloaded to disk:
- Download the hotfix to a known location on a computer that has XenCenter installed.
- Unzip the hotfix zip file and extract the .iso file.
- In XenCenter, on the Tools menu, select Install Update. This displays the Install Update wizard.
- Read the information displayed on the Before You Start page and click Next to start the wizard.
- Click Browse to locate the .iso file, select XS81E001.iso and then click Open.
- Click Next.
- Select the pool or hosts you wish to apply the hotfix to, and then click Next.
- The Install Update wizard performs a number of update prechecks, including the space available on the hosts, to ensure that the pool is in a valid configuration state. The wizard also checks whether the hosts need to be rebooted after the update is applied and displays the result. Follow the on-screen recommendations to resolve any update prechecks that have failed. If you want XenCenter to automatically resolve all failed prechecks, click Resolve All. When the prechecks have been resolved, click Next.
Note: If you click Cancel at this stage, the Install Update wizard reverts the changes and removes the update file from the host.
- Choose the Update Mode. Review the information displayed on the screen and select an appropriate mode.
- Click Install update to proceed with the installation. The Install Update wizard shows the progress of the update, displaying the major operations that XenCenter performs while updating each host in the pool.
- When the update is applied, click Finish to close the wizard.
- If you chose to carry out the post-update tasks, do so now.
Installing the Hotfix by using the xe Command Line Interface
- Download the hotfix file to a known location.
- Extract the .iso file from the zip.
- Upload the .iso file to the Pool Master by entering the following commands:
(Where -s is the Pool Master’s IP address or DNS name.)
xe -s <server> -u <username> -pw <password> update-upload file-name=<filename>XS81E001.iso
Citrix Hypervisor assigns the update file a UUID which this command prints. Note the UUID.
- Apply the update to all hosts in the pool, specifying the UUID of the update:
xe update-pool-apply uuid=04ffe352-3f45-4a2d-bc79-e3f2f13b6d79
Alternatively, if you need to update and restart hosts in a rolling manner, you can apply the update file to an individual host by running the following:
xe update-apply host=<host> uuid=04ffe352-3f45-4a2d-bc79-e3f2f13b6d79
- Verify that the update was applied by using the update-list command.
xe update-list -s <server> -u root -pw <password> name-label=XS81E001
If the update is successful, the hosts field contains the UUIDs of the hosts to which this update was successfully applied. This should be a complete list of all hosts in the pool.
- If the hotfix is applied successfully, restart each host in the pool, starting with the master.
- Use the update-pool-clean command to remove the update files from all hosts in the pool. This command frees up space on shared storage and does not uninstall the update.
xe update-pool-clean uuid=04ffe352-3f45-4a2d-bc79-e3f2f13b6d79
|Hotfix File sha256||9f1eca3c219c03fd002ebd61ea982e8d826c7e903b07761506f1eac13694188d|
|Hotfix Source Filename||XS81E001-sources.iso|
|Hotfix Source File sha256||70b055290c0009f069a7eb7329fe084da1958e8e1e56d624cf36fbb7f82cfffa|
|Hotfix Zip Filename||XS81E001.zip|
|Hotfix Zip File sha256||db7280bd8f791c91d0d2839e1d04f50f2887e2c26f48eb1cbedeb66b930c718f|
|Size of the Zip file||31.51 MB|
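Before uploading the hotfix with update-upload, the downloaded artifact should be checked against the sha256 values published above. The following is an added example, not Citrix tooling: it hashes a file in chunks, compares the digest in constant time to the published value for that filename, and raises if the filename has no published hash. The digests in the table are the ones listed on this page; mapping the “Hotfix File” digest to XS81E001.iso is an assumption based on the filename the XenCenter steps use, and the file written in the demo is constructed, so its digest deliberately does not match.

```python
"""Verify a downloaded Citrix hotfix artifact against its published sha256.
Added example, not Citrix's code; hashes are the values published above."""
import hashlib
import hmac
import os
import tempfile
from typing import Optional

# Digests as published for XS81E001. Assumption: the "Hotfix File" digest
# belongs to XS81E001.iso, the file the XenCenter instructions select.
PUBLISHED_SHA256 = {
    "XS81E001.iso": "9f1eca3c219c03fd002ebd61ea982e8d826c7e903b07761506f1eac13694188d",
    "XS81E001-sources.iso": "70b055290c0009f069a7eb7329fe084da1958e8e1e56d624cf36fbb7f82cfffa",
    "XS81E001.zip": "db7280bd8f791c91d0d2839e1d04f50f2887e2c26f48eb1cbedeb66b930c718f",
}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through sha256 so a 30 MB zip is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_artifact(path: str, expected: Optional[str] = None) -> bool:
    """True if the file's sha256 matches the published (or supplied) digest."""
    name = os.path.basename(path)
    expected = expected or PUBLISHED_SHA256.get(name)
    if expected is None:
        raise KeyError(f"no published sha256 for {name}")
    # compare_digest avoids leaking where the strings diverge via timing
    return hmac.compare_digest(sha256_file(path), expected.lower())


def demo_mismatch() -> bool:
    """Constructed stand-in for the zip; its digest must not match the real one."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "XS81E001.zip")
        with open(path, "wb") as handle:
            handle.write(b"constructed placeholder, not the real hotfix")
        return verify_artifact(path)


if __name__ == "__main__":
    print("placeholder matches published hash:", demo_mismatch())
```

For the real download, call verify_artifact on XS81E001.zip before unzipping, and again on the extracted XS81E001.iso before running update-upload; a False result means the file should be discarded and re-downloaded rather than applied to the pool.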
For more information, see Citrix Hypervisor Documentation.
If you experience any difficulties, contact Citrix Technical Support.