@SwitHak
Last active September 29, 2020 02:48
BlueTeam CheatSheet * July Patch Priorities * TW2LWIML | Last updated: 2020-07-31 0013 UTC

July Patch Priorities

Patching priority:

P1

  • SHITRIX-II (Critical, Exploited)
  • F5 BigIP (Critical, Exploited)
  • SAPRecon (Critical, Exploited)
  • ASA & FTD CVE-2020-3452 (High, Exploited)
  • SIGRed CVE-2020-1350 (Critical, Exploit available (DoS))

P2

  • PAN OS (Critical, Not Exploited AFAIK)
  • Sophos XG (Critical, Details on the exploitation are available)
  • Microsoft SharePoint - CVE-2020-1147 (Critical, Details on the exploitation are available)
  • Oracle (Critical for some vulns, Not Exploited AFAIK but beware of the Oracle WebLogic / SD-WAN ones)
  • Juniper Networks (Critical, Not Exploited AFAIK)
  • Cisco (Critical for some vulns)
  • CVE-2020-10713 AKA BootHole (High, Post-Exploitation)

P3

  • Apache Tomcat DoS x2 (High)
  • Adobe (Medium)
  • Apple (Medium)
  • Intel (Low to Medium)

Notes

General

  • First, there's no universal solution; the previous sections are only my views on this subject.
  • Patching without understanding your risks is useless; do that first.

Patching

  • Attackers will try to gain access 90% of the time through one of two vectors:
    • Exposed services / devices on the internet
    • Email

Exposed services

  • Know which devices you are exposing on the internet
  • Know as many details as you can about how the vulns can be exploited:
    • Does it need an account, or is it unauthenticated?
    • Is it exploitable in a standard deployment, or only with customized settings?
    • Is exploitation simple or complicated, and does it need numerous attempts to succeed?
    • Is an exploit publicly available?
    • Is it another attempt to patch a known vulnerability? (Sometimes a software vendor doesn't patch the vuln but mitigates it by adding detection of known exploit strings / parameters to the software's request parser; they don't fix the root cause of the vuln.)
  • Know the value of the asset; prioritize high-value assets
  • Deny access to unnecessary ports
  • Know which accounts are used on them and watch their use carefully
  • Know which software is used and follow its updates
  • Also know the dependencies this software is built on (Sometimes a vuln is identified in an OSS package that big software vendors use, but they patch the vulnerability a long time afterwards)
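As an added worked example (not part of the gist), one way to turn the checklist above into a repeatable triage: a small Python helper that approximates the P1/P2/P3 buckets from the vuln's own properties, then adjusts the tier with what you know about your exposure and asset value. The data model, field names and the one-tier up/down rules are my assumptions, not the author's.

```python
from dataclasses import dataclass

# Constructed data model (field names are assumptions, not from the gist): a
# vuln's properties as the gist describes them, plus the asset's local context.
@dataclass
class Vuln:
    name: str
    severity: str                    # "Critical", "High", "Medium" or "Low"
    exploited: bool = False          # seen exploited in the wild
    exploit_public: bool = False     # working exploit code published (not just details)
    post_exploitation: bool = False  # needs prior access on the box (e.g. BootHole)

@dataclass
class Asset:
    hostname: str
    internet_exposed: bool  # reachable from the internet?
    needs_account: bool     # does the vulnerable code path require an account?
    value: int              # 1 (low) .. 3 (crown jewels), your own rating

def base_tier(v: Vuln) -> int:
    """Tier from the vulnerability alone, approximating the gist's P1/P2/P3 buckets."""
    if v.severity in ("Critical", "High") and v.exploited:
        return 1                      # exploited in the wild (SHITRIX-II, ASA/FTD)
    if v.severity == "Critical" and v.exploit_public:
        return 1                      # critical with a public exploit (SIGRed)
    if v.severity == "Critical":
        return 2                      # critical, details only or unexploited (PAN OS)
    if v.severity == "High" and v.post_exploitation:
        return 2                      # high but needs prior access (BootHole)
    return 3                          # remaining High/Medium/Low (Tomcat DoS, Adobe)

def priority(v: Vuln, a: Asset) -> str:
    """Adjust the tier with your own exposure and asset value (assumed rules)."""
    tier = base_tier(v)
    # An unauthenticated hole on an exposed, high-value asset moves up one tier.
    if a.internet_exposed and not a.needs_account and a.value == 3:
        tier = max(1, tier - 1)
    # Not reachable from the internet and needs an account: smaller window, move down.
    if not a.internet_exposed and a.needs_account:
        tier = min(3, tier + 1)
    return f"P{tier}"

def patch_plan(pairs: list[tuple[Vuln, Asset]]) -> list[tuple[str, str, str]]:
    """Return (priority, vuln name, hostname) rows sorted so P1 comes first."""
    rows = [(priority(v, a), v.name, a.hostname) for v, a in pairs]
    return sorted(rows)
```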

I'm sure there is other good advice, but right now I'm not thinking of it. Patch your devices! S.H.
