Patch Tuesday – December 2020

Patch Tuesday - December 2020

We close off our 2020 year of Patch Tuesdays with 58 vulnerabilities being addressed. While it’s a higher count than our typical December months (high thirties), it’s still a nice breath of fresh air given how the past year has been. We do, however, get to celebrate that none of the reported vulnerabilities covered this month has been publicly exploited nor previously publicly disclosed and only 9 of the 58 vulnerabilities have been marked as Critical by Microsoft.

In terms of actionables, standard procedures can be followed here in terms of how to prioritize which sets of patches to apply first with two exceptions.

Microsoft Office vulnerabilities

A fair amount of remote code executions targeting Microsoft Excel are being patched up today and while none of them have the Preview Pane set as an attack vector, the volume of remote code execution vulnerabilities pertaining to Microsoft Office this month may suggest a slight re-jig of priorities. That’s our first (minor) exception.

The next exception is likely the most notable piece behind this December 2020 Patch Tuesday: Microsoft Exchange Server.

Microsoft Exchange Server vulnerabilities

While there are a total of six vulnerabilities from Microsoft Exchange Server this month, two of them garner a CVSS score of 9.1 (CVE-2020-17132, CVE-2020-17142) and one is noted by Microsoft has having a higher chance of exploitability (CVE-2020-17144).  These three warrant an additional examination and may be grounds for prioritizing patching.

There is currently suspicion that CVE-2020-17132 helps address the patch bypass of CVE-2020-16875 (CVSS 8.4) from September 2020. As well, both CVE-2020-17132 and CVE-2020-17142 are remote code execution vulnerabilities occurring due to improper validation of cmdlet arguments that affect all supported (as of writing) versions of Microsoft Exchange. One important note to consider is while these vulnerabilities have received a CVSS score of 9.1 and do not require additional user interaction, an attacker must be in an authenticated role in order to exploit this vulnerability.

In contrast, CVE-2020-17144 which is another remote code execution vulnerability also stemming from improper validation for cmdlet arguments, this one only affects Exchange Server 2010 SP3 and does require additional user interaction to successfully execute. This is extra interesting as Microsoft Exchange Server 2010 passed end of life back on October 22, 2020.  The introduction of this post-EOL patch for Microsoft Exchange Server 2010 coupled with Microsoft noting this vulnerability to be more likely exploitable does suggest prioritizing this patch a bit earlier.

New Summary Tables

In an attempt to provide a bit more summarizing tables, here are this month’s patched vulnerabilities split by the product family.

Azure Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 has_faq
CVE-2020-17160 Azure Sphere Security Feature Bypass Vulnerability False False 7.4 True
CVE-2020-16971 Azure SDK for Java Security Feature Bypass Vulnerability False False 7.4 False

Browser Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 has_faq
CVE-2020-17153 Microsoft Edge for Android Spoofing Vulnerability False False 4.3 True
CVE-2020-17131 Chakra Scripting Engine Memory Corruption Vulnerability False False 4.2 False

Developer Tools Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 has_faq
CVE-2020-17148 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability False False 7.8 True
CVE-2020-17150 Visual Studio Code Remote Code Execution Vulnerability False False 7.8 False
CVE-2020-17156 Visual Studio Remote Code Execution Vulnerability False False 7.8 True
CVE-2020-17159 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability False False 7.8 False
CVE-2020-17002 Azure SDK for C Security Feature Bypass Vulnerability False False 7.4 False
CVE-2020-17135 Azure DevOps Server Spoofing Vulnerability False False 6.4 False
CVE-2020-17145 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability False False 5.4 False

ESU Windows Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 has_faq
CVE-2020-17140 Windows SMB Information Disclosure Vulnerability False False 8.1 True
CVE-2020-16958 Windows Backup Engine Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-16959 Windows Backup Engine Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-16960 Windows Backup Engine Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-16961 Windows Backup Engine Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-16962 Windows Backup Engine Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-16963 Windows Backup Engine Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-16964 Windows Backup Engine Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-17098 Windows GDI+ Information Disclosure Vulnerability False False 5.5 True

Exchange Server Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 has_faq
CVE-2020-17132 Microsoft Exchange Remote Code Execution Vulnerability False False 9.1 True
CVE-2020-17142 Microsoft Exchange Remote Code Execution Vulnerability False False 9.1 True
CVE-2020-17143 Microsoft Exchange Information Disclosure Vulnerability False False 8.8 True
CVE-2020-17141 Microsoft Exchange Remote Code Execution Vulnerability False False 8.4 True
CVE-2020-17144 Microsoft Exchange Remote Code Execution Vulnerability False False 8.4 True
CVE-2020-17117 Microsoft Exchange Remote Code Execution Vulnerability False False 6.6 False

Microsoft Dynamics Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 has_faq
CVE-2020-17152 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability False False 8.8 True
CVE-2020-17158 Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability False False 8.8 True
CVE-2020-17147 Dynamics CRM Webclient Cross-site Scripting Vulnerability False False 8.7 True
CVE-2020-17133 Microsoft Dynamics Business Central/NAV Information Disclosure False False 6.5 True

Microsoft Office Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 has_faq
CVE-2020-17121 Microsoft SharePoint Remote Code Execution Vulnerability False False 8.8 True
CVE-2020-17118 Microsoft SharePoint Remote Code Execution Vulnerability False False 8.1 False
CVE-2020-17115 Microsoft SharePoint Spoofing Vulnerability False False 8 True
CVE-2020-17122 Microsoft Excel Remote Code Execution Vulnerability False False 7.8 True
CVE-2020-17123 Microsoft Excel Remote Code Execution Vulnerability False False 7.8 True
CVE-2020-17124 Microsoft PowerPoint Remote Code Execution Vulnerability False False 7.8 True
CVE-2020-17125 Microsoft Excel Remote Code Execution Vulnerability False False 7.8 True
CVE-2020-17127 Microsoft Excel Remote Code Execution Vulnerability False False 7.8 True
CVE-2020-17128 Microsoft Excel Remote Code Execution Vulnerability False False 7.8 True
CVE-2020-17129 Microsoft Excel Remote Code Execution Vulnerability False False 7.8 True
CVE-2020-17089 Microsoft SharePoint Elevation of Privilege Vulnerability False False 7.1 False
CVE-2020-17119 Microsoft Outlook Information Disclosure Vulnerability False False 6.5 True
CVE-2020-17130 Microsoft Excel Security Feature Bypass Vulnerability False False 6.5 True
CVE-2020-17126 Microsoft Excel Information Disclosure Vulnerability False False 5.5 True
CVE-2020-17120 Microsoft SharePoint Information Disclosure Vulnerability False False 5.3 True

Windows Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 has_faq
CVE-2020-17095 Hyper-V Remote Code Execution Vulnerability False False 8.5 True
CVE-2020-17092 Windows Network Connections Service Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-17134 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-17136 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-17137 DirectX Graphics Kernel Elevation of Privilege Vulnerability False False 7.8 False
CVE-2020-17139 Windows Overlay Filter Security Feature Bypass Vulnerability False False 7.8 False
CVE-2020-17096 Windows NTFS Remote Code Execution Vulnerability False False 7.5 True
CVE-2020-17103 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability False False 7 False
CVE-2020-17099 Windows Lock Screen Security Feature Bypass Vulnerability False False 6.8 True
CVE-2020-16996 Kerberos Security Feature Bypass Vulnerability False False 6.5 True
CVE-2020-17094 Windows Error Reporting Information Disclosure Vulnerability False False 5.5 True
CVE-2020-17138 Windows Error Reporting Information Disclosure Vulnerability False False 5.5 True
CVE-2020-17097 Windows Digital Media Receiver Elevation of Privilege Vulnerability False False 3.3 False

Summary Graphs

Patch Tuesday - December 2020
Patch Tuesday - December 2020
Patch Tuesday - December 2020
Patch Tuesday - December 2020

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Patreon

Original Source