Patch Tuesday - December 2020

2020-12-08T21:36:27
ID RAPID7BLOG:99D9180FBF3F900ADB0CDC5EF79EC080
Type rapid7blog
Reporter Richard Tsang
Modified 2020-12-08T21:36:27

Description

Patch Tuesday - December 2020

We close off our 2020 year of Patch Tuesdays with 58 vulnerabilities being addressed. While it's a higher count than our typical December months (high thirties), it's still a nice breath of fresh air given how the past year has been. We do, however, get to celebrate that none of the reported vulnerabilities covered this month has been publicly exploited nor previously publicly disclosed and only 9 of the 58 vulnerabilities have been marked as Critical by Microsoft.

In terms of actionables, standard procedures can be followed here in terms of how to prioritize which sets of patches to apply first with two exceptions.

Microsoft Office vulnerabilities

A fair amount of remote code executions targeting Microsoft Excel are being patched up today and while none of them have the Preview Pane set as an attack vector, the volume of remote code execution vulnerabilities pertaining to Microsoft Office this month may suggest a slight re-jig of priorities. That's our first (minor) exception.

The next exception is likely the most notable piece behind this December 2020 Patch Tuesday: Microsoft Exchange Server.

Microsoft Exchange Server vulnerabilities

While there are a total of six vulnerabilities from Microsoft Exchange Server this month, two of them garner a CVSS score of 9.1 (CVE-2020-17132, CVE-2020-17142) and one is noted by Microsoft has having a higher chance of exploitability (CVE-2020-17144). These three warrant an additional examination and may be grounds for prioritizing patching.

There is currently suspicion that CVE-2020-17132 helps address the patch bypass of CVE-2020-16875 (CVSS 8.4) from September 2020. As well, both CVE-2020-17132 and CVE-2020-17142 are remote code execution vulnerabilities occurring due to improper validation of cmdlet arguments that affect all supported (as of writing) versions of Microsoft Exchange. One important note to consider is while these vulnerabilities have received a CVSS score of 9.1 and do not require additional user interaction, an attacker must be in an authenticated role in order to exploit this vulnerability.

In contrast, CVE-2020-17144 which is another remote code execution vulnerability also stemming from improper validation for cmdlet arguments, this one only affects Exchange Server 2010 SP3 and does require additional user interaction to successfully execute. This is extra interesting as Microsoft Exchange Server 2010 passed end of life back on October 22, 2020. The introduction of this post-EOL patch for Microsoft Exchange Server 2010 coupled with Microsoft noting this vulnerability to be more likely exploitable does suggest prioritizing this patch a bit earlier.

New Summary Tables

In an attempt to provide a bit more summarizing tables, here are this month's patched vulnerabilities split by the product family.

Azure Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq
---|---|---|---|---|---
CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability | False | False | 7.4 | True
CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability | False | False | 7.4 | False

Browser Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq
---|---|---|---|---|---
CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability | False | False | 4.3 | True
CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | False | False | 4.2 | False

Developer Tools Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq
---|---|---|---|---|---
CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | False | False | 7.8 | True
CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability | False | False | 7.8 | False
CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability | False | False | 7.8 | True
CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | False | False | 7.8 | False
CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability | False | False | 7.4 | False
CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability | False | False | 6.4 | False
CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | False | False | 5.4 | False

ESU Windows Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq
---|---|---|---|---|---
CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability | False | False | 8.1 | True
CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability | False | False | 5.5 | True

Exchange Server Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq
---|---|---|---|---|---
CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 9.1 | True
CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 9.1 | True
CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability | False | False | 8.8 | True
CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 8.4 | True
CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 8.4 | True
CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 6.6 | False

Microsoft Dynamics Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq
---|---|---|---|---|---
CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | False | False | 8.8 | True
CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | False | False | 8.8 | True
CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability | False | False | 8.7 | True
CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure | False | False | 6.5 | True

Microsoft Office Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq
---|---|---|---|---|---
CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | False | False | 8.8 | True
CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability | False | False | 8.1 | False
CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability | False | False | 8 | True
CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True
CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True
CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability | False | False | 7.8 | True
CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True
CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True
CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True
CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True
CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability | False | False | 7.1 | False
CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability | False | False | 6.5 | True
CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability | False | False | 6.5 | True
CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability | False | False | 5.5 | True
CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability | False | False | 5.3 | True

Windows Vulnerabilities

CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq
---|---|---|---|---|---
CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | False | False | 8.5 | True
CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | False | False | 7.8 | False
CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability | False | False | 7.8 | False
CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability | False | False | 7.5 | True
CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7 | False
CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability | False | False | 6.8 | True
CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability | False | False | 6.5 | True
CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability | False | False | 5.5 | True
CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability | False | False | 5.5 | True
CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | False | False | 3.3 | False

Summary Graphs

Patch Tuesday - December 2020Patch Tuesday - December 2020Patch Tuesday - December 2020Patch Tuesday - December 2020