This is the final Patch Tuesday of 2020, a year in which 100+ vulnerabilities were fixed in almost every month. As with many things in December, it is a little quieter. There were roughly half as many vulnerabilities this month, and none that have active attacks or require emergency patching; I am sure that comes as a relief to many of you as things start to wind down for the holidays.
All in all, there were only 58 total vulnerabilities listed as fixed in released updates, with 9 of them “Critical” and 46 as “Important”. As always, we will look at the “Critical” vulnerabilities and a few that are labeled as “Important” that may warrant some attention. There is only one each in the Operating Systems and Browser categories, and a few each in the usual suspects of Exchange and SharePoint, and two in Dynamics.
The only “Critical” in Operating Systems this month is CVE-2020-17095. It is a Hyper-V Remote Code Execution Vulnerability, of the kind we sometimes refer to as a Hyper-V escape vulnerability. According to Microsoft, an attacker could run an application on the guest operating system that would allow them to execute code on the host system. No user interaction is required. This type of attack could allow an attacker to move laterally throughout an environment once they got access to a guest VM on a host. This has a CVSS score of 8.5 but is listed as “Exploitation Less Likely” by Microsoft, and as of this writing there was only unproven exploit code.
The lone browser “Critical” is a Chakra Scripting Engine Memory Corruption Vulnerability, CVE-2020-17131. This vulnerability would require a user to interact with a malicious website. The vulnerability would grant the attacker full access to the target system. Microsoft lists this vulnerability as “Exploitation Less Likely”. It affects the “Edge-HTML” version of Microsoft Edge on all supported versions of Windows 10 including Server versions.
There are two “Critical” vulnerabilities in SharePoint this month, both with the title Microsoft SharePoint Remote Code Execution Vulnerability. They have slightly different descriptions but are similar in nature. CVE-2020-17118 is listed as “Exploitation More Likely” with a Low attack complexity, but with user interaction required to execute. According to Microsoft, there are no active attacks, but there is confirmed proof-of-concept code. CVE-2020-17121 is similar but requires no user interaction to execute. This vulnerability is only listed as “Unproven Proof-of-Concept” but is still listed as Exploitation More Likely. These vulnerabilities affect SharePoint Foundation 2010 and 2013, SharePoint Enterprise Server 2016, and SharePoint Server 2019.
There are three vulnerabilities in Exchange this month, all with the title Microsoft Exchange Remote Code Execution Vulnerability. They are all listed as “Exploitation Less Likely”. The first one, CVE-2020-17117, requires no user interaction and is listed as a network vulnerability. The next two have one of the highest CVSS scores this month, both at 9.1. CVE-2020-17132 and CVE-2020-17142 both would allow a remote attacker to run a specially crafted cmdlet to execute code on the Exchange server. The affected versions are Microsoft Exchange 2013, 2016, and 2019. This is especially concerning since on-premises Exchange servers are required to be visible on the network, meaning an attacker who could execute code on the Exchange server would likely have access to the rest of the target network. Even though it is listed as “Exploitation Less Likely”, I would give your on-premises Exchange server extra attention this month to ensure it is updated as soon as possible. For those running Microsoft 365, no worries, since Microsoft updates the environment themselves.
MICROSOFT DYNAMICS 365
There are two vulnerabilities with the title Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability this month, with the same description and details. CVE-2020-17152 and CVE-2020-17158 are remote code execution vulnerabilities that Microsoft has labeled “Exploitation More Likely”. In the description, they state that the attacker must be authenticated to exploit this vulnerability.
Important but needs attention
Vulnerabilities listed as “Important” are often the ones that bad actors exploit first, so my recommendation is to always treat the “Important” vulnerabilities with the same concern you treat the “Critical” ones. While we will not review every one here, there is one that stands out and deserves some attention. CVE-2020-17096 is a Windows NTFS Remote Code Execution Vulnerability that Microsoft lists as “Exploitation More Likely”, and it is assigned a CVSS score of 7.5. This is a vulnerability in SMBv2 that would allow a remote attacker to gain access to the system and execute code. SMB-related vulnerabilities are usually given special attention by bad actors because in many cases they can allow attackers to spread from system to system, so I would not be surprised if we see some attacks using this vulnerability soon.
The other vulnerabilities that need attention this month are mainly elevation of privilege vulnerabilities in operating systems, and several information disclosure vulnerabilities in Excel, PowerPoint, and Office products. There are also notable updates for Azure DevOps server and Visual Studio, for those that run developer tools.
From a priority standpoint, I recommend focusing first on the on-premises Exchange servers under your management, then turning to your SharePoint installations. After that, give special attention to any Internet-facing systems for the SMBv2 vulnerability, and then get those Hyper-V servers patched. Desktops and Office products can be patched on their regular patch schedule.
As a side note, we are approaching the end of the first year of the Extended Security Updates (ESU) program for Windows 7 and Windows Server 2008 R2. This month there was only one ESU update, but this year there have been numerous fixes for these operating systems you will only get if you have an ESU agreement. There are two years left on the ESU support schedule, but the new year is a great time to look at those older operating systems and investigate moving to a supported operating system that gets updates without additional support agreements required.
As I mentioned before, this year has had one of the highest vulnerability counts I have seen since I started reviewing the patch releases some years ago. This is likely due to the additional attention vulnerabilities have been getting from the increasing number of research teams that participate in vulnerability research programs like Microsoft’s. This is a good thing, as discovering and patching them early greatly reduces the risk to environments that maintain a good patch schedule. And with the increasing complexity and volume of attacks we have seen this year, defenders need all the help they can get.
To all of you who focus on keeping your customers and end-users safe, I wish you a happy holiday season! I hope to see you again in the new year, and stay safe out there!
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd