Microsoft December Patch Tuesday: fix 58 security vulnerabilities

by ·

On December 8, 2020, Microsoft officially released a risk notice for the December security update. This security update patches for 58 vulnerabilities, mainly covering the following components as Windows operating system, IE/Edge browser, ChakraCore, Office office suite, Exchange Server, Azure, Microsoft Dynamics, Visual Studio. These include 9 serious vulnerabilities and 46 high-risk vulnerabilities.
September Patch Tuesday

Vulnerability Detail

CVE-2020-17132 – Microsoft Exchange Remote Code Execution Vulnerability
This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.

CVE-2020-17121 – Microsoft SharePoint Remote Code Execution Vulnerability
Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack. Similar bugs patched earlier this year received quite a bit of attention. We suspect this one will, too.

CVE-2020-17095 – Hyper-V Remote Code Execution Vulnerability
This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release. However, if Microsoft is wrong about the attack complexity, this could rate as high as 9.9.

CVE-2020-16996 – Kerberos Security Feature Bypass Vulnerability
This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed. We do know this impacts Kerberos Resource-Based Constrained Delegation (RBCD), as Microsoft has released guidance on managing the deployment of RBCD/Protected User changes in a new KB article. This likely helps to protect against RBCD attacks such as the one detailed here. This patch adds the NonForwardableDelegation registry key to enable protection on Active Directory domain controller servers. This will be enforced in a future update in February. 

Solution

In this regard, we recommend that users upgrade the Windows operating system and related components to the latest version in time.

Tags: