Microsoft today released its final Patch Tuesday fixes of the year, addressing 58 CVEs and one advisory. December's rollout brings the company to more than 1,200 CVEs patched in 2020.
The last Patch Tuesday of the year is typically lighter, and this month is no exception. With the exception of January, February, and October, Microsoft patched at least 110 vulnerabilities per month in 2020. While December is smaller, it's worth taking a close look at some of these bugs.
Nine of the 58 vulnerabilities are classified as critical; most are remote code execution (RCE) flaws, and one is a memory corruption vulnerability. Forty-six are considered important, and three are moderate in severity. None are publicly known or under attack at the time of writing.
The critical RCE vulnerabilities in SharePoint (CVE-2020-17121 and CVE-2020-17118) both require low attack complexity to exploit, Microsoft reports. The former requires an attacker to have low privileges but no user interaction, while the latter requires no privileges but requires user interaction for an attacker to succeed. Both are considered "exploitation more likely."
"This meant Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability," says Jerry Gamblin, head of research at Kenna Security. "Moreover, Microsoft is aware of past instances of this type of vulnerability that may have been exploited," meaning security teams should give these two high priority.
CVE-2020-17121, if exploited, could allow an authenticated attacker to execute malicious .NET code on an affected server in the context of the SharePoint Web application service account, explains Dustin Childs, who handles communications for Trend Micro's Zero Day Initiative (ZDI), in a blog post. In its default configuration, he adds, authenticated SharePoint users can create sites that provide all permissions needed to launch an attack.
The intruder would need valid user credentials for the target SharePoint site, notes Andrew Brandt, a principal researcher with SophosLabs Offensive Security, in a write-up on today's patches.
"Gaining useful credentials is an impediment to casual attackers and prevents them from leveraging the bug without taking additional steps," he points out. Brandt notes this is a "logic" bug, which requires less effort to find and exploit compared with other types of flaws, such as memory corruption vulnerabilities.
Microsoft patched three critical RCE vulnerabilities in Microsoft Exchange (CVE-2020-17117, CVE-2020-17132, and CVE-2020-17142). Exchange is commonly used in both enterprise environments and small to midsize businesses, and it can hold vast amounts of sensitive and valuable information.
CVE-2020-17132 requires high user privileges but no user interaction and low complexity for an attacker to exploit it, Microsoft reports. Childs points out this vulnerability is credited to multiple researchers, implying the flaw was "somewhat easy to find" and, as a result, others are also likely to find the root cause. If successful, an attacker could do some significant damage.
"Microsoft doesn't provide an attack scenario here but does note that the attacker needs to be authenticated," Childs says. "This indicates that if you take over someone's mailbox, you can take over the entire Exchange server." Admins should prioritize Exchange test and deployment, he adds.
CVE-2020-17117 requires high attack complexity and high privileges but no user interaction. CVE-2020-17142 requires low complexity, high privileges, and no user interaction to exploit.
Another vulnerability worth noting is CVE-2020-17095, a critical RCE flaw in Hyper-V. To exploit it, an attacker could run a custom application on a Hyper-V guest and escalate privileges to the Hyper-V host, which fails to validate vSMB packet data. The attack is complex, Microsoft says, but requires only low user privileges and no user interaction.