Dark Reading is part of the Informa Tech Division of Informa PLC


12/8/2020
04:45 PM

Microsoft Fixes 58 CVEs for December Patch Tuesday

The last Patch Tuesday of 2020 brings fixes for Critical vulnerabilities in Microsoft SharePoint and Exchange.

Microsoft today released its final Patch Tuesday fixes of the year, addressing 58 CVEs and one advisory. December's rollout brings the company to more than 1,200 CVEs patched in 2020.

The last Patch Tuesday of the year is typically lighter, and this month is no exception. With the exception of January, February, and October, Microsoft patched at least 110 vulnerabilities per month in 2020. While December is smaller, it's worth taking a close look at some of these bugs.

Nine of the 58 vulnerabilities are classified as critical; most of these are remote code execution (RCE) flaws, along with one memory corruption vulnerability. Forty-six are considered important, and three are moderate in severity. None are publicly known or under attack at the time of writing.

The critical RCE vulnerabilities in SharePoint (CVE-2020-17121 and CVE-2020-17118) both require low attack complexity to exploit, Microsoft reports. The former requires an attacker to have low privileges but no user interaction, while the latter requires no privileges but requires user interaction for an attacker to succeed. Both are considered "exploitation more likely." 

"This meant Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability," says Jerry Gamblin, head of research at Kenna Security. "Moreover, Microsoft is aware of past instances of this type of vulnerability that may have been exploited," meaning security teams should give these two high priority.

CVE-2020-17121, if exploited, could allow an authenticated attacker to execute malicious .NET code on an affected server in the context of the SharePoint Web application service account, explains Dustin Childs, who handles communications for Trend Micro's Zero Day Initiative (ZDI), in a blog post. In its default configuration, he adds, authenticated SharePoint users can create sites that provide all permissions needed to launch an attack. 

The intruder would need valid user credentials for the target SharePoint site, notes Andrew Brandt, a principal researcher with SophosLabs Offensive Security, in a write-up on today's patches. 

"Gaining useful credentials is an impediment to casual attackers and prevents them from leveraging the bug without taking additional steps," he points out. Brandt notes this is a "logic" bug, which requires less effort to find and exploit compared with other types of flaws, such as memory corruption vulnerabilities.

Microsoft patched three critical RCE vulnerabilities in Microsoft Exchange (CVE-2020-17117, CVE-2020-17132, and CVE-2020-17142). Exchange is commonly used in both enterprise environments and small to midsize businesses, and it can hold vast amounts of sensitive and valuable information. 

CVE-2020-17132 requires high user privileges but no user interaction, and is low in complexity to exploit, Microsoft reports. Childs points out this vulnerability is credited to multiple researchers, implying the flaw was "somewhat easy to find" and, as a result, others are also likely to find the root cause. If successful, an attacker could do some significant damage.

"Microsoft doesn't provide an attack scenario here but does note that the attacker needs to be authenticated," Childs says. "This indicates that if you take over someone's mailbox, you can take over the entire Exchange server." Admins should prioritize Exchange test and deployment, he adds.

CVE-2020-17117 requires high attack complexity and high privileges but no user interaction. CVE-2020-17142 requires low complexity, high privileges, and no user interaction to exploit.

Another vulnerability worth noting is CVE-2020-17095, a critical RCE flaw in Hyper-V. To exploit this, an attacker could run a custom application on a Hyper-V guest and escalate privileges to the Hyper-V host when it fails to validate vSMB packet data. The attack is complex, Microsoft says, but requires low user privileges and no user interaction.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 
