Microsoft Fixes 58 CVEs for December Patch Tuesday

The last Patch Tuesday of 2020 brings fixes for Critical vulnerabilities in Microsoft SharePoint and Exchange.

Microsoft today released its final Patch Tuesday fixes of the year, addressing 58 CVEs and one advisory. December's rollout brings the company to more than 1,200 CVEs patched in 2020.

The last Patch Tuesday of the year is typically lighter, and this month is no exception. Apart from January, February, and October, Microsoft patched at least 110 vulnerabilities per month in 2020. While December's release is smaller, it's worth taking a close look at some of these bugs.

Nine of the 58 vulnerabilities are classified as critical; most are remote code execution (RCE) flaws with one memory corruption vulnerability. Forty-six are considered important, and three are moderate in severity. None are publicly known or are under attack at the time of writing.

The critical RCE vulnerabilities in SharePoint (CVE-2020-17121 and CVE-2020-17118) both require low attack complexity to exploit, Microsoft reports. The former requires an attacker to have low privileges but no user interaction, while the latter requires no privileges but requires user interaction for an attacker to succeed. Both are considered "exploitation more likely." 

"This meant Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability," says Jerry Gamblin, head of research at Kenna Security. "Moreover, Microsoft is aware of past instances of this type of vulnerability that may have been exploited," meaning security teams should give these two high priority.

CVE-2020-17121, if exploited, could allow an authenticated attacker to execute malicious .NET code on an affected server in the context of the SharePoint Web application service account, explains Dustin Childs, who handles communications for Trend Micro's Zero Day Initiative (ZDI), in a blog post. In its default configuration, he adds, authenticated SharePoint users can create sites that provide all permissions needed to launch an attack. 

The intruder would need valid user credentials for the target SharePoint site, notes Andrew Brandt, a principal researcher with SophosLabs Offensive Security, in a write-up on today's patches. 

"Gaining useful credentials is an impediment to casual attackers and prevents them from leveraging the bug without taking additional steps," he points out. Brandt notes this is a "logic" bug, which requires less effort to find and exploit compared with other types of flaws, such as memory corruption vulnerabilities.

Microsoft patched three critical RCE vulnerabilities in Microsoft Exchange (CVE-2020-17117, CVE-2020-17132, and CVE-2020-17142). Exchange is commonly used in both enterprise environments and small to midsize businesses, and it can hold vast amounts of sensitive and valuable information. 

CVE-2020-17132 requires high user privileges but no user interaction, and attack complexity is low, Microsoft reports. Childs points out this vulnerability is credited to multiple researchers, implying the flaw was "somewhat easy to find" and, as a result, others are also likely to find the root cause. If successful, an attacker could do some significant damage.

"Microsoft doesn't provide an attack scenario here but does note that the attacker needs be authenticated," Childs says. "This indicates that if you take over someone's mailbox, you can take over the entire Exchange server." Admins should prioritize Exchange test and deployment, he adds.

CVE-2020-17117 requires high attack complexity and high privileges but no user interaction. CVE-2020-17142 requires low complexity, high privileges, and no user interaction to exploit.

Another vulnerability worth noting is CVE-2020-17095, a critical RCE flaw in Hyper-V. To exploit it, an attacker could run a custom application on a Hyper-V guest and escalate privileges to the Hyper-V host when the host fails to validate vSMB packet data. The attack is complex, Microsoft says, but requires only low user privileges and no user interaction.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
