M$ Patch Tuesday Nov 2020

November 2020 seems to be a pretty standard month any more for Microsoft patches coming in at 112 fixed vulnerabilities, with a number of RCEs. Additionally November does contain one zero day that is currently being actively exploited in the wild.

Among the worst this month are:

NFS CVE-2020-17051: Critical vulnerability in Windows Network File System (NFS) which affects ALL versions of Windows OS, does not require authentication or user interaction and comes in with a CVSS (Common Vulnerability Scoring System) of 9.8. In a blog post released by McAfee (https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-17051-remote-kernel-heap-overflow-in-nfsv3-windows-server/) researchers state that the vulnerability could potentially be wormable if NFS has been set up to allow for anonymous write access. Do not wait to patch this vuln

Windows Kernel CVE-2020-17087: only listed as important and not critical due to the attacker already needing low level user access on the system, this vulnerability would then allow privilege escalation to root level access. Don’t let the low CVSS hold you back from patching this Windows Kernel vuln though as it is a zero day being actively exploited, so that low permissions user becomes a key phishing target as the entry point in this attack, or paired with another unpatched vulnerability this CVE becomes very dangerous.

Exchange CVE-2020-17083 and CVE-2020-17084: Vulnerabilities in exchange that could be exploited by an end user opening a specially crafted email. Where MS categorizes this vulnerability as less likely to be exploited there is no reason to hold off on this patch, exploitation involves an end user click which is all too easy to acquire.

SharePoint CVE-2020-17061: To exploit this vulnerability the attacker would already need low level privilege. MS has routinely released RCE patches for SharePoint over the last few months so make sure to fine tune your SP patching process and use it often.

Teams CVE-2020-17091: This “One click RCE” was originally discovered and reported to MS back in September 2018 by Matt Austin. Due to MS lack of response in fixing this flaw Matt released a Proof of Concept in November 2019. It is believed that CVE-2020-17091 is finally the patch for this exploit.

Excel CVE-2020-17019, CVE-2020-17064, CVE-2020-17065, CVE-2020-17066: As with many MS Office vulnerabilities these CVEs do require end user interaction to exploit. Potentially embedded in Macros? Yeah why not. What was old is new again and Phishing end users with malicious Office docs continues to be a preferred attack vector because it works.

Print Spooler CVE-2020-17042: Coming in with a lack of details from MS on what exactly is involved in this vulnerability, but with a CVSS of 8.8 this CVE should be prioritized high to patch. Print spooler vulns have drawn a fair amount of interest from researchers recently so I expect to see exploit proof of concepts released soon.

Microsoft has also reworked how they will be displaying monthly patch information to more closely align with the CVSS. Initial look and I’m not a fan of this new strategy as it limits how much information is shared directly from MS in regards to each patch.

Take Away: Patch Em if you Got Em – Don’t wait

Krebs: https://krebsonsecurity.com/2020/11/patch-tuesday-november-2020-edition/
ZDNet: https://www.zdnet.com/article/microsoft-november-2020-patch-tuesday-arrives-with-fix-for-windows-zero-day/
Tenable: https://www.tenable.com/blog/microsoft-s-november-2020-patch-tuesday-addresses-112-cves-including-cve-2020-17087?mkt_tok=eyJpIjoiTkRWa1pUY3lNREV5T0RVeCIsInQiOiJ4cGhQb096UEh5QllBMVdvTEVQc1RhVXU1UVJWczhIVzAxU3g1VWduYWtkd1hGRXVGOHF2QXQwTFFraVYzQjJGaHhZQ3ZMelZsV3dkMFwveHZ3ZVR3cCtHSUdBUFR6SVBab0FCMFYyODg2V3hIYWJXdU82Q1lpT01pemFqU1Z2TFEifQ%3D%3D

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: