Microsoft released the last patch cycle for 2020, and at first look it appears to be a light month by sheer volume, not severity. M$ released 58 fixes in December, well below what we’ve been used to seeing come out of Redmond each month. Even with the low number overall, 22 of the 58 are RCE (Remote Code Execution) vulnerabilities.
As mentioned last month, MS has unfortunately removed much of the detail about what exactly each vulnerability is, so we’ve hit the highlights of each below.
In my professional opinion, I rate Exchange as the highest risk with SharePoint as a close second due to the need for availability outside of network walls. Those patch breakdowns are as follows:
CVE-2020-17143 – “The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.” Attack complexity: low, privileges required: low, + no user interaction = patch immediately. A proof of concept is available for this CVE.
CVE-2020-17144 – “The vulnerability occurs due to improper validation of cmdlet arguments.” Attack complexity: low; user interaction is required to exploit. While this is not being publicly exploited right now, there is a proof of concept for this CVE, so time is of the essence to patch; don’t wait.
CVE-2020-17141 – “the attacker must be authenticated.” So prior successful harvesting of credentials or acquisition of an active session is a prerequisite to exploitation. A proof of concept is available.
CVE-2020-17117 – Not many details are available for this one at all. A proof of concept is available and no user interaction is required; however, attack complexity is high.
CVE-2020-17132 – “The vulnerability occurs due to improper validation of cmdlet arguments.” User authentication is required to exploit; however, once acquired, attack complexity is low and no user interaction is required.
CVE-2020-17142 – A different CVE, but a repeat of the details above for CVE-2020-17132.
Overall summary – Patch Exchange now
CVE-2020-17118 – MS rates this one as exploitation likely even though it is not currently being seen in the wild. A proof of concept is available. Attack complexity is rated as low; however, some sort of user interaction is required. It’s SharePoint, it’s an RCE, patch ASAP.
CVE-2020-17121 – “In a network-based attack an attacker can gain access to create a site and could execute code remotely within the kernel. The user would need to have privileges.” Attack complexity is rated as low, privileges required are low, and no user interaction is required, which makes this CVE concerning.
Other Patches to Note:
CVE-2020-17096 – “A local attacker could run a specially crafted application that would elevate the attacker’s privileges. A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network to exploit this vulnerability and execute code on the target system.” This CVE is not currently being exploited in the wild, but exploitation is likely even though a proof of concept does not exist.
Lastly, don’t forget Adobe Flash EOL is coming 12/31/2020; if it has not already been removed from all aspects of your network, there should be a plan in place, ready to execute.
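The triage shorthand used in the Exchange and SharePoint breakdowns above (low attack complexity, low privileges, no user interaction = patch immediately; a public proof of concept = don't wait) can be applied mechanically to CVSS v3 vector strings. This is an added example, not part of the original post; the `Finding` fields, the sample vectors and the "scheduled cycle" bucket are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    name: str              # label only; the sample rows below are constructed
    vector: str            # CVSS v3.x vector string from the advisory
    poc_public: bool       # a proof of concept is available
    internet_facing: bool  # service must be reachable from outside the network

def parse_vector(vector):
    """Split a CVSS v3.x vector into a metric dict, e.g. {'AC': 'L', ...}."""
    prefix, *parts = vector.split("/")
    if not prefix.startswith("CVSS:3"):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = dict(p.split(":", 1) for p in parts)
    missing = {"AC", "PR", "UI"} - metrics.keys()
    if missing:
        raise ValueError(f"missing {sorted(missing)} in {vector!r}")
    return metrics

def triage(f):
    m = parse_vector(f.vector)
    # Post's rule: low complexity + low privileges + no user interaction.
    # Treating PR:N like PR:L is an assumption (it is strictly easier).
    if m["AC"] == "L" and m["PR"] in ("N", "L") and m["UI"] == "N":
        return "patch immediately"
    # A public proof of concept shortens the window even with a prerequisite.
    if f.poc_public:
        return "patch ASAP"
    return "scheduled cycle"  # assumed bucket, not from the post

RANK = {"patch immediately": 0, "patch ASAP": 1, "scheduled cycle": 2}

def prioritise(findings):
    """Order by bucket, then externally reachable services first."""
    rows = [(f, triage(f)) for f in findings]
    rows.sort(key=lambda r: (RANK[r[1]], not r[0].internet_facing))
    return [(f.name, bucket) for f, bucket in rows]

SAMPLES = [  # constructed inputs, not real advisory data
    Finding("sample-C", "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", False, False),
    Finding("sample-B", "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", True, True),
    Finding("sample-D", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", False, False),
    Finding("sample-A", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", True, True),
]

if __name__ == "__main__":
    for name, bucket in prioritise(SAMPLES):
        print(f"{name}: {bucket}")
```

Feed it the vector strings from the vendor advisory for each CVE and set the two booleans from your own asset inventory; the ordering puts externally reachable services at the top of each bucket.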