Patch Tuesday – 12.2020
Commentary on the December 2020 Patch Tuesday release:
December 2020 sees Microsoft address 58 CVEs, again a severe drop from the previous month, but on trend for the low volumes seen in previous Decembers. As noted in November 2020, Microsoft drastically changed the format and background data on the vulnerabilities covered by the monthly release. In particular, the removal of executive summaries on vulnerabilities impairs consumers' ability to understand the underlying context:
- 9 of the 58 patches are rated as Critical with 46 rated Important
- None of the vulnerabilities were publicly disclosed prior to release
- None of the vulnerabilities were observed in attacks in the wild
- Vulnerabilities of interest:
- CVE-2020-17132 – Microsoft Exchange – RCE / (CVSS:9.1):
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C – Microsoft no longer provides contextual details on vulnerabilities reported on Patch Tuesday, but has indicated that authenticated access to the server is needed in order to exploit this vulnerability. The safeguarding of administrator accounts is (and should always be) a focus for organisations when assessing susceptibility to this attack.
- CVE-2020-17095 – Hyper-V – RCE / (CVSS:8.5):
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C – A vulnerability exists in Microsoft's hypervisor that allows an attacker with code execution inside a guest OS to escape the guest and execute code on the host environment. It appears no heightened privileges are required within the guest OS to exploit this vulnerability. Although Microsoft has removed the exploitation details it used to publish, it appears that exploitation from a Hyper-V guest is achieved by passing invalid vSMB packet data, with no special permissions required.
- CVE-2020-16996 – Kerberos – SFB / (CVSS:6.5):
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C – This patch corrects a security feature bypass (SFB) bug in Kerberos. It is unknown exactly which specific features are bypassed. It has been disclosed that this vulnerability impacts Kerberos' Resource-Based Constrained Delegation (RBCD), as Microsoft has released guidance on managing the deployment of the RBCD/Protected Users changes in a new KB article.
NOTE: This patch adds the NonForwardableDelegation registry key to enable protection on Active Directory domain controller servers – a mitigation from the Zerologon vulnerability reported in August 2020. This will be enforced during Patch Tuesday February 2021.
- Other notable points:
- Adobe and Microsoft end support for Adobe Flash Player in December 2020.
- Adobe’s guidance on this can be found here – Microsoft ends support for Adobe Flash Player
- Microsoft reminds the community that several products have reached End of Support:
- Windows Server version 1903
- Windows 10 1903
- Other Software Vendors aligning releases to coincide with Microsoft’s Patch Tuesday: