Patch Tuesday – 12.2020

 In Guidance

Commentary on the December 2020 Patch Tuesday release:

December 2020 sees Microsoft address 58 CVEs, again a severe drop from the previous month, but on trend for the low volumes typically seen in December. As noted in November 2020, Microsoft drastically changed the format and background data provided for the vulnerabilities covered in the monthly release. That change removed the executive summaries for each vulnerability, which impairs consumers' ability to understand the underlying context:

    • 9 of the 58 patches are rated as Critical with 46 rated Important
    • None of the vulnerabilities were publicly disclosed
    • None of the vulnerabilities were observed in attacks in the wild


  • Vulnerabilities of interest:
    • CVE-2020-17132 – Microsoft Exchange – RCE / (CVSS:9.1):
      CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C – Microsoft no longer provides contextual details on vulnerabilities reported on Patch Tuesday, but has indicated that authenticated access to the server is needed in order to exploit this vulnerability. The safeguarding of administrator accounts is (and should always be) a focus for organisations when assessing their susceptibility to this attack.
    • CVE-2020-17095 – Hyper-V – RCE / (CVSS:8.5):
      CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C – A vulnerability exists in Microsoft's hypervisor that allows an attacker executing code within a guest OS to escape the guest and escalate to code execution on the host environment. It appears no heightened privileges are required within the guest OS to exploit this vulnerability. Although Microsoft has removed the detailed exploitation requirements from its advisories, it appears that exploitation from a Hyper-V guest is achieved by passing invalid vSMB packet data, with no special permissions required.
    • CVE-2020-16996 – Kerberos – SFB / (CVSS:6.5):
      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C – This patch corrects a security feature bypass (SFB) bug in Kerberos. It is unknown exactly which specific features are bypassed. It has been disclosed that this vulnerability impacts Kerberos' Resource-Based Constrained Delegation (RBCD), as Microsoft has released guidance on managing the deployment of the RBCD/Protected Users changes in a new KB article.
      NOTE: This patch adds the NonForwardableDelegation registry key to enable protection on Active Directory domain controllers – a mitigation for the Zerologon vulnerability reported in August 2020. This will be enforced from the February 2021 Patch Tuesday.


  • Other notable points:
    • Adobe and Microsoft end support for Adobe Flash Player in December 2020.
    • Microsoft reminds the community that several products have reached End of Support:
      • Windows Server version 1903
      • Windows 10 1903


  • Other Software Vendors aligning releases to coincide with Microsoft’s Patch Tuesday:
    • Adobe’s security updates are detailed here.
    • SAP security updates – here.
    • Intel security updates – here.
    • VMware security updates – here.
    • Chrome 87 security updates – here.
    • Android security updates – here.
