The December 2020 Security Update Review

December 08, 2020 | Dustin Childs

December is upon us and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for December 2020

Adobe kicked off their December patch release with four CVEs fixed with updates for Adobe Prelude, Experience Manager, and Lightroom. The patch for Prelude fixes a Critical-rated uncontrolled search path vulnerability that could lead to remote code execution. The Experience Manager patch addresses a cross-site scripting (XSS) bug and an information disclosure bug caused by a blind server-side request forgery. The update for Lightroom addresses a Critical-rated uncontrolled search path element vulnerability that could lead to arbitrary code execution. None of these bugs are listed as publicly known or under active attack at the time of release.

Interestingly, Adobe also noted they will be releasing an update for Acrobat and Reader at some point this week. This blog will be updated once they do.

Update: The update for Acrobat and Reader was released on December 9, 2020. It fixes a single CVE that could lead to information disclosure.

Microsoft Patches for December 2020

For December, Microsoft released patches to correct 58 CVEs and one new advisory in Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere. December is historically a light month of patches from Microsoft and this remains true for 2020. It also brings their CVE total to 1,250 for the year. It will be interesting to see if these trends continue in 2021.

Of these 58 patches, nine are rated as Critical, 46 are rated as Important, and three are rated Moderate in severity. A total of six of these bugs came through the ZDI program. None of the bugs patched this month are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more severe bugs in this release, starting with the bug found by multiple researchers:

- CVE-2020-17132 - Microsoft Exchange Remote Code Execution Vulnerability
This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs to be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.

- CVE-2020-17121 - Microsoft SharePoint Remote Code Execution Vulnerability
Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack. Similar bugs patched earlier this year received quite a bit of attention. We suspect this one will, too.

- CVE-2020-17095 - Hyper-V Remote Code Execution Vulnerability
This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release. However, if Microsoft is wrong about the attack complexity, this could rate as high as 9.9. 

- CVE-2020-16996 - Kerberos Security Feature Bypass Vulnerability
This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed. We do know this impacts Kerberos Resource-Based Constrained Delegation (RBCD), as Microsoft has released guidance on managing the deployment of RBCD/Protected User changes in a new KB article. This likely helps to protect against RBCD attacks such as the one detailed here. This patch adds the NonForwardableDelegation registry key to enable protection on Active Directory domain controller servers. This will be enforced in a future update in February. 

Here’s the full list of CVEs released by Microsoft for December 2020. 

CVE | Title | Severity | Public | Exploited | Type
CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | RCE
CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | Important | No | No | Spoof
CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability | Important | No | No | Spoof
CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability | Important | No | No | XSS
CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important | No | No | Info
CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability | Moderate | No | No | SFB
CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability | Moderate | No | No | Spoof
CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability | Moderate | No | No | Spoof

Looking at the remaining Critical-rated updates, only one (surprisingly) impacts the browser. That patch corrects a bug within the JIT compiler. By performing actions in JavaScript, an attacker can trigger a memory corruption condition, which leads to code execution. The lack of browser updates could also be a conscious decision by Microsoft to ensure a bad patch for a browser does not disrupt online shopping during the holiday season. There are two patches for Dynamics 365 for Finance and Operations (on-premises), but both are listed as post-authentication. There’s another SharePoint patch, and multiple additional Exchange patches. Interestingly, there are two Important-rated Exchange patches that are documented as being identical to the Critical-rated ones. They have the same CVSS score, same FAQs, and affected products. Be on the safe side and count those as Critical-rated bugs, too.

Moving on to the Important-rated updates, we find 10 Office bugs impacting Outlook, PowerPoint, and Excel. Most are Excel open-and-own types of bugs, although there is also an Excel SFB that requires a group policy to be set. While these types of bugs aren’t typically all that exciting, there are currently no updates for Office 2019 for Mac. If you’re using that edition, be extra vigilant about clicking links until the update arrives.

There are a surprising number of security feature bypass (SFB) bugs getting patched this month. In addition to those previously mentioned, the Azure SDK for both C and Java receive patches. Azure Sphere also gets an SFB fixed, although this should have been automatically applied to IoT devices running Sphere. You only need to take action on that one if your devices are isolated from the update service. There’s an SFB-related patch for the Windows Overlay Filter. There’s no information about it from Microsoft but given the researcher who found it, we’ll likely see some details soon. Perhaps the most interesting SFB this month is in the Windows lock screen. An attacker with physical access could bypass the lock screen of someone who had logged in and locked their session. I’m sure this bug will be a favorite for on-site red teams for years to come.

There are a handful of information disclosure bugs getting patched this month. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, there is a bug in the Windows Error Reporting service that could allow an attacker to read from the file system. The info disclosure bug in SharePoint could allow an attacker to view SQL table columns that are normally hidden. There’s a mysterious info disclosure bug being patched in Exchange. Microsoft simply states the information disclosed is “sensitive information.” With no further information to work with, assume a successful attacker could expose any email on the server.

The December release also contains a fair number of Elevation of Privilege (EoP) fixes. The majority of these are found in the Windows Backup Engine and the Cloud Files Mini Filter Driver. In most of these cases, an attacker would need to log in to a target system then run a specially crafted program to escalate privileges. There are a handful of spoofing bugs receiving fixes this month, but without a description, it’s difficult to guess what these might be. The release is rounded out by a Cross-Site Scripting (XSS) bug in Dynamics CRM Webclient.

Looking at the new advisory for December, ADV200013 provides guidance on a spoofing vulnerability in the DNS Resolver. While they provide no information on whether this is being exploited in the wild, they recommend limiting the UDP buffer size to 1221. Implementing this will cause larger DNS queries to switch to TCP, so it seems a relatively safe change to make. The other advisory for this month is the monthly revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.
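The effect of the ADV200013 buffer limit, as an added example (not code from the advisory or from Microsoft): a server that caps UDP replies at 1221 bytes marks anything larger as truncated, and the client repeats the query over TCP. The function names and the sample query for example.com are constructed for illustration; only the 1221 value comes from this page.

```python
import struct

SERVER_UDP_CAP = 1221      # buffer size recommended in ADV200013 (value from the page)
CLASSIC_UDP_LIMIT = 512    # DNS limit when the client sends no EDNS0 OPT record
TC_FLAG = 0x0200           # "truncated" bit in the DNS header flags word
OPT_TYPE = 41              # EDNS0 pseudo-record type (RFC 6891)

def build_query(name, advertised=None, txid=0x1234):
    """Build a constructed A query; with `advertised`, append an EDNS0 OPT record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if advertised else 0)
    msg = header + qname + struct.pack("!HH", 1, 1)
    if advertised:
        # root name, TYPE=OPT, CLASS=advertised UDP size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, advertised, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def advertised_udp_size(query):
    """Extract the client's EDNS0 UDP payload size, or 512 if no OPT record."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == OPT_TYPE:
            return max(rclass, CLASSIC_UDP_LIMIT)
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT

def transport_for(query, response_len, server_cap=SERVER_UDP_CAP):
    """Decide how a reply of `response_len` bytes reaches the client."""
    limit = min(advertised_udp_size(query), server_cap)
    if response_len <= limit:
        return ("udp", limit)
    return ("tcp-retry", limit)   # server sets TC; client repeats the query over TCP

def truncated_header(query):
    """Header of the truncated UDP reply: same ID, QR and TC set, no answers."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HHHHHH", txid, flags | 0x8000 | TC_FLAG, 1, 0, 0, 0)
```

Passing `server_cap=4096` to `transport_for` shows the behaviour before the change, where the same 1500-byte reply would still go out over UDP.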

Looking Ahead

The first Patch Tuesday for 2021 falls on January 12, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean! Merry Christmahanakwanzika!