The December 2020 Security Update Review

December is upon us and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for December 2020

Adobe kicked off their December patch release with four CVEs fixed with updates for Adobe Prelude, Experience Manager, and Lightroom. The patch for Prelude fixes a Critical-rated uncontrolled search path vulnerability that could lead to remote code execution. The Experience Manager patch addresses a cross-site scripting (XSS) bug and an information disclosure bug caused by a blind server-side request forgery. The update for Lightroom addresses a Critical-rated uncontrolled search path element vulnerability that could lead to arbitrary code execution. None of these bugs are listed as publicly known or under active attack at the time of release.

Interestingly, Adobe also noted they will be releasing an update for Acrobat and Reader at some point this week. This blog will be updated once they do.

Update: The update for Acrobat and Reader was released on December 9, 2020. I fixes a single CVE that could lead to information disclosure.

Microsoft Patches for December 2020

For December, Microsoft released patches to correct 58 CVEs and one new advisory in Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere. December is historically a light month of patches from Microsoft and this remains true for 2020. It also brings their CVE total to 1,250 for the year. It will be interesting to see if these trends continue in 2021.

Of these 58 patches, nine are rated as Critical, 46 are rated as Important, and three are rated Moderate in severity. A total of six of these bugs came through the ZDI program. None of the bugs patched this month are listed as publicly known or under active attack at the time of release. Let’s begin take a closer look at some of the more severe bugs in this release, starting with the bug found by multiple researchers:

-       CVE-2020-17132 - Microsoft Exchange Remote Code Execution Vulnerability
This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.

-       CVE-2020-17121 - Microsoft SharePoint Remote Code Execution Vulnerability
Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack. Similar bugs patched earlier this year received quite a bit of attention. We suspect this one will, too.

-       CVE-2020-17095 - Hyper-V Remote Code Execution Vulnerability
This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release. However, if Microsoft is wrong about the attack complexity, this could rate as high as 9.9. 

-       CVE-2020-16996 - Kerberos Security Feature Bypass Vulnerability
This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed. We do know this impacts Kerberos Resource-Based Constrained Delegation (RBCD), as Microsoft has released guidance on managing the deployment of RBCD/Protected User changes in a new KB article. This likely helps to protect against RBCD attacks such as the one detailed here. This patch adds the NonForwardableDelegation registry key to enable protection on Active Directory domain controller servers. This will be enforced in a future update in February. 

Here’s the full list of CVEs released by Microsoft for December 2020. 

Looking at the remaining Critical-rated updates, only one (surprisingly) impacts the browser. That patch corrects a bug within the JIT compiler. By performing actions in JavaScript, an attacker can trigger a memory corruption condition, which leads to code execution. The lack of browser updates could also be a conscious decision by Microsoft to ensure a bad patch for a browser does not disrupt online shopping during the holiday season. There are two patches for Dynamics 365 for Finance and Operations (on-premises), but both are listed as post-authentication. There’s another SharePoint patch, and multiple additional Exchange patches. Interestingly, there are two Important-rated Exchanges patches that are documented as being identical to the Critical rated ones. They have the same CVSS score, same FAQs, and affected products. Be on the safe side and count those as Critical-rated bugs, too.

Moving on to the Important-rated updates, we find 10 Office bugs impacting Outlook, PowerPoint, and Excel. Most are Excel open-and-own types of bugs, although there is also an Excel SFB that requires a group policy to be set. While these types of bugs aren’t typically all that exciting, there are currently no updates for Office 2019 for Mac. If you’re using that edition, be extra vigilant about clicking links until the update arrives.

There are a surprising number of security feature bypass (SFB) bugs getting patched this month. In addition to those previously mentioned, the Azure SDK for both C and Java receive patches. Azure Sphere also gets an SFB fixed, although this should have been automatically applied to IoT devices running Sphere. You only need to take action on that one if your devices are isolated from the update service. There’s an SFB-related patch for the Windows Overlay Filter. There’s no information about it from Microsoft but given the researcher who found it, we’ll likely see some details soon. Perhaps the most interesting SFB this month is in the Windows lock screen. An attacker with physical access could bypass the lock screen of someone who had logged in and locked their session. I’m sure this bug will be a favorite for on-site red teams for years to come.

There are a handful of information disclosure bugs getting patched this month. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, there is a bug in the Windows Error Reporting service that could allow an attacker to read from the file system. The info disclosure bug in SharePoint could allow an attacker to view SQL table columns that are normally hidden. There’s a mysterious info disclosure bug being patched in Exchange. Microsoft simply states the information disclosed is “sensitive information.” With no further information to work with, assume a successful attacker could expose any email on the server.

The December release also contains a fair number of Elevation of Privilege (EoP) fixes. The majority of these are found in the Windows Backup Engine and the Cloud Files Mini Filter Driver. In most of these cases, an attacker would need to log in to a target system then run a specially crafted program to escalate privileges. There are a handful of spoofing bugs receiving fixes this month, but without a description, it’s difficult to guess what these might be. The release is rounded out by a Cross-Site Scripting (XSS) bug in Dynamics CRM Webclient.

Looking at the new advisory for December, ADV200013 provides guidance on a spoofing vulnerability in the DNS Resolver. While they provide no information on whether this is being exploited in the wild, they recommend limiting the UDP buffer size to 1221. Implementing this will cause larger DNS queries to switch to TCP, so it seems a relatively safe change to make. The other advisory for this month is the monthly revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The first Patch Tuesday for 2021 falls on January 12, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean! Merry Christmahanakwanzika!