Microsoft December Patch Tuesday

Patch Tuesday Series
It is the last month of 2020, a tough year for everyone due to the new norm. So let's look at the last Patch Tuesday of 2020 and break it down to prioritize patching.

December has the second-lowest number of CVEs from Microsoft this year, with 58 CVEs released in total. That is a big relief for IT and security professionals given the overhead involved: identifying vulnerable assets, identifying critical assets impacted, patch testing, downtime, dependencies, regression testing, and the list goes on.

Another big relief is that none of the vulnerabilities has a public PoC or is being exploited in the wild - for now!



Microsoft has done something really strange by removing vulnerability details from the Patch Tuesday bulletin. Hope this will be fixed. Happy Patching!
So let's break them down. (Image courtesy: Rapid7, Tenable)
From an adversary's perspective, remote code execution takes priority, so let's patch those first. Among the RCEs, let's give more priority to the ones that are public-facing.

  1. Microsoft Exchange Remote Code Execution Vulnerabilities - CVE-2020-17144, CVE-2020-17141, CVE-2020-17117, CVE-2020-17132 and CVE-2020-17142
  2. Microsoft SharePoint Remote Code Execution Vulnerabilities - CVE-2020-17118, CVE-2020-17121
One important point here is that most of the vulns above were reported by external researchers, and some of them have a track record of disclosing a write-up or releasing a PoC after some time. Also, Microsoft has indicated that most of the above will be exploited, as per its exploitability assessment.

Up next, we have a DNS spoofing vulnerability dubbed SAD DNS (SAD - side channel attacked :)

Interestingly, this one doesn't have a CVE from Microsoft, which released a Security Advisory (ADV200013) instead. Researchers have published a proof-of-concept YouTube video demonstrating exploitation.
Microsoft has not released a patch for this and has documented a workaround at the link below:

https://msrc.microsoft.com/update-guide/vulnerability/ADV200013

In case you are wondering, this applies to DNS servers, not DNS clients. So don't worry too much about the workaround, but make sure to test it.

Finally, we have one more thing to prioritize, which is the NTFS RCE vulnerability - CVE-2020-17096. This one has a CVSS score of 7.5 and, as per Microsoft, a remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network and execute code on the target system, or a local attacker could run a specially crafted application that would elevate the attacker's privileges.
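The ordering described above (public-facing Exchange and SharePoint RCEs first, then the ADV200013 workaround on DNS servers, then the NTFS RCE) can be applied to an asset inventory, as in this added example, which is not part of the original post. The tier numbers, the SMBv2 split for the NTFS item, the inventory and the host names are assumptions made for illustration.

```python
from dataclasses import dataclass

# CVE and advisory IDs, and their grouping by product, are taken from the post.
RCE_BY_PRODUCT = {
    "Exchange": ["CVE-2020-17144", "CVE-2020-17141", "CVE-2020-17117",
                 "CVE-2020-17132", "CVE-2020-17142"],
    "SharePoint": ["CVE-2020-17118", "CVE-2020-17121"],
}
DNS_ADVISORY = "ADV200013"     # workaround only; DNS servers, not clients
NTFS_CVE = "CVE-2020-17096"    # remote via SMBv2, or local privilege elevation


@dataclass(frozen=True)
class Host:
    name: str
    roles: frozenset        # e.g. {"Exchange"} or {"DNS Server"}
    internet_facing: bool
    smbv2_reachable: bool   # SMBv2 reachable by other machines


def work_items(host):
    """Yield (tier, host name, id, action) for one host; lower tier = sooner."""
    for product, cves in RCE_BY_PRODUCT.items():
        if product in host.roles:
            tier = 1 if host.internet_facing else 2
            for cve in cves:
                yield (tier, host.name, cve, "patch")
    if "DNS Server" in host.roles:
        yield (3, host.name, DNS_ADVISORY, "test and apply workaround")
    # Assumption: every inventoried host is a Windows machine with NTFS volumes.
    yield (4 if host.smbv2_reachable else 5, host.name, NTFS_CVE, "patch")


def patch_queue(inventory):
    """Flatten all hosts' work items into one list sorted by tier, host, id."""
    return sorted(item for host in inventory for item in work_items(host))


# Constructed inventory for illustration; host names are hypothetical.
INVENTORY = [
    Host("fs01", frozenset(), False, True),
    Host("sp-intranet", frozenset({"SharePoint"}), False, False),
    Host("dns01", frozenset({"DNS Server"}), False, False),
    Host("mail-edge", frozenset({"Exchange"}), True, False),
]

if __name__ == "__main__":
    for tier, host, ident, action in patch_queue(INVENTORY):
        print(f"tier {tier}  {host:<12} {ident:<15} {action}")
```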

One more important vulnerability to track this month is the Apache Struts 2 vulnerability; yeah, the one that caused all the Equifax hype back in 2017. So far, there are no records of exploitation, but it is better to track and patch it since it is also an RCE.

https://cwiki.apache.org/confluence/display/WW/S2-...

And that's it for this month, Happy Patching and Happy holidays!