Exploits & Vulnerabilities
December Patch Tuesday Fixes Exchange, SMB
The last set of updates for the year includes 58 patches for the Microsoft Office suite.
Updated on 12/9/2020 02:37PM PST to include Trend Micro Deep Security and Vulnerability Protection rules.
The last set of updates for the year includes 58 patches for the Microsoft Office suite. Of the total number, nine have been rated Critical and 46 Important. A significant number of the updates fix gaps in MS Exchange that allow remote code execution (RCE) and information disclosure, as well as a server message block (SMB) gap that also allows information disclosure. No zero-days have been observed, though several vulnerabilities have been deemed likely to be abused. Six of the vulnerabilities fixed were reported by the Zero Day Initiative (ZDI). Considering the number of updates released this year, this month’s set of patches is one of the lightest since February.
Exchange server gaps
A total of six patches — three rated as Critical and three as Important — are designated as fixes for gaps in MS Exchange. CVE-2020-17117, CVE-2020-17132, CVE-2020-17142, CVE-2020-17141, and CVE-2020-17144 can be abused for RCE on the server due to the improper validation of cmdlet arguments, allowing the attacker to run arbitrary code on the system in the context of the authenticated user.
Meanwhile, CVE-2020-17143 can be abused for information disclosure because of how the server validates tokens while handling specific messages. If successfully exploited, an attacker can use it to gather sensitive information via specially crafted messages.
SMB information disclosure
CVE-2020-17140 is a Windows SMB information disclosure vulnerability wherein an authenticated attacker could open a specific file with a captured oplock lease and perform specific modifications to that file. If successful in a network-based attack, the attacker could read and collect the contents of kernel memory from a user-mode process.
Vulnerabilities likely for abuse
Several vulnerabilities are assessed as likely to be exploited by attackers for RCE, including CVE-2020-17144. Other critical gaps under observation are CVE-2020-17118 and CVE-2020-17121, found in SharePoint, as well as CVE-2020-17152 and CVE-2020-17158, found in Dynamics 365 for Finance and Operations on-premises, which an authenticated attacker posing as a user can abuse. CVE-2020-17096 is an NTFS vulnerability that allows an attacker with SMBv2 access to send specially crafted requests to an unpatched system over a network and execute code on that system. The attacker could then run a specially crafted application to elevate their privileges.
And while not applicable to remote workers during this period, employees should patch CVE-2020-17099 before going back to the office. This is a Lock Screen Feature Bypass gap: an attacker with physical access to a system on which the logged-in, authenticated user has locked their active session can perform actions that allow them to execute code from the lock screen using that user’s active session.
Trend Micro solutions
It is common for Microsoft to release a lighter load of patches every December. This release may be a welcome breather for system administrators and patch management teams; the sheer volume of patches in 2020 has likely placed significant pressure on teams and users to ensure all systems are maintained. A look at the year’s data shows that this month’s release is one of the few with fewer than a hundred updates. These teams have had to implement the necessary updates for in-office assets as well as for employees working remotely from the safety of their homes on company- and non-company-owned equipment. Despite the apparent lack of urgency in the absence of zero-day exploits, users are advised to download the updates as soon as possible to protect their machines from attacks that exploit these vulnerabilities.
Trend Micro™ Deep Security™ and Vulnerability Protection* protect users from exploits that target these vulnerabilities via the following rules:
- 1010649 - Microsoft Windows Exchange Memory Corruption Vulnerability (CVE-2020-17144)
- 1010655 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-17121)
- 1010652 - Microsoft Windows SMB2 Server Information Disclosure Vulnerability (CVE-2020-17140)*
- 1010653 - Microsoft Windows SMB2 Server Remote Code Execution Vulnerability (CVE-2020-17096)*
- 1010656 - Microsoft Dynamics 365 Commerce Remote Code Execution Vulnerabilities (CVE-2020-17152 and CVE-2020-17158)
*Vulnerability Protection available
Trend Micro™ TippingPoint™ protects customers through the following rules:
- 38547: HTTP: Microsoft Exchange Memory Corruption Vulnerability (CVE-2020-17144)
- 38557: SMB: Windows SMB NTLMSSP Buffer Overflow Vulnerability (CVE-2020-17096)
- 38566: HTTP: Microsoft SharePoint importWeb Content Migration Package (CMP) Request (CVE-2020-17121)
- 38568: HTTP: Dynamics365 Finance ServiceDataWrapper Insecure Deserialization Vulnerability (CVE-2020-17152)
- 38564: SMB: SMB2 Stream File Rename Usage (CVE-2020-17140)