It is the final Patch Tuesday of 2020! We made it, everyone. It appears that Microsoft will continue its decision to limit the amount of information it releases, so we will once again be giving broad strokes. The good news: only 58 CVEs are getting patched this month, with nine listed as critical. Those are incredibly low numbers for this year, though about on par with previous years. The major systems getting patched this go-around appear to be Exchange and SharePoint.
Some highlights (or lowlights)
CVE-2020-17121: The highest CVSS score this month impacts SharePoint. This is a remote code execution bug. It allows an authenticated user to execute arbitrary code, and it works even when the account has only minimal privileges. If any of this month's bugs gets a name, this is a safe bet to be the one. With the new lockdown on information, will we still get named bugs? I suppose we will find out over time.
CVE-2020-17143: This is a highly rated vulnerability that impacts Microsoft Exchange. This one is also remote, but it differs from an attacker being able to execute harmful code; instead, they can take sensitive information. In that sense, it does not put your environment at the same risk as a bug that allows code execution. However, try telling your HR and Marketing people that personal data getting released is a lesser concern; I bet they disagree with you on that.
CVE-2020-17095: This one lets an attacker escalate privileges by executing code in a Hyper-V guest. It honestly seems like the only reason this one is not rated as the highest risk in this update cycle is the high complexity required to pull it off. The attack vector appears to be the network, specifically vSMB.
In review
On the surface, this looks like a banner patch cycle: a low number of vulnerabilities overall, nothing rated over a nine on CVSS, and very few considered critical. None of these were even previously known or actively being exploited! However, a few of them seem like they could be at risk of having their CVSS number spike. Many of the remote code execution vulnerabilities require no user interaction, just bare-minimum permissions. I recommend you get this tested in your lab and patched as soon as possible to be safe.