A light December 2020 Patch Tuesday for a no-stress end of the year

On this December 2020 Patch Tuesday:

• Microsoft has plugged 58 CVEs
• Adobe has delivered security updates for Lightroom, Experience Manager, and Prelude, and has announced that updates for Acrobat and Reader will be released sometimes this week
• SAP has released and updated 13 security notes

Microsoft’s updates

As expected, Microsoft fixed a smaller-than-usual number of CVEs on this December 2020 Patch Tuesday: 58 in total.

Nine of these are “critical,” 46 “important,” and three are of “moderate” severity, and none are actively exploited or publicly known at this moment.

Among the critical flaws are three affecting Microsoft Exchange, including CVE-2020-17132, which requires the attacker to be authenticated (i.e., to have the credentials to an email account), but then offers a path to taking over control of the Exchange mail server.

Satnam Narang, staff research engineer at Tenable, pointed out that CVE-2020-17132 addresses a patch bypass for CVE-2020-16875, which was reported and patched in September’s Patch Tuesday release. “However, Steven Seeley, the researcher who is credited with disclosing the vulnerability, was able to bypass that patch,” he added.

Trend Micro Zero Day Initiative’s Dustin Childs also pointed out that there are two Important-rated Exchange patches that are documented as being identical to the Critical rated ones. “They have the same CVSS score, same FAQs, and affected products. Be on the safe side and count those as Critical-rated bugs, too,” he said.

Two critical SharePoint RCE vulnerabilities have been fixed this month (as well as two important and two moderate ones), so those updates should also be prioritized.

“Sharepoint can be used like a watering hole inside large organizations by an attacker. All it takes is for a few weaponized documents to be placed for malicious code to spread across an organization,” noted Kevin Breen, Director of Cyber Threat Research at Immersive Labs.

Childs singled out CVE-2020-17095, a Hyper-V RCE flaw and CVE-2020-16996, a Kerberos security feature bypass vulnerability, as worthy of note (and patching), and noticed that “there are a surprising number of security feature bypass bugs getting patched this month” – in Azure SDK for C, Azure SDK for Java, Azure Sphere, Microsoft Excel, Windows Overlay Filter, and Windows Lock Screen.

Finally, it’s also worth mentioning CVE-2020-17123, an Excel flaw that could be triggered by a victim opening a malicious document (but not viewing it via the Preview Pane). Marcin ‘Icewall’ Noga of Cisco Talos and Hieu Bui Quang have been credited with its discovery, and Cisco has published more details about it.

Adobe’s updates

Adobe has pushed out security updates for Lightroom, Experience Manager, and Prelude, and a “prenotification” security advisory for Adobe Acrobat and Reader.

“Adobe is planning to release security updates for Adobe Acrobat and Reader for Windows and macOS  the week of  December 07, 2020,” the company said, so be on the lookout.     

The Adobe Lightroom update fixes a single, critical code execution flaw. The Adobe Experience Manager updates (and updates for the AEM Forms add-on package) plug two security holes, one of which is critical as it allows arbitrary JavaScript execution in the browser. The Adobe Prelude update fixes a flaw that could lead to arbitrary code execution.

None of vulnerabilities are under active attack.

SAP’s updates

For December 2020 Patch Tuesday, SAP released 11 security notes and updated two previously released ones.

The most critical patch is for a missing authentication check vulnerability in SAP NetWeaver AS JAVA (P2P Cluster Communication) that has a “perfect” CVSS score of 10.

“The Onapsis Research Labs has recently detected a series of different vulnerabilities in the Cluster Manager component of SAP NetWeaver AS JAVA. These vulnerabilities allow an unauthenticated attacker who is able to connect to the respective TCP ports to perform different privileged actions, such as installing new trusted SSO providers, changing database connection parameters, and gaining access to configuration information. Abusing some of these actions, an attacker may be able to gain full privileged access to the affected SAP system or perform a Denial-of-Service attack rendering the SAP system unusable,” Onapsis security researcher Thomas Fritsch has shared.

“SAP Security Note #2974774, tagged with a CVSS score of 10, patches the aforementioned vulnerabilities. The patch is not provided for all support package levels (…) The good news is that the note also provides a manual workaround that will prevent potential attackers from connecting to the P2P Server Socket port and from spying the communication between the cluster elements. This workaround can also be applied by customers running SAP NetWeaver AS JAVA on a support package level for which no patch is provided.”