Patch Tuesday Update - November 2020

November 11, 2020 | 4 min read | Security Posture

Patch Tuesday Advisory (November 2020): Can we say Remote Code Execution?

After a light October, it’s back to business as usual with 112 vulnerabilities patched, up from a paltry 87 last month. The big story for November, however, is on the urgent end of the spectrum: there are 17 critical and 24 Remote Code Execution (RCE) bugs, including one being actively exploited in the wild.

The actively exploited vulnerability we speak of is CVE-2020-17087, a Windows Kernel Local Elevation of Privilege vulnerability that exists on all currently supported Windows versions. Last week, the bug was reported by Google Project Zero, which discovered that the flaw was being exploited in the wild alongside a Google Chrome zero-day (CVE-2020-15999) – which had been patched on October 20. Attackers would use the Chrome zero-day to run malicious code inside Chrome and then chain together the Windows zero-day to escape the Chrome security sandbox and elevate privileges to attack Windows.

Exploiting it does require an attacker to have physical access to the unpatched machines, so Microsoft has rated this vulnerability as “important”.

Next up (and arguably just as important), we have CVE-2020-17051, which is an RCE vulnerability found in the Windows Network File System (NFS), and the first known vulnerability for NFSv3. With a CVSS score of 9.8, it’s about as critical as it can get. This vulnerability can be exploited to cause an immediate BSOD (Blue Screen of Death) within the nfssvr.sys driver. Microsoft notes this vulnerability has low attack complexity and requires no user interaction in order to be exploited.

Among the other high-profile RCEs are a vulnerability in Microsoft Exchange Server (CVE-2020-17084) and a feature bypass flaw in Windows Hyper-V (CVE-2020-17040). Other RCE flaws exist in Excel, SharePoint, GDI+, Teams, and Windows Print Spooler (yes, the print spooler again!). Microsoft also patched a number of other critical OS and software vulnerabilities, notably in the Chakra scripting engine, Internet Explorer, and Azure Sphere.

All affected software this month:

  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Internet Explorer
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Edge (Chromium-based)
  • ChakraCore
  • Microsoft Exchange Server
  • Microsoft Dynamics
  • Microsoft Windows Codecs Library
  • Azure Sphere
  • Windows Defender
  • Microsoft Teams
  • Azure SDK
  • Azure DevOps
  • Visual Studio

For more information or to access the security updates, see
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Nov

To view the list of affected assets for a specific CVE in your Balbix dashboard:

Enter the CVE in the Search field and hit Enter. Balbix automatically prioritizes the search results for remediation. You can also use the filtered search functionality to search for the CVE by site, subnet, location, or other distinguishing factors.

If you have additional questions, please contact support@balbix.com.
