Tuesday, December 8, 2020

Microsoft Patch Tuesday (Dec. 2020) — Snort rules and notable vulnerabilities

By Jon Munshaw, with contributions from Bill Largent. 

Microsoft released its monthly security update Tuesday, disclosing 58 vulnerabilities across its suite of products, the lowest number of vulnerabilities in any Patch Tuesday since January. 

Only 10 of the vulnerabilities in this release are critical, two are of moderate severity, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs.

The security updates cover several different products and services, including the SharePoint file-sharing service, the Windows Backup Engine and the Exchange mail server. 

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For complete details, check out the latest Snort advisory here.

One of the most serious vulnerabilities exists in SharePoint. CVE-2020-17118 is a vulnerability that could allow an adversary to execute remote code on the targeted machine. This bug has a CVSS score of 8.1 out of a possible 10, according to Microsoft. 

There is also a remote code execution vulnerability (CVE-2020-17096) in Windows NTFS. An adversary with SMBv2 access to the target system could exploit this by sending specially crafted requests over the network, gaining the ability to execute code on the target system. An attacker could also run a specially crafted application that could elevate their privileges on the target machine.

Microsoft Exchange also contains a critical vulnerability that could allow an adversary to remotely execute code. CVE-2020-17117 can be exploited without any user interaction, though Microsoft says it’s “less likely” to be exploited in the wild. 

Talos researchers also discovered a remote code execution bug in Excel that affects versions of the spreadsheet software back to 2010. For more on TALOS-2020-1153, check out our full Vulnerability Spotlight.

For a complete list of all the vulnerabilities Microsoft disclosed this month, check out its update page.

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 56554, 56557, 56558, 56560 - 56562 and 56564. 
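
After updating, it is worth confirming that the deployed rule file actually contains the SIDs listed above and that none of them are commented out. The following is an added example, not Talos or Snort code: the function names are hypothetical, the sample rule bodies are constructed placeholders rather than the real rule content, and it assumes one rule per line.

```python
import re

# SIDs exactly as listed in this advisory; "56560 - 56562" is an inclusive range.
ADVISORY_SIDS = "56554, 56557, 56558, 56560 - 56562 and 56564"

# One rule per line; a leading '#' means the rule ships disabled (commented out).
RULE_RE = re.compile(
    r"^\s*(#+\s*)?(alert|log|pass|drop|reject|sdrop|block)\b.*?\bsid\s*:\s*(\d+)\s*;"
)

def expand_sids(text):
    """Turn '56554, 56560 - 56562 and 56564' into a sorted list of ints."""
    sids = set()
    for lo, hi in re.findall(r"(\d+)(?:\s*-\s*(\d+))?", text):
        sids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(sids)

def rule_states(rules_text):
    """Map sid -> 'enabled' or 'disabled' for every rule line found."""
    states = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        sid = int(m.group(3))
        state = "disabled" if m.group(1) else "enabled"
        # If a SID appears twice, an enabled copy takes precedence.
        if states.get(sid) != "enabled":
            states[sid] = state
    return states

def coverage(rules_text, wanted=ADVISORY_SIDS):
    """Report enabled / disabled / missing for each SID in the advisory."""
    states = rule_states(rules_text)
    return {sid: states.get(sid, "missing") for sid in expand_sids(wanted)}

# Constructed sample input: placeholder rule bodies, not the real rule content.
SAMPLE_RULES = """\
# Constructed sample rule file
alert tcp any any -> any any (msg:"PLACEHOLDER rule A"; sid:56554; rev:1;)
# alert tcp any any -> any any (msg:"PLACEHOLDER rule B"; sid:56557; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER rule C"; sid:56560; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER rule D"; sid:56561; rev:2;)
"""

if __name__ == "__main__":
    for sid, state in coverage(SAMPLE_RULES).items():
        print(f"{sid}: {state}")
```

To check a real deployment, pass the contents of the installed rule file to `coverage()` in place of `SAMPLE_RULES`; any SID reported as disabled or missing is not providing detection.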
