[English]Microsoft hat zum 8. Dezember und nochmals zum 10. Dezember 2020 einige Hinweise zu Sicherheitupdates und Revisionen veröffentlicht. Ich trage diese unkommentiert hier im Blog nach.
Anzeige
Hier die Security Update Releases zum 8. Dezember 2020.
**************************************************************************************
Title: Microsoft Security Update Releases
Issued: December 8, 2020
**************************************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
Anzeige
* CVE-2020-1325
* CVE-2020-1596
* CVE-2020-17049
Revision Information:
=====================
* CVE-2020-1325
– CVE-2020-1325 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability
– Version 2.0
– Reason for Revision: Microsoft is announcing the availability of the security update
for Azure DevOps Server 2019 Update 1.1 to address this vulnerability. Customers
running Azure DevOps Server 2019 Update 1.1 should install the update to be protected
from this vulnerability.
– Originally posted: November 10, 2020
– Updated: December 8, 2020
– Aggregate CVE Severity Rating: Important
* CVE-2020-1596
– CVE-2020-1596 | TLS Information Disclosure Vulnerability
– Version 3.0
– Reason for Revision: To address a known issue customers running Windows Server 2008
experienced after installing the September 2020 security updates, Microsoft has
released the December 2020 Monthly Rollup and Security Only updates for all affected
versions of Windows Server 2008. Microsoft strongly recommends that customers
enrolled in the Extended Security Update (ESU) program install the updates to
correct this known issue.
– Originally posted: September 8, 2020
– Updated: December 8, 2020
– Aggregate CVE Severity Rating: Important
* CVE-2020-17049
– CVE-2020-17049 | Kerberos KDC Security Feature Bypass Vulnerability
– Version 3.0
– Reason for Revision: To comprehensively address CVE-2020-17049, Microsoft has
released the following: December 2020 Security Updates for all affected Windows 10
servers, Windows Server 2012 R2, and Windows Server 2012; December 2020 Monthly
Rollup updates and Security Only updates for all affected versions of Windows
Server 2008 R2 and Windows Server 2008. These updates include fixes for all known
issues originally introduced by the November 10, 2020 security updates for
CVE-2020-17049. Microsoft strongly recommends that customers running any of these
versions of Windows Server install the updates and then follow the steps outlined
in https://support.microsoft.com/help/4598347 to enable full protection on domain
controller servers.
– Originally posted: November 10, 2020
– Updated: December 8, 2020
– Aggregate CVE Severity Rating: Important
Das Thema hatte ich im Blog-Beitrag Microsoft patcht Windows Kerberos-Schwachstelle CVE-2020-16996 mit Dez. 2020-Updates angesprochen.
***************************************************************
Title: Microsoft Security Update Releases
Issued: December 10, 2020
***************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2020-17002
* CVE-2020-17049
* CVE-2020-17160
Revision Information:
=====================
* CVE-2020-17002
– CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability
– Version 2.0
– Reason for Revision: In the Security Updates table, added the following:
azure-c-shared-utility Release LTS_07_2020 and LTS_02_2020; C SDK for Azure
IoT Release LTS_07_2020 and LTS_02_2020; all supported releases of the following
protocol submodules: azure-uamqp-c, azure-umqtt-c, azure-uhttp-c, and azure-utpm-c.
These releases all contain a security fix, addressed by CVE-2020-17002, affecting
applications using c-utility in conjunction with OpenSSL or WolfSSL.
– Originally posted: December 8, 2020
– Updated: December 10, 2020
– Aggregate CVE Severity Rating: Important
* CVE-2020-17049
– CVE-2020-17049 | Kerberos KDC Security Feature Bypass Vulnerability
– Version 4.0
– Reason for Revision: In the Security Updates table, corrected the Download and
Article links for all affected Windows 10 servers, Windows Server 2012 R2, and
Windows Server 2012 R2. Note that the December 2020 Security Updates supercede
the security updates released on November 10, 2020 and the updates released
between November 17, 2020 and November 19, 2020 to address this vulnerability.
– Originally posted: November 10, 2020
– Updated: December 8, 2020
– Aggregate CVE Severity Rating: Important
Das Thema hatte ich im Blog-Beitrag Microsoft patcht Windows Kerberos-Schwachstelle CVE-2020-16996 mit Dez. 2020-Updates angesprochen.
Hier die Sicherheitshinweise zum 8. Dezember, wobei die letzten SSUs und der Edge bereits in separaten Beiträgen behandelt wurden.
*************************************************************************
Title: Microsoft Security Advisory Notification
Issued: December 8, 2020
*************************************************************************
Security Advisories Released or Updated on December 8, 2020
=========================================================================
*ADV200013
– ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver
– Reason for Revision: Information published.
– Originally posted: December 8, 2020
– Updated: N/A
– Version: 1.0
* ADV990001
– ADV990001 | Latest Servicing Stack Updates
– Reason for Revision: Advisory updated to announce new versions of Servicing Stack
Updates are available. Please see the FAQ for details.
– Originally posted: November 13, 2018
– Updated: December 8, 2020
– Version: 29.0
* ADV200002
– ADV200002 | Chromium Security Updates for Microsoft Edge (Chromium-Based)
– Reason for Revision: Updated advisory to announce a new version of Microsoft
Edge (Chromium-based). Please see the table for more information.
– Originally posted: January 28, 2020
– Updated: December 8, 2020
– Version: 30.0
* CVE-2020-17160
– CVE-2020-17160 | RETRACTED – Version 2.0
– Reason for Revision: This CVE was published in error and has been retracted.
For the correct CVE information see
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17002.
– Originally posted: December 8, 2020
– Updated: December 9, 2020
– Aggregate CVE Severity Rating: N/A
Die CVE zur Azure SDK for C Security Feature Bypass Vulnerability wurde fälschlich herausgegeben
Anzeige
Das ADV200013 sollte sich jeder anschauen, der einen Windows-Server als DNS betreibt, insbesondere wenn der öffentlich erreichbar ist. Es geht da um "SAD DNS", was vor 1 Monat schon unter Linux ein Thema war.
Weitere Links, die mehr verraten, as das kurz gehaltene MS ADV:
https://www.bleepingcomputer.com/news/security/microsoft-issues-guidance-for-dns-cache-poisoning-vulnerability/
https://de.tenable.com/blog/microsoft-s-december-2020-patch-tuesday-addresses-58-cves-including-cve-2020-25705-sad-dns
https://dirteam.com/sander/2020/12/10/dns-spoofing-vulnerability-sad-dns-important-cve-2020-25705-adv200013/
Ich zitiere mal aus dem letzten Link, denn der wird besonders deutlich:
"About the vulnerability
The addressing spoofing vulnerability, tracked as CVE-2020-25705 and nicknamed SAD DNS (Side-channel AttackeD DNS), exists in the Windows DNS resolver component that comes bundled with the Windows Transmission Control Protocol/Internet Protocol (TCP/IP) stack:
Microsoft is aware of a vulnerability involving DNS cache poisoning caused by IP fragmentation that affects Windows DNS Resolver.
An attacker who successfully exploited this vulnerability could spoof the DNS packet which can be cached by the DNS Forwarder or the DNS Resolver.
Successfully exploiting the vulnerability could allow attackers to use modified DNS records to redirect a target to a malicious website under their control as part of DNS spoofing (also known as DNS cache poisoning) attacks.
Affected Operating Systems
The security advisory is applicable for the following Microsoft Operating Systems:
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server, version 1903
Windows Server, version 1909
Windows Server, version 2004
Windows Server, version 20H2
"
Der Angriffsvektor lässt sich durch einen Reg-Key und anschließenden Neustart des DNS-Dienstes schließen. Dabei wird der UDP-Puffer des DNS-Dienstes auf 1221 Bytes Länge begrenzt.