Contáctanos al

1510

NOTIFICAR UN INCIDENTE

¿Cómo y cuándo reportar?
Ministerior del Interior
11 mayo, 2021

9VSA21-00443-01 CSIRT alerta por vulnerabilidades compartidas por Microsoft

Resumen

El Equipo de Respuesta ante Incidentes de Seguridad Informática, CSIRT de Gobierno, comparte vulnerabilidades que afectan a distintos productos de Microsoft, correspondientes a su alerta de seguridad mensual (Update Tuesday).

Este informe incluye las medidas de mitigación, consistentes en instalar la última actualización de los productos afectados.

Vulnerabilidades

CVE-2021-26419

CVE-2020-24588

CVE-2020-24587

CVE-2021-31204

CVE-2021-26422

CVE-2021-26421

CVE-2021-31936

CVE-2021-31214

CVE-2021-31213

CVE-2021-31211

CVE-2021-31209

CVE-2021-31200

CVE-2021-31208

CVE-2021-31207

CVE-2021-31205

CVE-2021-28465

CVE-2021-31198

CVE-2021-31195

CVE-2021-31194

CVE-2021-31193

CVE-2021-31192

CVE-2021-31191

CVE-2021-31190

CVE-2021-31188

CVE-2021-31187

CVE-2021-31186

CVE-2021-31185

CVE-2021-31184

CVE-2021-31182

CVE-2021-31181

CVE-2021-31180

CVE-2021-31179

CVE-2021-31178

CVE-2021-31177

CVE-2021-31176

CVE-2021-31175

CVE-2021-31174

CVE-2021-31173

CVE-2021-31172

CVE-2021-31171

CVE-2021-31170

CVE-2021-31169

CVE-2021-31168

CVE-2021-31167

CVE-2021-31166

CVE-2021-31165

CVE-2021-26418

CVE-2021-28479

CVE-2021-28478

CVE-2021-28476

CVE-2021-28474

CVE-2021-28461

CVE-2021-28455

CVE-2020-26144

CVE-2021-27068

Impactos

Microsoft considera como críticas las siguientes cuatro vulnerabilidades: CVE-2021-26419, CVE-2021-31194, CVE-2021-31166 y CVE-2021-28476.

CVE-2021-31194: Esta vulnerabilidad de ejecución remota de código en OLE Automation permite a un usuario con bajos privilegios comprometer un sistema resultando en una pérdida completa de integridad y disponibilidad del sistema y de la confidencialidad de los datos contenidos en él.

CVE-2021-31166: Esta vulnerabilidad relacionada con el protocolo HTTP permite a un atacante no autenticado a ejecutar código remoto, lo que podría ser aprovechado con un gusano.

CVE-2021-26419: Esta vulnerabilidad en Internet Explorer permite a un usuario remoto ejecutar código arbitrario en el sistema objetivo. Tiene lugar debido a un error de límites de la memoria. Su explotación exitosa puede acabar en el compromiso total del sistema.

CVE-2021-28476: Esta vulnerabilidad de ejecución remota de código en Hyper-V permite a un usuario con bajos privilegios comprometer un sistema resultando en una pérdida completa de integridad y disponibilidad del sistema y de la confidencialidad de los datos contenidos en él.

Como de severidad importante se listan las siguientes vulnerabilidades:

CVE-2020-24588

CVE-2020-24587

CVE-2021-31204

CVE-2021-26422

CVE-2021-26421

CVE-2021-31936

CVE-2021-31214

CVE-2021-31213

CVE-2021-31211

CVE-2021-31209

CVE-2021-31200

CVE-2021-31208

CVE-2021-31205

CVE-2021-28465

CVE-2021-31198

CVE-2021-31195

CVE-2021-31193

CVE-2021-31192

CVE-2021-31191

CVE-2021-31190

CVE-2021-31188

CVE-2021-31187

CVE-2021-31186

CVE-2021-31185

CVE-2021-31184

CVE-2021-31182

CVE-2021-31181

CVE-2021-31180

CVE-2021-31179

CVE-2021-31178

CVE-2021-31177

CVE-2021-31176

CVE-2021-31175

CVE-2021-31174

CVE-2021-31173

CVE-2021-31172

CVE-2021-31171

CVE-2021-31170

CVE-2021-31169

CVE-2021-31168

CVE-2021-31167

CVE-2021-31165

CVE-2021-26418

CVE-2021-28479

CVE-2021-28478

CVE-2021-28474

CVE-2021-28461

CVE-2021-28455

CVE-2020-26144

CVE-2021-27068

Productos Afectados 

.NET 5.0

.NET Core 3.1

common_utils.py

Dynamics 365 for Finance and Operations

Internet Explorer 11

Internet Explorer 9

Microsoft 365 Apps for Enterprise for 32-bit Systems

Microsoft 365 Apps for Enterprise for 64-bit Systems

Microsoft Accessibility Insights for Web

Microsoft Excel 2013 RT Service Pack 1

Microsoft Excel 2013 Service Pack 1 (32-bit editions)

Microsoft Excel 2013 Service Pack 1 (64-bit editions)

Microsoft Excel 2016 (32-bit edition)

Microsoft Excel 2016 (64-bit edition)

Microsoft Exchange Server 2013 Cumulative Update 23

Microsoft Exchange Server 2016 Cumulative Update 19

Microsoft Exchange Server 2016 Cumulative Update 20

Microsoft Exchange Server 2019 Cumulative Update 8

Microsoft Exchange Server 2019 Cumulative Update 9

Microsoft Lync Server 2013 CU10

Microsoft Office 2013 RT Service Pack 1

Microsoft Office 2013 Service Pack 1 (32-bit editions)

Microsoft Office 2013 Service Pack 1 (64-bit editions)

Microsoft Office 2016 (32-bit edition)

Microsoft Office 2016 (64-bit edition)

Microsoft Office 2019 for 32-bit editions

Microsoft Office 2019 for 64-bit editions

Microsoft Office 2019 for Mac

Microsoft Office Online Server

Microsoft Office Web Apps Server 2013 Service Pack 1

Microsoft SharePoint Enterprise Server 2016

Microsoft SharePoint Foundation 2013 Service Pack 1

Microsoft SharePoint Server 2019

Microsoft Visual Studio 2019 version 16.4 (includes 16.0 – 16.3)

Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)

Microsoft Visual Studio 2019 version 16.9 (includes 16.0 – 16.8)

Microsoft Word 2013 RT Service Pack 1

Microsoft Word 2013 Service Pack 1 (32-bit editions)

Microsoft Word 2013 Service Pack 1 (64-bit editions)

Microsoft Word 2016 (32-bit edition)

Microsoft Word 2016 (64-bit edition)

Skype for Business Server 2015 CU11

Skype for Business Server 2019 CU5

Visual Studio 2019 for Mac version 8.9

Visual Studio Code

Visual Studio Code  Remote – Containers Extension

Web Media Extensions

Windows 10 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1803 for 32-bit Systems

Windows 10 Version 1803 for ARM64-based Systems

Windows 10 Version 1803 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for x64-based Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows 8.1 for 32-bit systems

Windows 8.1 for x64-based systems

Windows RT 8.1

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016  (Server Core installation)

Windows Server 2019

Windows Server 2019  (Server Core installation)

Windows Server, version 1909 (Server Core installation)

Windows Server, version 2004 (Server Core installation)

Windows Server, version 20H2 (Server Core Installation)

Mitigación

Instalar las respectivas actualizaciones desde el sitio web del proveedor.

Enlaces

https://msrc.microsoft.com/update-guide

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26419

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28476

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31194

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26419

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24587

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26144

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26418

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26421

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26422

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27068

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28455

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28461

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28465

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28474

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28476

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28478

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28479

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31165

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31166

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31167

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31168

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31169

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31170

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31171

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31172

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31173

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31174

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31175

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31176

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31177

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31178

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31179

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31180

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31181

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31182

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31184

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31185

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31186

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31187

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31188

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31190

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31191

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31192

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31193

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31194

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31195

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31198

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31200

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31204

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31205

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31207

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31208

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31209

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31211

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31213

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31214

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31936

Informe

El informe oficial publicado por el CSIRT del Gobierno de Chile está disponible en el siguiente enlace: 9VSA21-00443-01.

9VSA21-00443-01 CSIRT alerta por vulnerabilidades compartidas por Microsoft
Ministerior del Interior

Teatinos 92 piso 6.

Santiago, Chile

csirt.gob.cl

Síguenos en nuestras redes sociales

Infórmate sobre nuestras actividades y escríbenos directamente