9VSA21-00466-01 CSIRT alerta de cientos de vulnerabilidades anunciadas por Microsoft

Resumen

El Equipo de Respuesta ante Incidentes de Seguridad Informática del Gobierno de Chile, CSIRT de Gobierno, comparte información sobre vulnerabilidades que afectan a diversos productos de Microsoft, parte de su Update Tuesday mensual.

Este informe incluye las medidas de mitigación, consistentes en instalar la última actualización de los productos afectados.

Vulnerabilidades

CVE-2021-31183

CVE-2021-31196

CVE-2021-31206

CVE-2021-31947

CVE-2021-31961

CVE-2021-31979

CVE-2021-31984

CVE-2021-33740

CVE-2021-33743

CVE-2021-33744

CVE-2021-33745

CVE-2021-33746

CVE-2021-33749

CVE-2021-33750

CVE-2021-33751

CVE-2021-33752

CVE-2021-33753

CVE-2021-33754

CVE-2021-33755

CVE-2021-33756

CVE-2021-33757

CVE-2021-33758

CVE-2021-33759

CVE-2021-33760

CVE-2021-33761

CVE-2021-33763

CVE-2021-33764

CVE-2021-33765

CVE-2021-33766

CVE-2021-33767

CVE-2021-33768

CVE-2021-33771

CVE-2021-33772

CVE-2021-33773

CVE-2021-33774

CVE-2021-33775

CVE-2021-33776

CVE-2021-33777

CVE-2021-33778

CVE-2021-33779

CVE-2021-33780

CVE-2021-33781

CVE-2021-33782

CVE-2021-33783

CVE-2021-33784

CVE-2021-33785

CVE-2021-33786

CVE-2021-33788

CVE-2021-34438

CVE-2021-34439

CVE-2021-34440

CVE-2021-34441

CVE-2021-34442

CVE-2021-34444

CVE-2021-34445

CVE-2021-34446

CVE-2021-34447

CVE-2021-34448

CVE-2021-34449

CVE-2021-34450

CVE-2021-34451

CVE-2021-34452

CVE-2021-34454

CVE-2021-34455

CVE-2021-34456

CVE-2021-34457

CVE-2021-34458

CVE-2021-34459

CVE-2021-34460

CVE-2021-34461

CVE-2021-34462

CVE-2021-34464

CVE-2021-34466

CVE-2021-34467

CVE-2021-34468

CVE-2021-34469

CVE-2021-34470

CVE-2021-34473

CVE-2021-34474

CVE-2021-34476

CVE-2021-34477

CVE-2021-34479

CVE-2021-34488

CVE-2021-34489

CVE-2021-34490

CVE-2021-34491

CVE-2021-34492

CVE-2021-34493

CVE-2021-34494

CVE-2021-34496

CVE-2021-34497

CVE-2021-34498

CVE-2021-34499

CVE-2021-34500

CVE-2021-34501

CVE-2021-34503

CVE-2021-34504

CVE-2021-34507

CVE-2021-34508

CVE-2021-34509

CVE-2021-34510

CVE-2021-34511

CVE-2021-34512

CVE-2021-34513

CVE-2021-34514

CVE-2021-34516

CVE-2021-34517

CVE-2021-34518

CVE-2021-34519

CVE-2021-34520

CVE-2021-34521

CVE-2021-34522

CVE-2021-34523

CVE-2021-34525

CVE-2021-34528

CVE-2021-34529

Impactos

Microsoft considera como vulnerabilidades críticas las siguientes:

CVE-2021-33740

CVE-2021-34439

CVE-2021-34448

CVE-2021-34450

CVE-2021-34458

CVE-2021-34464

CVE-2021-34473

CVE-2021-34474

CVE-2021-34494

CVE-2021-34497

CVE-2021-34503

CVE-2021-34522

Algunas vulnerabilidades críticas destacables son:

CVE-2021-34448. Esta vulnerabilidad es de ejecución remota de código y afecta al scripting engine presente en cada versión de Windows aún con soporte.

CVE-2021-33771 y CVE-2021-31979 son vulnerabilidades de elevación de privilegios en el kernel de Windows, y están siendo explotadas.

CVE-2021-34458 es un error de ejecución remota de código en las áreas más profundas del sistema operativo.

CVE-2021-34494 es una vulnerabilidad en Windows DNS Server que alcanzó una clasificación CVSS de severidad de 9,8 de 10.

Junto a las nuevas vulnerabilidades, Microsoft también lanzó parches a vulnerabilidades ya reconocidas, incluyendo un parche actualizado a CVE-2021-34527, error popularmente conocido como PrintNightmare.

Productos Afectados

.NET Education Bundle SDK Install Tool

.NET Install Tool for Extension Authors

HEVC Video Extensions

Microsoft 365 Apps for Enterprise

Microsoft Bing Search for Android

Microsoft Dynamics 365 Business Central 2020

Microsoft Dynamics 365 Business Central 2021

Microsoft Excel 2013, 2013 RT, 2015

Microsoft Excel 2016 (32-bit edition)

Microsoft Excel 2016 (64-bit edition)

Microsoft Exchange Server 2013, 2016, 2019

Microsoft Malware Protection Engine

Microsoft Office 2013, 2013 RT, 2016, 2019

Microsoft Office Online Server

Microsoft Office Web Apps Server 2013

Microsoft SharePoint Enterprise Server 2013

Microsoft SharePoint Enterprise Server 2016

Microsoft SharePoint Foundation 2013

Microsoft SharePoint Server 2019

Microsoft Word 2016

Open Enclave SDK

Power BI Report Server

Visual Studio Code

Windows 10

Windows 7

Windows 8.1

Windows RT 8.1

Windows Server 2004, 2008, 2012, 2012 R2, 2016, 2019, 20H2

Mitigación

Instalar las respectivas actualizaciones desde el sitio web del proveedor.

Enlaces

https://msrc.microsoft.com/update-guide

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31954

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34521

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34458

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31183

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31196

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31206

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31947

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31961

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31979

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31984

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33740

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33743

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33744

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33745

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33746

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33749

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33750

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33751

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33752

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33753

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33754

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33755

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33756

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33757

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33758

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33759

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33760

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33761

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33763

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33764

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33765

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33766

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33767

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33768

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33771

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33772

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33773

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33774

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33775

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33776

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33777

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33778

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33779

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33780

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33781

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33782

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33783

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33784

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33785

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33786

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33788

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34438

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34439

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34440

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34441

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34442

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34444

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34445

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34446

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34447

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34448

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34449

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34450

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34451

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34452

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34454

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34455

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34456

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34457

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34458

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34459

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34460

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34461

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34462

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34464

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34466

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34467

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34468

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34469

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34470

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34474

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34476

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34477

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34479

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34488

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34489

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34490

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34491

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34492

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34493

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34494

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34496

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34497

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34498

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34499

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34500

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34501

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34503

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34504

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34507

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34508

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34509

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34510

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34511

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34512

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34513

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34514

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34516

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34517

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34518

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34519

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34520

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34521

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34522

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34525

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34528

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34529

Informe

El informe oficial publicado por el CSIRT del Gobierno de Chile está disponible en el siguiente enlace: 9VSA21-00466-01.

9VSA21-00466-01 CSIRT alerta de cientos de vulnerabilidades anunciadas por Microsoft