14 junio, 2022

9VSA22-00656-01 CSIRT comparte vulnerabilidades del Update Tuesday de Microsoft Junio 2022

Resumen

El Equipo de Respuesta ante Incidentes de Seguridad Informática, CSIRT de Gobierno, comparte información sobre nuevas vulnerabilidades que afectan a productos de Microsoft, según comunicado por la empresa como parte de su tradicional “Update Tuesday”, en este caso el correspondiente a junio de 2022.

Vulnerabilidades

CVE-2022-21123

CVE-2022-21125

CVE-2022-21127

CVE-2022-21166

CVE-2022-22018

CVE-2022-29111

CVE-2022-29119

CVE-2022-29143

CVE-2022-29149

CVE-2022-30131

CVE-2022-30132

CVE-2022-30135

CVE-2022-30136

CVE-2022-30137

CVE-2022-30139

CVE-2022-30140

CVE-2022-30141

CVE-2022-30142

CVE-2022-30143

CVE-2022-30145

CVE-2022-30146

CVE-2022-30147

CVE-2022-30148

CVE-2022-30149

CVE-2022-30150

CVE-2022-30151

CVE-2022-30152

CVE-2022-30153

CVE-2022-30154

CVE-2022-30155

CVE-2022-30157

CVE-2022-30158

CVE-2022-30159

CVE-2022-30160

CVE-2022-30161

CVE-2022-30162

CVE-2022-30163

CVE-2022-30164

CVE-2022-30165

CVE-2022-30166

CVE-2022-30167

CVE-2022-30168

CVE-2022-30171

CVE-2022-30172

CVE-2022-30173

CVE-2022-30174

CVE-2022-30177

CVE-2022-30178

CVE-2022-30179

CVE-2022-30180

CVE-2022-30184

CVE-2022-30188

CVE-2022-30189

CVE-2022-30193

CVE-2022-32230

Impacto

Vulnerabilidades de riesgo crítico:

CVE-2022-30163: Vulnerabilidad de ejecución remota de código en Windows Hyper-V (escape de huésped a host).

CVE-2022-30136: Vulnerabilidad de ejecución remota de código en Windows Network File System (NFS) que podría ser detonada a través de internet con una solicitud especialmente diseñada por un atacante no autenticado.

CVE-2022-30139: Vulnerabilidad de ejecución remota de código en Windows LDAP.

Productos afectados

.NET 6.0

.NET Core 3.1

AV1 Video Extension

Azure Automation State Configuration, DSC Extension

Azure Automation Update Management

Azure Diagnostics (LAD)

Azure Open Management Infrastructure

Azure Real Time Operating System

Azure Real Time Operating System GUIX

Azure Security Center

Azure Sentinel

Azure Service Fabric

Azure Stack Hub

Container Monitoring Solution

HEVC Video Extension

HEVC Video Extensions

Log Analytics Agent

Microsoft 365 Apps for Enterprise for 32-bit Systems

Microsoft 365 Apps for Enterprise for 64-bit Systems

Microsoft Excel 2013 RT Service Pack 1

Microsoft Excel 2013 Service Pack 1 (32-bit editions)

Microsoft Excel 2013 Service Pack 1 (64-bit editions)

Microsoft Excel 2016 (32-bit edition)

Microsoft Excel 2016 (64-bit edition)

Microsoft Office LTSC 2021 for 32-bit editions

Microsoft Office LTSC 2021 for 64-bit editions

Microsoft Office Online Server

Microsoft Office Web Apps Server 2013 Service Pack 1

Microsoft Photos

Microsoft SharePoint Enterprise Server 2013 Service Pack 1

Microsoft SharePoint Enterprise Server 2016

Microsoft SharePoint Foundation 2013 Service Pack 1

Microsoft SharePoint Server 2013 Service Pack 1

Microsoft SharePoint Server 2019

Microsoft SharePoint Server Subscription Edition

Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4)

Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)

Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4)

Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)

Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU 17)

Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)

Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR)

Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connectivity Pack

Microsoft SQL Server 2017 for x64-based Systems (CU 29)

Microsoft SQL Server 2017 for x64-based Systems (GDR)

Microsoft SQL Server 2019 for x64-based Systems (CU 16)

Microsoft SQL Server 2019 for x64-based Systems (GDR)

Microsoft Visual Studio 2019 version 16.11 (includes 16.0 – 16.10)

Microsoft Visual Studio 2019 version 16.9 (includes 16.0 – 16.8)

Microsoft Visual Studio 2022 version 17.0

Microsoft Visual Studio 2022 version 17.2

NuGet.exe

System Center Operations Manager (SCOM) 2016

System Center Operations Manager (SCOM) 2019

System Center Operations Manager (SCOM) 2022

Visual Studio 2019 for Mac version 8.10

Visual Studio 2022 for Mac version 17.0

Windows 10 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for x64-based Systems

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows 10 Version 21H2 for 32-bit Systems

Windows 10 Version 21H2 for ARM64-based Systems

Windows 10 Version 21H2 for x64-based Systems

Windows 11 for ARM64-based Systems

Windows 11 for x64-based Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows 8.1 for 32-bit systems

Windows 8.1 for x64-based systems

Windows RT 8.1

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016

Windows Server 2016  (Server Core installation)

Windows Server 2019

Windows Server 2019  (Server Core installation)

Windows Server 2022

Windows Server 2022 (Server Core installation)

Windows Server 2022 Azure Edition Core Hotpatch

Windows Server, version 20H2 (Server Core Installation)

 

Mitigación

Instalar las respectivas actualizaciones entregadas por el proveedor.

 

Enlaces

https://msrc.microsoft.com/update-guide/releaseNote/2022-Jun

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21123

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21125

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21127

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22018

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29111

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29119

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29143

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29149

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30131

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30132

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30135

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30136

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30137

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30139

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30140

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30141

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30142

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30143

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30145

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30146

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30147

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30148

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30149

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30150

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30151

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30152

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30153

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30154

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30155

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30155

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30158

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30159

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30160

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30161

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30162

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30163

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30164

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30165

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30166

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30167

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30168

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30171

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30172

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30173

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30174

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30177

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30178

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30179

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30180

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30184

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30188

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30189

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30193

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32230

Informe

El informe oficial publicado por el CSIRT del Gobierno de Chile está disponible en el siguiente enlace: 9VSA22-00656-01.

9VSA22-00656-01 CSIRT comparte vulnerabilidades del Update Tuesday de Microsoft Junio 2022