【漏洞通告】 关于微软2020年12月多个产品爆出安全漏洞的通告
2020.12.16
摘要
近日,微软官方发布了多个安全漏洞的公告,包括多个漏洞。成功利用上述漏洞的攻击者可以在目标系统上执行任意代码、获取用户数据,提升权限等。微软多个产品和系统受漏洞影响。目前,微软官方已经发布漏洞修复补丁,建议用户及时确认是否受到漏洞影响,尽快采取修补措施。
近日,微软官方发布了多个安全漏洞的公告,包括MicrosoftExchange Server安全漏洞(CNNVD-202012-615、CVE-2020-17117)、MicrosoftSharePoint 安全漏洞(CNNVD-202012-620、CVE-2020-17118)、Microsoft Excel 安全漏洞(CNNVD-202012-616、CVE-2020-17122)等多个漏洞。成功利用上述漏洞的攻击者可以在目标系统上执行任意代码、获取用户数据,提升权限等。微软多个产品和系统受漏洞影响。目前,微软官方已经发布漏洞修复补丁,建议用户及时确认是否受到漏洞影响,尽快采取修补措施。
一、漏洞介绍
2020年12月9日,微软发布了2020年12月份安全更新,共58个漏洞的补丁程序,CNNVD对这些漏洞进行了收录,本月微软月度更新修复的漏洞中,严重程度为关键(Critical)的漏洞有9个,重要(Important)漏洞有47个,2个 中危(Moderate)级别漏洞。请相关用户及时更新补丁进行防护,详细漏洞列表请参考附录。本次更新主要涵盖了 Windows操作系统、ChakraCore、Office办公套件、Exchange Server、Azure、Visual Studio等多个Windows平台下应用软件和组件。微软多个产品和系统版本受漏洞影响,具体影响范围可访问https://portal.msrc.microsoft.com/zh-cn/security-guidance查询,其中部分重要漏洞详情如下:
1、Microsoft Exchange Server 安全漏洞(CNNVD-202012-615、CVE-2020-17132)(CNNVD-202012-615、CVE-2020-17117)(CNNVD-202012-606、CVE-2020-17142)
漏洞简介:由于Exchange对cmdlet参数的验证不正确,会触发一个Microsoft Exchange服务器中的远程代码执行漏洞。成功利用此漏洞的攻击者可以在系统用户的上下文中运行任意代码。
2、Microsoft SharePoint 安全漏洞(CNNVD-202012-620、CVE-2020-17118)(CNNVD-202012-617、CVE-2020-17121)
漏洞简介:SharePoint中存在一个安全漏洞。经过身份验证的攻击者通过发送特制请求包,可在SharePoint Web应用中执行任意.NET代码。3、Microsoft Excel 安全漏洞(CNNVD-202012-616、CVE-2020-17122)(CNNVD-202012-584、CVE-2020-17127)(CNNVD-202012-586、CVE-2020-17129)
漏洞简介:Microsoft Excel中存在安全漏洞。当 Microsoft Excel 软件无法正确处理内存中的对象时,该软件中存在远程代码执行漏洞。成功利用此漏洞的攻击者可以在当前用户的上下文中运行任意代码。4、Microsoft PowerPoint 安全漏洞(CNNVD-202012-592、CVE-2020-17124)
漏洞简介:由于Microsoft SharePoint对用户输入验证不足,攻击者可以输入一些精心构造的数据,造成内存破坏,从而导致远程代码执行。5、Microsoft Windows Hyper-V 安全漏洞(CNNVD-202012-687、CVE-2020-17095)
漏洞简介:Microsoft Windows Hyper-V中存在安全漏洞。当主机服务器上的Windows Hyper-V 无法正确验证来宾操作系统上经身份验证的用户的输入时,存在远程代码执行漏洞。成功利用此漏洞的攻击者可以在主机操作系统上执行任意代码。6、Microsoft Edge 安全漏洞(CNNVD-202012-583、CVE-2020-17131)
漏洞简介:Microsoft Edge存在一个安全漏洞,攻击者可利用该漏洞可以远程执行恶意代码。由于此次更新,微软并没有透露太多漏洞详情,请用户自行到官方网站查询,官方地址:
https://msrc.microsoft.com/update-guide/en-us二、影响范围
| 漏洞编号 | 受影响产品版本 |
| CVE-2020-17095 | Windows Server 2016 (Server Core installation) Windows Server 2016 Windows 10 Version 1607 for x64-based Systems Windows Server, version 2004 (Server Core installation) Windows 10 Version 2004 for x64-based Systems Windows Server, version 1903 (Server Core installation) Windows 10 Version 1903 for x64-based Systems Windows Server, version 1909 (Server Core installation) Windows 10 Version 1909 for x64-based Systems Windows Server 2019 (Server Core installation) |
| CVE-2020-17096 | Windows Server 2019 (Server Core installation) Windows Server 2019 Windows 10 Version 1809 for ARM64-based Systems Windows 10 Version 1809 for x64-based Systems Windows 10 Version 1809 for 32-bit Systems Windows 10 Version 1803 for ARM64-based Systems Windows 10 Version 1803 for x64-based Systems Windows 10 Version 1803 for 32-bit Systems Windows Server, version 20H2 (Server Core Installation) Windows 10 Version 20H2 for ARM64-based Systems |
| CVE-2020-17121 | Microsoft SharePoint Enterprise Server 2016 Microsoft SharePoint Server 2019 Microsoft SharePoint Foundation 2010 Service Pack 2 Microsoft SharePoint Foundation 2013 Service Pack 1 |
| CVE-2020-17132 | Microsoft Exchange Server 2016 Cumulative Update 18 Microsoft Exchange Server 2019 Cumulative Update 7 Microsoft Exchange Server 2016 Cumulative Update 17 Microsoft Exchange Server 2019 Cumulative Update 6 Microsoft Exchange Server 2013 Cumulative Update 23 |
| CVE-2020-17144 | Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31 |
| CVE-2020-16996 | Windows Server, version 20H2 (Server Core Installation) Windows Server 2012 R2 (Server Core installation) Windows Server 2012 R2 Windows Server 2012 (Server Core installation) Windows Server 2012 Windows Server 2016 (Server Core installation) Windows Server 2016 Windows Server, version 2004 (Server Core installation) Windows Server, version 1903 (Server Core installation) Windows Server, version 1909 (Server Core installation) |
| 影响产品 | CVE 编号 | 漏洞标题 | 严重程度 |
| Windows | CVE-2020-17095 | Hyper-V 远程代码执行漏洞 | Critical |
| Exchange Server | CVE-2020-17117 | Microsoft Exchange 远程代码执行漏洞 | Critical |
| Microsoft Office | CVE-2020-17118 | Microsoft SharePoint 远程代码执行漏洞 | Critical |
| Exchange Server | CVE-2020-17132 | Microsoft Exchange 远程代码执行漏洞 | Critical |
| Exchange Server | CVE-2020-17142 | Microsoft Exchange 远程代码执行漏洞 | Critical |
| Microsoft Dynamics | CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) 远程代码执行漏洞 | Critical |
| Microsoft Dynamics | CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) 远程代码执行漏洞 | Critical |
| Microsoft Office | CVE-2020-17121 | Microsoft SharePoint 远程代码执行漏洞 | Critical |
| ChakraCore,Microsoft Edge | CVE-2020-17131 | Chakra Scripting Engine 内存泄露漏洞 | Critical |
| Microsoft Office | CVE-2020-17089 | Microsoft SharePoint 权限提升漏洞 | Important |
| Windows | CVE-2020-17092 | Windows Network Connections Service 权限提升漏洞 | Important |
| Windows | CVE-2020-17094 | Windows Error Reporting 信息披露漏洞 | Important |
| Windows | CVE-2020-17096 | Windows NTFS 远程代码执行漏洞 | Important |
| Windows | CVE-2020-17097 | Windows Digital Media Receiver 权限提升漏洞 | Important |
| Windows | CVE-2020-17098 | Windows GDI+ 信息披露漏洞 | Important |
| Windows | CVE-2020-17099 | Windows Lock Screen Security 功能绕过漏洞 | Important |
| Windows | CVE-2020-17103 | Windows Cloud Files Mini Filter Driver 权限提升漏洞 | Important |
| Microsoft Office | CVE-2020-17119 | Microsoft Outlook 信息披露漏洞 | Important |
| Windows | CVE-2020-17134 | Windows Cloud Files Mini Filter Driver 权限提升漏洞 | Important |
| Azure DevOps Server | CVE-2020-17135 | Azure DevOps Server 欺骗漏洞 | Important |
| Windows | CVE-2020-17136 | Windows Cloud Files Mini Filter Driver 权限提升漏洞 | Important |
| Windows | CVE-2020-17137 | DirectX Graphics Kernel 权限提升漏洞 | Important |
| Windows | CVE-2020-17138 | Windows Error Reporting 信息披露漏洞 | Important |
| Windows | CVE-2020-17139 | Windows Overlay Filter Security 功能绕过漏洞 | Important |
| Exchange Server | CVE-2020-17141 | Microsoft Exchange 远程代码执行漏洞 | Important |
| Exchange Server | CVE-2020-17143 | Microsoft Exchange 信息披露漏洞 | Important |
| Exchange Server | CVE-2020-17144 | Microsoft Exchange 远程代码执行漏洞 | Important |
| Microsoft Dynamics | CVE-2020-17147 | Dynamics CRM Webclient 跨站脚本漏洞 | Important |
| Visual Studio Code Remote – SSH Extension | CVE-2020-17148 | Visual Studio Code Remote Development Extension 远程代码执行漏洞 | Important |
| Visual Studio Code TS-Lint Extension | CVE-2020-17150 | Visual Studio Code 远程代码执行漏洞 | Important |
| Microsoft Visual Studio | CVE-2020-17156 | Visual Studio 远程代码执行漏洞 | Important |
| Visual Studio Code Language Support for Java Extension | CVE-2020-17159 | Visual Studio Code Java Extension Pack 远程代码执行漏洞 | Important |
| Azure | CVE-2020-17160 | Azure Sphere Security 功能绕过漏洞 | Important |
| Windows | ADV200013 | Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver | Important |
| Windows | CVE-2020-16958 | Windows Backup Engine 权限提升漏洞 | Important |
| Windows | CVE-2020-16959 | Windows Backup Engine 权限提升漏洞 | Important |
| Windows | CVE-2020-16960 | Windows Backup Engine 权限提升漏洞 | Important |
| Windows | CVE-2020-16961 | Windows Backup Engine 权限提升漏洞 | Important |
| Windows | CVE-2020-16962 | Windows Backup Engine 权限提升漏洞 | Important |
| Windows | CVE-2020-16963 | Windows Backup Engine 权限提升漏洞 | Important |
| Windows | CVE-2020-16964 | Windows Backup Engine 权限提升漏洞 | Important |
| Azure | CVE-2020-16971 | Azure SDK for Java Security 功能绕过漏洞 | Important |
| Windows | CVE-2020-16996 | Kerberos Security 功能绕过漏洞 | Important |
| C SDK for Azure IoT | CVE-2020-17002 | Azure SDK for C Security 功能绕过漏洞 | Important |
| Microsoft Office | CVE-2020-17120 | Microsoft SharePoint 信息披露漏洞 | Important |
| Microsoft Office | CVE-2020-17122 | Microsoft Excel 远程代码执行漏洞 | Important |
| Microsoft Office | CVE-2020-17123 | Microsoft Excel 远程代码执行漏洞 | Important |
| Microsoft Office | CVE-2020-17124 | Microsoft PowerPoint 远程代码执行漏洞 | Important |
| Microsoft Office | CVE-2020-17125 | Microsoft Excel 远程代码执行漏洞 | Important |
| Microsoft Office | CVE-2020-17126 | Microsoft Excel 信息披露漏洞 | Important |
| Microsoft Office | CVE-2020-17127 | Microsoft Excel 远程代码执行漏洞 | Important |
| Microsoft Office | CVE-2020-17128 | Microsoft Excel 远程代码执行漏洞 | Important |
| Microsoft Office | CVE-2020-17129 | Microsoft Excel 远程代码执行漏洞 | Important |
| Microsoft Office | CVE-2020-17130 | Microsoft Excel Security 功能绕过漏洞 | Important |
| Microsoft Dynamics | CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important |
| Windows | CVE-2020-17140 | Windows SMB 信息披露漏洞 | Important |
| Azure DevOps Server,Team Foundation Server | CVE-2020-17145 | Azure DevOps Server and Team Foundation Services 欺骗漏洞 | Important |
| Microsoft Office | CVE-2020-17115 | Microsoft SharePoint 欺骗漏洞 | Moderate |
| Microsoft Edge for Android | CVE-2020-17153 | Microsoft Edge for Android 欺骗漏洞 | Moderate |
三、修复建议
目前,微软官方已经发布补丁修复了上述漏洞,建议用户及时确认漏洞影响,尽快采取修补措施。微软官方补丁下载地址:https://msrc.microsoft.com/update-guide/en-us/releaseNote/2020-Dec
注:由于网络问题、计算机环境问题等原因,Windows Update的补丁更新可能出现失败。用户在安装补丁后,应及时检查补丁是否成功更新。右键点击Windows图标,选择“设置(N)”,选择“更新和安全”-“Windows更新”,查看该页面上的提示信息,也可点击“查看更新历史记录”查看历史更新情况。针对未成功安装的更新,可点击更新名称跳转到微软官方下载页面,建议用户点击该页面上的链接,转到“Microsoft更新目录”网站下载独立程序包并安装。
沪公网安备31011502401057号