CERTFR-2020-AVI-808

Vulnerability from certfr_avis - Published: 2020-12-09 - Updated: 2020-12-09

De multiples vulnérabilités ont été corrigées dans les produits Microsoft. Elles permettent à un attaquant de provoquer un contournement de la fonctionnalité de sécurité, une exécution de code à distance, une usurpation d'identité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None
Impacted products
Vendor Product Description
Microsoft N/A Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft N/A ChakraCore
Microsoft N/A Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft N/A Team Foundation Server 2018 Update 3.2
Microsoft Azure Azure DevOps Server 2019.0.1
Microsoft N/A Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Microsoft Azure Azure DevOps Server 2020
Microsoft N/A Visual Studio Code TS-Lint Extension
Microsoft N/A Dynamics 365 pour Finance and Operations
Microsoft N/A Microsoft Exchange Server 2016 Cumulative Update 18
Microsoft N/A Microsoft Dynamics NAV 2015
Microsoft N/A Visual Studio Code Language Support pour Java Extension
Microsoft N/A Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft N/A Team Foundation Server 2017 Update 3.1
Microsoft N/A Microsoft Visual Studio 2019 version 16.0
Microsoft N/A Microsoft 365 Apps pour Enterprise pour systèmes 32 bits
Microsoft N/A Microsoft 365 Apps pour Enterprise pour 64 bits Systems
Microsoft N/A Microsoft Visual Studio 2019 version 16.8
Microsoft N/A Visual Studio Code Remote - SSH Extension
Microsoft N/A Microsoft Exchange Server 2019 Cumulative Update 6
Microsoft N/A Team Foundation Server 2018 Update 1.2
Microsoft Azure Azure Sphere
Microsoft N/A Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft Azure Azure SDK pour Java
Microsoft N/A Microsoft Dynamics 365 (on-premises) version 8.2
Microsoft N/A Microsoft Exchange Server 2019 Cumulative Update 7
Microsoft Azure Azure DevOps Server 2019 Update 1.1
Microsoft N/A Microsoft Exchange Server 2016 Cumulative Update 17
Microsoft N/A Team Foundation Server 2015 Update 4.2
Microsoft Azure C SDK pour Azure IoT
Microsoft N/A Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31
References

Show details on source website
To clipboard 

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Exchange Server 2013 Cumulative Update 23",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "ChakraCore",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2018 Update 3.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure DevOps Server 2019.0.1",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure DevOps Server 2020",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code TS-Lint Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Dynamics 365 pour Finance and Operations",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Server 2016 Cumulative Update 18",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics NAV 2015",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code Language Support pour Java Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2017 Update 3.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour syst\u00e8mes 32 bits",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft 365 Apps pour Enterprise pour 64 bits Systems",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio 2019 version 16.8",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Visual Studio Code Remote - SSH Extension",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Server 2019 Cumulative Update 6",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2018 Update 1.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure Sphere",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 (on-premises) version 9.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure SDK pour Java",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Dynamics 365 (on-premises) version 8.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Server 2019 Cumulative Update 7",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Azure DevOps Server 2019 Update 1.1",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Server 2016 Cumulative Update 17",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Team Foundation Server 2015 Update 4.2",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "C SDK pour Azure IoT",
      "product": {
        "name": "Azure",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-17130",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17130"
    },
    {
      "name": "CVE-2020-17148",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17148"
    },
    {
      "name": "CVE-2020-17135",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17135"
    },
    {
      "name": "CVE-2020-17133",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17133"
    },
    {
      "name": "CVE-2020-17119",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17119"
    },
    {
      "name": "CVE-2020-17144",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17144"
    },
    {
      "name": "CVE-2020-17129",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17129"
    },
    {
      "name": "CVE-2020-17147",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17147"
    },
    {
      "name": "CVE-2020-17143",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17143"
    },
    {
      "name": "CVE-2020-17131",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17131"
    },
    {
      "name": "CVE-2020-17126",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17126"
    },
    {
      "name": "CVE-2020-16971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-16971"
    },
    {
      "name": "CVE-2020-17117",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17117"
    },
    {
      "name": "CVE-2020-17002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17002"
    },
    {
      "name": "CVE-2020-17141",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17141"
    },
    {
      "name": "CVE-2020-17145",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17145"
    },
    {
      "name": "CVE-2020-17159",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17159"
    },
    {
      "name": "CVE-2020-17132",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17132"
    },
    {
      "name": "CVE-2020-17152",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17152"
    },
    {
      "name": "CVE-2020-17150",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17150"
    },
    {
      "name": "CVE-2020-17156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17156"
    },
    {
      "name": "CVE-2020-17125",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17125"
    },
    {
      "name": "CVE-2020-17128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17128"
    },
    {
      "name": "CVE-2020-17123",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17123"
    },
    {
      "name": "CVE-2020-17158",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17158"
    },
    {
      "name": "CVE-2020-17160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17160"
    },
    {
      "name": "CVE-2020-17142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17142"
    },
    {
      "name": "CVE-2020-17124",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-17124"
    }
  ],
  "initial_release_date": "2020-12-09T00:00:00",
  "last_revision_date": "2020-12-09T00:00:00",
  "links": [],
  "reference": "CERTFR-2020-AVI-808",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-12-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Usurpation d\u0027identit\u00e9"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer un contournement de la fonctionnalit\u00e9 de\ns\u00e9curit\u00e9, une ex\u00e9cution de code \u00e0 distance, une usurpation d\u0027identit\u00e9 et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 08 d\u00e9cembre 2020",
      "url": "https://portal.msrc.microsoft.com/fr-FR/security-guidance"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.