CERTFR-2020-ALE-011
Vulnerability from certfr_alerte - Published: - Updated:
Le 21 avril 2020, Microsoft a publié un avis de sécurité annonçant la sortie d'un correctif pour multiples vulnérabilités affectant ses produits qui utilisent la bibliothèque Autodesk FBX.
Ces vulnérabilités permettent à un attaquant d'exécuter du code arbitraire à distance si un utilisateur ouvre un fichier spécialement conçu comprenant du contenu 3D.
Le CERT-FR recommande l'application des correctifs dans les plus brefs délais.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Contournement provisoire
Microsoft annonce qu'il n'existe pas de mesure de contournement pour ces vulnérabilités.
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | Office | Office 365 ProPlus pour systèmes 32 bits | ||
| Microsoft | Office | Microsoft Office 2019 pour éditions 32 bits | ||
| Microsoft | Office | Office 365 ProPlus pour systèmes 64 bits | ||
| Microsoft | Office | Microsoft Office 2019 pour éditions 64 bits | ||
| Microsoft | N/A | Paint 3D | ||
| Microsoft | Office | Microsoft Office 2016 Click-to-Run (C2R) pour éditions 64 bits | ||
| Microsoft | Office | Microsoft Office 2016 Click-to-Run (C2R) pour éditions 32 bits |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Office 365 ProPlus pour syst\u00e8mes 32 bits",
"product": {
"name": "Office",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Office 2019 pour \u00e9ditions 32 bits",
"product": {
"name": "Office",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Office 365 ProPlus pour syst\u00e8mes 64 bits",
"product": {
"name": "Office",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Office 2019 pour \u00e9ditions 64 bits",
"product": {
"name": "Office",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Paint 3D",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Office 2016 Click-to-Run (C2R) pour \u00e9ditions 64 bits",
"product": {
"name": "Office",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Office 2016 Click-to-Run (C2R) pour \u00e9ditions 32 bits",
"product": {
"name": "Office",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": null,
"closed_at": "2020-06-23",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n\n## Contournement provisoire\n\nMicrosoft annonce qu\u0027il n\u0027existe pas de mesure de contournement pour ces\nvuln\u00e9rabilit\u00e9s.\n",
"cves": [
{
"name": "CVE-2020-7085",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7085"
},
{
"name": "CVE-2020-7082",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7082"
},
{
"name": "CVE-2020-7081",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7081"
},
{
"name": "CVE-2020-7083",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7083"
},
{
"name": "CVE-2020-7080",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7080"
},
{
"name": "CVE-2020-7084",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7084"
}
],
"links": [],
"reference": "CERTFR-2020-ALE-011",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-04-22T00:00:00.000000"
},
{
"description": "Correction de la date du bulletin de s\u00e9curit\u00e9 Autodesk",
"revision_date": "2020-04-23T00:00:00.000000"
},
{
"description": "Cl\u00f4ture de l\u0027alerte. La cl\u00f4ture d\u0027une alerte ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
"revision_date": "2020-06-23T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "Le 21 avril 2020, Microsoft a publi\u00e9 un avis de s\u00e9curit\u00e9 annon\u00e7ant la\nsortie d\u0027un correctif pour multiples vuln\u00e9rabilit\u00e9s affectant ses\nproduits qui utilisent la biblioth\u00e8que Autodesk FBX.\n\nCes vuln\u00e9rabilit\u00e9s permettent \u00e0 un attaquant d\u0027ex\u00e9cuter du code\narbitraire \u00e0 distance si un utilisateur ouvre un fichier\u00a0sp\u00e9cialement\ncon\u00e7u comprenant du contenu\u00a03D.\n\nLe CERT-FR recommande l\u0027application des correctifs dans les plus brefs\nd\u00e9lais.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft qui utilisent la biblioth\u00e8que Autodesk FBX",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Autodesk adsk-sa-2020-0002 du 15 avril 2020",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft ADV200004 du 21 avril 2020",
"url": "https://portal.msrc.microsoft.com/fr-fr/security-guidance/advisory/ADV200004"
},
{
"published_at": null,
"title": "Avis CERT-FR CERTFR-2020-AVI-236 du 22 avril 2020",
"url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2020-AVI-236/"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…