近日,微软官方发布了多个安全漏洞的公告,其中微软产品本身漏洞77个,影响到微软产品的其他厂商漏洞9个。包括Microsoft Windows Remote Procedure Call 安全漏洞(CNNVD-202303-1051、CVE-2023-21708)、Microsoft Windows HTTP Protocol Stack 安全漏洞(CNNVD-202303-1026、CVE-2023-23392)等多个漏洞。成功利用上述漏洞的攻击者可以在目标系统上执行任意代码、获取用户数据,提升权限等。微软多个产品和系统受漏洞影响。目前,微软官方已经发布了漏洞修复补丁,建议用户及时确认是否受到漏洞影响,尽快采取修补措施。
一、 漏洞介绍
2023年3月14日,微软发布了2023年3月份安全更新,共86个漏洞的补丁程序,CNNVD对这些漏洞进行了收录。本次更新主要涵盖了Microsoft Windows 和 Windows 组件、Microsoft PostScript Printer Driver、Microsoft Windows HTTP Protocol Stack、Microsoft Graphics Component、Microsoft Windows Hyper-V、Microsoft Windows Point-to-Point Tunneling Protocol等。CNNVD对其危害等级进行了评价,其中超危漏洞4个,高危漏洞48个,中危漏洞32个,低危漏洞1个。微软多个产品和系统版本受漏洞影响,具体影响范围可访问微软官方网站查询:https://portal.msrc.microsoft.com/zh-cn/security-guidance
二、漏洞详情
此次更新共包括74个新增漏洞的补丁程序,其中超危漏洞4个,高危漏洞42个,中危漏洞27个,低危漏洞1个。
序号 | 漏洞名称 | CNNVD编号 | CVE编号 | 危害等级 | 官方链接 |
1 | Microsoft Windows Remote Procedure Call 安全漏洞 | CNNVD-202303-1051 | CVE-2023-21708 | 超危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21708 |
2 | Microsoft Windows HTTP Protocol Stack 安全漏洞 | CNNVD-202303-1026 | CVE-2023-23392 | 超危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23392 |
3 | Microsoft Outlook 安全漏洞 | CNNVD-202303-1036 | CVE-2023-23397 | 超危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 |
4 | Microsoft Internet Control Message Protocol 安全漏洞 | CNNVD-202303-1075 | CVE-2023-23415 | 超危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415 |
5 | Microsoft Service Fabric 安全漏洞 | CNNVD-202303-1016 | CVE-2023-23383 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23383 |
6 | Microsoft Windows Point-to-Point Protocol over Ethernet 安全漏洞 | CNNVD-202303-1017 | CVE-2023-23385 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23385 |
7 | Microsoft Bluetooth Driver 安全漏洞 | CNNVD-202303-1019 | CVE-2023-23388 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23388 |
8 | Microsoft Windows BrokerInfrastructure 安全漏洞 | CNNVD-202303-1032 | CVE-2023-23393 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23393 |
9 | Microsoft Excel 安全漏洞 | CNNVD-202303-1038 | CVE-2023-23398 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23398 |
10 | Microsoft Excel 安全漏洞 | CNNVD-202303-1039 | CVE-2023-23399 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23399 |
11 | Microsoft DNS Server 安全漏洞 | CNNVD-202303-1054 | CVE-2023-23400 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23400 |
12 | Microsoft Windows Codecs Library 安全漏洞 | CNNVD-202303-1056 | CVE-2023-23401 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23401 |
13 | Microsoft Windows Codecs Library 安全漏洞 | CNNVD-202303-1057 | CVE-2023-23402 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23402 |
14 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1040 | CVE-2023-23403 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23403 |
15 | Microsoft Windows Point-to-Point Tunneling Protocol 安全漏洞 | CNNVD-202303-1058 | CVE-2023-23404 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23404 |
16 | Microsoft Windows Remote Procedure Call Runtime 安全漏洞 | CNNVD-202303-1060 | CVE-2023-23405 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23405 |
17 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1062 | CVE-2023-23406 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23406 |
18 | Microsoft Windows Point-to-Point Protocol over Ethernet 安全漏洞 | CNNVD-202303-1064 | CVE-2023-23407 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23407 |
19 | Microsoft HTTP.sys 安全漏洞 | CNNVD-202303-1072 | CVE-2023-23410 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23410 |
20 | Microsoft Windows Accounts Control 安全漏洞 | CNNVD-202303-1087 | CVE-2023-23412 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23412 |
21 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1076 | CVE-2023-23413 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23413 |
22 | Microsoft Windows Point-to-Point Protocol over Ethernet 安全漏洞 | CNNVD-202303-1077 | CVE-2023-23414 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23414 |
23 | Microsoft Windows Cryptographic Services 安全漏洞 | CNNVD-202303-1079 | CVE-2023-23416 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23416 |
24 | Microsoft Windows Partition Management Driver 安全漏洞 | CNNVD-202303-1073 | CVE-2023-23417 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23417 |
25 | Microsoft Windows Resilient File System (ReFS) 安全漏洞 | CNNVD-202303-1070 | CVE-2023-23418 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23418 |
26 | Microsoft Windows Resilient File System (ReFS) 安全漏洞 | CNNVD-202303-1068 | CVE-2023-23419 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23419 |
27 | Microsoft Windows Kernel 安全漏洞 | CNNVD-202303-1065 | CVE-2023-23420 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23420 |
28 | Microsoft Windows Kernel 安全漏洞 | CNNVD-202303-1063 | CVE-2023-23421 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23421 |
29 | Microsoft Windows Kernel 安全漏洞 | CNNVD-202303-1061 | CVE-2023-23422 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23422 |
30 | Microsoft Windows Kernel 安全漏洞 | CNNVD-202303-1059 | CVE-2023-23423 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23423 |
31 | Microsoft Windows Internet Key Exchange (IKE) Protocol 安全漏洞 | CNNVD-202303-1071 | CVE-2023-24859 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24859 |
32 | Microsoft Windows Win32K 安全漏洞 | CNNVD-202303-1052 | CVE-2023-24861 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24861 |
33 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1066 | CVE-2023-24864 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24864 |
34 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1046 | CVE-2023-24867 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24867 |
35 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1045 | CVE-2023-24868 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24868 |
36 | Microsoft Windows Remote Procedure Call Runtime 安全漏洞 | CNNVD-202303-1042 | CVE-2023-24869 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24869 |
37 | Microsoft Windows Bluetooth Service 安全漏洞 | CNNVD-202303-1041 | CVE-2023-24871 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24871 |
38 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1037 | CVE-2023-24872 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24872 |
39 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1035 | CVE-2023-24876 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24876 |
40 | Microsoft Edge 安全漏洞 | CNNVD-202303-1024 | CVE-2023-24892 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24892 |
41 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1018 | CVE-2023-24907 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24907 |
42 | Microsoft Windows Remote Procedure Call Runtime 安全漏洞 | CNNVD-202303-1015 | CVE-2023-24908 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24908 |
43 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1013 | CVE-2023-24909 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24909 |
44 | Microsoft Graphics Component 安全漏洞 | CNNVD-202303-1014 | CVE-2023-24910 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24910 |
45 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1010 | CVE-2023-24913 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24913 |
46 | Microsoft OneDrive 安全漏洞 | CNNVD-202303-1001 | CVE-2023-24930 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24930 |
47 | Microsoft Defender 安全漏洞 | CNNVD-202303-1021 | CVE-2023-23389 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23389 |
48 | Microsoft Office for Android 安全漏洞 | CNNVD-202303-1023 | CVE-2023-23391 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23391 |
49 | Microsoft Client Server Run-time Subsystem (CSRSS) 安全漏洞 | CNNVD-202303-1029 | CVE-2023-23394 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23394 |
50 | Microsoft Excel 安全漏洞 | CNNVD-202303-1033 | CVE-2023-23396 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23396 |
51 | Microsoft Azure Apache Ambari 安全漏洞 | CNNVD-202303-1067 | CVE-2023-23408 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23408 |
52 | Microsoft Client Server Run-time Subsystem (CSRSS) 安全漏洞 | CNNVD-202303-1069 | CVE-2023-23409 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23409 |
53 | Microsoft Windows Hyper-V 安全漏洞 | CNNVD-202303-1074 | CVE-2023-23411 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23411 |
54 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1044 | CVE-2023-24856 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24856 |
55 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1055 | CVE-2023-24857 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24857 |
56 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1053 | CVE-2023-24858 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24858 |
57 | Microsoft Windows Secure Channel 安全漏洞 | CNNVD-202303-1050 | CVE-2023-24862 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24862 |
58 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1049 | CVE-2023-24863 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24863 |
59 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1048 | CVE-2023-24865 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24865 |
60 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1047 | CVE-2023-24866 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24866 |
61 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1043 | CVE-2023-24870 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24870 |
62 | Microsoft Dynamics 安全漏洞 | CNNVD-202303-1031 | CVE-2023-24879 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24879 |
63 | Microsoft Defender SmartScreen 安全漏洞 | CNNVD-202303-1034 | CVE-2023-24880 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880 |
64 | Microsoft OneDrive 安全漏洞 | CNNVD-202303-1028 | CVE-2023-24882 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24882 |
65 | Microsoft OneDrive 安全漏洞 | CNNVD-202303-1027 | CVE-2023-24890 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24890 |
66 | Microsoft Dynamics 安全漏洞 | CNNVD-202303-1025 | CVE-2023-24891 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24891 |
67 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1020 | CVE-2023-24906 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24906 |
68 | Microsoft PostScript Printer Driver 安全漏洞 | CNNVD-202303-1011 | CVE-2023-24911 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24911 |
69 | Microsoft Dynamics 安全漏洞 | CNNVD-202303-1008 | CVE-2023-24919 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24919 |
70 | Microsoft Dynamics 安全漏洞 | CNNVD-202303-1007 | CVE-2023-24920 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24920 |
71 | Microsoft Dynamics 安全漏洞 | CNNVD-202303-1006 | CVE-2023-24921 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24921 |
72 | Microsoft Dynamics 安全漏洞 | CNNVD-202303-1005 | CVE-2023-24922 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24922 |
73 | Microsoft OneDrive 安全漏洞 | CNNVD-202303-1004 | CVE-2023-24923 | 中危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24923 |
74 | Microsoft SharePoint 安全漏洞 | CNNVD-202303-1030 | CVE-2023-23395 | 低危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23395 |
此次更新共包括3个更新漏洞的补丁程序,其中高危漏洞2个,中危漏洞1个。
序号 | 漏洞名称 | CNNVD编号 | CVE编号 | 危害等级 | 官方链接 |
1 | Microsoft Hyper-V安全漏洞 | CNNVD-202204-3177 | CVE-2022-23257 | 高危 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23257 |
2 | Microsoft Dynamics 安全漏洞 | CNNVD-202212-3159 | CVE-2022-41127 | 高危 | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41127 |
3 | Windows DCOM Server 安全特征问题漏洞 | CNNVD-202106-546 | CVE-2021-26414 | 中危 | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26414 |
此次更新共包括9个影响微软产品的其他厂商漏洞的补丁程序,其中高危漏洞4个,中危漏洞4个,低危漏洞1个。
序号 | 漏洞名称 | CNNVD编号 | CVE编号 | 危害等级 | 厂商 | 官方链接 |
1 | TCG TPM 缓冲区错误漏洞 | CNNVD-202302-2422 | CVE-2023-1017 | 高危 | TCG | https://trustedcomputinggroup.org/resource/errata-for-tpm-library-specification-2-0/ |
2 | Git 代码问题漏洞 | CNNVD-202302-1069 | CVE-2023-22743 | 高危 | Git | https://github.com/git-for-windows/git/security/advisories/GHSA-p2x9-prp4-8gvq |
3 | Git 代码问题漏洞 | CNNVD-202302-1071 | CVE-2023-23618 | 高危 | Git | https://github.com/git-for-windows/git/commit/49a8ec9dac3cec6602f05fed1b3f80a549c8c05c |
4 | Git 路径遍历漏洞 | CNNVD-202302-1164 | CVE-2023-23946 | 高危 | Git | https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd |
5 | 多款AMD处理器安全漏洞 | CNNVD-202207-891 | CVE-2022-23825 | 中危 | AMD | https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037 |
6 | curl 资源管理错误漏洞 | CNNVD-202212-3687 | CVE-2022-43552 | 中危 | 个人开发者 | https://curl.se/docs/CVE-2022-43552.html |
7 | TCG TPM 缓冲区错误漏洞 | CNNVD-202302-2314 | CVE-2023-1018 | 中危 | TCG | https://trustedcomputinggroup.org/resource/errata-for-tpm-library-specification-2-0/ |
8 | Git 后置链接漏洞 | CNNVD-202302-1136 | CVE-2023-22490 | 中危 | 个人开发者 | https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd |
9 | AMD CPU 安全漏洞 | CNNVD-202207-892 | CVE-2022-23816 | 低危 | AMD | https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037 |
三、修复建议
目前,微软官方已经发布补丁修复了上述漏洞,建议用户及时确认漏洞影响,尽快采取修补措施。微软官方补丁下载地:
https://msrc.microsoft.com/update-guide/en-us
CNNVD将继续跟踪上述漏洞的相关情况,及时发布相关信息。如有需要,可与CNNVD联系。联系方式:
cnnvdvul@itsec.gov.cn