{"$ref":"https://www.cert.ssi.gouv.fr/openapi.json","affected_systems":[{"description":"Windows Server 2022","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2012","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 for x64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Microsoft Office LTSC 2021 for 64-bit editions","product":{"name":"Office","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1809 for x64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2019 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2019","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2012 R2","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2022 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1607 for 32-bit systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 21H2 for ARM64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Microsoft Office LTSC 2021 for 32-bit editions","product":{"name":"Office","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 for x64 systems Service Pack 2","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1809 for ARM64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1809 for 32-bit 
systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 11 version 21H2 for x64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Microsoft Word 2016 (64-bit edition)","product":{"name":"N/A","vendor":{"name":"Microsoft","scada":false}}},{"description":"Microsoft Office 2019 for 32-bit editions","product":{"name":"Office","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2016 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Microsoft Word 2013 Service Pack 1 (64-bit editions)","product":{"name":"N/A","vendor":{"name":"Microsoft","scada":false}}},{"description":"Microsoft Office 2019 for 64-bit editions","product":{"name":"Office","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 22H2 for x64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 11 version 21H2 for ARM64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 for x64 systems Service Pack 2 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 for 32-bit systems Service Pack 2 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 1607 for x64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2012 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 21H2 for 32-bit systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 
21H2 for x64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 for 32-bit systems Service Pack 2","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 R2 for x64 systems Service Pack 1","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 22H2 for 32-bit systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 11 Version 22H2 for ARM64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2016","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Microsoft Word 2013 Service Pack 1 (32-bit editions)","product":{"name":"N/A","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2008 R2 for x64 systems Service Pack 1 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows Server 2012 R2 (Server Core installation)","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 for 32-bit systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Microsoft Word 2016 (32-bit edition)","product":{"name":"N/A","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 10 Version 22H2 for ARM64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}},{"description":"Windows 11 Version 22H2 for x64 systems","product":{"name":"Windows","vendor":{"name":"Microsoft","scada":false}}}],"affected_systems_content":"","closed_at":"2023-12-12","content":"## Temporary workaround\n\nThe vendor provides a set of mitigation measures intended to limit\nits 
exploitation. \\[1\\] \\[3\\]\n\n## Solution\n\nThe updates published by the vendor in August 2023 fix this\nvulnerability \\[1\\].\n","cves":[{"name":"CVE-2023-36884","url":"https://www.cve.org/CVERecord?id=CVE-2023-36884"}],"links":[{"title":"[13]","url":"https://www.bankinfosecurity.com/cuba-ransomware-gang-takes-credit-for-attacking-montenegro-a-19938"},{"title":"[7]","url":"https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"},{"title":"[9]","url":"https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine"},{"title":"[2]","url":"https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"},{"title":"[8]","url":"https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"},{"title":"[10]","url":"https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit"},{"title":"[12]","url":"https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"},{"title":"[4]","url":"https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"},{"title":"[11]","url":"https://cert.gov.ua/article/5077168"},{"title":"[6]","url":"https://cert.gov.ua/article/2394117"},{"title":"[1]","url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884"},{"title":"[5]","url":"https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/"},{"title":"[3]","url":"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-all-office-applications-from-creating-child-processes"}],"reference":"CERTFR-2023-ALE-006","revisions":[{"description":"Initial version","revision_date":"2023-07-12T00:00:00.000000"},{"description":"Correction to section 
SOLUTION","revision_date":"2023-12-12T00:00:00.000000"}],"risks":[{"description":"Remote arbitrary code execution"}],"summary":"### Vulnerability description\n\nAs part of its *Patch Tuesday* of 11 July 2023,\nMicrosoft reported the existence of a vulnerability referenced as\nCVE-2023-36884 \\[1\\] in several versions of Windows and\nOffice products. It was assigned a CVSSv3 score of 8.3.\n\nThe vendor confirms that it is being actively exploited in a targeted manner\n\\[2\\].\n\nThe CVE-2023-36884 vulnerability allows an attacker to remotely execute arbitrary\ncode in the user's context by means of a specially crafted\nMicrosoft Office document, delivered beforehand using\nsocial engineering techniques.\n\nCERT-FR strongly recommends implementing the\nmitigations proposed by the vendor pending the release of a\npatch.\n\nThis alert will be updated regularly as new\ninformation is communicated to us.\n\n\u00a0\n\n### Exploitation campaign\n\nAccording to Microsoft \\[4\\], CVE-2023-36884 was reportedly exploited by the\nStorm-0978 intrusion set during a June 2023 campaign against\nEuropean and North American government and defense sector\nentities for espionage purposes. 
The malicious code used\nby the attackers following exploitation of this vulnerability\nreportedly shows similarities with the RomCom backdoor.\n\nRomCom is malicious code discovered in August 2022 by PaloAlto\n\\[5\\], which has reportedly been used since October 2022 in espionage\ncampaigns against Ukrainian government and military\nentities (\\[6\\], \\[7\\]), and against entities in the government,\ndefense, healthcare, digital services and\nlogistics sectors in certain European and North American countries (\\[7\\],\n\\[8\\], \\[9\\], \\[10\\], \\[11\\], \\[4\\]).\n\nThe RomCom malicious code has been associated with the Cuba cybercriminal group\nby several security vendors \\[5\\], \\[12\\]. Cuba is notably\nknown for having claimed responsibility for the ransomware attack against the\ngovernment of Montenegro in August 2022 \\[13\\].\n\n\u00a0\n","title":"Vulnerability in Microsoft products","vendor_advisories":[]}
