KLA11859
Multiple vulnerabilities in Microsoft Developer Tools

Updated: 03/10/2021
Detect date
?
07/14/2020
Severity
?
Critical
Description

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, spoof user interface.

Below is a complete list of vulnerabilities:

  1. An elevation of privilege vulnerability in Windows Diagnostics Hub can be exploited remotely via specially crafted application to gain privileges.
  2. A remote code execution vulnerability in .NET Framework, SharePoint Server, and Visual Studio can be exploited remotely via specially crafted document to execute arbitrary code.
  3. A cross-site-scripting (XSS) vulnerability Azure DevOps Server can be exploited remotely via specially crafted payload to spoof user interface.
  4. An elevation of privilege vulnerability in Visual Studio and Visual Studio Code can be exploited remotely to gain privileges.
  5. A remote code execution vulnerability in Visual Studio Code ESLint Extention can be exploited remotely to execute arbitrary code.
Exploitation

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Affected products

Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft .NET Framework 3.0 Service Pack 2
Azure Storage Explorer
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8
Microsoft .NET Framework 3.5.1
Microsoft SharePoint Server 2019
Microsoft .NET Framework 3.5
Azure DevOps Server 2019.0.1
Microsoft Visual Studio Code ESLint extension
Microsoft Visual Studio 2019 version 16.0
Microsoft .NET Framework 3.5 AND 4.7.1/4.7.2
Microsoft .NET Framework 3.5 AND 4.6/4.6.1/4.6.2
Microsoft SharePoint Enterprise Server 2016
Azure DevOps Server 2019 Update 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft .NET Framework 3.5 AND 4.7.2
.NET Core 2.1
Visual Studio Code
Microsoft .NET Framework 4.5.2
TypeScript
Microsoft Visual Studio 2019 version 16.6 (includes 16.0 - 16.5)
Azure DevOps Server 2019 Update 1.1
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 3.5 AND 4.8
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft Visual Studio 2015 Update 3
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
.NET Core 3.1

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Original advisories

CVE-2020-1393
CVE-2020-1147
CVE-2020-1326
CVE-2020-1416
CVE-2020-1481

Impacts
?
ACE 
[?]

PE 
[?]

SUI 
[?]
Related products
Microsoft .NET Framework
Microsoft Visual Studio
Microsoft Azure
CVE-IDS
?
CVE-2020-13934.6Warning
CVE-2020-11476.8High
CVE-2020-13263.5Warning
CVE-2020-14169.3Critical
CVE-2020-14819.3Critical
KB list

4566468
4566469
4566466
4566467
4567703
4579980
4578974
4578972
4578971
4579977
4579978
4579979
4578968
4578969
4580328
4579976
4580330
4580327
4580346
4578977
4578975
4578973
4578961
4578962
4578963

Microsoft official advisories
Microsoft Security Update Guide
Find out the statistics of the vulnerabilities spreading in your region