Kaspersky Threats

Detect date

?

12/08/2020

Severity

?

High

Description

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to spoof user interface, execute arbitrary code, bypass security restrictions.

Below is a complete list of vulnerabilities:

A spoofing vulnerability in Azure DevOps Server can be exploited remotely to spoof user interface.
A remote code execution vulnerability in Visual Studio can be exploited remotely to execute arbitrary code.
A remote code execution vulnerability in Visual Studio Code Remote Development Extension can be exploited remotely to execute arbitrary code.
A remote code execution vulnerability in Visual Studio Code Java Extension Pack can be exploited remotely to execute arbitrary code.
A spoofing vulnerability in Azure DevOps Server and Team Foundation Services can be exploited remotely to spoof user interface.
A security feature bypass vulnerability in Azure SDK for C can be exploited remotely to bypass security restrictions.
A remote code execution vulnerability in Visual Studio Code can be exploited remotely to execute arbitrary code.

Affected products

Visual Studio Code TS-Lint Extension
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Team Foundation Server 2017 Update 3.1
Azure DevOps Server 2019 Update 1.1
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Azure DevOps Server 2020
Team Foundation Server 2018 Update 3.2
Team Foundation Server 2015 Update 4.2
C SDK for Azure IoT
Team Foundation Server 2018 Update 1.2
Azure DevOps Server 2019.0.1
Microsoft Visual Studio 2019 version 16.8
Visual Studio Code Remote - SSH Extension
Visual Studio Code Language Support for Java Extension

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Original advisories

CVE-2020-17135
CVE-2020-17156
CVE-2020-17148
CVE-2020-17159
CVE-2020-17145
CVE-2020-17002
CVE-2020-17150

Impacts

?

ACE

[?]

SB

[?]

SUI

[?]

Detect date ?	12/08/2020
Severity ?	High
Description	Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to spoof user interface, execute arbitrary code, bypass security restrictions. Below is a complete list of vulnerabilities: A spoofing vulnerability in Azure DevOps Server can be exploited remotely to spoof user interface. A remote code execution vulnerability in Visual Studio can be exploited remotely to execute arbitrary code. A remote code execution vulnerability in Visual Studio Code Remote Development Extension can be exploited remotely to execute arbitrary code. A remote code execution vulnerability in Visual Studio Code Java Extension Pack can be exploited remotely to execute arbitrary code. A spoofing vulnerability in Azure DevOps Server and Team Foundation Services can be exploited remotely to spoof user interface. A security feature bypass vulnerability in Azure SDK for C can be exploited remotely to bypass security restrictions. A remote code execution vulnerability in Visual Studio Code can be exploited remotely to execute arbitrary code.
Affected products	Visual Studio Code TS-Lint Extension Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) Microsoft Visual Studio 2019 version 16.0 Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) Team Foundation Server 2017 Update 3.1 Azure DevOps Server 2019 Update 1.1 Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6) Azure DevOps Server 2020 Team Foundation Server 2018 Update 3.2 Team Foundation Server 2015 Update 4.2 C SDK for Azure IoT Team Foundation Server 2018 Update 1.2 Azure DevOps Server 2019.0.1 Microsoft Visual Studio 2019 version 16.8 Visual Studio Code Remote - SSH Extension Visual Studio Code Language Support for Java Extension
Solution	Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)
Original advisories	CVE-2020-17135 CVE-2020-17156 CVE-2020-17148 CVE-2020-17159 CVE-2020-17145 CVE-2020-17002 CVE-2020-17150
Impacts ?	ACE [?] SB [?] SUI [?]
Related products	Microsoft Visual Studio Team Foundation Server Microsoft Azure
CVE-IDS ?	CVE-2020-171350.0Unknown CVE-2020-171560.0Unknown CVE-2020-171480.0Unknown CVE-2020-171590.0Unknown CVE-2020-171450.0Unknown CVE-2020-170020.0Unknown CVE-2020-171500.0Unknown

KLA12020Multiple vulnerabilities in Microsoft Developer Tools

KLA12020
Multiple vulnerabilities in Microsoft Developer Tools