KLA11859
Multiple vulnerabilities in Microsoft Developer Tools
Обновлено: 22/07/2020
Дата обнаружения
14/07/2020
Уровень угрозы
Critical
Описание

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, spoof user interface.

Below is a complete list of vulnerabilities:

  1. An elevation of privilege vulnerability in Windows Diagnostics Hub can be exploited remotely via specially crafted application to gain privileges.
  2. A remote code execution vulnerability in .NET Framework, SharePoint Server, and Visual Studio can be exploited remotely via specially crafted document to execute arbitrary code.
  3. A cross-site-scripting (XSS) vulnerability Azure DevOps Server can be exploited remotely via specially crafted payload to spoof user interface.
  4. An elevation of privilege vulnerability in Visual Studio and Visual Studio Code can be exploited remotely to gain privileges.
  5. A remote code execution vulnerability in Visual Studio Code ESLint Extention can be exploited remotely to execute arbitrary code.
Эксплуатация

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Пораженные продукты

Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft .NET Framework 3.0 Service Pack 2
Azure Storage Explorer
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8
Microsoft .NET Framework 3.5.1
Microsoft SharePoint Server 2019
Microsoft .NET Framework 3.5
Azure DevOps Server 2019.0.1
Microsoft Visual Studio Code ESLint extension
Microsoft Visual Studio 2019 version 16.0
Microsoft .NET Framework 3.5 AND 4.7.1/4.7.2
Microsoft .NET Framework 3.5 AND 4.6/4.6.1/4.6.2
Microsoft SharePoint Enterprise Server 2016
Azure DevOps Server 2019 Update 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft .NET Framework 3.5 AND 4.7.2
.NET Core 2.1
Visual Studio Code
Microsoft .NET Framework 4.5.2
TypeScript
Microsoft Visual Studio 2019 version 16.6 (includes 16.0 - 16.5)
Azure DevOps Server 2019 Update 1.1
Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 3.5 AND 4.8
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft Visual Studio 2015 Update 3
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
.NET Core 3.1

Решение

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Первичный источник обнаружения
CVE-2020-1393
CVE-2020-1147
CVE-2020-1326
CVE-2020-1416
CVE-2020-1481
Оказываемое влияние
?
ACE 
[?]

PE 
[?]

SUI 
[?]
Связанные продукты
Microsoft .NET Framework
Microsoft Visual Studio
Microsoft Azure
CVE-IDS
CVE-2020-13930.0Unknown
CVE-2020-11470.0Unknown
CVE-2020-13260.0Unknown
CVE-2020-14160.0Unknown
CVE-2020-14810.0Unknown
KB list

4565489
4565508
4565511
4565513
4566518
4565627
4566520
4565628
4566519
4565633
4565630
4565631
4566516
4566468
4566469
4566466
4566467
4567703
4566517

Microsoft official advisories
Microsoft Security Update Guide