KLA12020
Multiple vulnerabilities in Microsoft Developer Tools

Обновлено: 10/12/2020
Дата обнаружения
08/12/2020
Уровень угрозы
High
Описание

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to spoof user interface, execute arbitrary code, bypass security restrictions.

Below is a complete list of vulnerabilities:

  1. A spoofing vulnerability in Azure DevOps Server can be exploited remotely to spoof user interface.
  2. A remote code execution vulnerability in Visual Studio can be exploited remotely to execute arbitrary code.
  3. A remote code execution vulnerability in Visual Studio Code Remote Development Extension can be exploited remotely to execute arbitrary code.
  4. A remote code execution vulnerability in Visual Studio Code Java Extension Pack can be exploited remotely to execute arbitrary code.
  5. A spoofing vulnerability in Azure DevOps Server and Team Foundation Services can be exploited remotely to spoof user interface.
  6. A security feature bypass vulnerability in Azure SDK for C can be exploited remotely to bypass security restrictions.
  7. A remote code execution vulnerability in Visual Studio Code can be exploited remotely to execute arbitrary code.
Пораженные продукты

Visual Studio Code TS-Lint Extension
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Team Foundation Server 2017 Update 3.1
Azure DevOps Server 2019 Update 1.1
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Azure DevOps Server 2020
Team Foundation Server 2018 Update 3.2
Team Foundation Server 2015 Update 4.2
C SDK for Azure IoT
Team Foundation Server 2018 Update 1.2
Azure DevOps Server 2019.0.1
Microsoft Visual Studio 2019 version 16.8
Visual Studio Code Remote - SSH Extension
Visual Studio Code Language Support for Java Extension

Решение

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Первичный источник обнаружения
CVE-2020-17135
CVE-2020-17156
CVE-2020-17148
CVE-2020-17159
CVE-2020-17145
CVE-2020-17002
CVE-2020-17150
Оказываемое влияние
?
ACE 
[?]

SB 
[?]

SUI 
[?]
Связанные продукты
Microsoft Visual Studio
Team Foundation Server
Microsoft Azure
CVE-IDS
CVE-2020-171350.0Unknown
CVE-2020-171560.0Unknown
CVE-2020-171480.0Unknown
CVE-2020-171590.0Unknown
CVE-2020-171450.0Unknown
CVE-2020-170020.0Unknown
CVE-2020-171500.0Unknown