KLA11399 Multiple vulnerabilities in Microsoft Developer Tools

2019-01-08 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

AI Score: 8.5 High (Confidence: High)

EPSS: 0.019 Low (Percentile: 88.5%)

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, or cause denial of service.

Below is a complete list of vulnerabilities:

  1. An information disclosure vulnerability in Microsoft Visual Studio can be exploited remotely to obtain sensitive information.
  2. A remote code execution vulnerability in Visual Studio can be exploited remotely via a specially crafted file to execute arbitrary code.
  3. A denial of service vulnerability in ASP.NET Core can be exploited remotely via specially crafted requests to cause denial of service.
  4. An information disclosure vulnerability in .NET Framework can be exploited remotely to obtain sensitive information.

Original advisories

CVE-2019-0537

CVE-2019-0546

CVE-2019-0548

CVE-2019-0564

CVE-2019-0545

Related products

Microsoft-.NET-Framework

Microsoft-Visual-Studio

CVE list

CVE-2019-0537 warning

CVE-2019-0546 critical

CVE-2019-0548 warning

CVE-2019-0564 warning

CVE-2019-0545 warning

KB list

4480978

4480962

4480966

4480961

4480973

4476698

4476755

4480056

4481480

4481481

4481482

4481483

4481484

4481485

4481486

4481487

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to execute any code or commands on the vulnerable machine or in the vulnerable process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an attacker to capture information that is critical for the user or system.

  • DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can allow an attacker to perform actions restricted by the current security settings.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in the user interface that mislead the user into incorrect actions.

Affected Products

  • Microsoft Visual Studio 2012 Update 5
  • Microsoft Visual Studio 2010 Service Pack 1
  • ASP.NET Core 2.1
  • ASP.NET Core 2.2
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 3.0 Service Pack 2
  • Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 4.7/4.7.1/4.7.2
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 4.7.1/4.7.2
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
  • Microsoft .NET Framework 4.7.2
  • .NET Core 2.2
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2
  • Microsoft .NET Framework 4.5.2
  • .NET Core 2.1
  • Microsoft .NET Framework 4.6
  • PowerShell Core 6.2
  • PowerShell Core 6.1
  • Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8)
