KLA11513 Multiple vulnerabilities in Microsoft Developer Tools

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, spoof user interface, cause denial of service, obtain sensitive information.

Below is a complete list of vulnerabilities:

1. Security bypass vulnerabulity in Windows Communication Foundation can be exploited remotely to gain privileges.
2. An elevation of privilege vulnerability in Visual Studio can be exploited remotely via specially crafted application to gain privileges.
3. A remote code execution vulnerability in .NET Framework can be exploited remotely via specially crafted file to execute arbitrary code.
4. An elevation of privilege vulnerability in Docker can be exploited remotely to gain privileges.
5. A spoofing vulnerability in ASP.NET Core can be exploited remotely via specially crafted to spoof user interface.
6. A denial of service vulnerability in .NET can be exploited remotely via specially crafted requests to cause denial of service.
7. A cross-site-scripting (XSS) vulnerability Team Foundation Server can be exploited remotely via specially crafted payload to spoof user interface.
8. A remote code execution vulnerability in Azure DevOps Server and Team Foundation Server can be exploited remotely via specially crafted file to execute arbitrary code.
9. An information disclosure vulnerability in Visual Studio can be exploited remotely via specially crafted to obtain sensitive information.

Original advisories

CVE-2018-15664

CVE-2019-1113

CVE-2019-1076

CVE-2019-1079

CVE-2019-1006

CVE-2019-1072

CVE-2019-1077

CVE-2019-1075

CVE-2019-1083

Exploitation

Public exploits exist for this vulnerability.

Related products

Microsoft-.NET-Framework

Microsoft-Visual-Studio

Microsoft-Windows

Microsoft-Windows-Server

Microsoft-Windows-Server-2012

Microsoft-Windows-8

Microsoft-Windows-7

Microsoft-Windows-Server-2008

Windows-RT

Microsoft-Windows-10

Microsoft-Edge

Team-Foundation-Server

Microsoft-Azure

CVE list

CVE-2019-1006 warning

CVE-2019-1077 high

CVE-2019-1113 high

CVE-2018-15664 high

CVE-2019-1075 high

CVE-2019-1083 warning

CVE-2019-1076 warning

CVE-2019-1072 critical

CVE-2019-1079 warning

KB list

4507460

4507435

4507455

4507458

4507450

4507412

4507421

4507419

4507420

4507411

4507423

4507414

4506989

4506988

4506987

4506991

4507413

4507422

4506986

4506161

4506163

4506164

4506162

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Microsoft Visual Studio 2019 version 16.1Microsoft Visual Studio 2019 version 16.0Microsoft .NET Framework 3.5Microsoft .NET Framework 3.5 AND 4.7.2Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2Microsoft .NET Framework 4.6Microsoft .NET Framework 4.8Microsoft .NET Framework 4.6/4.6.1/4.6.2Microsoft Visual Studio 2017Microsoft .NET Framework 4.5.2Microsoft .NET Framework 3.5 AND 4.8Microsoft .NET Framework 2.0 Service Pack 2Microsoft .NET Framework 3.0 Service Pack 2Microsoft .NET Framework 3.5.1Microsoft Azure Kubernetes ServiceAzure IoT EdgeASP.NET Core 2.1ASP.NET Core 2.2Azure DevOps Server 2019.0.1Team Foundation Server 2018 Update 3.2Team Foundation Server 2018 Update 1.2Team Foundation Server 2017 Update 3.1Team Foundation Server 2012 Update 4Team Foundation Server 2010 SP1 (x64)Team Foundation Server 2010 SP1 (x86)Team Foundation Server 2013 Update 5Team Foundation Server 2015 Update 4.2Microsoft Visual Studio 2010 Service Pack 1Microsoft Visual Studio 2013 Update 5Microsoft Visual Studio 2012 Update 5Microsoft Visual Studio 2015 Update 3Windows 7 for 32-bit Systems Service Pack 1Windows 10 Version 1703 for x64-based SystemsWindows 7 for x64-based Systems Service Pack 1Windows Server 2019 (Server Core installation)Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1Windows Server, version 1803 (Server Core Installation)Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Microsoft.IdentityModel 7.0.0Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)Windows Server 2012 R2 (Server Core installation)Windows 10 Version 1903 for ARM64-based SystemsMicrosoft SharePoint Foundation 2013 Service Pack 1Windows 8.1 for 32-bit systemsWindows Server 2012Microsoft SharePoint Foundation 2010 Service Pack 2Windows RT 8.1Windows 10 Version 1903 for 32-bit SystemsWindows 10 Version 1607 for x64-based SystemsWindows 10 Version 1803 for 32-bit SystemsWindows 10 Version 1709 for ARM64-based SystemsWindows 10 for 32-bit SystemsWindows Server, version 1903 (Server Core installation)Windows Server 2012 (Server Core installation)Windows 10 Version 1803 for x64-based SystemsWindows Server 2016Microsoft SharePoint Enterprise Server 2016Windows 10 Version 1809 for x64-based SystemsWindows 10 Version 1607 for 32-bit SystemsWindows 10 Version 1809 for ARM64-based SystemsWindows Server 2012 R2Windows Server 2016 (Server Core installation)Microsoft SharePoint Enterprise Server 2013 Service Pack 1Windows 10 Version 1803 for ARM64-based SystemsWindows 10 Version 1709 for 32-bit SystemsWindows Server 2008 for x64-based Systems Service Pack 2Windows 10 Version 1903 for x64-based SystemsWindows 10 for x64-based SystemsWindows 10 Version 1709 for x64-based SystemsWindows Server 2019Windows 10 Version 1703 for 32-bit SystemsWindows 10 Version 1809 for 32-bit SystemsWindows Server 2008 for 32-bit Systems Service Pack 2Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)Microsoft SharePoint Server 2019Windows Server 2008 for Itanium-Based Systems Service Pack 2Windows Server 2008 R2 for x64-based Systems Service Pack 1Windows 8.1 for x64-based systems