Kaspersky Lab, KLA11748
Apr 14, 2020 - 12:00 a.m.

KLA11748 Multiple vulnerabilities in Microsoft Developer Tools

2020-04-14 00:00:00
Kaspersky Lab
threats.kaspersky.com
CVSS2: 7.5

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

  AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.9
Confidence: High

EPSS: 0.005
Percentile: 76.6%

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to gain privileges or bypass security restrictions.

Below is a complete list of vulnerabilities:

  1. An elevation of privilege vulnerability in Microsoft Visual Studio can be exploited remotely to gain privileges.
  2. A security feature bypass vulnerability in MSR JavaScript Cryptography Library can be exploited remotely to bypass security restrictions.
  3. An elevation of privilege vulnerability in Visual Studio Extension Installer Service can be exploited remotely via a specially crafted application to gain privileges.

Original advisories

CVE-2020-0899

CVE-2020-1026

CVE-2020-0900

Related products

Microsoft-Visual-Studio

CVE list

CVE-2020-0899 warning

CVE-2020-1026 critical

CVE-2020-0900 warning

KB list

4540102

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Impacts

  • SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can allow an abuser to perform actions that are normally disallowed for the current role.

Affected Products

  • Microsoft Visual Studio 2017 version 15.9 (includes 15.1 - 15.8)
  • Microsoft Visual Studio 2015 Update 3
  • Microsoft Visual Studio 2019 version 16.5
  • Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
  • Microsoft Research JavaScript Cryptography Library V1.4
  • Microsoft Visual Studio 2019 version 16.0
