Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0139
Microsoft Developer Tools security updates
15 May 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Developer Tools
Operating System: Windows
Linux variants
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Existing Account
Modify Arbitrary Files -- Existing Account
Denial of Service -- Remote/Unauthenticated
Delete Arbitrary Files -- Existing Account
Cross-site Request Forgery -- Existing Account
Cross-site Scripting -- Existing Account
Provide Misleading Information -- Existing Account
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-1000 CVE-2019-0982 CVE-2019-0981
CVE-2019-0980 CVE-2019-0979 CVE-2019-0976
CVE-2019-0971 CVE-2019-0937 CVE-2019-0933
CVE-2019-0927 CVE-2019-0925 CVE-2019-0924
CVE-2019-0922 CVE-2019-0917 CVE-2019-0916
CVE-2019-0915 CVE-2019-0914 CVE-2019-0913
CVE-2019-0912 CVE-2019-0911 CVE-2019-0872
CVE-2019-0864 CVE-2019-0820 CVE-2019-0727
Member content until: Friday, June 14 2019
Reference: ASB-2019.0137
OVERVIEW
Microsoft has released its monthly security patch update for the month of May 2019.
This update resolves 24 vulnerabilities across the following products: [1]
.NET Core 1.0
.NET Core 1.1
.NET Core 2.1
.NET Core 2.2
ASP.NET Core 2.1
ASP.NET Core 2.2
Azure DevOps Server 2019
ChakraCore
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.6.2
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.7.1/4.7.2
Microsoft .NET Framework 4.7.2
Microsoft .NET Framework 4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8
Microsoft Azure Active Directory Connect
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017 version 15.0
Microsoft Visual Studio 2017 version 15.9
Microsoft Visual Studio 2019 version 16.0
Nuget 5.0.2
Team Foundation Server 2015 Update 4.2
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2018 Update 3.2
IMPACT
Microsoft has given the following details regarding these vulnerabilities.
Details Impact Severity
CVE-2019-0727 Elevation of Privilege Important
CVE-2019-0820 Denial of Service Important
CVE-2019-0864 Denial of Service Important
CVE-2019-0872 Spoofing Important
CVE-2019-0911 Remote Code Execution Critical
CVE-2019-0912 Remote Code Execution Critical
CVE-2019-0913 Remote Code Execution Critical
CVE-2019-0914 Remote Code Execution Critical
CVE-2019-0915 Remote Code Execution Critical
CVE-2019-0916 Remote Code Execution Critical
CVE-2019-0917 Remote Code Execution Critical
CVE-2019-0922 Remote Code Execution Critical
CVE-2019-0924 Remote Code Execution Critical
CVE-2019-0925 Remote Code Execution Critical
CVE-2019-0927 Remote Code Execution Critical
CVE-2019-0933 Remote Code Execution Critical
CVE-2019-0937 Remote Code Execution Critical
CVE-2019-0971 Information Disclosure Important
CVE-2019-0976 Tampering Important
CVE-2019-0979 Spoofing Important
CVE-2019-0980 Denial of Service Important
CVE-2019-0981 Denial of Service Important
CVE-2019-0982 Denial of Service Important
CVE-2019-1000 Elevation of Privilege Important
MITIGATION
Microsoft recommends updating the software with the version made available on the Microsoft Update Catalogue for the following Knowledge Base articles. [1].
KB4499179, KB4494440, KB4499154, KB4499409, KB4499408
KB4495611, KB4499405, KB4499407, KB4499406, KB4495610
KB4499167, KB4489639, KB4495613, KB4495616, KB4499181
KB4498964, KB4498961, KB4495620, KB4498963, KB4498962
REFERENCES
[1] Microsoft Security Guidance
https://portal.msrc.microsoft.com/en-us/security-guidance
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXNtpamaOgq3Tt24GAQivJQ//TAK3Zt+ybDXC8CVXaqDU+iIE23sZ3/mI
v8OCld2Di+Rzpn2O6Na5pkQ1v98lldC1zT35ATgxT+BKKYY4cmYU3ys5/21Kt8AK
n70E5U9P5Mp48YzIzpP6jZO15NUrejCr0NP7+UJnttfKavGTQKisDLfgAScwRLwE
LNEGRo1+IbzTZhtY9hMBxqMLj24yL2rOkHzTVKtz1scNvoDTa7NQSaiRHzoNnYvT
10ocxmhVnhKoutwf+yGVTfdq8hViS8jPZlPuSk5QpthkBtuO8p5AOk0A2UO8IUx9
8Z3abK3AxCCUug/aX9rx/FbwlvWjMH/JhLAVaRCZFZbqZWmzYkztin0uDCxne0nG
uA+z3nTQAtbesi4T+M3LyVU/b20ybYeeeCyvfIrkHYU+vDZO7MvYK8n/dWlfYP18
4R4CnRN6Uy8VKy9eEpxCsJv5BSi0erpUtIeF7Uq+OuSs4lR0Q3D2+cdWw0RYMZbZ
gIfwuA4raYGlZUOGb+d2gSSx1S/zkoPJZ7o2rwMdpsSWPbiDWohhLctcQVK6yIch
CLeAZ5C+QWjsTkmxoBwZzMSRkmaIiwQOXsii0XvkuTGhifDrkYIbrIDOPYcwGLK2
qxcGaRGVf6L8XuE5679wJHC9J2dkN5J+hDHLxVE44L2LiuNHWmtvixxb+8miiHTv
i/c2RgopfnU=
=msN5
-----END PGP SIGNATURE-----