Security Updates for Microsoft Visual Studio Products (September 2020)

high Nessus Plugin ID 140465

Synopsis

The Microsoft Visual Studio Products are affected by multiple vulnerabilities.

Description

The Microsoft Visual Studio Products are missing security updates. It is, therefore, affected by multiple vulnerabilities :

- An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Diagnostics Hub Standard Collector handles file operations. (CVE-2020-1133)

- A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2020-16856, CVE-2020-16874)

- An elevation of privilege vulnerability exists when the Diagnostics Hub Standard Collector improperly handles data operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Diagnostics Hub Standard Collector handles data operations. (CVE-2020-1130)

Solution

Microsoft has released the following security updates to address this issue:
-KB4571480
-KB4571479
-KB4571481
-KB4576950

See Also

http://www.nessus.org/u?1837f66d

http://www.nessus.org/u?40ae669c

http://www.nessus.org/u?2c1500e4

http://www.nessus.org/u?2d7d095b

Plugin Details

Severity: High

ID: 140465

File Name: smb_nt_ms20_sep_visual_studio.nasl

Version: 1.7

Type: local

Agent: windows

Published: 9/10/2020

Updated: 12/5/2022

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-16874

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:visual_studio

Required KB Items: SMB/MS_Bulletin_Checks/Possible, installed_sw/Microsoft Visual Studio

Exploit Ease: No known exploits are available

Patch Publication Date: 9/8/2020

Vulnerability Publication Date: 9/8/2020

Reference Information

CVE: CVE-2020-1130, CVE-2020-1133, CVE-2020-16856, CVE-2020-16874

IAVA: 2020-A-0414-S

MSFT: MS20-4571479, MS20-4571480, MS20-4571481, MS20-4576950

MSKB: 4571479, 4571480, 4571481, 4576950