CVE-2019-1072
Published: 2019-07-15
Priority P264 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.44% (95.7th percentile)
A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability'.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | azure_devops_server | — | — |
| microsoft | team_foundation_server | — | — |
| microsoft | team_foundation_server | — | — |
| microsoft | team_foundation_server | — | — |
| microsoft | team_foundation_server | — | — |
| microsoft | team_foundation_server | — | — |
| microsoft | team_foundation_server | — | — |
| microsoft | team_foundation_server | — | — |
| microsoft | team_foundation_server_2010 | — | — |
| microsoft | team_foundation_server_2010 | — | — |
| microsoft | team_foundation_server_2012 | — | — |
| microsoft | team_foundation_server_2013_update_5 | — | — |
| microsoft | team_foundation_server_2015 | — | — |
| microsoft | team_foundation_server_2018 | — | — |
| microsoft | team_foundation_server_2018 | — | — |
| msrc | azure_devops_server_2019.0.1 | — | — |
| msrc | team_foundation_server_2010_sp1 | — | — |
| msrc | team_foundation_server_2012_update_4 | — | — |
| msrc | team_foundation_server_2013_update_5 | — | — |
| msrc | team_foundation_server_2015_update_4.2 | — | — |
| msrc | team_foundation_server_2017_update_3.1 | — | — |
| msrc | team_foundation_server_2018_update_1.2 | — | — |
| msrc | team_foundation_server_2018_update_3.2 | — | — |
Detection & IOCs (extracted from sources)
- The exploit vector is a specially crafted file submitted to the server. Monitor for unusual file uploads to Azure DevOps Server / TFS endpoints, especially from unauthenticated (anonymous) sources.
- Successful exploitation results in code execution in the context of the DevOps or TFS service account. Monitor for unexpected process spawning or command execution under the TFS/Azure DevOps service account.
- The vulnerability is triggered by improper handling of user input (specific file types). Consider inspecting and restricting file type uploads on TFS/Azure DevOps Server attachment or import endpoints.
- If anonymous access to projects is allowed, the attacker needs no authentication at all. Audit and disable anonymous access on TFS/Azure DevOps Server instances where it is not strictly necessary.
- Microsoft's assessment rates exploitation likelihood as 'Less Likely' for both the latest and older software releases, and no public exploit or in-the-wild exploitation was confirmed at the time of disclosure.
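CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 9.8 | CRITICAL | — |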
GHSA
GHSA-g5c6-v9ph-hmxh
ghsa_unreviewed · 2022-05-24
CVE-2019-1072 [CRITICAL] CWE-20
A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input, aka 'Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability'.
Microsoft
Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability
vendor_msrc · 2019-07-09 · CVSS 9.8
CVE-2019-1072 [CRITICAL]
Description: A remote code execution vulnerability exists when Azure DevOps Server and Team Foundation Server (TFS) improperly handle user input. An attacker who successfully exploited the vulnerability could execute code on the target server in the context of the DevOps or TFS service account.
To exploit the vulnerability, an attacker could submit a specially crafted file to an affected server. If anonymous access is allowed to projects on an affected server, the attacker would not require authentication.
The update corrects the way that DevOps Server and TFS process certain file types.
Azure DevOps: Azure DevOps
Microsoft: Microsoft
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;E
No detection rules found.
No public exploits indexed.
Qualys
July 2019 Patch Tuesday – 77 Vulns, 15 Critical, DHCP RCE, Exploited PrivEsc, SQL, Adobe Vulns | Qualys
blogs_qualys·2019-07-09·CVSS 9.8
[CRITICAL] July 2019 Patch Tuesday – 77 Vulns, 15 Critical, DHCP RCE, Exploited PrivEsc, SQL, Adobe Vulns | Qualys
This month’s Microsoft Patch Tuesday addresses 77 vulnerabilities with 15 of them labeled as Critical. Of the 15 Critical vulns, 11 are for scripting engines and browsers, with the remaining four covering DHCP Server, GDI+, .NET Framework, and Azure DevOps Server / Team Foundation Server. In addition, Microsoft has released Important patches for two actively exploited privilege escalation vulnerabilities, as well as a SQL Server RCE. Microsoft also issued two advisories for Outlook on the web and Linux Kernel vulnerabilities. Adobe issued patches today for Bridge CC, Experience Manager, and Dreamweaver.
### Workstation Patches
Scripting Engine, Browser, GDI+, and .NET Framework patches should be prioritized for workstation-type devices, meaning any system that is used for email or to acc