CVE-2019-1306
Published 2019-09-11
Priority P267 · critical 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.91% (96.5th percentile)
A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly, aka 'Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability'.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | azure_devops_server | — | — |
| microsoft | azure_devops_server | — | — |
| microsoft | azure_devops_server_2019_update_1 | — | — |
| microsoft | team_foundation_server | — | — |
| microsoft | team_foundation_server_2018 | — | — |
| msrc | azure_devops_server_2019.0.1 | — | — |
| msrc | azure_devops_server_2019_update_1 | — | — |
| msrc | team_foundation_server_2018_update_3.2 | — | — |
Detection & IOCs (extracted from sources)
- bytes: 0x0000FEFF (BinaryFormatter RootId header bypass)
- Detect Git repository pushes containing files whose binary content begins with the byte sequence 0x00 0x00 0xFE 0xFF (BOM bypass) combined with a Markdown parsing-exception trigger string, as this is the specific exploit delivery mechanism.
- Alert on files committed to ADO/TFS Git repos that trigger Markdig.Tests.MiscTests::TestInvalidCodeEscape-style parsing exceptions (invalid code-escape Markdown), as this is used to smuggle the BinaryFormatter payload into the index.
- Inspect calls to BinaryFormatter::Deserialize within Microsoft.VisualStudio.Services.Search.Server.Jobs.dll (method DeserializeToObject) for untrusted/attacker-controlled input, as the absence of a SerializationBinder is the root cause.
- Look for the TypeConfuseDelegate gadget chain in BinaryFormatter serialized streams pushed to ADO/TFS Wiki Git repositories, as this is the documented RCE gadget used in exploitation.
- The exploit requires the attacker to have at minimum read/write access to a Git repository on the target ADO/TFS server (to push the crafted file); it is not an unauthenticated attack.
- The vulnerability is triggered asynchronously: the attacker must push the file and then wait for TFSJobAgent to index it; there is no immediate/synchronous trigger.
- The patch adds a custom SerializationBinder to BinaryFormatter that restricts deserialization to known types; unpatched instances lack this control entirely.
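The root cause and the binder-based fix from the bullets above, as an added C# illustration written for this page (not Microsoft's patch code and not the product's real types): the unbound BinaryFormatter.Deserialize shape beside an allow-list SerializationBinder. IndexRecord, AllowListBinder and the two DeserializeToObject helpers are assumed names.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Hypothetical record type standing in for whatever the indexer actually stores.
[Serializable]
sealed class IndexRecord
{
    public string Path = "";
    public int Size;
}

// Vulnerable pattern (the unpatched DeserializeToObject shape): with Binder left null,
// the formatter instantiates whatever type the stream names, so a gadget chain such as
// TypeConfuseDelegate runs inside Deserialize, before any result reaches the caller.
static class UnboundDeserializer
{
    public static object DeserializeToObject(byte[] data)
    {
        var formatter = new BinaryFormatter();
        using (var ms = new MemoryStream(data))
            return formatter.Deserialize(ms);
    }
}

// Hardened pattern: an allow-list binder. BindToType is consulted for every non-primitive
// type in the stream; anything not listed is refused before the formatter can construct it.
sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(IndexRecord) };
    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName) return t;
        // Throw rather than fall back to Type.GetType, which would reopen the hole.
        throw new SerializationException(
            $"Refusing to deserialize unexpected type '{typeName}' from '{assemblyName}'");
    }
}

static class BoundDeserializer
{
    public static IndexRecord DeserializeToObject(byte[] data)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var ms = new MemoryStream(data))
            return (IndexRecord)formatter.Deserialize(ms);
    }
}
```

The binder is consulted for nested objects as well, so the allow list governs the whole graph, not only the root. Microsoft's current guidance treats BinaryFormatter as unsafe even with a binder, so replacing it with a format that carries no type names is the stronger fix.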
CVSS provenance
- nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- vendor_msrc: 9.8 CRITICAL
Microsoft (vendor_msrc · 2019-09-10 · CVSS 9.8)
Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability [CRITICAL]
Description: A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly. An attacker who successfully exploited this vulnerability could execute code on the server in the context of the TFS or ADO service account.
To exploit the vulnerability, an attacker would need to upload a specially-crafted file to a vulnerable ADO or TFS server repo and wait for the system to index the file.
The security update addresses the vulnerability by correcting how ADO and TFS index files.
Tags: Team Foundation Server, Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed
GHSA (ghsa_unreviewed · 2022-05-24)
GHSA-wvw6-4r49-h4g6 [HIGH]
A remote code execution vulnerability exists when Azure DevOps Server (ADO) and Team Foundation Server (TFS) fail to validate input properly, aka 'Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability'.
No detection rules found.
No public exploits indexed.
Trend Micro (blogs_trendmicro · 2019-10-24 · CVSS 9.8)
# CVE-2019-1306: Are you my Index? [CRITICAL]
By: Zero Day Initiative, 2019/10/24
In September, Microsoft released patches to address a remote code execution (RCE) vulnerability in Azure DevOps (ADO) and Team Foundation Server (TFS). In this Critical-rated vulnerability, an attacker would need to upload a specially crafted file to a vulnerable ADO or TFS server repo and wait for the system to index the file. Doing so would result in code execution on the target system. This bug was reported to the ZDI program by Mikhail Shcherbakov. He has graciously provided the following write-up on the details of CVE-2019-1306.
The BinaryFormatter is known as a popular binary serializer in the .NET platform. It’s
Qualys (blogs_qualys · 2019-09-10 · CVSS 8.8)
September 2019 Patch Tuesday – 79 Vulns, 17 Critical, Remote Desktop Client, SharePoint, Exploited PrivEsc [HIGH]
This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 17 of them labeled as Critical. Of the 17 Critical vulns, 8 are for scripting engines and browsers, 4 are for the Remote Desktop Client, and 3 are for SharePoint. In addition, Microsoft has again patched a critical vulnerability in LNK files, along with a vuln in Azure DevOps / TFS. Adobe has also released patches for Flash and Application Manager.
Update: Following Patch Tuesday, Microsoft updated the entries for CVE-2019-1214 and CVE-2019-1215 to remove the “exploited” label.
## Workstation Patches
Scripting Engine, Browser, and LNK patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are