Microsoft Visual Studio up to 2019 Version 16.7 memory corruption

Summaryinfo

A vulnerability identified as critical has been detected in Microsoft Visual Studio 2012 Update 5/2013 Update 5/2015 Update 3/2017 Version 15.9/2019 Version 16.7. Affected by this issue is some unknown functionality of the component Studio. Performing a manipulation results in memory corruption. This vulnerability was named CVE-2020-16856. The attack may be initiated remotely. There is no available exploit. It is suggested to install a patch to address this issue.

Detailsinfo

A vulnerability was found in Microsoft Visual Studio 2012 Update 5/2013 Update 5/2015 Update 3/2017 Version 15.9/2019 Version 16.7 (Programming Tool Software). It has been classified as critical. This affects some unknown functionality of the component Studio. The manipulation with an unknown input leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

<p>A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Visual Studio.</p> <p>The update addresses the vulnerability by correcting how Visual Studio handles objects in memory.</p>

The weakness was presented 09/08/2020 as confirmed security update guide (Website). The advisory is shared at portal.msrc.microsoft.com. The public release was coordinated in cooperation with Microsoft. This vulnerability is uniquely identified as CVE-2020-16856. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. The advisory points out:

A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Programming Tool Software

Vendor

• Microsoft

Name

• Visual Studio

Version

• 2012 Update 5
• 2013 Update 5
• 2015 Update 3
• 2017 Version 15.9
• 2019 Version 16.7

License

• commercial

Website

• Vendor: https://www.microsoft.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion