Advisory No: TZCERT/SA/2018/12/05
Date of First Release: 6 December 2018
- Team Foundation Server 2018 Update 1.1
- Team Foundation Server 2018 Update 3
- Team Foundation Server 2018 Update 3.1
- Team Foundation Server 2017 Update 3.1
Multiple vulnerabilities have been identified in Microsoft Team Foundation Server that could allow a remote unauthorized execution of arbitrary code that may result into compromise of potentially sensitive information on the targeted system.
Microsoft Team Foundation Server (TFS) has been reported to vulnerable to a remote code execution and Cross-site Scripting (CSS) vulnerabilities.
The remote code execution vulnerability is a result of disabling basic authorization on the communication between the Team Foundation Server (TFS) and the search services. Whereas, the Cross-site scripting vulnerability is caused by improper handling of user input into the Team Foundation Server (TFS).
An authenticated remote access exploit can exploit these vulnerabilities by sending a specially crafted payload to the Team Foundation Server, which can be executed on user’s behalf upon visiting the compromised page.
Successful exploitation of the remote code execution vulnerability could allow remote unauthorized access to bypass authorization to run certain commands on the Search service to execute arbitrary code with the privileges of the user.
The cross-site scripting vulnerability could allow unauthorized access to perform cross-site scripting attacks on affected systems. Exploitation of these vulnerabilities could allow take off control of the affected system.
Users and administrators are urged to review security updates guide available on Microsoft web portal to fix the vulnerabilities.