Microsoft pulls out DevOps Server and TFS security patches

The team behind Azure DevOps Server has made a couple of security patches available, which are meant to mitigate some cross-site scripting and privilege elevation vulnerabilities.

Though Microsoft rates exploitation of all three issues fixed in DevOps Server 2019.1.1 Patch 1 and 2019.0.1 Patch 5 as less likely, teams can reduce that risk by actually upgrading their systems.

The cross-site scripting issue dubbed CVE-2020-0700 allowed attackers to send a “specially crafted payload to the Team Foundation Server, which will get executed in the context of the user every time a user visits the compromised page”. 

This in turn facilitated cross-site scripting attacks, opening up the possibility of attackers executing malicious code, reading content without proper authorisation, and taking actions such as deleting content on behalf of other users. To prevent that from happening, the update makes sure inputs are now properly sanitised.

The privilege elevation issues, CVE-2020-0758 and CVE-2020-0815, were down to the Azure DevOps Server “improperly handling pipeline tokens”. This allowed attackers to swap short-term tokens for long-term ones, effectively extending their access to a project.

Since some of the vulnerabilities also affect DevOps Server’s predecessor, Team Foundation Server, Microsoft customers still running TFS 2015, 2017, and 2018 are advised to update their installations as well.

TFS 2018 users on Update 2 or 3 will have to upgrade to Update 3.2 before installing Patch 9, while those on TFS 2018 RTW or Update 1 will have to move to Update 1.2 before Patch 8 can fix the issue. TFS 2017 users will have to update to Update 3.1 for Patch 10 to work, and TFS 2015 installations will have to be on Update 4.2 before downloading Patch 11. Details on verifying installations can be found on the Microsoft blog.