Vulnerabilities > CVE-2020-0618 - Deserialization of Untrusted Data vulnerability in Microsoft SQL Server 2012/2014/2016
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Common Weakness Enumeration (CWE)
Metasploit
| description | A vulnerability exists within Microsoft's SQL Server Reporting Services which can allow an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. The vulnerability is due to the fact that the serialized blob is not signed by the server. |
| id | MSF:EXPLOIT/WINDOWS/HTTP/SSRS_NAVCORRECTOR_VIEWSTATE |
| last seen | 2020-06-14 |
| modified | 2020-04-11 |
| published | 2020-03-06 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/ssrs_navcorrector_viewstate.rb |
| title | SQL Server Reporting Services (SSRS) ViewState Deserialization |
Nessus
NASL family Windows NASL id SMB_NT_MS20_FEB_MSSQL_REMOTE.NASL description The Microsoft SQL Server installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability : - A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account. (CVE-2020-0618) last seen 2020-03-18 modified 2020-02-14 plugin id 133718 published 2020-02-14 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133718 title Security Updates for Microsoft SQL Server (Uncredentialed Check) (February 2020) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the Microsoft Security Updates API. The text # itself is copyright (C) Microsoft Corporation. include('compat.inc'); if (description) { script_id(133718); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/13"); script_cve_id("CVE-2020-0618"); script_xref(name:"IAVA", value:"2020-A-0074"); script_xref(name:"MSKB", value:"4532095"); script_xref(name:"MSKB", value:"4532097"); script_xref(name:"MSKB", value:"4532098"); script_xref(name:"MSKB", value:"4535288"); script_xref(name:"MSKB", value:"4535706"); script_xref(name:"MSFT", value:"MS20-4532095"); script_xref(name:"MSFT", value:"MS20-4532097"); script_xref(name:"MSFT", value:"MS20-4532098"); script_xref(name:"MSFT", value:"MS20-4535288"); script_xref(name:"MSFT", value:"MS20-4535706"); script_name(english:"Security Updates for Microsoft SQL Server (Uncredentialed Check) (February 2020)"); script_set_attribute(attribute:"synopsis", value: "The Microsoft SQL Server installation on the remote host is missing a security update."); script_set_attribute(attribute:"description", value: "The Microsoft SQL Server installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability : - A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account. (CVE-2020-0618)"); # https://support.microsoft.com/en-us/help/4532097/description-of-the-security-update-for-sql-server-2016-sp2-gdr-feb script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ff30ef1b"); # https://support.microsoft.com/en-us/help/4535288/description-of-the-security-update-for-sql-server-2014-sp3-cu4-feb script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8089305a"); # https://support.microsoft.com/en-us/help/4532095/description-of-the-security-update-for-sql-server-2014-sp3-gdr-feb script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?899d9f68"); # https://support.microsoft.com/en-us/help/4532098/security-update-for-sql-server-2012-sp4-gdr script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7c9e8cfc"); # https://support.microsoft.com/en-us/help/4535706/description-of-the-security-update-for-sql-server-2016-sp2-cu11-februa script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?226a31d0"); script_set_attribute(attribute:"solution", value: "Microsoft has released the following security updates to address this issue: -KB4532095 -KB4532097 -KB4532098 -KB4535288 -KB4535706"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0618"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'SQL Server Reporting Services (SSRS) ViewState Deserialization'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/11"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/14"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mssqlserver_detect.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports(139, 445, 1433, "Services/mssql", "Host/patch_management_checks"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); port = get_service(svc:'mssql', exit_on_fail:TRUE); instance = get_kb_item('MSSQL/' + port + '/InstanceName'); version = get_kb_item_or_exit('MSSQL/' + port + '/Version'); if (report_paranoia < 2) audit(AUDIT_PARANOID); ver = pregmatch(pattern:"^([0-9.]+)([^0-9]|$)", string:version); if (!isnull(ver) && !isnull(ver[1])) ver = ver[1]; if ( # 2012 SP4 GDR # KB4532098 ver_compare(minver:'11.0.5200.0', ver:ver, fix:'11.0.7493.0', strict:FALSE) < 0 || # 2014 SP3 GDR # KB 4532095 ver_compare(minver:'12.0.6000.0', ver:ver, fix:'12.0.6118.0', strict:FALSE) < 0 || # 2014 SP3 CU4 # KB 4535288 ver_compare(minver:'12.0.6200.0', ver:ver, fix:'12.0.6372.0', strict:FALSE) < 0 || # 2016 SP2 GDR # KB 4532097 ver_compare(minver:'13.0.5000.0', ver:ver, fix:'13.0.5102.0', strict:FALSE) < 0 || # 2016 SP2 CU11 # KB 4535706 ver_compare(minver:'13.0.5149.0', ver:ver, fix:'13.0.5622.0', strict:FALSE) < 0 ) { report = ''; if (!empty_or_null(version)) report += '\n SQL Server Version : ' + version; if (!empty_or_null(instance)) report += '\n SQL Server Instance : ' + instance; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); } else audit(AUDIT_INST_VER_NOT_VULN, 'MSSQL', version);NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS20_FEB_MSSQL.NASL description The Microsoft SQL Server installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability : - A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account. (CVE-2020-0618) last seen 2020-04-10 modified 2020-02-14 plugin id 133719 published 2020-02-14 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133719 title Security Updates for Microsoft SQL Server (February 2020) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the Microsoft Security Updates API. The text # itself is copyright (C) Microsoft Corporation. include('compat.inc'); if (description) { script_id(133719); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/07"); script_cve_id("CVE-2020-0618"); script_xref(name:"IAVA", value:"2020-A-0074"); script_xref(name:"MSKB", value:"4532095"); script_xref(name:"MSKB", value:"4532097"); script_xref(name:"MSKB", value:"4532098"); script_xref(name:"MSKB", value:"4535288"); script_xref(name:"MSKB", value:"4535706"); script_xref(name:"MSFT", value:"MS20-4532095"); script_xref(name:"MSFT", value:"MS20-4532097"); script_xref(name:"MSFT", value:"MS20-4532098"); script_xref(name:"MSFT", value:"MS20-4535288"); script_xref(name:"MSFT", value:"MS20-4535706"); script_name(english:"Security Updates for Microsoft SQL Server (February 2020)"); script_set_attribute(attribute:"synopsis", value: "The Microsoft SQL Server installation on the remote host is missing a security update."); script_set_attribute(attribute:"description", value: "The Microsoft SQL Server installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability : - A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account. (CVE-2020-0618)"); # https://support.microsoft.com/en-us/help/4532097/description-of-the-security-update-for-sql-server-2016-sp2-gdr-feb script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ff30ef1b"); # https://support.microsoft.com/en-us/help/4535288/description-of-the-security-update-for-sql-server-2014-sp3-cu4-feb script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8089305a"); # https://support.microsoft.com/en-us/help/4532095/description-of-the-security-update-for-sql-server-2014-sp3-gdr-feb script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?899d9f68"); # https://support.microsoft.com/en-us/help/4532098/security-update-for-sql-server-2012-sp4-gdr script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7c9e8cfc"); # https://support.microsoft.com/en-us/help/4535706/description-of-the-security-update-for-sql-server-2016-sp2-cu11-februa script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?226a31d0"); script_set_attribute(attribute:"solution", value: "Microsoft has released the following security updates to address this issue: -KB4532095 -KB4532097 -KB4532098 -KB4535288 -KB4535706"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0618"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'SQL Server Reporting Services (SSRS) ViewState Deserialization'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/11"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_hotfixes.nasl", "mssql_version.nasl", "smb_enum_services.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 1433, "Services/mssql", "Host/patch_management_checks"); exit(0); } include('audit.inc'); include('smb_func.inc'); include('smb_hotfixes.inc'); include('smb_hotfixes_fcheck.inc'); include('misc_func.inc'); get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible'); kbs = make_list( '4532095', '4532097', '4532098', '4535288', '4535706' ); if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(kbs:kbs, severity:SECURITY_WARNING); get_kb_item_or_exit('SMB/Registry/Enumerated'); get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1); vuln = 0; ver_list = get_kb_list('mssql/installs/*/SQLVersion'); program_files_dir = hotfix_get_programfilesdir(); program_files_x86_dir = hotfix_get_programfilesdirx86(); if (isnull(ver_list)) audit(AUDIT_NOT_INST, 'Microsoft SQL Server'); foreach item (keys(ver_list)) { item -= '/SQLVersion'; arch = get_kb_item(item + '/arch'); item -= 'mssql/installs/'; sqlpath = item; share = hotfix_path2share(path:sqlpath); if (!is_accessible_share(share:share)) continue; version = get_kb_item('mssql/installs/' + sqlpath + '/SQLVersion'); if (empty_or_null(version)) continue; ############ # 2012 ############ if (version =~ "^11\.0\.") { sqlpath = '\\Microsoft SQL Server\\110\\Setup Bootstrap\\SQLServer2012'; osqlpath = '\\Microsoft SQL Server\\110\\Tools\\Binn'; if ( # 2012 SP4 GDR # KB 4532098 hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:"2011.110.7493.4", min_version:"2011.110.0.0", kb:'4532098') || (arch == "x86" && hotfix_is_vulnerable(path:program_files_x86_dir + sqlpath, file:'setup.exe', version:"2011.110.7493.4", min_version:"2011.110.0.0", kb:'4532098') || # check for OSQL.exe if the above is not found hotfix_is_vulnerable(path:program_files_dir + osqlpath, file:'OSQL.exe', version:'2011.110.7493.4', min_version:'2011.110.0.0', kb:'4532098') || (arch == 'x86' && hotfix_is_vulnerable(path:program_files_x86_dir + osqlpath, file:'OSQL.exe', version:'2011.110.7493.4', min_version:'2011.110.0.0', kb:'4532098')) )) vuln++; } ############ # 2014 ############ if (version =~ "^12\.0\.") { sqlpath = '\\Microsoft SQL Server\\120\\Setup Bootstrap\\SQLServer2014'; osqlpath = '\\Microsoft SQL Server\\120\\Tools\\Binn'; if ( # 2014 SP3 GDR # KB 4532095 hotfix_is_vulnerable(path:program_files_dir + osqlpath, file:'OSQL.exe', version:'2014.120.6118.4', min_version:'2014.120.6000.0', kb:'4532095') || (arch == 'x86' && hotfix_is_vulnerable(path:program_files_x86_dir + osqlpath, file:'OSQL.exe', version:'2014.120.6118.4', min_version:'2014.120.6000.0', kb:'4532095')) || # 2014 SP3 CU4 # KB 4535288 hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2014.120.6372.1', min_version:'2014.120.6200.0', kb:'4535288') || (arch == 'x86' && hotfix_is_vulnerable(path:program_files_x86_dir + sqlpath, file:'setup.exe', version:'2014.120.6372.1', min_version:'2014.120.6200.0', kb:'4535288') )) vuln++; } ############ # 2016 ############ else if (version =~ "^13\.0\.") { sqlpath = '\\Microsoft SQL Server\\130\\Setup Bootstrap\\SQLServer2016'; osqlpath = '\\Microsoft SQL Server\\130\\Tools\\Binn'; if ( # 2016 SP2 GDR # KB 4532097 # - x64 only (arch == 'x64' && hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2015.131.5102.14', min_version:'2015.131.5000.0', kb:'4532097') ) || # 2016 SP2 CU11 # KB 4535706 # - x64 only (arch == 'x64' && hotfix_is_vulnerable(path:program_files_dir + osqlpath, file:'OSQL.exe', version:'2015.131.5622.0', min_version:'2015.131.5149.0', kb:'4535706') ) ) vuln++; } } hotfix_check_fversion_end(); if (vuln) { hotfix_security_warning(); exit(0); } audit(AUDIT_HOST_NOT, 'affected');
Packetstorm
| data source | https://packetstormsecurity.com/files/download/156707/ssrs_navcorrector_viewstate.rb.txt |
| id | PACKETSTORM:156707 |
| last seen | 2020-03-13 |
| published | 2020-03-12 |
| reporter | Soroush Dalili |
| source | https://packetstormsecurity.com/files/156707/SQL-Server-Reporting-Services-SSRS-ViewState-Deserialization.html |
| title | SQL Server Reporting Services (SSRS) ViewState Deserialization |
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
- http://packetstormsecurity.com/files/156707/SQL-Server-Reporting-Services-SSRS-ViewState-Deserialization.html
- http://packetstormsecurity.com/files/159216/Microsoft-SQL-Server-Reporting-Services-2016-Remote-Code-Execution.html