Vulnerabilities > CVE-2020-1022 - Injection vulnerability in Microsoft Dynamics 365 Business Central and Dynamics NAV
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
A remote code execution vulnerability exists in Microsoft Dynamics Business Central, aka 'Dynamics Business Central Remote Code Execution Vulnerability'.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 8 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS20_APR_MICROSOFT_DYNAMICS_365_BC.NASL description The Microsoft Dynamics 365 Business Central install is missing a security update. It is, therefore, affected by a the following vulnerabilities : - An information disclosure vulnerability exists in Business Central due to the application not properly hiding the value of a masked field when showing the records as a chart page. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information. (CVE-2020-1018) - A remote code execution vulnerability exists in Business Central due to an unspecified reason. An authenticated, remote attacker can exploit this by convincing a user to connect to a malicious Dynamics Business Central client to execute arbitrary commands. (CVE-2020-1022) Note that Nessus has not attempted to exploit this issue but has instead relied only on the application last seen 2020-05-16 modified 2020-05-08 plugin id 136425 published 2020-05-08 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136425 title Security Updates for Microsoft Dynamics 365 Business Central (Apr 2020) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(136425); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/15"); script_cve_id("CVE-2020-1018", "CVE-2020-1022"); script_xref(name:"MSKB", value:"4549676"); script_xref(name:"MSKB", value:"4549677"); script_xref(name:"MSKB", value:"4549678"); script_xref(name:"MSFT", value:"MS20-4549676"); script_xref(name:"MSFT", value:"MS20-4549677"); script_xref(name:"MSFT", value:"MS20-4549678"); script_xref(name:"IAVA", value:"2020-A-0160-S"); script_name(english:"Security Updates for Microsoft Dynamics 365 Business Central (Apr 2020)"); script_set_attribute(attribute:"synopsis", value: "The Microsoft Dynamics 365 Business Central install is missing a security update."); script_set_attribute(attribute:"description", value: "The Microsoft Dynamics 365 Business Central install is missing a security update. It is, therefore, affected by a the following vulnerabilities : - An information disclosure vulnerability exists in Business Central due to the application not properly hiding the value of a masked field when showing the records as a chart page. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information. (CVE-2020-1018) - A remote code execution vulnerability exists in Business Central due to an unspecified reason. An authenticated, remote attacker can exploit this by convincing a user to connect to a malicious Dynamics Business Central client to execute arbitrary commands. (CVE-2020-1022) Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4549676"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4549677"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4549678"); script_set_attribute(attribute:"solution", value: "Update Microsoft Dynamics 365 Business Central to CU18 for the October 2018 release, CU11 for the April 2019 release, 15.5 for 2019 Release Wave 2, or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1022"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:dynamics_365"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("microsoft_dynamics_365_business_central_server_win_installed.nbin"); script_require_keys("installed_sw/Microsoft Dynamics 365 Business Central Server"); script_require_ports(139, 445); exit(0); } include('vcf.inc'); app = 'Microsoft Dynamics 365 Business Central Server'; app_info = vcf::get_app_info(app:app, win_local:TRUE); constraints = [ { 'min_version' : '13.0', 'fixed_version' : '13.0.41879.0' }, # 2019 October Update { 'min_version' : '14.0', 'fixed_version' : '14.0.41862.0' }, # 2019 Spring Update { 'min_version' : '15.0', 'fixed_version' : '15.0.41893.0' } # 2019 Release Wave 2 ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS20_APR_MICROSOFT_DYNAMICS_NAV.NASL description The Microsoft Dynamics NAV install is missing a security update. It is, therefore, affected by the following vulnerabilities : - An information disclosure vulnerability exists in Dynamics NAV due to the application not properly hiding the value of a masked field when showing the records as a chart page. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information. (CVE-2020-1018) - A remote code execution vulnerability exists in Dynamics NAV due to an unspecified reason. An authenticated, remote attacker can exploit this by convincing a user to connect to a malicious Dynamics Business Central client to execute arbitrary commands. (CVE-2020-1022) Note that Nessus has not attempted to exploit this issue but has instead relied only on the application last seen 2020-05-16 modified 2020-05-11 plugin id 136474 published 2020-05-11 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136474 title Security Updates for Microsoft Dynamics NAV (Apr 2020) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(136474); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/15"); script_cve_id("CVE-2020-1018", "CVE-2020-1022"); script_xref(name:"MSKB", value:"4557699"); script_xref(name:"MSKB", value:"4557700"); script_xref(name:"MSKB", value:"4549673"); script_xref(name:"MSKB", value:"4549674"); script_xref(name:"MSKB", value:"4549675"); script_xref(name:"MSFT", value:"MS20-4557699"); script_xref(name:"MSFT", value:"MS20-4557700"); script_xref(name:"MSFT", value:"MS20-4549673"); script_xref(name:"MSFT", value:"MS20-4549674"); script_xref(name:"MSFT", value:"MS20-4549675"); script_xref(name:"IAVA", value:"2020-A-0158"); script_name(english:"Security Updates for Microsoft Dynamics NAV (Apr 2020)"); script_set_attribute(attribute:"synopsis", value: "The Microsoft Dynamics NAV install is missing a security update."); script_set_attribute(attribute:"description", value: "The Microsoft Dynamics NAV install is missing a security update. It is, therefore, affected by the following vulnerabilities : - An information disclosure vulnerability exists in Dynamics NAV due to the application not properly hiding the value of a masked field when showing the records as a chart page. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information. (CVE-2020-1018) - A remote code execution vulnerability exists in Dynamics NAV due to an unspecified reason. An authenticated, remote attacker can exploit this by convincing a user to connect to a malicious Dynamics Business Central client to execute arbitrary commands. (CVE-2020-1022) Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4557699"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4557700"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4549673"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4549674"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4549675"); script_set_attribute(attribute:"solution", value: "The solution varies for different versions of Microsoft Dynamics NAV : - Dynamics NAV 2013 R2: Install the update package from KB4557699 - Dynamics NAV 2015: Install the update package from KB4557700 - Dynamics NAV 2016: Install Cumulative Update 54 or later - Dynamics NAV 2017: Install Cumulative Update 41 or later - Dynamics NAV 2018: Install Cumulative Update 28 or later"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1022"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:dynamics_nav"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("microsoft_dynamics_nav_server_win_installed.nbin"); script_require_keys("installed_sw/Microsoft Dynamics NAV Server"); script_require_ports(139, 445); exit(0); } include('vcf.inc'); app = 'Microsoft Dynamics NAV Server'; app_info = vcf::get_app_info(app:app, win_local:TRUE); constraints = [ { 'min_version' : '7.0', 'fixed_version' : '7.1.51833.0' }, # 2013 R2 { 'min_version' : '8.0', 'fixed_version' : '8.0.51812.0' }, # 2015 { 'min_version' : '9.0', 'fixed_version' : '9.0.51811.0' }, # 2016 { 'min_version' : '10.0', 'fixed_version' : '10.0.30219.0' }, # 2017 { 'min_version' : '11.0', 'fixed_version' : '11.0.41920.0' } # 2018 ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);