Analysis:
CVE-2020-0618 is a deserialization vulnerability caused by improper input validation in the ReportingServicesWebServer.dll file of SSRS. According to a blog post by Dalili, the OnLoad method of the Microsoft.Reporting.WebForms.BrowserNavigationCorrector class passes untrusted user input (a serialized payload supplied in the NavigationCorrector$ViewState parameter) to the LosFormatter class for deserialization.
In his research, Dalili observed that the Microsoft.Reporting.WebForms.BrowserNavigationCorrector class is used by the Microsoft.ReportingServices.WebServer.ReportViewerPage class.
To exploit the vulnerability, Dalili targeted the ReportViewer.aspx page on a SharePoint server. By sending a specially crafted POST request containing a serialized payload generated with ysoserial.net, he could trigger the deserialization and obtain a shell on the vulnerable server.
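The request shape described above (a POST to ReportViewer.aspx carrying a serialized object in NavigationCorrector$ViewState) is what a defender can look for in web-server logs. The following added example is not from the page or from Dalili's work: it classifies constructed sample requests, treating the parameter's presence as worth review and escalating when the base64 value decodes to an ObjectStateFormatter stream whose first token is the binary-serialized marker (0xFF 0x01 0x32, the `/wEy` prefix), which is used here as a labelled heuristic rather than a guaranteed indicator.

```python
import base64
from urllib.parse import parse_qs, urlencode

PAGE = "reportviewer.aspx"
PARAM = "NavigationCorrector$ViewState"
# A LosFormatter/ObjectStateFormatter stream opens with 0xFF 0x01; a following
# 0x32 token (Token_BinarySerialized) marks an embedded BinaryFormatter object,
# which ordinary navigation-corrector state does not need. Heuristic only.
BINARY_SERIALIZED_PREFIX = b"\xff\x01\x32"

def decode_viewstate(value: str) -> bytes:
    """Base64-decode leniently; undecodable input yields b'' instead of raising."""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=False)
    except (ValueError, TypeError):
        return b""

def classify_request(method: str, path: str, body: str) -> str:
    """'clean': not a POST to ReportViewer.aspx, or the parameter is absent.
    'viewstate_present': parameter present but no binary-serialized token.
    'alert': parameter decodes to a stream starting with the binary token."""
    if method.upper() != "POST" or not path.split("?")[0].lower().endswith(PAGE):
        return "clean"
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    if not values:
        return "clean"
    if any(decode_viewstate(v).startswith(BINARY_SERIALIZED_PREFIX) for v in values):
        return "alert"
    return "viewstate_present"

# Constructed sample traffic (not real captures). The third body's blob is the
# 3-byte prefix plus filler text, nothing more.
SAMPLE_REQUESTS = [
    ("GET", "/Reports/Pages/ReportViewer.aspx?ItemPath=%2fSales", ""),
    ("POST", "/ReportServer/Pages/ReportViewer.aspx",
     urlencode({PARAM: "/wEPDwUJNzgzNDMwNTMzZGQ=", "__EVENTTARGET": ""})),
    ("POST", "/_layouts/ReportServer/ReportViewer.aspx",
     urlencode({PARAM: base64.b64encode(BINARY_SERIALIZED_PREFIX + b"constructed-filler").decode()})),
]

def scan(requests=SAMPLE_REQUESTS):
    """Return one verdict per request, in input order."""
    return [classify_request(m, p, b) for m, p, b in requests]

if __name__ == "__main__":
    for (method, path, _), verdict in zip(SAMPLE_REQUESTS, scan()):
        print(f"{verdict:18} {method} {path}")
```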
Exploiting the vulnerability requires Microsoft SSRS to be installed on the target. However, reports from security researchers indicate that attackers are actively searching for vulnerable deployments.
Penetration tester Damian Schwyrz recently discovered and reported a vulnerability found on the server of a "very large car company
Additionally, Dalili shared a Google search query that returns over 8,900 instances of ReportViewer.aspx that appear to be publicly accessible, many of them seemingly government-related.
Solution:
Microsoft patched this vulnerability as part of the Patch Tuesday release on February 11th. According to its advisory, the vulnerability affects Microsoft SQL Server 2012, 2014, and 2016. However, additional reports from security researcher Kevin Beaumont confirmed that it also affects Microsoft SQL Server 2008. The reason 2008 is not mentioned in the advisory is that its support ended in July 2014.
| Article | Title | Type | Applicable Versions | Included Servicing Release |
|---|---|---|---|---|
| | Security update for SQL Server 2016 Service Pack 2 | GDR | 13.0.5026.0 to 13.0.5101.9 | |
| | Security update for SQL Server 2016 Service Pack 2 | CU | 13.0.5149.0 to 13.0.5598.27 | |
| | Security update for SQL Server 2014 Service Pack 3 | GDR | 12.0.6024.0 to 12.0.6108.1 | |
| | Security update for SQL Server 2014 Service Pack 2 | CU | 12.0.6205.1 to 12.0.6329.1 | |
| | Security update for SQL Server 2012 Service Pack 4 | GDR | 11.0.7001.0 to 11.0.7462.6 | |