[German]Another urgent request to Microsoft SQL server administrators to patch the vulnerability CVE-2020-0618. An exploit has been discovered that allows remote code execution (RCE).
Updates Microsoft SQL-Server February 2020
- Update KB4532095, Microsoft SQL Server 2014 for Service Pack 3 (CU)
- Update KB4532097, Microsoft SQL Server 2016 SP2 GDR
- Update KB4532098, Microsoft SQL Server 2012 for Service Pack 4 (QFE)
- Update KB4535288, Microsoft SQL Server 2014 for Service Pack 3 (CU)
- Update KB4535706, Microsoft SQL Server 2016 SP2 CU11
The vulnerability exists in the Reporting Services of the different SQL Server versions and can only be exploited if these services are installed. In Advisory CVE-2020-0618 Microsoft writes that a remote code execution vulnerability exists:
In Microsoft SQL Server Reporting Services besteht eine Sicherheitslücke bei der Remotecodeausführung, wenn Seitenanforderungen falsch behandelt werden. Ein Angreifer, der diese Sicherheitsanfälligkeit erfolgreich ausnutzt, könnte Code im Zusammenhang mit dem Report Server-Dienstkonto ausführen.
To exploit the vulnerability, an authenticated attacker would have to send a specially crafted page request to an affected Reporting Services instance. The security updates resolve this vulnerability.
Exploit for CVE-2020-0618 published
Now a proof of concept has emerged to exploit the vulnerability. This is likely to affect a lot of companies.
— Catalin Cimpanu (@campuscodi) February 18, 2020
The technical analysis can be found in this blog post. Woody Leonhard took up some hints on the topic in this article. Microsoft writes in the KB articles that it only affects SQL Server 2012 and higher. But there are indications that it also affects SQL Server 2008. But it is no longer supported since July 9, 2019 (that’s when the last security update was released, see).
Addendum: Note this tweet, which indicates that the updates require an already patched Microsoft SQL Server system. However, for SQL Server (Express) these updates are not always available.
Adobe Flash Player 126.96.36.1990 released
Microsoft Office Patchday (February 4, 2020)
Microsoft Security Update Summary (February 11, 2020)
Patchday Windows 10-Updates (February 11, 2020)
Patchday: Updates for Windows 7/8.1/Server (Feb. 11, 2020)
Patchday Microsoft Office Updates (February 11, 2020)
Cookies helps to fund this blog: Cookie settings