[German]Another urgent request to Microsoft SQL server administrators to patch the vulnerability CVE-2020-0618. An exploit has been discovered that allows remote code execution (RCE).
Advertising
Updates Microsoft SQL-Server February 2020
Microsoft has released various security updates for its SQL server on February 11, 2020. According to this table and this tenable post, the following patches are available.
- Update KB4532095, Microsoft SQL Server 2014 for Service Pack 3 (CU)
- Update KB4532097, Microsoft SQL Server 2016 SP2 GDR
- Update KB4532098, Microsoft SQL Server 2012 for Service Pack 4 (QFE)
- Update KB4535288, Microsoft SQL Server 2014 for Service Pack 3 (CU)
- Update KB4535706, Microsoft SQL Server 2016 SP2 CU11
All updates address the vulnerability CVE-2020-0618 described below and an overview is also available on this Microsoft page.dieser Microsoft-Seite.
Vulnerability CVE-2020-0618
The vulnerability exists in the Reporting Services of the different SQL Server versions and can only be exploited if these services are installed. In Advisory CVE-2020-0618 Microsoft writes that a remote code execution vulnerability exists:
In Microsoft SQL Server Reporting Services besteht eine Sicherheitslücke bei der Remotecodeausführung, wenn Seitenanforderungen falsch behandelt werden. Ein Angreifer, der diese Sicherheitsanfälligkeit erfolgreich ausnutzt, könnte Code im Zusammenhang mit dem Report Server-Dienstkonto ausführen.
To exploit the vulnerability, an authenticated attacker would have to send a specially crafted page request to an affected Reporting Services instance. The security updates resolve this vulnerability.
Exploit for CVE-2020-0618 published
Now a proof of concept has emerged to exploit the vulnerability. This is likely to affect a lot of companies.
Advertising
PoC published for CVE-2020-0618, which is an RCE in Microsoft's SQL Server Reporting Services (SSRS)https://t.co/t6bmycdUjX pic.twitter.com/n16cHivDMe
— Catalin Cimpanu (@campuscodi) February 18, 2020
The technical analysis can be found in this blog post. Woody Leonhard took up some hints on the topic in this article. Microsoft writes in the KB articles that it only affects SQL Server 2012 and higher. But there are indications that it also affects SQL Server 2008. But it is no longer supported since July 9, 2019 (that's when the last security update was released, see).
Addendum: Note this tweet, which indicates that the updates require an already patched Microsoft SQL Server system. However, for SQL Server (Express) these updates are not always available.
Similar articles:
Adobe Flash Player 32.0.0.330 released
Microsoft Office Patchday (February 4, 2020)
Microsoft Security Update Summary (February 11, 2020)
Patchday Windows 10-Updates (February 11, 2020)
Patchday: Updates for Windows 7/8.1/Server (Feb. 11, 2020)
Patchday Microsoft Office Updates (February 11, 2020)
