Attacker Value
High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2020-0618

Disclosure Date: February 11, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka ‘Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability’.

Add Assessment

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

Although the application was only accessible to authorised users, the lowest privilege (the Browser role) was sufficient in order to exploit this issue.

https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/

My testing confirmed that the endpoint is post-auth. No idea how to configure anonymous users yet, if possible. Uses Windows auth by default. Needed a password to get anywhere. Not really a problem in a Windows environment. So, if you have creds, this could be potentially useful pivot point.

I don’t know how common this is in enterprise environments, but it seems to be a likely pairing with Microsoft’s SQL Server. That may gain you access to useful information.

2
Ratings
Technical Analysis

This service is incredibly common on the inside of Enterprise Environments. Would make for an extremely useful pivot to a resource that would likely have other valuable credentials on it.

Because obtaining valid Credentials in a Windows Environment is trivial, this is easy to exploit.

Because this is a viewstate serialization issue, the toolkits to create the attack payload are easy to find (https://github.com/pwntester/ysoserial.net) and the POC is readily available: https://github.com/euphrat1ca/CVE-2020-0618

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • sql server 2012,
  • sql server 2014,
  • sql server 2016

Exploited in the Wild

Reported by:
Technical Analysis