Security Update for Microsoft Power BI Report Server (May 2020)
2020-05-15T00:00:00
ID: MICROSOFT_POWER_BI_RS_MAY_20.NASL
Type: nessus
Reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2020-05-15T00:00:00
Description
A spoofing vulnerability exists in Microsoft Power BI Report Server in the way
it validates the content-type of uploaded attachments. An authenticated attacker could
exploit the vulnerability by uploading a specially crafted payload and sending it to the user.

The attacker who successfully exploited this vulnerability could then perform actions
and run scripts in the security context of the user.

This security update addresses the vulnerability by ensuring Power BI Report Server
properly validates the content-type of attachments when they are uploaded and opened.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('compat.inc');

if (description)
{
  script_id(136664);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2020-1173");
  script_xref(name:"IAVB", value:"2020-B-0027");

  script_name(english:"Security Update for Microsoft Power BI Report Server (May 2020)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application installed that is missing a security update.");
  script_set_attribute(attribute:"description", value:
"A spoofing vulnerability exists in Microsoft Power BI Report Server in the way
it validates the content-type of uploaded attachments. An authenticated attacker could
exploit the vulnerability by uploading a specially crafted payload and sending it to the user.

The attacker who successfully exploited this vulnerability could then perform actions
and run scripts in the security context of the user.

This security update addresses the vulnerability by ensuring Power BI Report Server
properly validates content-type of the attachments when uploading and opening.");
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1173
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dde4bbb9");
  script_set_attribute(attribute:"solution", value:
"Upgrade Power BI Report Server to version 1.6.7236.4246 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1173");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:power_bi_report_server");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The detection plugin must have run first and recorded the install.
  script_dependencies("microsoft_power_bi_rs_win_installed.nbin");
  script_require_keys("installed_sw/Microsoft Power BI Report Server");

  exit(0);
}

include('vcf.inc');

# Pull the version recorded by the detection plugin (local Windows check).
app_info = vcf::get_app_info(app:'Microsoft Power BI Report Server', win_local:TRUE);

# Require a 4-segment version (e.g. 1.6.7236.4246) before comparing;
# a coarser string cannot be judged against the fixed build and is audited out.
vcf::check_granularity(app_info:app_info, sig_segments:4);

# Affected range: from the first build of the vulnerable branch up to,
# but not including, the fixed build named in the solution.
constraints = [
  { 'min_version': '1.5.7074.36177', 'fixed_version' : '1.6.7236.4246' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);
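The version logic the plugin delegates to vcf::check_granularity and vcf::check_version_and_report, reproduced in Python as an added example (not Tenable's code) so the affected range can be checked against an inventory offline. The helper names, the SAMPLE_INVENTORY dictionary and the None-for-undecidable convention are this example's own assumptions; the two version boundaries and the 4-segment requirement come from the plugin above.

```python
"""Offline re-implementation of the plugin's version check (added example).

Constraint from the plugin: installed version in [MIN_VERSION, FIXED_VERSION)
is affected; versions with fewer than 4 dotted segments cannot be judged.
"""
from typing import Dict, Optional, Tuple

MIN_VERSION = "1.5.7074.36177"    # 'min_version' in the plugin's constraints
FIXED_VERSION = "1.6.7236.4246"   # 'fixed_version' / the solution text
REQUIRED_SEGMENTS = 4             # sig_segments:4 in vcf::check_granularity


def parse_version(ver: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into a tuple of ints.

    A non-numeric segment raises ValueError so that a corrupted registry
    or file-version string never silently compares as 'old' or 'fixed'.
    """
    try:
        return tuple(int(p) for p in ver.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"non-numeric version segment in {ver!r}") from exc


def has_required_granularity(ver: str, segments: int = REQUIRED_SEGMENTS) -> bool:
    """Mirror vcf::check_granularity: '1.6' has too few components to be
    placed relative to a 4-part fixed build, so no verdict is possible."""
    return len(parse_version(ver)) >= segments


def is_vulnerable(installed: str,
                  min_version: str = MIN_VERSION,
                  fixed_version: str = FIXED_VERSION) -> Optional[bool]:
    """True if installed is within [min_version, fixed_version),
    False if it lies outside that range (older branch or already fixed),
    None when the version string is too coarse to decide (the plugin's
    'audit' outcome, which reports nothing either way)."""
    if not has_required_granularity(installed):
        return None
    v = parse_version(installed)
    # Python tuple comparison is segment-wise, which matches how the
    # plugin compares 4-segment versions.
    return parse_version(min_version) <= v < parse_version(fixed_version)


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY: Dict[str, str] = {
    "pbirs-01": "1.5.7074.36177",   # exactly min_version: affected
    "pbirs-02": "1.6.7236.4245",    # one build below the fix: affected
    "pbirs-03": "1.6.7236.4246",    # exactly the fixed build: not affected
    "pbirs-04": "1.4.6969.25000",   # below the constrained range: no finding
    "pbirs-05": "1.6",              # too coarse: undecidable
}


def scan(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Apply is_vulnerable to every host and return the verdict per host."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_INVENTORY).items():
        label = {True: "AFFECTED", False: "not affected", None: "undecidable"}[verdict]
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {label}")
```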