Security Updates for Microsoft Dynamics NAV (Dec 2020)

2021-03-2300:00:00

www.tenable.com

The Microsoft Dynamics NAV install is missing a security update. It is, therefore, affected by an information disclosure vulnerability in the Document Service table due to the Password field not being masked. An authenticated, remote attacker can exploit this, by inspecting as a system user, to reveal passwords.

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable Network Security, Inc.
##

include('compat.inc');

if (description)
{
  script_id(147956);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/03/24");

  script_cve_id("CVE-2020-17133");
  script_xref(name:"MSKB", value:"4583556");
  script_xref(name:"MSFT", value:"MS20-4583556");

  script_name(english:"Security Updates for Microsoft Dynamics NAV (Dec 2020)");

  script_set_attribute(attribute:"synopsis", value:
"The Microsoft Dynamics NAV install is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The Microsoft Dynamics NAV install is missing a security update. It is, therefore, affected by an information
disclosure vulnerability in the Document Service table due to the Password field not being masked. An authenticated,
remote attacker can exploit this, by inspecting as a system user, to reveal passwords.

Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported
version number.");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4583556");
  script_set_attribute(attribute:"solution", value:
"Install the approprate update package from KB4583556.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-17133");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/03/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:dynamics_nav");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("microsoft_dynamics_nav_server_win_installed.nbin");
  script_require_keys("installed_sw/Microsoft Dynamics NAV Server");
  script_require_ports(139, 445);

  exit(0);
}

include('vcf.inc');

app = 'Microsoft Dynamics NAV Server';

app_info = vcf::get_app_info(app:app, win_local:TRUE);

constraints = [
  { 'min_version' : '7.1', 'fixed_version' : '7.1.51940.0' }, # 2013 R2
  { 'min_version' : '8.0', 'fixed_version' : '8.0.51958.0' }  # 2015
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING
);

VendorProductVersionCPE
microsoftdynamics_navx-cpe:/a:microsoft:dynamics_nav

Vendor	Product	Version	CPE
microsoft	dynamics_nav		x-cpe:/a:microsoft:dynamics_nav

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17133

support.microsoft.com/en-us/help/4583556

JSON

Related for SMB_NT_MS20_DEC_MICROSOFT_DYNAMICS_NAV.NASL