Security Updates for Microsoft SQL Server (February 2020)

2020-02-1400:00:00

www.tenable.com

181

The Microsoft SQL Server installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability :

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account. (CVE-2020-0618)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#



# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(133719);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/06/29");

  script_cve_id("CVE-2020-0618");
  script_xref(name:"IAVA", value:"2020-A-0074-S");
  script_xref(name:"MSKB", value:"4532095");
  script_xref(name:"MSKB", value:"4532097");
  script_xref(name:"MSKB", value:"4532098");
  script_xref(name:"MSKB", value:"4535288");
  script_xref(name:"MSKB", value:"4535706");
  script_xref(name:"MSFT", value:"MS20-4532095");
  script_xref(name:"MSFT", value:"MS20-4532097");
  script_xref(name:"MSFT", value:"MS20-4532098");
  script_xref(name:"MSFT", value:"MS20-4535288");
  script_xref(name:"MSFT", value:"MS20-4535706");
  script_xref(name:"CEA-ID", value:"CEA-2020-0018");

  script_name(english:"Security Updates for Microsoft SQL Server (February 2020)");

  script_set_attribute(attribute:"synopsis", value:
"The Microsoft SQL Server installation on the remote host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The Microsoft SQL Server installation on the remote host is
missing a security update. It is, therefore, affected by the
following vulnerability :

  - A remote code execution vulnerability exists in
    Microsoft SQL Server Reporting Services when it
    incorrectly handles page requests. An attacker who
    successfully exploited this vulnerability could execute
    code in the context of the Report Server service
    account.  (CVE-2020-0618)");
  # https://support.microsoft.com/en-us/help/4532097/description-of-the-security-update-for-sql-server-2016-sp2-gdr-feb
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ff30ef1b");
  # https://support.microsoft.com/en-us/help/4535288/description-of-the-security-update-for-sql-server-2014-sp3-cu4-feb
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8089305a");
  # https://support.microsoft.com/en-us/help/4532095/description-of-the-security-update-for-sql-server-2014-sp3-gdr-feb
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?899d9f68");
  # https://support.microsoft.com/en-us/help/4532098/security-update-for-sql-server-2012-sp4-gdr
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7c9e8cfc");
  # https://support.microsoft.com/en-us/help/4535706/description-of-the-security-update-for-sql-server-2016-sp2-cu11-februa
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?226a31d0");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released the following security updates to address this issue:
  -KB4532095
  -KB4532097
  -KB4532098
  -KB4535288
  -KB4535706");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0618");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SQL Server Reporting Services (SSRS) ViewState Deserialization');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "mssql_version.nasl", "smb_enum_services.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 1433, "Services/mssql", "Host/patch_management_checks");

  exit(0);
}

include('vcf_extras_microsoft.inc');

var app_info = vcf::microsoft::mssql::get_app_info();

var constraints =
[
  {
    'product_version' : '2012',
    'target_hw'       : 'x64, x86',
    'file'            : 'setup.exe',
    'min_version'     : '2011.110.0.0',
    'fixed_version'   : '2011.110.7493.4',
    'kb'              : '4532098'
  },
  {
    'product_version' : '2012',
    'target_hw'       : 'x64, x86',
    'file'            : 'OSQL.exe',
    'min_version'     : '2011.110.0.0',
    'fixed_version'   : '2011.110.7493.4',
    'kb'              : '4532098'
  },
  {
    'product_version' : '2014',
    'target_hw'       : 'x64, x86',
    'file'            : 'setup.exe',
    'min_version'     : '2014.120.6000.0',
    'fixed_version'   : '2014.120.6118.4',
    'kb'              : '4532095'
  },
  {
    'product_version' : '2014',
    'target_hw'       : 'x64, x86',
    'file'            : 'OSQL.exe',
    'min_version'     : '2014.120.6000.0',
    'fixed_version'   : '2014.120.6118.4',
    'kb'              : '4532095'
  },
  {
    'product_version' : '2014',
    'target_hw'       : 'x64, x86',
    'file'            : 'setup.exe',
    'min_version'     : '2014.120.6200.0',
    'fixed_version'   : '2014.120.6372.1',
    'kb'              : '4535288'
  },
  {
    'product_version' : '2014',
    'target_hw'       : 'x64, x86',
    'file'            : 'OSQL.exe',
    'min_version'     : '2014.120.6200.0',
    'fixed_version'   : '2014.120.6372.1',
    'kb'              : '4535288'
  },
  {
    'product_version' : '2016',
    'target_hw'       : 'x64',
    'file'            : 'setup.exe',
    'min_version'     : '2015.131.5000.0',
    'fixed_version'   : '2015.131.5102.14',
    'kb'              : '4532097'
  },
  {
    'product_version' : '2016',
    'target_hw'       : 'x64',
    'file'            : 'xmlrw.dll',
    'min_version'     : '2015.131.5149.0',
    'fixed_version'   : '2015.131.5622.0',
    'kb'              : '4535706'
  }
];

vcf::microsoft::mssql::check_version_and_report(
  app_info          : app_info,
  constraints       : constraints,
  severity          : SECURITY_WARNING
);

VendorProductVersionCPE
microsoftsql_servercpe:/a:microsoft:sql_server

Vendor	Product	Version	CPE
microsoft	sql_server		cpe:/a:microsoft:sql_server

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0618

www.nessus.org/u?226a31d0

www.nessus.org/u?7c9e8cfc

www.nessus.org/u?8089305a

www.nessus.org/u?899d9f68

www.nessus.org/u?ff30ef1b

JSON

Related for SMB_NT_MS20_FEB_MSSQL.NASL