Lucene search
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS20_MAR_MICROSOFT_DYNAMICS_365_BC.NASLHistoryMay 11, 2020 - 12:00 a.m.
Security Updates for Microsoft Dynamics 365 Business Central (Mar 2020)
2020-05-1100:00:00
This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
45
8.2 High
AI Score
Confidence
High
The Microsoft Dynamics 365 Business Central install is missing a security update. It is, therefore, affected by a remote code execution vulnerability due to an issue with the Role-Tailored Client. An authenticated, remote attacker can exploit this to execute arbitrary commands or elevate privileges.
Note that Nessus has not attempted to exploit this issue but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(136472);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/12");
script_cve_id("CVE-2020-0905");
script_xref(name:"MSKB", value:"4538886");
script_xref(name:"MSKB", value:"4538887");
script_xref(name:"MSKB", value:"4538888");
script_xref(name:"MSFT", value:"MS20-4538886");
script_xref(name:"MSFT", value:"MS20-4538887");
script_xref(name:"MSFT", value:"MS20-4538888");
script_xref(name:"IAVA", value:"2020-A-0094-S");
script_name(english:"Security Updates for Microsoft Dynamics 365 Business Central (Mar 2020)");
script_set_attribute(attribute:"synopsis", value:
"The Microsoft Dynamics 365 Business Central install is missing a security update.");
script_set_attribute(attribute:"description", value:
"The Microsoft Dynamics 365 Business Central install is missing a security update. It is, therefore, affected by a
remote code execution vulnerability due to an issue with the Role-Tailored Client. An authenticated, remote attacker can
exploit this to execute arbitrary commands or elevate privileges.
Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported
version number.");
# https://support.microsoft.com/en-us/help/4538886/cumulative-update-17-for-microsoft-dynamics-365-business-central-octob
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3ee0dcbc");
# https://support.microsoft.com/en-us/help/4538887/cumulative-update-10-for-microsoft-dynamics-365-business-central-april
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?103ad92c");
# https://support.microsoft.com/en-us/help/4538888/update-15-4-for-microsoft-dynamics-365-business-central-2019-release-w
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?05aa698b");
script_set_attribute(attribute:"solution", value:
"Update Microsoft Dynamics 365 Business Central to CU17 for the October 2018 release, CU10 for the April 2019 release,
15.4 for 2019 Release Wave 2, or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0905");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/10");
script_set_attribute(attribute:"patch_publication_date", value:"2020/03/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:dynamics_365");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("microsoft_dynamics_365_business_central_server_win_installed.nbin");
script_require_keys("installed_sw/Microsoft Dynamics 365 Business Central Server");
script_require_ports(139, 445);
exit(0);
}
include('vcf.inc');
app = 'Microsoft Dynamics 365 Business Central Server';
app_info = vcf::get_app_info(app:app, win_local:TRUE);
constraints = [
{ 'min_version' : '13.0', 'fixed_version' : '13.0.41152.0' }, # 2019 October Update
{ 'min_version' : '14.0', 'fixed_version' : '14.0.41143.0' }, # 2019 Spring Update
{ 'min_version' : '15.0', 'fixed_version' : '15.0.41271.0' } # 2019 Release Wave 2
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| microsoft | dynamics_365 | cpe:/a:microsoft:dynamics_365 |
Related
prion
prion
Remote code execution
2020-03-12 16:15:00
mskb
mskb
nessus
nessus
Security Updates for Microsoft Dynamics NAV (Mar 2020)
2020-05-11 00:00:00
cve
cve
CVE-2020-0905
2020-03-12 16:15:00
mscve
mscve
Dynamics Business Central Remote Code Execution Vulnerability
2020-03-10 07:00:00
kaspersky
kaspersky
KLA11683 ACE vulnerability in Microsoft Dynamics
2020-03-10 00:00:00
qualysblog
qualysblog