Microsoft SQL Server Reporting Services 2016 ViewState deserialization vulnerability

2020-09-25T00:00:00
ID SAINT:42A55639AE1F6E2A8BE2071F2F668787
Type saint
Reporter SAINT Corporation
Modified 2020-09-25T00:00:00

Description

Added: 09/25/2020
CVE: CVE-2020-0618

Background

Microsoft SQL Server Reporting Services is a set of tools and services for creating, deploying, and managing mobile and paginated reports.

Problem

A deserialization vulnerability in Microsoft SQL Server Reporting Services 2016 allows a remote, authenticated attacker to execute arbitrary commands on the server by sending a POST request whose ViewState carries a specially crafted serialized object.

Resolution

See Microsoft Security Advisory CVE-2020-0618 for fix information.

References

<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618>

Limitations

This exploit requires valid Microsoft SQL Server Reporting Services credentials.

Platforms

Windows