CPU in socket

CVE-2020-0618 | Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability

Published by Microsoft: 02/11/2020
MITRE CVE-2020-0618

“A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. An attacker who successfully exploited this vulnerability could execute code in the context of the Report Server service account.”

There exists a proof of concept and write-up.

Basefarm considers this a Base CVSS Score: 9.8 (Critical) – but there exists an official fix from Microsoft, bringing the Temporal CVSS Score down to a 9.4 (Critical).

And we consider most of our users do not expose Microsoft SQL Server Reporting Service directly to the internet, so this CVSS Environmental Score can be lowered down to a 7.6 (High).

Per Basefarm Vulnerability process we still consider this a priority 1 (of 3) issue, and we will not wait until normal patch window to mitigate this issue. Internally we are tracking this progress in BF-VLN-1990987, registered 2020-02-18.