CVE-2020-0618: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-0618) exists in Microsoft SQL Server Reporting Services (SSRS) when it incorrectly handles page requests. The vulnerability affects Microsoft SQL Server versions 2012, 2014, 2016, and 2008 (though 2008 is unsupported). This security flaw was disclosed and patched by Microsoft on February 11, 2020 (Tenable Blog).

The vulnerability exists in the ReportingServicesWebServer.dll of SSRS, specifically in how the OnLoad method of the Microsoft.Reporting.WebForms.BrowserNavigationCorrector class handles untrusted user input. The flaw involves the improper deserialization of ViewState data passed via the NavigationCorrector$ViewState parameter. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the affected system with the privileges of the SQL Server Reporting Services service account. The vulnerability has been classified as a high-severity issue due to its potential impact on system confidentiality, integrity, and availability (NVD).

Microsoft has released security updates to address this vulnerability. Organizations should apply the appropriate patches based on their SQL Server version: SQL Server 2016 SP2 (GDR and CU updates), SQL Server 2014 SP3 (GDR and CU updates), and SQL Server 2012 SP4 (GDR update). These updates are available through Microsoft's standard update channels (Microsoft KB4535305).

Security researchers have actively discussed this vulnerability on social media, with some reporting successful identification of vulnerable systems in major organizations, including a "very large car company." The widespread exposure of publicly accessible instances has raised concerns in the security community (Tenable Blog).