CVE-2020-0905: Dynamics Business Central Remote Code Execution Vulnerability

Overview

Severity

N/A

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Mar

Released

2020-03-10

Last Updated

2020-04-14

EPSS Score

32.92% (percentile: 96.9%)

Description

A remote code execution vulnerability exists in Microsoft Dynamics Business Central. An attacker who successfully exploited this vulnerability could execute arbitrary shell commands on victim's server. To exploit the vulnerability, an authenticated attacker needs to convince the victim into connect to a malicious Dynamics Business Central client or elevate permission to system to perform the code execution. The security update addresses the vulnerability by preventing the possibility of using a binary type that could eventually execute code on the victim’s server.

Affected Products (8)

Microsoft Dynamics

• Microsoft Dynamics NAV 2018
• Microsoft Dynamics NAV 2015
• Microsoft Dynamics 365 BC On Premise
• Dynamics 365 Business Central 2019 Spring Update
• Dynamics 365 Business Central 2019 Release Wave 2 (On-Premise)
• Microsoft Dynamics NAV 2016
• Microsoft Dynamics NAV 2017
• Microsoft Dynamics NAV 2013

Security Updates (8)

• 4538885
• 4551259
• 4538886
• 4538887
• 4538888
• 4538708
• 4538884
• 4551258

Acknowledgments

Ha Anh Hoang of <a href="https://viettelcybersecurity.com/">Viettel Cybersecurity</a>

Revision History

• 2020-03-10: Information published.
• 2020-04-14: In the Security Updates table, corrected the Download links for the following products: Microsoft Dynamics NAV 2018, Microsoft Dynamics 365 BC On Premise, Dynamics 365 Business Central 2019 Spring Update, and Dynamics 365 Business Central 2019 Release Wave 2 (On-Premise). Customers who are running one of these affected versions of Microsoft Dynamics should ensure that they have downloaded and installed the most recent updates to be protected from this vulnerability.