CVE-2020-1147: .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability

Overview

Severity: N/A
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: More Likely
Patch Tuesday: 2020-Jul
Released: 2020-07-14
Last Updated: 2020-10-13
EPSS Score: 93.43% (percentile: 99.8%)
CISA KEV: Listed — due 2022-05-03

Description

A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content. To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content. The security update addresses the vulnerability by correcting how .NET Framework, Microsoft SharePoint, and Visual Studio validate the source markup of XML content.

FAQ

I am running Windows Server 2008, Windows 7, or Windows Server 2008 R2 and I cannot install the Monthly Rollup or Security Only updates for any of the 4.X versions of Microsoft .NET Framework. How do I protect my system from this vulnerability?
There is a known issue with the Monthly Rollup and Security Only updates for the 4.X versions of .NET Framework installed on Windows Server 2008, Windows 7, and Windows Server 2008 R2. For a workaround to this known issue, please see the Article listed in the Security Updates table for the version of .NET Framework you are trying to install.

Where does this vulnerability present itself?
The vulnerability is found in the DataSet and DataTable types, which are .NET components used to manage data sets.

Where can I find additional developer guidance for the secure use of DataSet or DataTable types?
Updated security guidance can be found on MSDN here - https://go.microsoft.com/fwlink/?linkid=2132227

What updates need to be installed to fully protect my system from this vulnerability?
Full protection requires the installation of the .NET Framework update as well as updates for any additional affected products mentioned in this article.

Detection & Weaponization (1 source)

Maturity: Exploit

  • Metasploit modules: SharePoint DataSet / DataTable Deserialization

Affected Products (103)

Microsoft Office

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Enterprise Server 2013 Service Pack 1
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Server 2010 Service Pack 2

Developer Tools

  • Microsoft Visual Studio 2019 version 16.0
  • Microsoft Visual Studio 2019 version 16.6 (includes 16.0 - 16.5)
  • Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
  • Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
  • .NET Core 2.1
  • .NET Core 3.1
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for x64-based Systems Service Pack 1
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for 32-bit systems
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for x64-based systems
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows RT 8.1
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation)
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2
  • Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation)
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systems
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systems
  • Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation)
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systems
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systems
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems
  • Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems
  • Microsoft .NET Framework 4.8 on Windows Server 2016
  • Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)
  • Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1
  • Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1
  • Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems
  • Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems
  • Microsoft .NET Framework 4.8 on Windows RT 8.1
  • Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Microsoft .NET Framework 4.8 on Windows Server 2012
  • Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)
  • Microsoft .NET Framework 4.8 on Windows Server 2012 R2
  • Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation)
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for 32-bit Systems
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for x64-based Systems
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 1909 (Server Core installation)
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1903 for 32-bit Systems
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1903 for x64-based Systems
  • Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 1903 (Server Core installation)
  • Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1803 for 32-bit Systems
  • Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1803 for x64-based Systems
  • Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server, version 1803 (Server Core Installation)
  • ... and 49 more

Security Updates (47)

Acknowledgments

Oleksandr Mirosh (@olekmirosh, https://twitter.com/olekmirosh) from Micro Focus Fortify, Jonathan Birch (https://www.linkedin.com/in/jonathan-birch-ab27681/) of Microsoft Office Security Team, Markus Wulftange (@mwulftange, https://twitter.com/mwulftange)

Revision History

  • 2020-07-14: Information published.
  • 2020-10-13: To comprehensively address CVE-2020-1147, Microsoft has released the following: October Security Updates for all affected versions of .NET Framework installed on Windows 10; October 2020 Monthly Rollup updates AND updated versions of the Security Only updates released in July 2020 for all affected versions of .NET Framework installed on Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7, Windows Server 2008 R2, and Windows Server 2008. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers who install the Security Only updates should ensure that they re-install the updates after October 13. Customers whose systems are configured to receive automatic updates do not need to take any further action.