CVE-2022-41127: Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability
Overview
- Severity: High (CVSS base score 8.5; the temporal metrics in the vector below lower it to 7.4)
- CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category: Remote Code Execution
- Exploit Status: Not Exploited
- Exploitation Likelihood: Less Likely
- Patch Tuesday: 2022-Dec
- Released: 2022-12-13
- Last Updated: 2023-10-10
- EPSS Score: 1.74% (percentile: 82.5%)
FAQ
According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). Can the exploit move from Dynamics NAV to the underlying operating system?
Yes. An attacker who successfully exploited this vulnerability in Dynamics NAV could execute code on the host server in the context of the Windows service account that the Dynamics NAV server instance is configured to run as. The privileges of that account, not of the attacker's Dynamics user, therefore bound what the attacker can do on the host.
According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
The attacker must hold valid credentials for the Dynamics NAV server to exploit this vulnerability; a low-privileged user account is sufficient.
According to the CVSS metric, the attack vector is network (AV:N). What is the target used in the context of the remote code execution?
The port that the Dynamics NAV server opens for its client services endpoint, which uses WCF over TCP, is the target. An authenticated user who can reach that port could attempt to trigger malicious code in the context of the server's service account through a network call to it.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.
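The three metrics above each map to something an administrator can check on the server: the account the instance runs as (S:C), whether the WCF TCP client services port is listening and on which interfaces (AV:N), and which credential type the endpoint enforces (PR:L). The following PowerShell inventory is an added example for this page, not Microsoft's code. It assumes it is run in an elevated Dynamics NAV / Business Central Administration Shell on the server, so that Get-NAVServerInstance and Get-NAVServerConfiguration are already loaded, and that Get-NAVServerConfiguration returns key/value objects as it does on NAV 2016 and later. The $HighPrivAccounts list is an illustrative assumption and should be extended for your environment.

```powershell
# Added example (not Microsoft's code): inventory on-premises NAV / Business Central
# server instances and the facts the CVSS metrics turn on.
# Assumption: run in an elevated Dynamics NAV / Business Central Administration Shell.

# Illustrative list of accounts whose compromise means full control of the host.
$HighPrivAccounts = @('NT AUTHORITY\SYSTEM', 'LocalSystem', 'NT AUTHORITY\NETWORK SERVICE')

function Get-NavInstanceExposure {
    foreach ($inst in Get-NAVServerInstance) {
        # Configuration keys come back as objects with 'key' and 'value' properties
        # (NAV 2016 and later); collect them into a case-insensitive hashtable.
        $cfg = @{}
        Get-NAVServerConfiguration -ServerInstance $inst.ServerInstance |
            ForEach-Object { $cfg[$_.key] = $_.value }

        $port     = $cfg['ClientServicesPort']            # WCF over TCP endpoint (AV:N)
        $credType = $cfg['ClientServicesCredentialType']  # Windows, UserName, NavUserPassword, ...

        # Is the port actually listening, and is it bound to every interface?
        $listeners = @()
        if ($port) {
            $listeners = Get-NetTCPConnection -State Listen -LocalPort ([int]$port) `
                             -ErrorAction SilentlyContinue
        }
        $bound = ($listeners | ForEach-Object LocalAddress | Sort-Object -Unique) -join ','

        [pscustomobject]@{
            ServerInstance       = $inst.ServerInstance
            State                = $inst.State
            Version              = $inst.Version          # compare with the fixed build for your release
            ServiceAccount       = $inst.ServiceAccount   # code runs as this account (S:C)
            HighPrivilegeAccount = $HighPrivAccounts -contains $inst.ServiceAccount
            ClientServicesPort   = $port
            ListeningOn          = $bound                 # '0.0.0.0' or '::' means every interface
            CredentialType       = $credType              # PR:L: attacker needs a valid login here
        }
    }
}

Get-NavInstanceExposure | Format-Table -AutoSize
```

Read the output against the advisory: an instance whose ServiceAccount is SYSTEM or a domain administrator turns the scope change into a full host compromise, so such instances deserve a dedicated low-privilege service account; a port bound to every interface and reachable beyond the client network widens the set of users who can attempt the network call; and the Version column is what to compare with the security update for that release from the Security Updates table, since the fixed build numbers differ per product version and are not reproduced here.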
Affected Products (13)
Microsoft Dynamics
- Microsoft Dynamics NAV 2013 R2
- Microsoft Dynamics NAV 2015
- Microsoft Dynamics NAV 2016
- Microsoft Dynamics NAV 2017
- Microsoft Dynamics NAV 2018
- Dynamics 365 Business Central Spring 2019 Update
- Dynamics 365 Business Central 2019 Release Wave 2 (On-Premise)
- Microsoft Dynamics 365 Business Central 2020 Release Wave 1
- Microsoft Dynamics 365 Business Central 2020 Release Wave 2
- Microsoft Dynamics 365 Business Central 2021 Release Wave 1
- Microsoft Dynamics 365 Business Central 2021 Release Wave 2
- Microsoft Dynamics 365 Business Central 2022 Release Wave 1
- Microsoft Dynamics 365 Business Central 2022 Release Wave 2
Security Updates (12)
Acknowledgments
Yiming Xiang with NSFOCUS TIANJI LAB (https://www.nsfocus.cn/)
Revision History
- 2022-12-13: Information published.
- 2022-12-20: Corrected Download and Article links in the Security Updates table. This is an informational change only.
- 2023-03-14: In the Security Updates table, added the following supported editions of Microsoft Dynamics NAV as they are affected by this vulnerability: Microsoft Dynamics NAV 2013 R2 and Microsoft Dynamics NAV 2015. Microsoft strongly recommends that customers install the updates to be fully protected from this vulnerability.
- 2023-10-10: Corrected security updates table. This is an informational change only.