Security advisories | Jul 21, 2020

CVE-2020-1147 Proof-of-Concept

THE THREAT:

Proof-of-Concept (PoC) exploit code and a technical write-up have been released for the critical vulnerability CVE-2020-1147 affecting .NET Framework, Microsoft SharePoint, and Visual Studio [1]. If exploited, CVE-2020-1147 would allow for remote code execution [2]. This could be used for a variety of malicious purposes including data theft and malware deployment.

The release of PoC code and a technical write-up is likely to decrease the amount of time before exploitation occurs in the wild. Microsoft released security patches for this vulnerability on July 14th, 2020; organizations need to ensure that patches have been deployed on all vulnerable systems.

What we’re doing about it

  • MVS (formerly esRECON) has local plugins to identify this vulnerability
  • eSentire security teams continue to track this topic for additional details and detection opportunities

What you should do about it

  • After performing a business impact review, apply the official security patches provided by Microsoft [2]
    • If all patches from the July 14th, 2020 Patch Tuesday release have already been applied, no further actions are required

Additional information

The vulnerability is due to a failure in .NET Framework, Microsoft SharePoint, and Visual Studio to check the source markup of XML file input.

Proof-of-Concept code for CVE-2020-1147 was first identified on July 20th, and exploitation in the wild has not yet been observed. Microsoft listed this vulnerability as "Exploitation More Likely", and with the release of PoC code, attacks in the wild should be considered imminent.

It should be noted that the author of the PoC code states that additional .NET-based products may be vulnerable to similar attacks.

Known Affected Products:

  • .NET Core
  • .NET Framework
  • SharePoint Enterprise Server (2013 and 2016)
  • SharePoint Server (2010 and 2019)
  • Visual Studio (2017 and 2019)

References:

[1] https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147