• Running a SQL Server? Heads up! You need to install this month’s patches quickly

    I just saw a notification that the SQL Server security hole known as CVE-2020-0618 has been cracked. Per Kevin Beaumont:

    Ah bums, there’s an exploit for CVE-2020-0618 (Feb 2020 SQL vuln). The good news: it’s not yet point and click. The bad news: it will be, this will be a big enterprise vuln.

    CVSS score 9.7, very easy to exploit but depends on SQL Reporting Services being installed. Some ICS solutions install it, as does Microsoft EPM (Project Server). I’ll keep thread updated if I see any scanning in the wild.

    One thing if it helps people, although the MS advisory says it only impacts SQL Server 2012+, it appears to also impact SQL Server 2008 too (which is out of support).

    He points to Jin Wook Kim’s proof-of-concept code on GitHub. In the comments, you can find a reference to the original PoC on MDSec.co.uk.

    If you aren’t running a SQL Server, or don’t know SQL Server from a hole in the ground, no need to sweat it. But if your company has SQL Server, somebody better let the admins know.