In its February 2020 Patch Tuesday release, Microsoft fixed CVE-2020-0618, a vulnerability in SQL Server Reporting Services (SSRS) that lets a low-privileged authenticated user execute code remotely on the server hosting the reporting services. Any account with the SSRS "Browser" role can trigger it by sending a specially crafted POST request to "/ReportServer/pages/ReportViewer.aspx", where the web application deserialized a ViewState-style value taken from the request without first checking that the server itself had produced it. A proof-of-concept (PoC) exploit has been published, which makes patching a higher priority.
The February 2020 patch adds MAC validation to that value: before deserializing it, the server now verifies a message authentication code computed with its machine key, so a request carrying a serialized object the server did not generate is rejected. This complements the user access validation SSRS already performed, which on its own only confirmed that the caller was an authenticated SSRS user, not that the data it sent was trustworthy. Binary Defense recommends updating systems to Microsoft’s latest patch, which fixed this vulnerability as well as 98 others, with 11 marked as “critical.”
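The mechanism behind the fix, as an added illustration that is not Binary Defense's or Microsoft's code: a Python analogue in which `pickle` stands in for the .NET serializer, `SERVER_KEY` stands in for the machine key, and the attacker's gadget only appends a marker to a list instead of running a command. The key, the `Gadget` class and the sample report state are all constructed for the demo. The pre-patch path deserializes whatever the client sent; the post-patch path verifies an HMAC over the blob first and never touches the serializer when the tag is missing or wrong.

```python
"""Toy model of the CVE-2020-0618 fix: MAC-validate a serialized value before deserializing it.

Illustrative analogue only (pickle in place of the .NET serializer); not SSRS's code.
Key, class names and sample state are constructed for the demo.
"""
import hashlib
import hmac
import pickle

# Stand-in for the server's secret machine key (constructed for the demo).
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"

# Records that attacker-supplied code ran. A real gadget would run arbitrary
# code; here the "payload" only appends to this list so the demo stays harmless.
EXECUTED = []


def record_execution(marker):
    """Harmless stand-in for the command an attacker's gadget would run."""
    EXECUTED.append(marker)
    return marker


class Gadget:
    """Object whose unpickling calls record_execution(), mimicking a deserialization gadget."""

    def __reduce__(self):
        return (record_execution, ("attacker code ran",))


def vulnerable_load(viewstate):
    """Pre-patch behaviour: trust and deserialize whatever the client sent."""
    return pickle.loads(viewstate)


def sign(payload, key=SERVER_KEY):
    """Server side: append an HMAC-SHA256 tag to a blob the server produced itself."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def hardened_load(viewstate, key=SERVER_KEY):
    """Post-patch behaviour: verify the MAC before a single byte is deserialized."""
    tag_len = hashlib.sha256().digest_size
    if len(viewstate) < tag_len:
        raise ValueError("viewstate too short to carry a MAC")
    payload, tag = viewstate[:-tag_len], viewstate[-tag_len:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("viewstate MAC validation failed")
    return pickle.loads(payload)


def attacker_blob():
    """Constructed malicious value: a serialized gadget, with no valid MAC."""
    return pickle.dumps(Gadget())


def legit_blob(state):
    """Constructed legitimate value: server-produced state, signed by the server."""
    return sign(pickle.dumps(state))


def demo():
    """Return (ran_before_patch, rejected_after_patch, legit_roundtrip)."""
    EXECUTED.clear()
    vulnerable_load(attacker_blob())
    ran_before_patch = EXECUTED == ["attacker code ran"]

    EXECUTED.clear()
    forged = attacker_blob() + b"\x00" * 32  # attacker guesses a tag; no key, so it is wrong
    try:
        hardened_load(forged)
        rejected_after_patch = False
    except ValueError:
        rejected_after_patch = not EXECUTED  # nothing deserialized, nothing executed

    state = {"report": "sales", "page": 2}
    legit_roundtrip = hardened_load(legit_blob(state)) == state
    return ran_before_patch, rejected_after_patch, legit_roundtrip


if __name__ == "__main__":
    print(demo())
```

The order matters: the tag is checked over the raw bytes and the serializer is only reached once that check passes, because many deserializers (the .NET one included) start instantiating objects while parsing, so "deserialize, then validate" would still run the gadget. The MAC proves only that the server generated the blob, which is why the machine key has to stay secret and why this validation is part of the patch rather than a setting administrators toggle; applying the update is the fix.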