CVE-2020-0646:Microsoft .NET Framework Remote Code Execution Vulnerability (CVE-2020-0646)

splash
Back

Description Preview

A critical vulnerability in Microsoft .NET Framework that allows attackers to execute arbitrary code by exploiting an XML External Entity (XXE) injection vulnerability in SharePoint workflows. The vulnerability occurs when the .NET Framework fails to properly validate input, specifically in XOML files used by SharePoint workflows, which could lead to remote code execution with the privileges of the application.

Overview

CVE-2020-0646 is a remote code execution vulnerability in Microsoft .NET Framework that affects SharePoint Server. The vulnerability is classified as CWE-91 (XML Injection) and allows attackers to inject malicious XML content into XOML workflow files. When SharePoint processes these files, the improper input validation in the .NET Framework can lead to remote code execution.

The vulnerability specifically affects the way SharePoint workflows handle XOML (Extensible Object Markup Language) files. An authenticated attacker with permissions to create or modify workflows could exploit this vulnerability to execute arbitrary code in the context of the SharePoint application pool or server process.

The exploitation of this vulnerability could allow attackers to install programs, view, change, or delete data, or create new accounts with full user rights, depending on the context in which the vulnerable application runs.

Remediation

  1. Apply the security update released by Microsoft in January 2020 security updates.
  2. Ensure that all .NET Framework installations are updated to the latest patched version.
  3. Restrict SharePoint workflow creation and modification permissions to trusted users only.
  4. Monitor SharePoint logs for suspicious workflow creation or modification activities.
  5. Consider implementing network segmentation to limit the impact of potential exploitation.
  6. Review and validate all existing SharePoint workflows for potential malicious content.
  7. Implement the principle of least privilege for SharePoint users and service accounts.
  8. Consider using Microsoft Defender ATP or similar security solutions to detect and prevent exploitation attempts.

References

  1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646
  2. Packet Storm Security - SharePoint Workflows XOML Injection: http://packetstormsecurity.com/files/156930/SharePoint-Workflows-XOML-Injection.html
  3. Common Weakness Enumeration (CWE-91): https://cwe.mitre.org/data/definitions/91.html
  4. Microsoft January 2020 Security Updates: https://msrc.microsoft.com/update-guide/releaseNote/2020-Jan

Early Warning

Armis Early Warning customers received an advanced alert on this vulnerability.

Armis Alert Date
Jan 7, 2021
CISA KEV Date
Nov 3, 2021
300days early
Learn More

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
    Manufacturing
  2. Health Care & Social Assistance
    Health Care & Social Assistance
  3. Public Administration
    Public Administration
  4. Educational Services
    Educational Services
  5. Finance and Insurance
    Finance and Insurance
  6. Transportation & Warehousing
    Transportation & Warehousing
  7. Retail Trade
    Retail Trade
  8. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  9. Other Services (except Public Administration)
    Other Services (except Public Administration)
  10. Utilities
    Utilities
  11. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  12. Management of Companies & Enterprises
    Management of Companies & Enterprises
  13. Information
    Information
  14. Accommodation & Food Services
    Accommodation & Food Services
  15. Construction
    Construction
  16. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  17. Mining
    Mining
  18. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  19. Wholesale Trade
    Wholesale Trade
  20. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background