CVE-2020-1147: Remote Code Execution Vulnerability in .NET Framework, SharePoint, and Visual Studio


Description Preview

CVE-2020-1147 is a critical remote code execution vulnerability affecting Microsoft .NET Framework, SharePoint Server, and Visual Studio. The vulnerability exists when these applications fail to properly validate the source markup of XML file input, allowing attackers to execute arbitrary code in the context of the current user. This vulnerability is particularly dangerous in SharePoint environments, where attackers can upload specially crafted files to trigger code execution.

Overview

This vulnerability stems from an insecure deserialization issue in the DataSet and DataTable components within .NET Framework. When processing XML input, the affected applications do not properly validate the source markup, which allows attackers to inject malicious code that gets executed during the deserialization process. In SharePoint environments, this can be exploited through document uploads or other file processing features.

The vulnerability affects multiple Microsoft products:

  • .NET Framework
  • SharePoint Server (multiple versions)
  • Visual Studio

Successful exploitation could allow attackers to run arbitrary code with the privileges of the application processing the malicious XML content. In web-based scenarios like SharePoint, this could lead to complete compromise of the affected server.
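
A DataSet serialized as XML carries an inline schema in which a column can name its .NET type through the `msdata:DataType` attribute. The following added example (not code from Armis or Microsoft) pre-screens untrusted DataSet XML and reports every column whose declared type is not on an allow-list; the allow-list contents, the function name and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
MSDATA = "urn:schemas-microsoft-com:xml-msdata"

# Illustrative allow-list of simple CLR types (assumption: tune to your data).
ALLOWED_CLR_TYPES = {
    "System.Boolean", "System.Byte", "System.Char", "System.DateTime",
    "System.Decimal", "System.Double", "System.Guid", "System.Int16",
    "System.Int32", "System.Int64", "System.Single", "System.String",
    "System.TimeSpan", "System.Uri",
}

def disallowed_column_types(xml_text):
    """Return (column, declared type) pairs that are not on the allow-list."""
    # Refuse DTDs outright so entity declarations never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    findings = []
    for el in ET.fromstring(xml_text).iter("{%s}element" % XS):
        declared = el.get("{%s}DataType" % MSDATA)
        if declared is None:
            continue  # plain XSD type such as xs:string
        # "System.Guid, mscorlib, Version=..." -> "System.Guid"
        clr_name = declared.split(",", 1)[0].strip()
        if clr_name not in ALLOWED_CLR_TYPES:
            findings.append((el.get("name"), declared))
    return findings

# Constructed sample: two ordinary columns and one placeholder foreign type.
SAMPLE = """<DataSet>
  <xs:schema id="Upload" xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
    <xs:element name="Row"><xs:complexType><xs:sequence>
      <xs:element name="Id" msdata:DataType="System.Guid, mscorlib" type="xs:string"/>
      <xs:element name="Title" type="xs:string"/>
      <xs:element name="Blob" msdata:DataType="Example.Placeholder.Type, ExampleAssembly"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema>
</DataSet>"""

if __name__ == "__main__":
    for column, declared in disallowed_column_types(SAMPLE):
        print("reject upload: column %r declares %r" % (column, declared))
```

The check fails closed: generic or otherwise unrecognized type names do not match the allow-list and are reported. It is a triage filter in front of the parser, and the security updates listed under Remediation remain the fix.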

Remediation

To mitigate this vulnerability, the following actions are recommended:

  1. Apply the appropriate security updates from Microsoft:

    • Install the July 2020 security updates for all affected products
    • Ensure .NET Framework installations are updated to the latest patched versions
    • Update SharePoint Server installations with the latest security patches
  2. Implement additional security measures:

    • Restrict access to SharePoint document libraries and file upload functionality
    • Implement proper input validation for all file uploads
    • Consider implementing network segmentation to limit exposure of SharePoint servers
    • Review and restrict user permissions to minimize the impact of potential exploitation
  3. Monitor systems for suspicious activity:

    • Watch for unexpected process executions
    • Monitor for unusual file uploads or document processing activities
    • Enable enhanced logging on SharePoint servers
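
For the monitoring step, one way to watch for unexpected process executions on a SharePoint server is to flag anything spawned by the IIS worker process (`w3wp.exe`) that falls outside a known baseline. This is an added example, not code from Armis or Microsoft; the baseline set, the function name and the JSON log records (shaped after Sysmon Event ID 1 fields) are assumptions and constructed data.

```python
import json
import ntpath

WORKER = "w3wp.exe"  # IIS worker process hosting SharePoint web applications
# Assumed baseline of legitimate children (ASP.NET compilers); tune per farm.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe"}

def unexpected_worker_children(lines):
    """Return alerts for processes spawned by w3wp.exe outside the baseline."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip blank or malformed records
        if not isinstance(event, dict):
            continue
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        child = ntpath.basename(event.get("Image", "")).lower()
        if parent == WORKER and child not in EXPECTED_CHILDREN:
            alerts.append({
                "time": event.get("UtcTime"),
                "child": child,
                "command_line": event.get("CommandLine"),
                "user": event.get("User"),
            })
    return alerts

# Constructed process-creation records using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    r'{"UtcTime": "2021-01-01 10:00:01", "User": "EXAMPLE\\sp_apppool", '
    r'"ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", '
    r'"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", '
    r'"CommandLine": "csc.exe /noconfig @placeholder.cmdline"}',
    r'{"UtcTime": "2021-01-01 10:05:42", "User": "EXAMPLE\\sp_apppool", '
    r'"ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", '
    r'"CommandLine": "cmd.exe /c whoami"}',
    r'{"UtcTime": "2021-01-01 10:06:00", "User": "NT AUTHORITY\\SYSTEM", '
    r'"ParentImage": "C:\\Windows\\System32\\services.exe", '
    r'"Image": "C:\\Windows\\System32\\svchost.exe", '
    r'"CommandLine": "svchost.exe -k netsvcs"}',
]

if __name__ == "__main__":
    for alert in unexpected_worker_children(SAMPLE_EVENTS):
        print("ALERT", alert)
```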

References

  1. Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147

  2. Exploit Information:

    • SharePoint DataSet/DataTable Deserialization: http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html
    • Microsoft SharePoint Server 2019 Remote Code Execution: http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
    • Additional SharePoint Server 2019 RCE exploit: http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
  3. Additional Resources:

    • Exploit Alert: https://www.exploitalert.com/view-details.html?id=35992

Early Warning

Armis Early Warning customers received an advanced alert on this vulnerability.

Armis Alert Date: Jul 27, 2021
CISA KEV Date: Nov 3, 2021
99 days early

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
  2. Health Care & Social Assistance
  3. Public Administration
  4. Finance and Insurance
  5. Educational Services
  6. Transportation & Warehousing
  7. Professional, Scientific, & Technical Services
  8. Retail Trade
  9. Other Services (except Public Administration)
  10. Utilities
  11. Arts, Entertainment & Recreation
  12. Management of Companies & Enterprises
  13. Information
  14. Accommodation & Food Services
  15. Construction
  16. Agriculture, Forestry Fishing & Hunting
  17. Mining
  18. Real Estate Rental & Leasing
  19. Wholesale Trade
  20. Administrative, Support, Waste Management & Remediation Services

Armis Vulnerability Intelligence Database