RCE in SQL Server Reporting Services (SSRS) - Vulnerability Database

RCE in SQL Server Reporting Services (SSRS)

Description

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services (SSRS) because the validation key is generated improperly during installation. When SSRS is installed, it fails to create a cryptographically unique machine key and instead uses a predictable default value. An authenticated attacker who knows or can obtain this validation key can abuse the .NET deserialization process to inject malicious serialized objects, leading to arbitrary code execution with SYSTEM privileges.

Remediation

Apply the security updates provided by Microsoft immediately to remediate this vulnerability:

1. Install Security Patches: Apply the latest cumulative updates for SQL Server Reporting Services that address CVE-2020-0618. Refer to the Microsoft Security Advisory for specific patch versions applicable to your SSRS installation.

2. Regenerate Machine Keys: After patching, ensure that unique machine keys are generated for each SSRS instance. Review the RSReportServer.config file to verify that custom validation and decryption keys are in place.

3. Review Access Controls: Limit authenticated user access to SSRS to only those who require it, following the principle of least privilege.

4. Monitor for Exploitation: Review server logs for suspicious deserialization activity or unexpected system commands executed by the SSRS service account prior to patching.

5. Network Segmentation: Isolate SSRS servers from untrusted networks and restrict access using firewall rules where possible.
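Step 2 asks you to verify that each SSRS instance has its own explicit validation and decryption keys rather than a default or a copy of another server's configuration. The script below is an added example (not Invicti's or Microsoft's code) that audits several configuration files at once: it flags a missing key element, empty or AutoGenerate keys, keys that are too short or look like placeholders, and keys that are shared between instances. It assumes the keys live in a `machineKey` element with `validationKey` and `decryptionKey` attributes, as in an ASP.NET `web.config`; adjust the element lookup if your `RSReportServer.config` stores them differently. The sample configurations are constructed for this example.

```python
"""Audit SSRS machine keys for uniqueness and basic quality.

Added example, not part of the advisory or of any vendor code.
ASSUMPTION: keys are stored as <machineKey validationKey=".." decryptionKey="..">
            (the ASP.NET web.config layout); change find_machine_key() if
            your RSReportServer.config uses a different element name.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Minimum hex length per key: 64-byte HMAC validation key, 32-byte AES decryption key.
MIN_HEX = {"validationKey": 128, "decryptionKey": 64}


def key_findings(name, value):
    """Return problems with one key attribute (empty list means it looks sane)."""
    if value is None or not value.strip():
        return [f"{name}: missing or empty"]
    v = value.strip()
    if v.lower().startswith("autogenerate"):
        # Not a defect by itself, but it is not the explicit custom key step 2 asks for.
        return [f"{name}: AutoGenerate, no explicit custom key"]
    out = []
    if not HEX_RE.match(v):
        out.append(f"{name}: not a hex string")
    if len(v) < MIN_HEX[name]:
        out.append(f"{name}: only {len(v)} hex chars, expected at least {MIN_HEX[name]}")
    if len(set(v.lower())) < 8:
        out.append(f"{name}: low character variety, looks like a placeholder")
    return out


def find_machine_key(config_xml):
    """Return {attr: value} for the machineKey element, or None if absent."""
    root = ET.fromstring(config_xml)
    el = root.find(".//machineKey")  # ASSUMPTION: element name, see module docstring
    if el is None:
        return None
    return {k: el.get(k) for k in MIN_HEX}


def audit(configs):
    """Map instance name -> list of findings for a dict of {instance: config xml}."""
    findings = {}
    seen = defaultdict(list)  # (attr, key value) -> instances using it
    for inst, xml in configs.items():
        mk = find_machine_key(xml)
        if mk is None:
            findings[inst] = ["no machineKey element: keys fall back to defaults"]
            continue
        problems = []
        for name in MIN_HEX:
            problems.extend(key_findings(name, mk[name]))
            if mk[name] and HEX_RE.match(mk[name].strip()):
                seen[(name, mk[name].strip().lower())].append(inst)
        findings[inst] = problems
    # Step 2 requires unique keys per instance: report any key reused elsewhere.
    for (name, _), insts in seen.items():
        if len(insts) > 1:
            for inst in insts:
                others = ", ".join(i for i in insts if i != inst)
                findings[inst].append(f"{name}: shared with {others}")
    return findings


# Constructed sample keys (deterministic so the example is reproducible).
_VK = hashlib.sha512(b"constructed sample validation key").hexdigest()  # 128 hex chars
_DK = hashlib.sha256(b"constructed sample decryption key").hexdigest()  # 64 hex chars


def sample_configs():
    """Constructed configurations for four hypothetical SSRS instances."""
    good = (f'<configuration><system.web><machineKey validationKey="{_VK}" '
            f'decryptionKey="{_DK}" validation="HMACSHA256" decryption="AES"/>'
            '</system.web></configuration>')
    placeholder = ('<configuration><system.web><machineKey validationKey="'
                   + "A" * 128 + '" validation="HMACSHA256"/></system.web></configuration>')
    no_key = '<configuration><system.web/></configuration>'
    return {
        "ssrs-prod-01": good,
        "ssrs-prod-02": good,        # cloned image, same keys as prod-01
        "ssrs-dev-01": placeholder,  # placeholder validation key, no decryption key
        "ssrs-legacy-01": no_key,    # nothing configured at all
    }


if __name__ == "__main__":
    for inst, problems in audit(sample_configs()).items():
        print(inst, "->", problems or "ok")
```

Run it against real files by replacing `sample_configs()` with a dict of instance name to the contents of each server's configuration; an empty findings list means the instance has explicit, well-formed keys that no other audited instance shares.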
