SID 1:53256

Report a false positive

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP SQL Server Reporting Services web application remote code execution attempt

Rule Explanation

This event is generated when there is a potential remote code execution attempt exploiting a deserialization vulnerability in the SQL Server Reporting Services (SSRS) web application. Impact: NIST CVSS score Base Score: 8.8 HIGH Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Details: Low (Browser role) level user accounts may execute code on the server by exploiting the deserialization vulnerability. Ease of Attack:

What To Look For

This rule looks for a viewstate parameter that is making a call to System.Delegate in SQL Server

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

CVE-2020-0618

Additional Links

portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618

Rule Vulnerability

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2020-0618
 Loading description

MITRE ATT&CK Framework

Tactic: Initial Access

Technique: Exploit Public-Facing Application

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org