CVE-2018-8609
Published 2018-11-14
CVE-2018-8609: A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize web requests to an…
Priority P259 · high · CVSS 3.0 score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.72% (94.5th percentile)
A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize web requests to an affected Dynamics server, aka "Microsoft Dynamics 365 (on-premises) version 8 Remote Code Execution Vulnerability." This affects Microsoft Dynamics 365.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | dynamics_365 | >= 8.0 < 8.2.3.0003 | 8.2.3.0003 |
| microsoft | microsoft_dynamics_365 | — | — |
| msrc | microsoft_dynamics_365_version_8 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2018-8609 is exploitable by an authenticated attacker sending a specially crafted web request to an on-premises Microsoft Dynamics 365 (version 8) server; monitor for anomalous or malformed HTTP requests targeting Dynamics 365 endpoints.
- Successful exploitation results in code execution in the context of the SQL service account; alert on unexpected process spawning or outbound connections originating from the SQL service account on Dynamics 365 servers.
- Root cause is insufficient sanitization of web request input on the Dynamics server; inspect web/application logs on Dynamics 365 on-premises servers for unusual or malformed input in web requests.
- Scope is limited to Microsoft Dynamics 365 on-premises version 8 deployments; prioritize patching and monitoring for any on-prem Dynamics 365 v8 instances exposed to authenticated users.
- Exploit status confirmed as not publicly disclosed and not exploited in the wild at time of patch release; no public PoC available.
- Vulnerability only affects Microsoft Dynamics 365 on-premises version 8; cloud/hosted deployments are not in scope.
- Exploitation requires authentication; unauthenticated remote exploitation is not possible.
CVSS provenance
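| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vendor_msrc | — | 8.8 | CRITICAL | — |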
Microsoft
Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
vendor_msrc·2018-11-13·CVSS 8.8
CVE-2018-8609 [HIGH] Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) when the server fails to properly sanitize web requests to an affected Dynamics server. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SQL service account.
An authenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable Dynamics server.
The security update addresses the vulnerability by correcting how Microsoft Dynamics 365 (on-premises) validates and sanitizes user input.
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publ
GHSA
GHSA-h52h-3mwv-hvcq: A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize web requests
ghsa_unreviewed·2022-05-13
CVE-2018-8609 [HIGH] CWE-116 GHSA-h52h-3mwv-hvcq: A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize web requests
No detection rules found.
No public exploits indexed.
Qualys
November 2018 Patch Tuesday – 62 Vulns, TFTP Server RCE, Adobe PoC | Qualys
blogs_qualys·2018-11-13·CVSS 9.8
[CRITICAL] November 2018 Patch Tuesday – 62 Vulns, TFTP Server RCE, Adobe PoC | Qualys
This month’s Patch Tuesday addresses 62 vulnerabilities, with 12 of them labeled as Critical. Out of the Criticals, 8 are for the Chakra Scripting Engine used by Microsoft Edge. A Remote Code Execution vulnerability in Windows Deployment Services’ TFTP server is also addressed in this release. Adobe also patched three Important vulnerabilities this month, although there is a PoC exploit available for Adobe Acrobat and Reader.
### Workstation Patches
Browser and Scripting Engine patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users. Out of the 12 Critical vulnerabilities, 10 can be exploited through browsers or opening malicio