Microsoft Dynamics 365 Customer Engagement
cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:*:*:*
- 1612 (9.0.2.3034)
A vulnerability in Microsoft Dynamics 365 Customer Engagement (on-premises) version 1612 (9.0.2.3034) allows authenticated users with the 'Add Reporting Services Reports' privilege to upload .rdl files containing arbitrary SQL queries. These reports are processed by SQL Server Reporting Services, enabling the execution of the injected SQL commands on the underlying database. This vulnerability could lead to unauthorized data access or manipulation, depending on the permissions of the SQL Server Reporting Services account.
Exploitation of this vulnerability allows for the execution of arbitrary SQL commands in the database, with the potential to access sensitive data from other organizations on the same Dynamics 365 instance. Additionally, depending on the SQL Server Reporting Services account's permissions, it may be possible to execute operating system commands or access linked servers.
To reproduce this vulnerability, log into Dynamics 365 with a user assigned the 'Salesperson' role and the 'Add Reporting Services Reports' privilege. Create a new report and upload a crafted .rdl file that includes a SQL query. Once the report is saved, run it to execute the injected SQL command. The output can be verified by checking the results of the executed query, which may include sensitive information from other organizations on the same Dynamics 365 instance.
Microsoft recommends disabling the execution of elevated queries in SQL Server Reporting Services by setting the 'BlockElevatedReportServiceAccount' advanced setting to 'true'.
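The record above turns on the query text embedded in an uploaded .rdl definition, which Reporting Services runs under its own account. As an added example that is not part of this record or of Microsoft's tooling, the Python below extracts that query text from an .rdl file and flags datasets that do anything beyond a plain read, the kind of check a defender would run over report uploads (for instance when reviewing who holds the 'Add Reporting Services Reports' privilege and what they have uploaded). It assumes only the RDL XML layout (DataSet/Query/CommandText elements, matched by local name so the schema-version namespace does not matter); the sample report and the flag rules are constructed for illustration and are not a complete policy.

```python
"""Triage helper: list the SQL each dataset in an .rdl report definition runs,
and flag queries that do more than read data.

Added example for this page; not Microsoft's tooling. It assumes only that
RDL is XML whose DataSet/Query/CommandText elements carry the query text,
which holds across RDL schema versions (the namespace URI varies, so tags
are matched by local name). The flag rules are an assumption about what a
reviewer of uploaded reports would want to see, not a complete policy.
"""
import re
import xml.etree.ElementTree as ET

# Constructs a report dataset has no business using: data modification,
# procedure execution, reaching other servers, and multi-statement batches.
FLAG_RULES = {
    "modifies-data": re.compile(
        r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE)\b", re.I),
    "executes-procedure": re.compile(r"\b(EXEC|EXECUTE)\b", re.I),
    # OPENQUERY/OPENROWSET/OPENDATASOURCE or a four-part server.db.schema.object name
    "linked-server": re.compile(
        r"\b(OPENQUERY|OPENROWSET|OPENDATASOURCE)\b|\b\w+\.\w+\.\w+\.\w+\b", re.I),
    "multi-statement": re.compile(r";\s*\S"),
}


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def extract_queries(rdl_xml):
    """Return [(dataset_name, command_text)] for every dataset in the RDL."""
    root = ET.fromstring(rdl_xml)
    found = []
    for elem in root.iter():
        if _local(elem.tag) != "DataSet":
            continue
        name = elem.get("Name", "?")
        for child in elem.iter():
            if _local(child.tag) == "CommandText":
                found.append((name, (child.text or "").strip()))
    return found


def flag_query(sql):
    """Names of the rules the query trips; empty if it looks like a plain read."""
    return [rule for rule, pat in FLAG_RULES.items() if pat.search(sql)]


def triage(rdl_xml):
    """Map each dataset name to the list of flags raised by its query."""
    return {name: flag_query(sql) for name, sql in extract_queries(rdl_xml)}


# Constructed sample: one ordinary read-only dataset and one a reviewer should
# stop on. The namespace is the 2016 RDL one; matching is by local name, so
# 2008/2010 definitions parse the same way.
SAMPLE_RDL = """<?xml version="1.0" encoding="utf-8"?>
<Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition">
  <DataSources>
    <DataSource Name="CRM">
      <ConnectionProperties>
        <DataProvider>SQL</DataProvider>
        <ConnectString>data source=.;initial catalog=example_MSCRM</ConnectString>
      </ConnectionProperties>
    </DataSource>
  </DataSources>
  <DataSets>
    <DataSet Name="Accounts">
      <Query>
        <DataSourceName>CRM</DataSourceName>
        <CommandText>SELECT name, createdon FROM FilteredAccount</CommandText>
      </Query>
    </DataSet>
    <DataSet Name="Suspicious">
      <Query>
        <DataSourceName>CRM</DataSourceName>
        <CommandText>SELECT 1; EXEC sp_helpdb</CommandText>
      </Query>
    </DataSet>
  </DataSets>
</Report>
"""

if __name__ == "__main__":
    for dataset, flags in triage(SAMPLE_RDL).items():
        print(f"{dataset}: {'OK' if not flags else ', '.join(flags)}")
```

Run it against an exported or uploaded .rdl by reading the file into `triage()`; any dataset that raises a flag deserves a manual look, since a report that only surfaces data should need nothing beyond a single SELECT. The rules are deliberately coarse (string literals containing a semicolon will trip the multi-statement rule), which is the right bias for a review queue.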