Power Community

Power Community

Dynamics 365 Business Central and Dynamics NAV on-premises Security Vulnerability CVE-2022-41127: how to fix

image

On December 13, 2022 Microsoft disclosed a security vulnerability (coded CVE-2022-41127) that affects the on-premises versions of Dynamics 365 Business Central and Dynamics NAV.

An attacker who successfully exploited this vulnerability in Dynamics NAV and BC could execute code on the host server in the context of the service account Dynamics has been configured to use. The vulnerability exists due to insufficient validation of user-supplied input in the Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises). A remote user can pass specially crafted input to the application and execute arbitrary code on the target system. The opened port could be used to connect with the WCF TCP protocol. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server’s account through a network call.

Patching this should be an high priority for partners and mitigation requires to install a platform update.

My friend Duilio Tacconi (Microsoft CSS) wrote a great summary of what you need to know for patching the vulnerability. To help on spreading the informations across partners, here is a recap of what you need to know.

DYNAMICS 365 BUSINESS CENTRAL

Regarding Dynamics 365 Business Central patching, you can follow the simple table provided below. The minor version represents the earlies build where the issue has been fixed. For versions out of support in modern lifecycle, DVD have been refreshed with a new one by December 2022 that contains the platform changes to resolve the security problem.

Dynamics 365 Business Central Major VersionLifecycle TypeSupportabilityMinor VersionUpdate ProvidedKB ArticleDownload Link
2022 Wave 2 (21.x)ModernMainstream21.2Dec-22DownloadDownload
2022 Wave 1 (20.x)ModernMainstream20.8Dec-22DownloadDownload
2021 Wave 2 (19.x)ModernMainstream19.15Dec-22DownloadDownload
2021 Wave 1 (18.x)ModernOut of Support18.18Dec-22DownloadDownload
2020 Wave 2 (17.x)ModernOut of Support17.17Dec-22DownloadDownload
2020 Wave 1 (16.x)ModernOut of Support16.19Dec-22DownloadDownload
October 2019 (15.x)ModernOut of Support15.17Dec-22DownloadDownload
April 2019 (14.x)FixedMainstream14.43Dec-22DownloadDownload
October 2018 (13.x)FixedOut of SupportN/AN/AN/AN/A

DYNAMICS NAV

NAV 2018 (11.x) has been found affected.

This version was in mainstream support when the vulnerability was discovered.

Platform has been patched and security problem is resolved by deploying December 2022 cumulative update or higher:

Cumulative Update 59 for Microsoft Dynamics NAV 2018 (Build 49497) – Microsoft Support

NAV 2017 (10.0) has been found affected.

This version is out of mainstream support but still in extended support. The update (build 30712) that was released on December 13, 2022, fixes the remote code execution vulnerability. W1 and all localized version of this build can be downloaded at the links provided in this blog post: (+) CVE-2022-41127: Download localized DVDs for Dynamics NAV 2016 and NAV 2017 – Dynamics 365 Business Central Community

Dynamics NAV 2016 (9.0) has been found affected.

This version is out of mainstream support but still in extended support.

The update (build 52203) that was released on December 13, 2022, fixes the remote code execution vulnerability. W1 and all localized version of this build can be downloaded at the links provided in this blog post: (+) CVE-2022-41127: Download localized DVDs for Dynamics NAV 2016 and NAV 2017 – Dynamics 365 Business Central Community

Dynamics NAV 2015 (8.0) has been found affected.

This version is out of mainstream support but still in extended support. The update (build 52204) that was released on January 23, 2023, fixes the remote code execution vulnerability. W1 and all localized version of this build can be downloaded at the links provided in this blog post: (+) CVE-2022-41127: Download localized DVDs for Dynamics NAV 2015 – Dynamics 365 Business Central Community

Dynamics NAV 2013 R2 (7.1) has been found affected.

This investigation has been done on best effort by security team since NAV 2013 is currently out of support (end of extended support was 10th January 2023).

On best effort, product group has provided a W1 DVD that contains the platform changes to secure the bulletin. The update (build 52207, download from here) that was released on January 27, 2023 fixes a remote code execution vulnerability.

Dynamics NAV 2013 (7.0) has not been found affected.

This investigation has been done on best effort by security team since NAV 2013 is currently out of support (end of extended support was 10th January 2023).

Dynamics 365 Business Central October 2018 release (13.x), NAV 2009 (RTM/SP1/R2) and backwards

These versions were out of both mainstream and extended support so that Microsoft is not obliged to perform any security checks against these.

The position from Microsoft is that they could potentially be affected hence it is warmly recommended to upgrade them to a patched supported version as soon as possible.

Please react and update your customers.

This post was originally published on this site

- Advertisement -spot_img

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisement - Advertisement

Latest News

Preferred Solution | New feature | Microsoft Dataverse

Click on the below image to navigate to my YouTube Channel. Please like and share your valuable feedback on this...

More Articles Like This

- Advertisement -spot_img