Tesla Pays $10K For Microsoft SQL Server Reporting Services Bug (Feb 20, 2020)

Tesla has paid a $10,000 bounty for a vulnerability found on a Tesla server. The vulnerability, designated CVE-2020-0618, is in Microsoft SQL Server Reporting Services (SSRS) and allows a server-side injection that could be used for remote code execution. A patch for the vulnerability was released four days before a German bug hunter, “parzel”, discovered the vulnerability on the Tesla server and reported it through Bugcrowd.

Recommendation: It is important that your company has patch-maintenance policies in place. Once a vulnerability has been reported in open sources, threat actors will likely attempt to incorporate exploitation of that vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.