SQL Server Blog

SQL Server Vulnerability Alert: CVE-2025-59499

This isn’t in the SQL Server Regrets series of posts, but another great band from that era once started a song with, “Stop me, oh stop me… Stop me if you think that you’ve heard this one before… Stop me, oh, oh, oh, stop me. Stop me if you think that you’ve heard this one before… Nothing’s changed.”

I know you’ve heard this one before – because I’ve been saying it a lot, and I even just copied the last post from a couple months back about a slightly more serious one. It’s time to break your spleens and knees on patching your SQL Servers. (Morrissey exaggerated more than most of the LLMs do.)

On Patch Tuesday this week, Microsoft released an Important-severity security update for SQL Server with a CVSS base score of 8.8 (that’s really high).

Details of the vulnerability are available on the Microsoft Security Site.

In short, the vulnerability that Microsoft discovered and has now fixed is a bug in what appears to be a long-standing extended stored procedure used for backups, and a SQL injection attacker could exploit it. The “ingredients” for this vulnerability are not publicly known, there is no known exploit for it, and the security sites currently assess the exploitation risk as a bit lower.

It sounds like (look, I’m just reading what I see…) if a SQL injection attacker were successful at gaining access, they could “craft a malicious database name.” (Has anyone checked in on Rob Volk lately?) If they crafted the right malicious database name, it could cause bad stuff to happen because of this vulnerability in a proc that’s been used for backups for a long time. I don’t even want to imagine the horror that’s there – and if I weren’t busy, I’d be making a bunch of scary-looking database names to figure it out.

What Should We do, Mike?

Patch. You should always patch. Just patch. I don’t believe this is one where you need to freeze what you are doing and get patched immediately. Our team will be notifying all clients over the next two days in our daily communication to them and putting this on the radar. For regularly scheduled patching, we’re suggesting we quickly get this one in – but we are not looking for an out-of-band, scary zero-day holiday patching round for this one (but there’s still time… and look at the track record this year).

  • Get this one on the radar – if you have patches and tests planned, get this into the list (if you are on SQL Server 2016 and up).
  • If you don’t have a patch window scheduled, I’d say you should really try and have it done sometime over the next 3 months – get it in by end of January.
  • Run sp_checksecurity yourself and fix your security flaws – lock it down, remove your SAs, make sure your databases aren’t set TRUSTWORTHY and aren’t owned by sa, test your apps, yell at your management to put SQL input-accepting apps behind a WAF. Get some consulting help from friendly folks like our team if you aren’t sure – but really, just get that script from our GitHub and do what our links say. You’ll be better than 75% of the SQL Servers out there with just a little work.

Also be warned – the patches from Microsoft start with SQL Server 2016 (and you have to be on SP3). There are no patches for any version before SQL Server 2016. This does not mean that a SQL Server 2016 SP2 instance or a SQL Server 2014, 2012, etc. instance is safe; it just means you don’t get a patch, because those products are end of life and end of extended support. No patches. Ever.
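To turn the checklist and the version warning above into something you can actually run, here is an added T-SQL example. It is mine, not code from this post and not Straight Path’s sp_checksecurity. It reports the instance’s version and servicing level (only SQL Server 2016 SP3 and later get a patch), then lists the TRUSTWORTHY and sa-owned databases, the state of the sa login, and the sysadmin membership. It assumes you run it with a sysadmin-level login so that every database and login is visible; [AppDb] and [DbOwnerLogin] in the commented remediation are placeholders for your own names.

```sql
-- Added example, not from the post or from sp_checksecurity.
-- Run on each instance with a sysadmin-level login (assumption: needed to see every database and login).

-- 1. Version and servicing level. The post's point: patches start at SQL Server 2016 SP3;
--    anything older gets no patch and needs an upgrade instead.
SELECT
    SERVERPROPERTY('ProductMajorVersion') AS major_version,     -- 13 = 2016, 14 = 2017, 15 = 2019, 16 = 2022
    SERVERPROPERTY('ProductLevel')        AS service_pack,      -- SP3 on 2016; RTM on 2017+ (no service packs)
    SERVERPROPERTY('ProductUpdateLevel')  AS cumulative_update, -- e.g. CU12, NULL if none
    SERVERPROPERTY('ProductVersion')      AS build,
    CASE
        WHEN CAST(SERVERPROPERTY('ProductMajorVersion') AS int) < 13
            THEN 'End of life: no patch will ever ship for this version; plan an upgrade'
        WHEN CAST(SERVERPROPERTY('ProductMajorVersion') AS int) = 13
             AND CAST(SERVERPROPERTY('ProductLevel') AS nvarchar(128)) <> N'SP3'
            THEN 'SQL Server 2016 below SP3: get to SP3 first, then apply the security update'
        ELSE 'Patchable: compare this build against the CVE-2025-59499 security update for your version'
    END AS patch_status;

-- 2. Databases that are TRUSTWORTHY or owned by sa. Either one lets a compromised
--    database-level principal reach further than it should. msdb is TRUSTWORTHY by design;
--    anything else on this list needs fixing.
SELECT
    d.name,
    d.is_trustworthy_on,
    SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
   OR d.owner_sid = 0x01            -- 0x01 is the sid of the sa login
ORDER BY d.name;

-- 3. Is sa still enabled, and who is in the sysadmin role?
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- Remediation for one database, once your app tests pass. [AppDb] and [DbOwnerLogin] are placeholders.
-- ALTER DATABASE [AppDb] SET TRUSTWORTHY OFF;
-- ALTER AUTHORIZATION ON DATABASE::[AppDb] TO [DbOwnerLogin];
-- ALTER LOGIN [sa] DISABLE;
```

The remediation lines are commented out on purpose: flipping TRUSTWORTHY off or changing a database owner can break applications that silently relied on it, which is exactly why the post says to test your apps before you lock things down.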

SQL Server 2016 joins that list next summer. Why haven’t you upgraded yet?! We can help – just reach out.

On Patching/Upgrading Finally…
The year is almost over. I mean, it’s the holiday season – it’s practically over. Why aren’t you planning your upgrades yet? Tell your leadership that it’s not just good for performance and your sanity; they’re also probably not covered by their insurance policies if a breach occurs while they were literally negligent about industry best practices.

Get the patches at the links here.

Our DBA as a Service clients are getting notified tomorrow and Friday. Most will have their patches applied by us. And they aren’t sweating it. You can join them with us as your full on DBA team or just your Senior DBA team working with your DBAs to mentor/help/coach and with 18 of us – we’re never all on vacation at once.

We have 1.5 months left before the year is out. I’m not a betting person – but I wonder what the over/under is on another SQL Server patch for a CVE of 7 or higher coming out of Redmond before the year is over.

Article by Mike Walsh
Mike loves mentoring clients on the right Systems or High Availability architectures because he enjoys those lightbulb moments and loves watching the right design and setup come together for a client. He loves the architecture talks about the cloud - and he's enjoying building a Managed SQL Server DBA practice that is growing while maintaining values and culture. He started Straight Path in 2010 when he decided that after over a decade working with SQL Server in various roles, it was time to try and take his experience, passion, and knowledge to help clients of all shapes and sizes. Mike is a husband, and father to four great children and lives in the middle of nowhere NH.