SQL Server Blog

SQL Server Vulnerability Alert: CVE-2025-49719

On Patch Tuesday this week, Microsoft released an Important-severity security update (CVSS base score 7.5) for this vulnerability.

The details of this 0-day exploit are available to read on the NIST site and on the Microsoft security update site.

In short, the exploit that Microsoft has discovered and subsequently fixed can allow information disclosure. (That’s the kind of breach that can put your company in the headlines if the vulnerability is exploited and your environment is susceptible.)

An attacker does not need to be inside your network; they need to be able to reach your SQL Server in a way your applications or DBAs don’t intend. That could be a malicious insider or outsider holding too much permission, an API that does no input validation to catch SQL injection, or a website accepting input from users (authenticated or not) that neither validates that input nor sits behind a Web Application Firewall.
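The unvalidated-input path described above is the one defenders can close in their own code while the patch is being tested. The following T-SQL is an added example, not code from the original post or from Straight Path: it shows input concatenated into a statement beside the same lookup written with a typed parameter. The `#Customers` table, its rows, and the user input are constructed for the illustration.

```sql
-- Added example (not from the original post). Table, rows and input are constructed.
CREATE TABLE #Customers (CustomerId int PRIMARY KEY, Email nvarchar(256) NOT NULL);
INSERT INTO #Customers (CustomerId, Email)
VALUES (1, N'alice@example.com'), (2, N'bob@example.com');

-- Constructed input as an unvalidated web form or API might deliver it:
-- a quote that closes the literal, followed by text the author never intended to be SQL.
DECLARE @UserInput nvarchar(256) = N'alice@example.com'' OR 1=1 --';

-- Vulnerable form: the value is spliced into the statement text, so the
-- quote ends the literal and the remainder is parsed as part of the query.
DECLARE @Sql nvarchar(max) =
    N'SELECT CustomerId, Email FROM #Customers WHERE Email = N''' + @UserInput + N'''';
PRINT @Sql;        -- shows the rewritten predicate; every row would match
-- EXEC (@Sql);    -- intentionally left commented out

-- Parameterized form: the value is bound as a typed parameter and is never
-- parsed as SQL, so the whole string is compared against the Email column.
EXEC sys.sp_executesql
    N'SELECT CustomerId, Email FROM #Customers WHERE Email = @Email;',
    N'@Email nvarchar(256)',
    @Email = @UserInput;   -- returns no rows: no customer has that literal address

DROP TABLE #Customers;
```

Parameterization complements, rather than replaces, the patch: it narrows how arbitrary input reaches the engine, while only the update removes the flaw itself.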

Exploitation takes further steps – specific input parameter values, certain data types, and particular parameter lengths inside SQL Server. The fact remains, however, that you may be vulnerable, and you need to patch your SQL Servers.

As of the patch release on Tuesday, Microsoft, NIST, etc. knew of no “in the wild exploits” – but, as often happens, once a vulnerability is discovered and patched, the release of the fix means the recipe for an attack is now in the wild. The attackers have good teams, they use AI, and they are scraping, scanning, and digesting vulnerability alerts far faster than many corporate security teams deploy the fixes. So if there is no exploit of this yet, there could very well be one coming soon, or already deployed.

Short story here – stop what you are doing, test the patch, and release it.

Also be warned – the patches from Microsoft start with SQL Server 2016 (and you have to be on SP3). There are no patches for any version before SQL Server 2016. This does not mean that a SQL Server 2016 SP2 instance, or a SQL Server 2014, 2012, etc. instance, is safe; it just means you don’t get a patch, because those products are past end of life and end of extended support. No patches. Ever.
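To turn the version rules above into something you can run against each instance, here is an added T-SQL check; it is not code from the original post or from Microsoft. It reports the instance's product version, service pack level, and cumulative update, flags pre-2016 and 2016-below-SP3 instances as having no fix available, and compares the build number with the fixed build for your version. The fixed build numbers are not reproduced here: `@FixedBuild` is a placeholder you must fill in from Microsoft's CVE-2025-49719 advisory for the major version you are checking.

```sql
-- Added example (not from the original post). Replace the placeholder with the
-- fixed build number for YOUR major version, taken from Microsoft's advisory.
DECLARE @FixedBuild nvarchar(32) = N'<FIXED-BUILD-FROM-MS-ADVISORY>';  -- placeholder

DECLARE @Version nvarchar(32) = CONVERT(nvarchar(32), SERVERPROPERTY('ProductVersion')),
        @Level   nvarchar(32) = CONVERT(nvarchar(32), SERVERPROPERTY('ProductLevel')),
        @Update  nvarchar(32) = CONVERT(nvarchar(32), SERVERPROPERTY('ProductUpdateLevel')),
        @KB      nvarchar(64) = CONVERT(nvarchar(64), SERVERPROPERTY('ProductUpdateReference'));

-- ProductVersion looks like 13.0.7050.2: PARSENAME part 4 is the major version
-- (13 = SQL Server 2016), part 2 is the build number that the advisory lists.
DECLARE @Major int = CONVERT(int, PARSENAME(@Version, 4)),
        @Build int = CONVERT(int, PARSENAME(@Version, 2));

SELECT
    @@SERVERNAME AS ServerName,
    CONVERT(nvarchar(64), SERVERPROPERTY('Edition')) AS Edition,
    @Version AS ProductVersion,
    @Level   AS ProductLevel,          -- e.g. SP3 or RTM
    @Update  AS ProductUpdateLevel,    -- e.g. CU12, NULL if none
    @KB      AS ProductUpdateReference,
    CASE
        WHEN @Major < 13
            THEN N'Pre-2016: out of support, no fix will ship - plan an upgrade'
        WHEN @Major = 13 AND @Level <> N'SP3'
            THEN N'2016 below SP3: no fix for this level - move to SP3 first'
        WHEN @FixedBuild LIKE N'<%'
            THEN N'Supported version: fill in @FixedBuild from the advisory to compare'
        WHEN CONVERT(int, PARSENAME(@FixedBuild, 4)) <> @Major
            THEN N'@FixedBuild is for a different major version than this instance'
        WHEN @Build >= CONVERT(int, PARSENAME(@FixedBuild, 2))
            THEN N'Patched: build at or above the advisory fixed build'
        ELSE N'NOT patched: build below the advisory fixed build'
    END AS Assessment;
```

Run it once per instance (or through whatever multi-server query tooling you already use) and keep the output as your patching record; the Assessment column is only as accurate as the fixed build you paste into `@FixedBuild`.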

SQL Server 2016 joins that list next summer. Why haven’t you upgraded yet?! We can help – just reach out.

Get the patches at the links here.

Our DBA as a Service clients have all been notified already, and our team is already working to patch them, with several already safe before the weekend even starts. SQL Servers backing public-facing apps, environments with many users, APIs, etc. are first on the target list – but all SQL Servers should be patched. Your insurance company and your clients would be pretty upset if you were hit by an information disclosure security issue that had already been fixed and publicly announced.

Article by Mike Walsh
Mike loves mentoring clients on the right Systems or High Availability architectures because he enjoys those lightbulb moments and loves watching the right design and setup come together for a client. He loves the architecture talks about the cloud - and he's enjoying building a Managed SQL Server DBA practice that is growing while maintaining values and culture. He started Straight Path in 2010 when he decided that after over a decade working with SQL Server in various roles, it was time to try and take his experience, passion, and knowledge to help clients of all shapes and sizes. Mike is a husband, and father to four great children and lives in the middle of nowhere NH.
