Vulnerabilities > CVE-2014-4061 - Resource Management Errors vulnerability in Microsoft SQL Server 2008/2012

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
microsoft
CWE-399
nessus

Summary

Microsoft SQL Server 2008 SP3, 2008 R2 SP2, and 2012 SP1 do not properly control the use of stack memory when processing T-SQL batch commands, which allows remote authenticated users to cause a denial of service (daemon hang) via a crafted T-SQL statement, aka "Microsoft SQL Server Stack Overrun Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
8

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_id: MS14-044
bulletin_url:
date: 2014-08-12T00:00:00
impact: Denial of Service
knowledgebase_id: 2984340
knowledgebase_url:
severity: Important
title: Vulnerabilities in SQL Server Could Allow Elevation of Privilege

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS14-044.NASL
    description: The remote host has a version of Microsoft SQL Server installed. This version of SQL Server is affected by multiple vulnerabilities: (1) a cross-site scripting vulnerability exists in the SQL Master Data Services (CVE-2014-1820); (2) a denial of service vulnerability exists in SQL Server (CVE-2014-4061).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77162
    published: 2014-08-12
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77162
    title: MS14-044: Vulnerability in SQL Server Could Allow Elevation of Privilege (2984340)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration stanza: runs when the plugin is loaded with `description`
    # set, records the plugin's metadata and leaves through exit(0), so none of
    # the detection logic further down executes in that mode.
    if (description)
    {
      script_id(77162);
      script_version("1.14");
      script_cvs_date("Date: 2020/02/14");
    
      # One plugin covers both CVEs because the same bulletin fixes them.
      script_cve_id("CVE-2014-1820", "CVE-2014-4061");
      script_bugtraq_id(69071, 69088);
      script_xref(name:"MSFT", value:"MS14-044");
      # NOTE(review): none of the MSKB references below matches the bulletin KB
      # in the plugin title (2984340) or the per-branch KBs passed to
      # hotfix_is_vulnerable() later in this script (2977315 ... 2977326).
      # They look carried over from another plugin; confirm before relying on
      # them for patch tracking.
      script_xref(name:"MSKB", value:"983814");
      script_xref(name:"MSKB", value:"2716427");
      script_xref(name:"MSKB", value:"2716429");
      script_xref(name:"MSKB", value:"2716433");
      script_xref(name:"MSKB", value:"2716434");
      script_xref(name:"MSKB", value:"2716435");
      script_xref(name:"MSKB", value:"2716436");
      script_xref(name:"MSKB", value:"2716439");
      script_xref(name:"MSKB", value:"2716440");
      script_xref(name:"MSKB", value:"2716441");
      script_xref(name:"MSKB", value:"2716442");
      script_xref(name:"MSKB", value:"2754849");
    
      script_name(english:"MS14-044: Vulnerability in SQL Server Could Allow Elevation of Privilege (2984340)");
      script_summary(english:"Determines the version of the SQL Server.");
    
      # NOTE(review): the synopsis names only the cross-site scripting issue
      # (CVE-2014-1820); the denial of service (CVE-2014-4061) is mentioned in
      # the description text only.
      script_set_attribute(attribute:"synopsis", value:
    "A cross-site scripting vulnerability in SQL Server could allow an
    elevation of privilege.");
      script_set_attribute(attribute:"description", value:
    "The remote host has a version of Microsoft SQL Server installed. This
    version of SQL Server is affected by multiple vulnerabilities :
    
      - A cross-site scripting vulnerability exists in the
        SQL Master Data Services. (CVE-2014-1820)
    
      - A denial of service vulnerability exists in SQL Server.
        (CVE-2014-4061)");
      # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-044
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7712db7a");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for SQL Server 2008, 2008 R2,
    2012, and 2014.");
      # The vectors below are attributed to CVE-2014-1820 (see cvss_score_source)
      # and rate integrity impact only (I:P / I:L, A:N).  They do not express the
      # availability impact of CVE-2014-4061, so a finding from this plugin should
      # not be triaged for the denial of service from this score alone.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1820");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/08/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/12");
    
      # "local": the verdict is derived from sqlservr.exe file versions checked
      # with hotfix_is_vulnerable() below, not from a network banner.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
      script_end_attributes();
    
      # Information-gathering category: the script only reads KB items and file
      # versions; it never submits a T-SQL statement to the server.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Dependencies populate the KB entries read below (SQL Server installs,
      # registry enumeration, "bulletin checks possible" flag).
      script_dependencies("smb_hotfixes.nasl", "mssql_version.nasl", "smb_enum_services.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 1433, "Services/mssql", 'Host/patch_management_checks');
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    # Pre-flight for the credentialed MS14-044 check: stop unless bulletin checks
    # are possible on this host, then collect the SQL Server instances to test.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS14-044';
    # NOTE(review): this list is handed to hotfix_check_3rd_party() below, yet
    # none of its entries is the bulletin KB (2984340) or one of the KBs used in
    # the hotfix_is_vulnerable() calls of this script (2977315, 2977316,
    # 2977319, 2977320, 2977321, 2977322, 2977325, 2977326).  If the
    # patch-management path matches on these numbers it may report on the wrong
    # updates; confirm against the bulletin.
    kbs = make_list(
      "983814",
      "2716427",
      "2716429",
      "2716433",
      "2716434",
      "2716435",
      "2716436",
      "2716439",
      "2716440",
      "2716441",
      "2716442",
      "2754849"
    );
    
    # Patch-management mode: the verdict is delegated to the third-party patch
    # data instead of file-version checks (presumably this call does not
    # return; confirm in smb_hotfixes.inc).
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    
    # The file-version path needs an enumerated registry and a known Windows
    # version; a missing Windows version exits with code 1.
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    # One "mssql/installs/<path>/SQLVersion" entry per detected instance.
    ver_list = get_kb_list("mssql/installs/*/SQLVersion");
    
    # No recorded instance: report "not installed" rather than "not affected".
    if (isnull(ver_list))
       audit(AUDIT_NOT_INST, "Microsoft SQL Server");
    
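    # Database Services Core Instance
    #
    # For every SQL Server instance recorded in the KB, compare the file version
    # of its sqlservr.exe with the fixed builds of MS14-044 and count the
    # instances that are still below the fix.  `vuln` is read after the loop to
    # decide whether the host is reported.
    vuln = 0;  # explicit start value instead of relying on an unset variable
    foreach item (keys(ver_list))
    {
      # Reduce the KB key "mssql/installs/<path>/SQLVersion" to <path>.
      item -= 'mssql/installs/';
      item -= '/SQLVersion';
      sqlpath = item;
    
      # NOTE(review): an instance whose share cannot be reached is skipped
      # silently, so a host can end up audited as "not affected" although the
      # instance was never checked.  Treat that verdict with care when SMB
      # access to the install volume is restricted.
      share = hotfix_path2share(path:sqlpath);
      if (!is_accessible_share(share:share)) continue;
    
      # Only the 2008 (10.0), 2008 R2 (10.50), 2012 (11.0) and 2014 (12.0)
      # branches are covered by this bulletin check.
      version = get_kb_item("mssql/installs/" + sqlpath + "/SQLVersion");
      if (version !~ "^11\.0\." && version !~ "^10\.0\." && version !~ "^10\.50\." && version !~ "^12\.0\.") continue;
    
      sqltype = get_kb_item("mssql/installs/" + sqlpath + "/edition_type");
      if (isnull(sqltype)) sqltype = get_kb_item("mssql/installs/" + sqlpath + "/edition");
    
      # Windows Internal Database instances are excluded from this check.
      if ('Windows Internal Database' >< sqltype) continue;
    
      sqlarch = get_kb_item("mssql/installs/" + sqlpath + "/arch");
    
      # SQL Server 2014.
      # NOTE(review): && binds tighter than ||, so the path/x64 guard gates only
      # the GDR comparison while the QFE comparison runs for every architecture.
      # The extra parentheses spell out that existing evaluation order without
      # changing the result.  Narrowing the QFE branch to x64 would reduce
      # detection coverage, so confirm whether the x64 restriction is wanted at
      # all before moving the guard.
      if (
        (
          (sqlpath && sqlarch && 'x64' >< sqlarch) &&
          # 2014 GDR
          hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2014.120.2254.0", min_version:"2014.120.2000.0", bulletin:bulletin, kb:'2977315')
        ) ||
        # 2014 QFE
        hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2014.120.2381.0", min_version:"2014.120.2300.0", bulletin:bulletin, kb:'2977316')
      )
      {
        vuln++;
      }
    
      # SQL Server 2012 / 2008 R2 / 2008.  The comparisons are grouped so that
      # the sqlpath guard covers every branch, not just the first one.
      if (
        sqlpath &&
        (
          # 2012 GDR
          hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2011.110.3153.0", min_version:"2011.110.3000.0", bulletin:bulletin, kb:'2977326') ||
    
          # 2012 QFE
          hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2011.110.3460.0", min_version:"2011.110.3300.0", bulletin:bulletin, kb:'2977325') ||
    
          # 2008 R2 SP2 QFE (the advisory lists 2008 R2 SP2 as the affected
          # service pack; this branch was previously labelled SP1)
          hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2009.100.4321.0", min_version:"2009.100.4251.0", bulletin:bulletin, kb:'2977319') ||
    
          # 2008 R2 SP2 GDR (previously labelled SP1)
          hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2009.100.4033.0", min_version:"2009.100.4000.0", bulletin:bulletin, kb:'2977320') ||
    
          # 2008 SP3 QFE
          hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2007.100.5869.0", min_version:"2007.100.5750.0", bulletin:bulletin, kb:"2977322") ||
    
          # 2008 SP3 GDR
          hotfix_is_vulnerable(path:sqlpath, file:"sqlservr.exe", version:"2007.100.5520.0", min_version:"2007.100.5500.0", bulletin:bulletin, kb:'2977321')
        )
      )
      {
        vuln++;
      }
    }
    # Ends the file-version checking session started by the hotfix helpers.
    hotfix_check_fversion_end();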
    
    # Final verdict.  audit() ends the script, so everything after the guard is
    # reached only when at least one instance was counted as unpatched.
    if (!vuln) audit(AUDIT_HOST_NOT, 'affected');
    
    # Record the missing bulletin for other plugins and reports.
    set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
    # The XSS flag is raised because the same bulletin also fixes CVE-2014-1820.
    set_kb_item(name:"www/0/XSS", value:TRUE);
    hotfix_security_warning();
    exit(0);
    
  • NASL family: Windows
    NASL id: SMB_KB2984340.NASL
    description: The remote host has a version of Microsoft SQL Server installed. This version of SQL Server is potentially affected by multiple vulnerabilities: (1) a cross-site scripting vulnerability exists in the SQL Master Data Services (CVE-2014-1820); (2) a denial of service vulnerability exists in SQL Server (CVE-2014-4061).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77161
    published: 2014-08-12
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77161
    title: MS14-044: Vulnerability in SQL Server Could Allow Elevation of Privilege (2984340) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration stanza for the uncredentialed variant: runs when the plugin
    # is loaded with `description` set, records the metadata and leaves through
    # exit(0) before any detection logic.
    if (description)
    {
      script_id(77161);
      script_version("1.10");
      script_cvs_date("Date: 2020/02/14");
    
      # One plugin covers both CVEs because the same bulletin fixes them.
      script_cve_id("CVE-2014-1820", "CVE-2014-4061");
      script_bugtraq_id(69071, 69088);
      script_xref(name:"MSFT", value:"MS14-044");
      script_xref(name:"MSKB", value:"2984340");
    
      script_name(english:"MS14-044: Vulnerability in SQL Server Could Allow Elevation of Privilege (2984340) (uncredentialed check)");
      script_summary(english:"Determines the version of the SQL Server.");
    
      # NOTE(review): the synopsis names only the cross-site scripting issue
      # (CVE-2014-1820); the denial of service (CVE-2014-4061) is mentioned in
      # the description text only.
      script_set_attribute(attribute:"synopsis", value:
    "A cross-site scripting vulnerability in SQL Server could allow an
    elevation of privilege.");
      script_set_attribute(attribute:"description", value:
    "The remote host has a version of Microsoft SQL Server installed. This
    version of SQL Server is potentially affected by multiple
    vulnerabilities :
    
      - A cross-site scripting vulnerability exists in the
        SQL Master Data Services. (CVE-2014-1820)
    
      - A denial of service vulnerability exists in SQL Server.
        (CVE-2014-4061)");
      # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-044
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7712db7a");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for SQL Server 2008, 2008 R2,
    2012, and 2014.");
      # NOTE(review): the two base vectors disagree.  The CVSS2 vector rates
      # integrity only (I:P/A:N) while the CVSS3 vector rates availability only
      # (I:N/A:H) with no privileges required, and cvss_score_source names
      # CVE-2014-1820 (the XSS).  The vectors appear to describe different CVEs;
      # confirm which one should drive the reported severity.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1820");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # The list starts with 20, 74 and 79 (input validation, injection, XSS),
      # i.e. it classifies the XSS; presumably the remaining ids are related
      # categories and views.  It carries no resource-management weakness for
      # the denial of service (CVE-2014-4061) - confirm if CWE-based filtering
      # is used on findings.
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/08/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/12");
    
      # Flagged as a potential finding: the verdict rests on the version the
      # service reports over the network, not on the patched binaries.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
      script_end_attributes();
    
      # Information-gathering category: the script only reads KB items written
      # by service detection; it never submits a T-SQL statement to the server.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mssqlserver_detect.nasl");
      # Requires the paranoid-report setting; the body re-checks report_paranoia
      # before doing anything else.
      script_require_keys("Settings/ParanoidReport");
      script_require_ports(1433, "Services/mssql");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    # Uncredentialed MS14-044 check.  The verdict is derived purely from the
    # version string that service detection stored in the KB, which is why the
    # plugin insists on paranoid reporting: a version number cannot prove that
    # the fixed binaries are absent.
    if (report_paranoia < 2)
      audit(AUDIT_PARANOID);
    
    port = get_service(svc:"mssql", exit_on_fail:TRUE);
    pcidss = get_kb_item("Settings/PCI_DSS");
    
    ver = get_kb_item("MSSQL/" + port + "/Version");
    if (!ver) audit(AUDIT_SERVICE_VER_FAIL,"MSSQL", port);
    
    # Convert the dotted version once instead of on every comparison.
    v = split(ver, sep:".", keep:FALSE);
    sql_major = int(v[0]);
    sql_minor = int(v[1]);
    sql_build = int(v[2]);
    
    is_affected = FALSE;
    
    if (sql_major == 10 && sql_minor == 0)
    {
      # SQL Server 2008: below SP3 (PCI DSS scans only), SP3 GDR, SP3 QFE
      if (
        (pcidss && sql_build < 5500) ||
        (sql_build >= 5500 && sql_build < 5520) ||
        (sql_build >= 5750 && sql_build < 5869)
      ) is_affected = TRUE;
    }
    else if (sql_major == 10 && sql_minor == 50)
    {
      # SQL Server 2008 R2: below SP2 (PCI DSS scans only), SP2 GDR, SP2 QFE
      if (
        (pcidss && sql_build < 4000) ||
        (sql_build >= 4000 && sql_build < 4033) ||
        (sql_build >= 4251 && sql_build < 4321)
      ) is_affected = TRUE;
    }
    else if (sql_major == 11 && sql_minor == 0)
    {
      # SQL Server 2012: below SP1 (PCI DSS scans only), GDR, QFE
      if (
        (pcidss && sql_build < 3000) ||
        (sql_build >= 3000 && sql_build < 3153) ||
        (sql_build >= 3300 && sql_build < 3460)
      ) is_affected = TRUE;
    }
    else if (sql_major == 12 && sql_minor == 0)
    {
      # SQL Server 2014: GDR, QFE
      if (
        (sql_build >= 2000 && sql_build < 2254) ||
        (sql_build >= 2300 && sql_build < 2381)
      ) is_affected = TRUE;
    }
    
    # audit() ends the script, so the reporting below is reached only for an
    # affected build range.
    if (!is_affected) audit(AUDIT_INST_VER_NOT_VULN, "MSSQL", ver);
    
    # The XSS flag is raised because the same bulletin also fixes CVE-2014-1820.
    set_kb_item(name:"www/0/XSS", value:TRUE);
    version = get_kb_item("MSSQL/" + port + "/Version");
    instance = get_kb_item("MSSQL/" + port + "/InstanceName");
    if(!isnull(version) || !empty_or_null(instance))
    {
      # Build the evidence lines shown with the finding.
      report = '';
      if(version) report += '\n  SQL Server Version   : ' + version;
      if(!empty_or_null(instance)) report += '\n  SQL Server Instance  : ' + instance;
    }
    
    security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
    exit(0);