Vulnerabilities > CVE-2018-8273 - Out-of-bounds Write vulnerability in Microsoft SQL Server 2016/2017

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
microsoft
CWE-787
critical
nessus

Summary

A buffer overflow vulnerability exists in the Microsoft SQL Server that could allow remote code execution on an affected system, aka "Microsoft SQL Server Remote Code Execution Vulnerability." This affects Microsoft SQL Server.

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS18_AUG_MSSQL.NASL
    description: The remote Microsoft SQL Server is missing a security update. It is, therefore, affected by a buffer overflow vulnerability that could allow remote code execution on an affected system. An attacker who successfully exploited the vulnerability could execute code in the context of the SQL Server Database Engine service account.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 111786
    published: 2018-08-16
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111786
    title: Security Updates for Microsoft SQL Server 2016 and 2017 x64 (August 2018)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration block: when `description` is true only the metadata calls
    # below run, and the exit(0) at the end of the block stops the script
    # before any of the host checks further down.
    if (description)
    {
      script_id(111786);
      script_version("1.9");
      script_cvs_date("Date: 2020/02/14");
    
      # One CVE, six KB articles. The KB numbers listed here are the same six
      # that the file-version checks in the main body pass as `kb:`.
      script_cve_id("CVE-2018-8273");
      script_xref(name:"MSFT", value:"MS18-4458842");
      script_xref(name:"MSFT", value:"MS18-4293808");
      script_xref(name:"MSFT", value:"MS18-4293802");
      script_xref(name:"MSFT", value:"MS18-4458621");
      script_xref(name:"MSFT", value:"MS18-4293803");
      script_xref(name:"MSFT", value:"MS18-4293805");
      script_xref(name:"MSKB", value:"4458842");
      script_xref(name:"MSKB", value:"4293808");
      script_xref(name:"MSKB", value:"4293802");
      script_xref(name:"MSKB", value:"4458621");
      script_xref(name:"MSKB", value:"4293803");
      script_xref(name:"MSKB", value:"4293805");
    
      script_name(english:"Security Updates for Microsoft SQL Server 2016 and 2017 x64 (August 2018)");
      script_summary(english:"Checks for SQL Server updates.");
    
      # NOTE(review): the synopsis says "multiple vulnerabilities", but only
      # CVE-2018-8273 is registered above and the description text speaks of a
      # single buffer overflow.
      script_set_attribute(attribute:"synopsis", value:
    "The remote SQL server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Microsoft SQL Server is missing a security update. It is,
    therefore, affected by buffer overflow vulnerability that could allow
    remote code execution on an affected system.
    An attacker who successfully exploited the vulnerability could execute code
    in the context of the SQL Server Database Engine service account.");
      # Each see_also value is a shortened link; the comment above it gives the
      # vendor URL it stands for.
      # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8273
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?02637930");
      # https://support.microsoft.com/en-us/help/4458842/description-of-the-security-update-for-the-remote-code-execution-vulne
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b5296772");
      # https://support.microsoft.com/en-us/help/4293808/security-update-for-remote-code-execution-vulnerability-in-sql-server
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ded4707c");
      # https://support.microsoft.com/en-us/help/4293802/description-of-the-security-update-for-the-remote-code-execution-vulne
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cc2f6328");
      # https://support.microsoft.com/en-us/help/4458621/description-of-the-security-update-for-the-remote-code-execution
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4ab5e14c");
      # https://support.microsoft.com/en-us/help/4293803/description-of-the-security-update-for-the-remote-code-execution-vulne
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0c6a7711");
      # https://support.microsoft.com/en-us/help/4293805/security-update-for-remote-code-execution-vulnerability-in-sql-server
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?82d9f22e");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for x64 versions of SQL Server 2016 and 2017.");
      # Base vectors: network attack vector, low complexity, no authentication
      # or privileges, complete/high impact on confidentiality, integrity and
      # availability. Temporal vectors: exploit unproven (E:U), official fix
      # available, report confirmed.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8273");
    
      # Matches the E:U temporal metric above; this is a point-in-time statement
      # tied to the plugin revision, not a guarantee.
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      # NOTE(review): patch_publication_date (2018/08/13) is one day earlier than
      # vuln_publication_date (2018/08/14) - confirm against the vendor advisory.
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/16");
    
      # "local" plugin type: the main body compares setup.exe file versions
      # through the host's file shares instead of probing the SQL listener, so
      # a result depends on the scan being able to read those shares
      # (presumably with credentials - confirm in the scan policy).
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Plugins that must run first. The main body reads KB entries under
      # SMB/... and mssql/installs/..., presumably populated by these.
      script_dependencies("smb_hotfixes.nasl", "mssql_version.nasl", "smb_enum_services.nasl", "ms_bulletin_checks_possible.nasl");
      # Required KB key; the main body re-checks the same key before doing any work.
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 1433, "Services/mssql", "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    # Gate: stop here unless the bulletin-check prerequisite key is in the KB.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    # Bulletin label used for reporting and for the SMB/Missing/<bulletin> KB
    # entry written at the end of the script.
    bulletin = 'MS18-08';
    # KB article numbers of the six updates; the same six numbers are passed
    # one by one as `kb:` in the file-version checks below.
    kbs = make_list(
      "4458842",
      "4293808",
      "4293802",
      "4458621",
      "4293803",
      "4293805"
    );
    
    # When patch-management data exists for the host, the KB list is handed to
    # the third-party patch check.
    # NOTE(review): whether hotfix_check_3rd_party() returns or ends the script
    # is decided in the hotfix include files, not visible here.
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    # Both keys are required; a missing SMB/WindowsVersion exits with code 1.
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    # Recorded SQL Server installs, keyed as mssql/installs/<path>/SQLVersion.
    ver_list = get_kb_list("mssql/installs/*/SQLVersion");
    
    # No recorded install: audit the host as "not installed".
    if (isnull(ver_list)) audit(AUDIT_NOT_INST, "Microsoft SQL Server");
    
    # Setup Bootstrap directories for the 130 (SQL Server 2016) and 140
    # (SQL Server 2017) trees under Program Files. setup.exe in these
    # directories is the file whose version is compared in the loop below.
    program_files_dir = hotfix_get_programfilesdir();
    setup_2016_path = program_files_dir + "\Microsoft SQL Server\130\Setup Bootstrap\SQLServer2016";
    setup_2017_path= program_files_dir + "\Microsoft SQL Server\140\Setup Bootstrap\SQL2017";
    
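    # Finding counter tested after the loop. Set explicitly so the final
    # affected / not-affected decision does not rest on the value of a
    # variable that was never assigned.
    vuln = 0;
    
    # Walk every recorded SQL Server install and run the August 2018 file-version
    # checks for each x64 install of SQL Server 2016 (13.0.x) or 2017 (14.0.x).
    foreach item (keys(ver_list))
    {
      # Strip the trailing key name, leaving the install's KB prefix.
      item -= '/SQLVersion';
      arch = get_kb_item(item + "/arch");
      # The updates covered here are for x64 only.
      if (arch != "x64") continue;
      # Strip the KB prefix as well, leaving the install path itself.
      item -= 'mssql/installs/';
      sqlpath = item;
    
      # An install whose share cannot be reached is skipped silently. If every
      # install is skipped this way the script ends with "not affected", so a
      # clean result is only meaningful when the shares were readable.
      share = hotfix_path2share(path:sqlpath);
      if (!is_accessible_share(share:share)) continue;
    
      version = get_kb_item("mssql/installs/" + sqlpath + "/SQLVersion");
    
      # continue if not SQL Server 2016 or 2017
      if (version !~ "^13\.0\." && version !~ "^14\.0\.") continue;
    
      # One check per servicing branch. `version` is the setup.exe version
      # shipped by the KB named in `kb:`; `min_version` is the lower bound of the
      # branch (presumably so that only builds on that branch are flagged -
      # confirm in smb_hotfixes_fcheck.inc).
      # The paths are the host-wide Setup Bootstrap directories, not sqlpath, so
      # the outcome describes the host rather than the individual install.
      if (
        # 2016 GDR SP1
        hotfix_is_vulnerable(path:setup_2016_path, file:"setup.exe", version:"2015.130.4224.16", min_version:"2015.130.4001.0", bulletin:bulletin, kb:'4458842') ||
        # 2016 CU SP1
        hotfix_is_vulnerable(path:setup_2016_path, file:"setup.exe", version:"2015.130.4522.0", min_version:"2015.130.4411.0", bulletin:bulletin, kb:'4293808') ||
        # 2016 GDR SP2
        hotfix_is_vulnerable(path:setup_2016_path, file:"setup.exe", version:"2015.131.5081.1", min_version:"2015.131.5026.0", bulletin:bulletin, kb:'4293802') ||
        # 2016 CU SP2
        hotfix_is_vulnerable(path:setup_2016_path, file:"setup.exe", version:"2015.131.5201.2", min_version:"2015.131.5149.0", bulletin:bulletin, kb:'4458621') ||
        # 2017 GDR
        hotfix_is_vulnerable(path:setup_2017_path, file:"setup.exe", version:"2017.140.2002.14", min_version:"2017.140.1000.169", bulletin:bulletin, kb:'4293803') ||
        # 2017 CU
        hotfix_is_vulnerable(path:setup_2017_path, file:"setup.exe", version:"2017.140.3035.2", min_version:"2017.140.3006.16", bulletin:bulletin, kb:'4293805')
      )
      {
        vuln++;
      }
    }
    # Closes the file-version check session once all installs are processed.
    hotfix_check_fversion_end();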
    
    # Final verdict: with no matching check the host is audited as not
    # affected; otherwise the missing bulletin is recorded in the KB and the
    # finding is reported.
    if (!vuln)
    {
      audit(AUDIT_HOST_NOT, 'affected');
    }
    else
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      exit(0);
    }
    
  • NASL family: Windows
    NASL id: SMB_NT_MS18_AUG_MSSQL_REMOTE.NASL
    description: The remote Microsoft SQL Server is missing a security update. It is, therefore, affected by a buffer overflow vulnerability that could allow remote code execution on an affected system. An attacker who successfully exploited the vulnerability could execute code in the context of the SQL Server Database Engine service account.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122486
    published: 2019-02-28
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122486
    title: Security Updates for Microsoft SQL Server 2016 and 2017 x64 (August 2018) (uncredentialed check)

The Hacker News

id: THN:F033FC8698702175A4736D089C3C9D13
last seen: 2018-08-14
modified: 2018-08-14
published: 2018-08-14
reporter: The Hacker News
source: https://thehackernews.com/2018/08/microsoft-patch-updates.html
title: Microsoft Releases Patches for 60 Flaws—Two Under Active Attack