Vulnerabilities > CVE-2019-1068 - Unspecified vulnerability in Microsoft SQL Server 2014/2016/2017

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus

Summary

A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions, aka 'Microsoft SQL Server Remote Code Execution Vulnerability'.

Vulnerable Configurations

Part Description Count
Application
Microsoft
5

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_MSSQL.NASL
    descriptionThe Microsoft SQL Server installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability : - A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account. (CVE-2019-1068)
    last seen2020-06-01
    modified2020-06-02
    plugin id126631
    published2019-07-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126631
    titleSecurity Updates for Microsoft SQL Server (July 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126631);
      script_version("1.4");
      script_cvs_date("Date: 2020/02/14");
    
      script_cve_id("CVE-2019-1068");
      script_bugtraq_id(108954);
      script_xref(name:"MSKB", value:"4505217");
      script_xref(name:"MSKB", value:"4505419");
      script_xref(name:"MSKB", value:"4505422");
      script_xref(name:"MSKB", value:"4505218");
      script_xref(name:"MSKB", value:"4505219");
      script_xref(name:"MSKB", value:"4505225");
      script_xref(name:"MSKB", value:"4505224");
      script_xref(name:"MSKB", value:"4505222");
      script_xref(name:"MSKB", value:"4505221");
      script_xref(name:"MSKB", value:"4505220");
      script_xref(name:"MSFT", value:"MS19-4505217");
      script_xref(name:"MSFT", value:"MS19-4505419");
      script_xref(name:"MSFT", value:"MS19-4505422");
      script_xref(name:"MSFT", value:"MS19-4505218");
      script_xref(name:"MSFT", value:"MS19-4505219");
      script_xref(name:"MSFT", value:"MS19-4505225");
      script_xref(name:"MSFT", value:"MS19-4505224");
      script_xref(name:"MSFT", value:"MS19-4505222");
      script_xref(name:"MSFT", value:"MS19-4505221");
      script_xref(name:"MSFT", value:"MS19-4505220");
    
      script_name(english:"Security Updates for Microsoft SQL Server (July 2019)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft SQL Server installation on the remote host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft SQL Server installation on the remote host is
    missing a security update. It is, therefore, affected by the
    following vulnerability :
    
      - A remote code execution vulnerability exists in
        Microsoft SQL Server when it incorrectly handles
        processing of internal functions. An attacker who
        successfully exploited this vulnerability could execute
        code in the context of the SQL Server Database Engine
        service account.  (CVE-2019-1068)");
      # https://support.microsoft.com/en-us/help/4505217/security-update-for-sql-server-2014-sp2-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a359a1a6");
      # https://support.microsoft.com/en-us/help/4505419/description-of-the-security-update-for-sql-server-2014-sp2-cu17-gdr-ju
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3515161a");
      # https://support.microsoft.com/en-us/help/4505422/security-update-for-sql-server-2014-sp3-cu3-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e525f475");
      # https://support.microsoft.com/en-us/help/4505218/description-of-the-security-update-for-sql-server-2014-sp3-gdr-july-9
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?619cf09c");
      # https://support.microsoft.com/en-us/help/4505219/security-update-for-sql-server-2016-sp1-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87d34b59");
      # https://support.microsoft.com/en-us/help/4505225/security-update-for-sql-server-2017-cu15-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2e915a50");
      # https://support.microsoft.com/en-us/help/4505224/description-of-the-security-update-for-sql-server-2017-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d9e5dfaf");
      # https://support.microsoft.com/en-us/help/4505222/security-update-for-sql-server-2016-sp2-cu7-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2a252018");
      # https://support.microsoft.com/en-us/help/4505221/description-of-the-security-update-for-sql-server-2016-sp1-cu15-gdr-ju
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?893cb218");
      # https://support.microsoft.com/en-us/help/4505220/security-update-for-sql-server-2016-sp2-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d42b7b26");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security updates to address this issue:  
      -KB4505217
      -KB4505419
      -KB4505422
      -KB4505218
      -KB4505219
      -KB4505225
      -KB4505224
      -KB4505222
      -KB4505221
      -KB4505220");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1068");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_hotfixes.nasl", "mssql_version.nasl", "smb_enum_services.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 1433, "Services/mssql", "Host/patch_management_checks");
    
      exit(0);
    }
    
    include('audit.inc');
    include('smb_func.inc');
    include('smb_hotfixes.inc');
    include('smb_hotfixes_fcheck.inc');
    include('misc_func.inc');
    
    get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
    
    kbs = make_list(
      '4505217',
      '4505218',
      '4505219',
      '4505220',
      '4505221',
      '4505222',
      '4505224',
      '4505225',
      '4505419',
      '4505422'
    );
    
    if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(kbs:kbs, severity:SECURITY_WARNING);
    
    get_kb_item_or_exit('SMB/Registry/Enumerated');
    get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);
    
    vuln = 0;
    ver_list = get_kb_list('mssql/installs/*/SQLVersion');
    program_files_dir = hotfix_get_programfilesdir();
    program_files_x86_dir = hotfix_get_programfilesdirx86();
    
    if (isnull(ver_list)) audit(AUDIT_NOT_INST, 'Microsoft SQL Server');
    
    foreach item (keys(ver_list))
    {
      item -= '/SQLVersion';
    
      arch = get_kb_item(item + '/arch');
    
      item -= 'mssql/installs/';
      sqlpath = item;
    
      share = hotfix_path2share(path:sqlpath);
    
      if (!is_accessible_share(share:share)) continue;
    
      version = get_kb_item('mssql/installs/' + sqlpath + '/SQLVersion');
    
      if(empty_or_null(version)) continue;
    
    
      ############
      # 2014
      ############
      if (version =~ "^12\.0\.")
      { 
        sqlpath = '\\Microsoft SQL Server\\120\\Setup Bootstrap\\SQLServer2014';
        if(
          # 2014 SP2 GDR
          # KB 4505217
          hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2014.120.5223.6', min_version:'2014.120.5000.0', kb:'4505217') ||
          (arch == 'x86' &&
          hotfix_is_vulnerable(path:program_files_x86_dir + sqlpath, file:'setup.exe', version:'2014.120.5223.6', min_version:'2014.120.5000.0', kb:'4505217')
          ) ||
    
          # 2014 SP2 CU17 + GDR
          # KB 4505419
          hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2014.120.5659.1', min_version:'2014.120.5300.0', kb:'4505419') ||
          (arch == 'x86' &&
          hotfix_is_vulnerable(path:program_files_x86_dir + sqlpath, file:'setup.exe', version:'2014.120.5659.1', min_version:'2014.120.5300.0', kb:'4505419')
          ) ||
    
          # 2014 SP3 GDR
          # KB 4505418
          hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2014.120.6108.1', min_version:'2014.120.6100.0', kb:'4505418') ||
          (arch == 'x86' &&
          hotfix_is_vulnerable(path:program_files_x86_dir + sqlpath, file:'setup.exe', version:'2014.120.6108.1', min_version:'2014.120.6100.0', kb:'4505418')
          ) ||
    
          # 2014 SP3 CU3 + GDR
          # KB 4505422
          hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2014.120.6293.0', min_version:'2014.120.6200.0', kb:'4505422') ||
          (arch == 'x86' &&
          hotfix_is_vulnerable(path:program_files_x86_dir + sqlpath, file:'setup.exe', version:'2014.120.6293.0', min_version:'2014.120.6200.0', kb:'4505422')
          )
        )
          vuln++;
      }
    
    
      ############
      # 2016
      ############
      else if (version =~ "^13\.0\.")
      {
        sqlpath = '\\Microsoft SQL Server\\130\\Setup Bootstrap\\SQLServer2016';
        if(
           # 2016 SP1 GDR
           # KB 4505219
           hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2015.130.4259.0', min_version:'2015.130.4000.0', kb:'4505219') ||
           (arch == 'x86' &&
           hotfix_is_vulnerable(path:program_files_x86_dir + sqlpath, file:'setup.exe', version:'2015.130.4259.0', min_version:'2015.130.4000.0', kb:'4505219')
           ) ||
    
           # 2016 SP1 CU15 + GDR
           # KB 4505221
           hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2015.130.4466.4', min_version:'2015.130.4400.0', kb:'4505221') ||
           (arch == 'x86' &&
           hotfix_is_vulnerable(path:program_files_x86_dir + sqlpath, file:'setup.exe', version:'2015.130.4466.4', min_version:'2015.130.4400.0', kb:'4505221')
           ) ||
    
           # 2016 SP2 GDR
           # KB 4505220
           #  - x64 only
           (arch == 'x64' &&
            hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2015.131.5101.9', min_version:'2015.131.5000.0', kb:'4505220')
           ) ||
    
           # 2016 SP2 CU7 + GDR
           # KB 4505222
           #  - x64 only
          (arch == 'x64' &&
           hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2015.131.5366.0', min_version:'2015.131.5250.0', kb:'4505222')
          )
        )
          vuln++;
      }
    
    
      ############
      # 2017
      ############
      else if ( version =~ "^14\.0\.")
      {
        sqlpath = '\\Microsoft SQL Server\\140\\Setup Bootstrap\\SQL2017';
        if(
          # 2017 GDR
          # KB 4505224
          #  - x64 only
          (arch == 'x64' &&
          hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2017.140.2021.2', min_version:'2017.140.1000.0', kb:'4505224')
          ) ||
    
          # 2017 CU15 + GDR
          # KB 4505225
          #  - x64 only
          (arch == 'x64' &&
          hotfix_is_vulnerable(path:program_files_dir + sqlpath, file:'setup.exe', version:'2017.140.3192.2', min_version:'2017.140.3000.0', kb:'4505225')
          )
        )
          vuln++;
      }
    }
    
    hotfix_check_fversion_end();
    
    if (vuln)
    {
      hotfix_security_warning();
      exit(0);
    }
    audit(AUDIT_HOST_NOT, 'affected');
    
  • NASL familyWindows
    NASL idSMB_NT_MS19_JUL_MSSQL_REMOTE.NASL
    descriptionThe Microsoft SQL Server installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability : - A remote code execution vulnerability exists in Microsoft SQL Server when it incorrectly handles processing of internal functions. An attacker who successfully exploited this vulnerability could execute code in the context of the SQL Server Database Engine service account. (CVE-2019-1068)
    last seen2020-06-01
    modified2020-06-02
    plugin id126630
    published2019-07-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126630
    titleSecurity Updates for Microsoft SQL Server (Uncredentialed Check) (July 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126630);
      script_version("1.3");
      script_cvs_date("Date: 2020/02/14");
    
      script_cve_id("CVE-2019-1068");
      script_bugtraq_id(108954);
      script_xref(name:"MSKB", value:"4505217");
      script_xref(name:"MSKB", value:"4505419");
      script_xref(name:"MSKB", value:"4505422");
      script_xref(name:"MSKB", value:"4505218");
      script_xref(name:"MSKB", value:"4505219");
      script_xref(name:"MSKB", value:"4505225");
      script_xref(name:"MSKB", value:"4505224");
      script_xref(name:"MSKB", value:"4505222");
      script_xref(name:"MSKB", value:"4505221");
      script_xref(name:"MSKB", value:"4505220");
      script_xref(name:"MSFT", value:"MS19-4505217");
      script_xref(name:"MSFT", value:"MS19-4505419");
      script_xref(name:"MSFT", value:"MS19-4505422");
      script_xref(name:"MSFT", value:"MS19-4505218");
      script_xref(name:"MSFT", value:"MS19-4505219");
      script_xref(name:"MSFT", value:"MS19-4505225");
      script_xref(name:"MSFT", value:"MS19-4505224");
      script_xref(name:"MSFT", value:"MS19-4505222");
      script_xref(name:"MSFT", value:"MS19-4505221");
      script_xref(name:"MSFT", value:"MS19-4505220");
    
      script_name(english:"Security Updates for Microsoft SQL Server (Uncredentialed Check) (July 2019)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft SQL Server installation on the remote host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft SQL Server installation on the remote host is
    missing a security update. It is, therefore, affected by the
    following vulnerability :
    
      - A remote code execution vulnerability exists in
        Microsoft SQL Server when it incorrectly handles
        processing of internal functions. An attacker who
        successfully exploited this vulnerability could execute
        code in the context of the SQL Server Database Engine
        service account.  (CVE-2019-1068)");
      # https://support.microsoft.com/en-us/help/4505217/security-update-for-sql-server-2014-sp2-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a359a1a6");
      # https://support.microsoft.com/en-us/help/4505419/description-of-the-security-update-for-sql-server-2014-sp2-cu17-gdr-ju
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3515161a");
      # https://support.microsoft.com/en-us/help/4505422/security-update-for-sql-server-2014-sp3-cu3-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e525f475");
      # https://support.microsoft.com/en-us/help/4505218/description-of-the-security-update-for-sql-server-2014-sp3-gdr-july-9
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?619cf09c");
      # https://support.microsoft.com/en-us/help/4505219/security-update-for-sql-server-2016-sp1-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?87d34b59");
      # https://support.microsoft.com/en-us/help/4505225/security-update-for-sql-server-2017-cu15-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2e915a50");
      # https://support.microsoft.com/en-us/help/4505224/description-of-the-security-update-for-sql-server-2017-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d9e5dfaf");
      # https://support.microsoft.com/en-us/help/4505222/security-update-for-sql-server-2016-sp2-cu7-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2a252018");
      # https://support.microsoft.com/en-us/help/4505221/description-of-the-security-update-for-sql-server-2016-sp1-cu15-gdr-ju
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?893cb218");
      # https://support.microsoft.com/en-us/help/4505220/security-update-for-sql-server-2016-sp2-gdr-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d42b7b26");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security updates to address this issue:  
      -KB4505217
      -KB4505419
      -KB4505422
      -KB4505218
      -KB4505219
      -KB4505225
      -KB4505224
      -KB4505222
      -KB4505221
      -KB4505220");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1068");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/12");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mssqlserver_detect.nasl");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports(139, 445, 1433, "Services/mssql", "Host/patch_management_checks");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    
    port = get_service(svc:'mssql', exit_on_fail:TRUE);
    instance = get_kb_item('MSSQL/' + port + '/InstanceName');
    version = get_kb_item_or_exit('MSSQL/' + port + '/Version');
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    ver = pregmatch(pattern:"^([0-9.]+)([^0-9]|$)", string:version);
    if(!isnull(ver) && !isnull(ver[1])) ver = ver[1];
    
    if (
        # N/A : 4505218 , 4505220 , 4505221
    
        # 2014 GDR
        # KB4505417
        ver_compare(minver:'12.0.5200.0', ver:ver, fix:'12.0.5223.0', strict:FALSE) < 0 ||
        # 2014 CU + GDR
        # KB4505419
        ver_compare(minver:'12.0.5500.0', ver:ver, fix:'12.0.5659.0', strict:FALSE) < 0 ||
        # 2014 CU + GDR
        # KB4505422
        ver_compare(minver:'12.0.6200.0', ver:ver, fix:'12.0.6293.0', strict:FALSE) < 0 ||
        # 2016 CU + GDR
        # KB4505222
        ver_compare(minver:'13.0.5300.0', ver:ver, fix:'13.0.5366.0', strict:FALSE) < 0 ||
        # 2017 GDR
        # KB4505224
        ver_compare(minver:'14.0.1000.0', ver:ver, fix:'14.0.2027.0', strict:FALSE) < 0 ||
        # 2017 CU + GDR
        # KB4505225
        ver_compare(minver:'14.0.3006.0', ver:ver, fix:'14.0.3192.0', strict:FALSE) < 0
    )
    {
      report = '';
      if(!empty_or_null(version)) report += '\n  SQL Server Version   : ' + version;
      if(!empty_or_null(instance)) report += '\n  SQL Server Instance  : ' + instance;
      security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, 'MSSQL', version);